Trojaner-Board


Nemo79 19.07.2010 16:49

*.crypted file extensions MS Server 2003 *.jpg/xls/doc/zip etc.
 
Hello everyone,

today we have an active infection with what I believe is ransomware on an MS 2003 server, or at least on the shared files. I'd be grateful for help analysing the server's HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:43, on 19.07.2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Dell\SysMgt\RAC4\racsvc.exe
C:\Programme\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Programme\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Programme\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Programme\Dell\SysMgt\sm\mr2kserv.exe
C:\Programme\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\nsclient_ce\NSClient++.exe
C:\Programme\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\Programme\Dell\SysMgt\cm\invcol\invcol.exe
C:\Programme\Symantec AntiVirus\SavRoam.exe
C:\Programme\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Symantec AntiVirus\Rtvscan.exe
C:\Programme\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programme\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Symantec AntiVirus\DoScan.exe
C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = hxxp://197.46.112.3/wgproxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 197.46.112.114:8080
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Programme\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-3330061741-945155168-3372883284-4025\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'BackupEpp')
O4 - HKUS\S-1-5-21-3330061741-945155168-3372883284-4025\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'BackupEpp')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253050190953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253050181218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CCS\Services\Tcpip\..\{893C1630-8F68-49B9-9A9C-2DBD6BA1DB36}: NameServer = 10.226.226.242
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDEE97CA-4AF0-4EE2-9C81-13EE9C757EF7}: NameServer = 10.226.226.242
O17 - HKLM\System\CCS\Services\Tcpip\..\{D90CE0D4-F2E4-4C1A-B2A2-F7BB7AE23651}: NameServer = 10.226.226.242,192.168.32.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{893C1630-8F68-49B9-9A9C-2DBD6BA1DB36}: NameServer = 10.226.226.242
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\..\{893C1630-8F68-49B9-9A9C-2DBD6BA1DB36}: NameServer = 10.226.226.242
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Programme\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Programme\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programme\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Programme\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Programme\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: NSClientpp (Nagios) 0.3.6.385 2009-02-24 w32 (NSClientpp) - Unknown owner - C:\nsclient_ce\NSClient++.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Programme\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Remote Access Controller 4 (RAC4) (racsvc) - Dell, Inc. - C:\Programme\Dell\SysMgt\RAC4\racsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programme\Symantec AntiVirus\SavRoam.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Programme\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programme\Symantec AntiVirus\Rtvscan.exe

Is there any way to find the source of the trojan?

Many thanks in advance for your help.

Regards,

Olli
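Two triage checks a responder would typically run over a HijackThis log like the one above, written here as an added example (not the poster's or the forum's code): it pulls the IPv4 addresses out of the R1 proxy/AutoConfigURL and O17 NameServer entries and flags the ones outside private address space, and it lists O23 services whose vendor field reads "Unknown owner". The sample lines are copied from the log above; `SAMPLE_LOG` and the function names are this example's own.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = hxxp://197.46.112.3/wgproxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 197.46.112.114:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{D90CE0D4-F2E4-4C1A-B2A2-F7BB7AE23651}: NameServer = 10.226.226.242,192.168.32.10
O23 - Service: NSClientpp (Nagios) 0.3.6.385 2009-02-24 w32 (NSClientpp) - Unknown owner - C:\nsclient_ce\NSClient++.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programme\Symantec AntiVirus\Rtvscan.exe
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# R0/R1 cover Internet Explorer settings, O17 the TCP/IP (DNS/domain) settings in HijackThis numbering.
SETTING_RE = re.compile(r"^(R\d|O17) - .*?(AutoConfigURL|ProxyServer|NameServer) = (.*)$")

def flag_external_settings(log_text: str) -> List[Tuple[str, str, str]]:
    """(section, setting, ip) for each IPv4 in a proxy/PAC/DNS entry outside
    private, loopback or link-local space. Not proof of compromise, but the
    first thing to compare with the documented proxy and DNS configuration."""
    findings = []
    for line in log_text.splitlines():
        m = SETTING_RE.match(line)
        if not m:
            continue
        section, setting, value = m.groups()
        for ip_text in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # four dotted numbers that are not a valid address
            if not (ip.is_private or ip.is_loopback or ip.is_link_local):
                findings.append((section, setting, ip_text))
    return findings

def unknown_owner_services(log_text: str) -> List[Tuple[str, str]]:
    """(service_name, image_path) for O23 services whose vendor field reads
    'Unknown owner'; these are the binaries to verify (hash, signature) first."""
    out = []
    for line in log_text.splitlines():
        if not line.startswith("O23 - Service: "):
            continue
        parts = line.rsplit(" - ", 2)  # split from the right: names may contain " - "
        if len(parts) != 3:
            continue
        name, owner, path = parts[0][len("O23 - Service: "):], parts[1], parts[2]
        if owner.strip().lower() == "unknown owner":
            out.append((name, path))
    return out
```

An address flagged by the first check only means it is not RFC 1918 space; whether it belongs to the organisation's own proxy or DNS infrastructure has to be confirmed with whoever administers the network.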

Nemo79 20.07.2010 11:05

Hello everyone,

does nobody here have any advice?

Many thanks in advance.

Regards,

Olli

