Všechny dokumenty KO (HOWDECRYPT.TXT ; HOWDECRYPT.GIF)

[johnycz]

Dobrý den,
setkal jsem se za poslední den s dvěma počítači, které byly napadeny Trojským koněm a to tak, že zacryptoval všechny DOC,XLS,JPG,PDF,PST,TXT soubory a do každé složky kde byl aspoň jeden z těchto souborů vložil svoje dva soubory HOWDECRYPT.TXT a GIF. Malwarebytes mi při rychlé kontrole nalezl cca 15 hrozeb a odstranil. Od té chvíle lze vytvořit dokument, uložit a následně i normálně otevřít. Ostatní soubory do té doby jsou rozsypaný čaj. Hledal jsem na netu a kloudnou odpověď jsem nenašel. Zatím jsem se s tím setkal u dvou zákazníků, ale kdo ví zda jich nebude víc. Níže je log z RSITu
Nehledě na to, že od té doby neběží AVG rezidentní štít. Pustil jsem ještě ESET Online Scanner a ten mi našel cca 1900 infikovaných souborů a v 97% se zasekl. Myslím si, že většina z nich byly výše dva uvedené soubory a hlásil je jako Win32/Filecoder.CB.Gen

Logfile of random's system information tool 1.09 (written by random/random)
Run by user at 2014-01-28 22:36:26
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 117 GB (77%) free of 153 GB
Total RAM: 958 MB (18% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:36:38, on 28.1.2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\JU65AWST\RSIT[1].exe
C:\Program Files\trend micro\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ToolboxFX] "C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9680846062
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Služba Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP LaserJet Service - HP - C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: vToolbarUpdater17.3.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe

--
End of file - 8944 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Adobe Flash Player Updater.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\Norton Security Scan for user.job
C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{172FDB66-816B-419B-8FA7-37E71B78A169}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
AVG Security Toolbar - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll [2014-01-09 3349528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2013-12-13 194128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll [2013-10-09 1001936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-29 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-06-29 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{95B7759C-8C7F-4BF1-B163-73684A933233} - AVG Security Toolbar - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll [2014-01-09 3349528]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2013-12-13 194128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-08-24 18702336]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"hpqSRMon"= []
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-11-21 959904]
"ToolboxFX"=C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe [2010-10-25 58936]
"vProt"=C:\Program Files\AVG Secure Search\vprot.exe [2014-01-09 2486296]
"AVG_UI"=C:\Program Files\AVG\AVG2013\avgui.exe [2013-11-20 4411952]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2013-12-11 63048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2011-06-16 39408]
"PC Suite Tray"=C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [2012-06-26 1516632]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2014-01-20 85832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\AVG\AVG10\avgmfapx.exe"="C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:Instalátor AVG"
"H:\Installer\hpbcsiInstaller.exe"="H:\Installer\hpbcsiInstaller.exe:*:Enabled:HP Networked Printer Installer"
"C:\WINDOWS\Temp\avgcu_mDNSResponder.exe"="C:\WINDOWS\Temp\avgcu_mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Stereo2013 v15\Stereo2013.exe"="C:\Stereo2013 v15\Stereo2013.exe:*:Enabled:Stereo 2013"
"C:\Program Files\AVG\AVG2013\avgmfapx.exe"="C:\Program Files\AVG\AVG2013\avgmfapx.exe:*:Enabled:Instalátor AVG"
"C:\Program Files\AVG\AVG2013\avgnsx.exe"="C:\Program Files\AVG\AVG2013\avgnsx.exe:*:Enabled:Webový štít"
"C:\Program Files\AVG\AVG2013\avgdiagex.exe"="C:\Program Files\AVG\AVG2013\avgdiagex.exe:*:Enabled:AVG Diagnostika 2013"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv

