Encryption trojan caught on 9 June (Windows 7)
Hello, after several days of research and reading various threads here in the forum, I am now finally starting with my problem. Last Saturday I caught the encryption trojan, via e-mail. In my case it is not quite so bad; with Shadow Explorer I was able to restore most of the data. At my niece's (from whom I got the trojan) the laptop is affected. However, I can't even get into Safe Mode there. After selecting it, it loads the required settings, a blue screen flashes up very briefly, and the thing is back at the selection screen of the abnormal Windows start. I burned myself an OTLPENet CD and ran the scan, but I only got an OTL.txt as a result; the Extras.txt is missing for me. It looks like this for me:

Code:
OTL logfile created on: 6/14/2012 12:06:26 PM - Run OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): E:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Programme
Drive C: | 97.65 Gb Total Space | 93.68 Gb Free Space | 95.93% Space Free | Partition Type: NTFS
Drive D: | 135.22 Gb Total Space | 106.55 Gb Free Space | 78.80% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2012/02/26 18:15:42 | 000,055,144 | ---- | M] (Apple Inc.) [Auto] -- D:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2011/02/24 06:24:12 | 000,389,960 | ---- | M] (CA) [Auto] -- C:\Programme\CA\eTrust Antivirus\InoTask.exe -- (InoTask)
SRV - [2010/03/03 04:06:04 | 000,283,888 | ---- | M] (CA, Inc.) [Auto] -- D:\Programme\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe -- (ITMRTSVC)
SRV - [2010/03/03 04:02:57 | 000,208,896 | ---- | M] (CA) [Auto] -- C:\Programme\CA\eTrust Antivirus\InoRT.exe -- (InoRT)
SRV - [2010/03/03 04:02:57 | 000,192,512 | ---- | M] (CA) [Auto] -- C:\Programme\CA\eTrust Antivirus\InoRpc.exe -- (InoRPC)
SRV - [2007/02/05 02:57:24 | 000,106,496 | ---- | M] (CA, Inc.) [Auto] -- D:\Programme\CA\SharedComponents\iTechnology\igateway.exe -- (iGateway)
SRV - [2007/01/19 10:16:46 | 000,061,440 | ---- | M] (AuthenTec,Inc) [Auto] -- D:\WINDOWS\system32\FpLogonServ.exe -- (FingerprintServer)
SRV - [2002/09/20 12:41:00 | 000,077,824 | ---- | M] (Computer Associates) [On_Demand] -- D:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe -- (CA_LIC_SRVR)
SRV - [2002/09/20 12:29:28 | 000,053,248 | ---- | M] (Computer Associates) [Auto] -- D:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe -- (LogWatch)
SRV - [2002/09/20 12:27:04 | 000,077,824 | ---- | M] (Computer Associates) [On_Demand] -- D:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe -- (CA_LIC_CLNT)

========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2009/09/08 12:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System] -- D:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008/12/13 06:26:38 | 000,102,400 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/10/18 16:14:32 | 000,184,080 | ---- | M] (Computer Associates) [File_System | Auto] -- D:\WINDOWS\system32\drivers\ino_fltr.sys -- (INO_FLTR)
DRV - [2007/08/06 17:07:02 | 000,027,536 | ---- | M] (Computer Associates) [File_System | Boot] -- D:\WINDOWS\system32\drivers\ino_flpy.sys -- (INO_FLPY)
DRV - [2007/04/10 10:55:28 | 000,140,808 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) (****DEBUG****) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/02/24 09:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto] -- D:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/16 10:46:42 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/01/30 13:57:00 | 004,474,368 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/01/23 12:03:28 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto] -- D:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/01/23 11:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto] -- D:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/08 08:49:42 | 000,012,544 | ---- | M] (Intel Corporation) [Kernel | Auto] -- D:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/08/30 09:53:00 | 001,161,152 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- D:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Saskia_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKU\Saskia_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\Saskia_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\Saskia_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 74 D4 8A C1 E3 A0 CB 01 [binary data]
IE - HKU\Saskia_ON_D\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - File not found
IE - HKU\Saskia_ON_D\..\URLSearchHook: {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - File not found
IE - HKU\Saskia_ON_D\..\URLSearchHook: {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - File not found
IE - HKU\Saskia_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Saskia_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Programme\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Programme\Microsoft Silverlight\4.0.60129.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: D:\Programme\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: D:\Programme\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Programme\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Programme\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Programme\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,820 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - D:\Programme\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Programme\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (softonic-de3 Toolbar) - {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - File not found
O2 - BHO: (Softonic Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - File not found
O2 - BHO: (SearchElf 1.2 Toolbar) - {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - D:\Programme\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (softonic-de3 Toolbar) - {cc05a3e3-64c3-4af2-bfc1-af0d66b69065} - File not found
O3 - HKLM\..\Toolbar: (Softonic Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - File not found
O3 - HKLM\..\Toolbar: (SearchElf 1.2 Toolbar) - {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - File not found
O3 - HKU\Saskia_ON_D\..\Toolbar\WebBrowser: (softonic-de3 Toolbar) - {CC05A3E3-64C3-4AF2-BFC1-AF0D66B69065} - File not found
O3 - HKU\Saskia_ON_D\..\Toolbar\WebBrowser: (Softonic Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - File not found
O3 - HKU\Saskia_ON_D\..\Toolbar\WebBrowser: (SearchElf 1.2 Toolbar) - {F4E6547E-325B-403C-A3BB-AD29ED37A92F} - File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe ARM] D:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] D:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [APSDaemon] D:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AzMixerSel] D:\Programme\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ConnectionCenter] D:\Programme\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [FingerPrintSoftware] D:\Programme\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc)
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] D:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Realtime Monitor] C:\Programme\CA\eTrust Antivirus\realmon.exe (CA)
O4 - HKU\Saskia_ON_D..\Run: [14577AE6] D:\WINDOWS\system32\72FA3BF714577AE6325B.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Saskia_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Saskia_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\Saskia_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\Saskia_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - D:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (E:\WINDOWS\system32\72FA3BF714577AE6325B.exe) - D:\WINDOWS\system32\72FA3BF714577AE6325B.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O20 - Winlogon\Notify\ATFUS: DllName - E:\WINDOWS\system32\FpWinLogonNp.dll - D:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc)
O27 - HKLM IFEO\msconfig.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\regedit.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/16 11:25:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========
File not found -- D:\Dokumente und Einstellungen\Saskia\Desktop\SharePodSettings.xml
File not found -- D:\Dokumente und Einstellungen\Saskia\Desktop\SharePod.exe
File not found -- D:\Dokumente und Einstellungen\Saskia\Desktop\Mahnbescheid.zip
[2012/06/09 06:23:45 | 000,000,000 | ---D | C] -- D:\Dokumente und Einstellungen\Saskia\Anwendungsdaten\Lzsrlzs
[2012/06/09 06:23:26 | 000,071,624 | -H-- | C] (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services) -- D:\WINDOWS\System32\72FA3BF714577AE6325B.exe
[2012/05/20 12:44:33 | 000,000,000 | ---D | C] -- D:\Dokumente und Einstellungen\All Users\Dokumente\Bilder
[2012/05/20 12:38:21 | 000,000,000 | ---D | C] -- D:\Dokumente und Einstellungen\Saskia\Desktop\Downloads
[2012/05/20 11:39:49 | 000,000,000 | ---D | C] -- D:\Dokumente und Einstellungen\All Users\Dokumente\Musik
[2012/05/20 11:10:42 | 000,000,000 | ---D | C] -- D:\Dokumente und Einstellungen\Saskia\Desktop\Automatisch zu iTunes hinzufügen
[5 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
[4 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========
File not found -- D:\Dokumente und Einstellungen\Saskia\Desktop\SharePodSettings.xml
File not found -- D:\Dokumente und Einstellungen\Saskia\Desktop\SharePod.exe
File not found -- D:\Dokumente und Einstellungen\Saskia\Desktop\Mahnbescheid.zip
[2012/06/13 13:48:32 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2012/06/13 13:48:04 | 000,017,408 | ---- | M] () -- D:\WINDOWS\System32\rpcnetp.dll
[2012/06/13 13:47:34 | 000,017,408 | ---- | M] () -- D:\WINDOWS\System32\rpcnetp.exe
[2012/06/13 13:43:36 | 000,051,048 | ---- | M] () -- D:\WINDOWS\System32\nvapps.xml
[2012/06/13 13:43:24 | 000,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2012/06/13 13:43:07 | 000,001,086 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/09 06:23:26 | 000,071,624 | -H-- | M] (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services) -- D:\WINDOWS\System32\72FA3BF714577AE6325B.exe
[2012/06/09 06:18:12 | 000,001,090 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/06 09:52:00 | 000,481,078 | ---- | M] () -- D:\WINDOWS\System32\winsh323
[2012/06/06 09:51:42 | 000,481,078 | ---- | M] () -- D:\WINDOWS\System32\winsh322
[2012/06/06 09:51:18 | 000,481,078 | ---- | M] () -- D:\WINDOWS\System32\winsh321
[2012/06/06 09:50:48 | 000,481,078 | ---- | M] () -- D:\WINDOWS\System32\winsh320
[2012/06/02 05:01:00 | 000,000,228 | ---- | M] () -- D:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2012/05/31 09:22:01 | 000,604,160 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\crypt32.dll
[2012/05/26 09:18:35 | 000,044,544 | ---- | M] (Absolute Software Corp.) -- D:\WINDOWS\System32\agremove.exe
[2012/05/20 15:27:34 | 000,118,152 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/20 14:14:13 | 000,001,374 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2012/05/20 14:13:29 | 000,450,722 | ---- | M] () -- D:\WINDOWS\System32\perfh007.dat
[2012/05/20 14:13:29 | 000,434,368 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2012/05/20 14:13:29 | 000,081,984 | ---- | M] () -- D:\WINDOWS\System32\perfc007.dat
[2012/05/20 14:13:29 | 000,069,324 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2012/05/20 11:10:42 | 000,000,305 | ---- | M] () -- D:\Dokumente und Einstellungen\Saskia\Desktop\lpeaDXsTlpealpps
[5 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
[4 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========
[2012/06/09 06:23:58 | 000,481,078 | ---- | C] () -- D:\WINDOWS\System32\winsh325
[2012/06/09 06:23:58 | 000,481,078 | ---- | C] () -- D:\WINDOWS\System32\winsh324
[2012/06/09 06:23:58 | 000,481,078 | ---- | C] () -- D:\WINDOWS\System32\winsh323
[2012/06/09 06:23:58 | 000,481,078 | ---- | C] () -- D:\WINDOWS\System32\winsh322
[2012/06/09 06:23:58 | 000,481,078 | ---- | C] () -- D:\WINDOWS\System32\winsh321
[2012/06/09 06:23:58 | 000,481,078 | ---- | C] () -- D:\WINDOWS\System32\winsh320
[2012/06/02 04:34:50 | 000,017,408 | ---- | C] () -- D:\WINDOWS\System32\rpcnetp.dll
[2012/06/02 04:34:18 | 000,017,408 | ---- | C] () -- D:\WINDOWS\System32\rpcnetp.exe
[2012/02/18 22:05:06 | 000,003,072 | ---- | C] () -- D:\WINDOWS\System32\iacenc.dll
[2010/10/17 08:07:45 | 000,003,584 | ---- | C] () -- D:\Dokumente und Einstellungen\Saskia\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/04 23:53:07 | 000,013,274 | ---- | C] () -- D:\Dokumente und Einstellungen\All Users\Anwendungsdaten\yULsAjVoxqdOXQ
[2009/02/16 14:17:20 | 000,086,016 | ---- | C] () -- D:\WINDOWS\System32\preflib.dll
[2009/02/16 14:17:19 | 000,757,760 | ---- | C] () -- D:\WINDOWS\System32\bcm1xsup.dll
[2009/02/16 14:17:19 | 000,020,480 | ---- | C] () -- D:\WINDOWS\System32\WLTRYSVC.EXE
[2009/02/16 14:16:19 | 000,016,480 | ---- | C] () -- D:\WINDOWS\System32\rixdicon.dll
[2009/02/16 14:10:23 | 000,000,176 | ---- | C] () -- D:\WINDOWS\System32\drivers\RTHDAEQ0.dat
[2009/02/16 14:10:21 | 000,049,152 | ---- | C] () -- D:\WINDOWS\System32\ChCfg.exe
[2009/02/16 12:16:50 | 000,000,046 | ---- | C] () -- D:\WINDOWS\InoSetup.ini
[2009/02/16 12:11:13 | 000,036,864 | ---- | C] () -- D:\WINDOWS\RmvDir.exe
[2009/02/16 12:08:31 | 000,000,400 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2009/02/16 11:29:17 | 000,002,048 | --S- | C] () -- D:\WINDOWS\bootstat.dat
[2009/02/16 11:22:37 | 000,021,740 | ---- | C] () -- D:\WINDOWS\System32\emptyregdb.dat
[2009/02/16 11:07:18 | 000,004,161 | ---- | C] () -- D:\WINDOWS\ODBCINST.INI
[2009/02/16 11:05:56 | 000,118,152 | ---- | C] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2007/03/21 17:31:34 | 001,662,976 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll
[2007/03/21 17:31:34 | 001,622,016 | ---- | C] () -- D:\WINDOWS\System32\nwiz.exe
[2007/03/21 17:31:34 | 001,019,904 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll
[2007/03/21 17:31:32 | 001,470,464 | ---- | C] () -- D:\WINDOWS\System32\nview.dll
[2007/03/21 17:31:32 | 001,339,392 | ---- | C] () -- D:\WINDOWS\System32\nvdspsch.exe
[2007/03/21 17:31:32 | 000,573,440 | ---- | C] () -- D:\WINDOWS\System32\nvhwvid.dll
[2007/03/21 17:31:32 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll
[2007/03/21 17:31:32 | 000,442,368 | ---- | C] () -- D:\WINDOWS\System32\nvappbar.exe
[2007/03/21 17:31:32 | 000,098,304 | ---- | C] () -- D:\WINDOWS\System32\nvapi.dll
[2007/03/21 17:31:30 | 000,425,984 | ---- | C] () -- D:\WINDOWS\System32\keystone.exe
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- D:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- D:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,626,176 | ---- | C] () -- D:\WINDOWS\System32\autochk.exe
[2004/08/04 08:00:00 | 000,450,722 | ---- | C] () -- D:\WINDOWS\System32\perfh007.dat
[2004/08/04 08:00:00 | 000,434,368 | ---- | C] () -- D:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- D:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,269,480 | ---- | C] () -- D:\WINDOWS\System32\perfi007.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- D:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,081,984 | ---- | C] () -- D:\WINDOWS\System32\perfc007.dat
[2004/08/04 08:00:00 | 000,069,324 | ---- | C] () -- D:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- D:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,034,478 | ---- | C] () -- D:\WINDOWS\System32\perfd007.dat
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- D:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- D:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- D:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- D:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- D:\WINDOWS\System32\noise.dat
[1601/02/13 04:28:18 | 000,013,274 | ---- | C] () -- D:\Dokumente und Einstellungen\Saskia\Lokale Einstellungen\Anwendungsdaten\yLjEqnAEyLjoTepDasXl

========== LOP Check ==========
[2012/04/03 04:48:02 | 000,000,000 | ---D | M] -- D:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Citrix
[2012/04/01 07:33:06 | 000,000,000 | ---D | M] -- D:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/06/02 05:01:00 | 000,000,228 | ---- | M] () -- D:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

========== Alternate Data Streams ==========
@Alternate Data Stream - 22528 bytes -> D:\WINDOWS\System32\autochk.exe:BAK

< End of report >

Regards, T.
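As an added triage example (not part of the original post, and not a tool from OTL or the forum): a small Python script that parses OTL-style lines and flags the four indicator classes visible in the report above: Image File Execution Options "Debugger" entries on msconfig, regedit and taskmgr (O27), a Winlogon UserInit value that no longer points at userinit.exe (O20), policy values that disable Task Manager and the Registry Editor (O6/O7), and Run entries whose executable is a long hex-named file under system32 (O4). It then reports which binary appears under more than one rule, which is what makes the UserInit entry the interesting one here. The sample lines are copied from the posted report; the rule names, the 12-hex-digit threshold and the benign decoy entries are my own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: a handful of lines taken from the OTL report in this
# thread, plus benign entries (Adobe ARM, HonorAutoRunSetting, Shell) that the
# rules must leave alone.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [Adobe ARM] D:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKU\Saskia_ON_D..\Run: [14577AE6] D:\WINDOWS\system32\72FA3BF714577AE6325B.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\Saskia_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (E:\WINDOWS\system32\72FA3BF714577AE6325B.exe) - D:\WINDOWS\system32\72FA3BF714577AE6325B.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O27 - HKLM IFEO\msconfig.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
"""

# OTL prefixes: "O<n> - ...", "SRV - ...", "DRV - ...", "IE - ...", "FF - ...".
# The dash is optional because "O1 HOSTS File:" is written without one.
ENTRY_RE = re.compile(r"^(O\d+|SRV|DRV|IE|FF)\b\s*-?\s*(.*)$")
# Policy values that lock the user out of the usual clean-up tools.
LOCKDOWN_POLICIES = ("DisableTaskMgr", "DisableRegedit", "DisableRegistryTools")
# Assumed heuristic: a Run target whose file name is 12+ hex digits.
HEX_NAME_RE = re.compile(r"\\[0-9A-F]{12,}\.exe\b", re.IGNORECASE)
# Drive-letter paths ending in .exe, used for the cross-reference step.
EXE_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+\.exe", re.IGNORECASE)


def parse_otl(text: str) -> List[Tuple[str, str, str]]:
    """Return (section code, body, original line) for every OTL entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2), line))
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the four indicator rules; each hit is {'rule': ..., 'line': ...}."""
    findings = []
    for code, body, line in parse_otl(text):
        if code == "O27" and "Debugger -" in body:
            # IFEO Debugger on an admin tool: launching it runs the "debugger" instead.
            findings.append({"rule": "ifeo_debugger_hijack", "line": line})
        elif code == "O20" and "UserInit -" in body and "userinit.exe" not in body.lower():
            # UserInit runs at every logon, before the shell; it should be userinit.exe.
            findings.append({"rule": "userinit_replaced", "line": line})
        elif code in ("O6", "O7") and any(f"{p} = 1" in body for p in LOCKDOWN_POLICIES):
            findings.append({"rule": "admin_tool_lockdown", "line": line})
        elif code == "O4" and HEX_NAME_RE.search(body):
            findings.append({"rule": "run_key_random_name", "line": line})
    return findings


def shared_binaries(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map lower-cased .exe names to the set of rules that flagged them (2+ rules)."""
    seen: Dict[str, Set[str]] = {}
    for finding in findings:
        for path in EXE_PATH_RE.findall(finding["line"]):
            name = path.rsplit("\\", 1)[-1].lower()
            seen.setdefault(name, set()).add(finding["rule"])
    return {name: rules for name, rules in seen.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = triage(SAMPLE_OTL)
    for hit in hits:
        print(f"[{hit['rule']}] {hit['line'][:90]}")
    for name, rules in shared_binaries(hits).items():
        print(f"{name} is referenced by {len(rules)} rules: {sorted(rules)}")
```

Run it on a full OTL.txt by replacing SAMPLE_OTL with the file contents; the cross-reference step is the useful part, because a binary that is both a Run entry and the UserInit value is a far stronger signal than either line alone.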