======List of files/folders created in the last 1 month======

2014-01-28 22:36:27 ----D---- C:\Program Files\trend micro
2014-01-28 22:36:26 ----D---- C:\rsit
2014-01-28 21:02:24 ----D---- C:\Program Files\Common Files\Symantec Shared
2014-01-28 21:02:15 ----D---- C:\WINDOWS\system32\drivers\NSS
2014-01-28 21:02:15 ----D---- C:\Program Files\Norton Security Scan
2014-01-28 21:02:15 ----D---- C:\Documents and Settings\All Users\Data aplikací\Norton
2014-01-28 21:01:28 ----D---- C:\Program Files\NortonInstaller
2014-01-28 21:01:28 ----D---- C:\Documents and Settings\All Users\Data aplikací\NortonInstaller
2014-01-28 14:01:19 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
2014-01-28 14:01:19 ----A---- C:\WINDOWS\system32\LMIport.dll
2014-01-28 14:01:19 ----A---- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2014-01-28 14:01:18 ----A---- C:\WINDOWS\system32\drivers\lmimirr.sys
2014-01-28 14:01:13 ----A---- C:\WINDOWS\system32\LMIinit.dll
2014-01-28 14:01:09 ----D---- C:\Documents and Settings\All Users\Data aplikací\LogMeIn
2014-01-28 14:00:51 ----D---- C:\Program Files\LogMeIn
2014-01-28 13:10:55 ----D---- C:\Program Files\ESET
2014-01-28 12:52:09 ----A---- C:\avenger.txt
2014-01-28 12:19:35 ----D---- C:\Documents and Settings\user\Data aplikací\Malwarebytes
2014-01-28 12:19:29 ----D---- C:\Documents and Settings\All Users\Data aplikací\Malwarebytes
2014-01-28 12:19:28 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2014-01-28 12:19:28 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2014-01-27 10:58:53 ----D---- C:\Documents and Settings\All Users\Data aplikací\cnludq
2014-01-27 10:58:46 ----D---- C:\Documents and Settings\All Users\Data aplikací\voylbqu
2014-01-27 10:58:46 ----D---- C:\Documents and Settings\All Users\Data aplikací\nhcp
2014-01-27 10:58:46 ----D---- C:\Documents and Settings\All Users\Data aplikací\cxocdm
2014-01-27 10:58:45 ----D---- C:\Documents and Settings\All Users\Data aplikací\dklpoi
2014-01-27 10:11:43 ----D---- C:\Documents and Settings\All Users\Data aplikací\ffertic
2014-01-16 14:59:44 ----HDC---- C:\WINDOWS\$NtUninstallKB2914368$

======List of files/folders modified in the last 1 month======

2014-01-28 22:36:29 ----D---- C:\WINDOWS\Prefetch
2014-01-28 22:36:27 ----RD---- C:\Program Files
2014-01-28 21:53:40 ----D---- C:\WINDOWS\system32\drivers
2014-01-28 21:53:38 ----D---- C:\WINDOWS\system32\CatRoot2
2014-01-28 21:52:35 ----D---- C:\Documents and Settings
2014-01-28 21:47:03 ----D---- C:\WINDOWS\Temp
2014-01-28 21:47:02 ----D---- C:\WINDOWS
2014-01-28 21:43:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2014-01-28 21:42:55 ----D---- C:\Documents and Settings\All Users\Data aplikací\AVG2013
2014-01-28 21:02:24 ----SD---- C:\WINDOWS\Tasks
2014-01-28 21:02:24 ----D---- C:\Program Files\Common Files
2014-01-28 20:23:18 ----D---- C:\Documents and Settings\All Users\Data aplikací\MFAData
2014-01-28 14:01:28 ----SHD---- C:\WINDOWS\Installer
2014-01-28 14:01:27 ----HD---- C:\Config.Msi
2014-01-28 14:01:19 ----D---- C:\WINDOWS\system32
2014-01-28 14:01:18 ----HD---- C:\WINDOWS\inf
2014-01-28 13:10:57 ----SD---- C:\WINDOWS\Downloaded Program Files
2014-01-28 13:09:44 ----A---- C:\WINDOWS\wincmd.ini
2014-01-27 14:21:15 ----D---- C:\Documents and Settings\user\Data aplikací\Adobe
2014-01-27 10:53:37 ----D---- C:\WINDOWS.2
2014-01-27 10:53:23 ----D---- C:\totalcmd
2014-01-27 10:50:48 ----D---- C:\Stereo2013 v15
2014-01-27 10:48:21 ----D---- C:\Stereo2012 v14
2014-01-27 10:46:19 ----D---- C:\Microsoft Office 2007 CZ Full
2014-01-27 10:25:47 ----D---- C:\Documents and Settings\user\Data aplikací\TeamViewer
2014-01-27 10:25:04 ----D---- C:\Documents and Settings\user\Data aplikací\HpUpdate
2014-01-27 10:24:36 ----D---- C:\Documents and Settings\All Users\Data aplikací\MSScanAppDataDir
2014-01-27 10:24:36 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2014-01-16 15:04:40 ----D---- C:\WINDOWS\system32\MRT
2014-01-16 14:59:57 ----A---- C:\WINDOWS\system32\MRT.exe
2014-01-16 14:59:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2014-01-09 09:56:34 ----D---- C:\WINDOWS\system32\cache
2014-01-09 09:56:08 ----D---- C:\Program Files\AVG Secure Search

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 AVGIDSHX;AVGIDSHX; C:\WINDOWS\system32\DRIVERS\avgidshx.sys [2013-07-20 60216]
R0 Avglogx;AVG Logging Driver; C:\WINDOWS\system32\DRIVERS\avglogx.sys [2013-07-20 246072]
R0 Avgrkx86;AVG Anti-Rootkit Driver; C:\WINDOWS\system32\DRIVERS\avgrkx86.sys [2013-10-23 39224]
R0 nvata;nvata; C:\WINDOWS\system32\DRIVERS\nvata.sys [2006-10-18 105472]
R0 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2009-07-13 91904]
R1 AmdPPM;Ovladač procesoru HwPState AMD; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 AVGIDSDriver;AVGIDSDriver; C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys [2013-11-25 208184]
R1 AVGIDSShim;AVGIDSShim; C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys [2013-10-23 22328]
R1 Avgldx86;AVG AVI Loader Driver; C:\WINDOWS\system32\DRIVERS\avgldx86.sys [2013-07-20 171320]
R1 Avgtdix;AVG TDI Driver; C:\WINDOWS\system32\DRIVERS\avgtdix.sys [2013-03-21 182072]
R1 avgtp;avgtp; \??\C:\WINDOWS\system32\drivers\avgtpx86.sys []
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-11-02 49920]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-11-02 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-11-02 21568]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-08-31 5891584]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2013-02-08 12648960]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2013-08-09 32384]
R3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2013-07-03 14976]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield; C:\WINDOWS\system32\DRIVERS\avgmfx86.sys [2013-07-01 96568]
S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
S1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
S2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2013-12-11 10144]
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 nmwcd;Nokia USB Phone Parent Driver; C:\WINDOWS\system32\drivers\ccdcmb.sys [2012-01-09 18176]
S3 nmwcdc;Nokia USB Communication Driver; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2012-01-09 23168]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2012-06-11 19072]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2012-01-09 8192]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2013-08-29 26240]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2012-01-09 8192]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2009-07-14 444136]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2009-07-13 132224]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AVGIDSAgent;AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [2013-07-04 4939312]
R2 avgwd;AVG WatchDog; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [2013-11-20 283136]
R2 HP LaserJet Service;HP LaserJet Service; C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]
R2 hpqddsvc;Služba HP CUE DeviceDiscovery; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 LMIGuardianSvc;LMIGuardianSvc; C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe [2014-01-20 375120]
R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2014-01-20 203088]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2013-12-11 390528]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 vToolbarUpdater17.3.0;vToolbarUpdater17.3.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [2014-01-09 1771544]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2012-06-11 724376]
S2 gupdate;Služba Google Update (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2011-06-16 136176]
S2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-08-17 168004]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-11 257416]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe []
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gupdatem;Služba Google Update (gupdatem); C:\Program Files\Google\Update\GoogleUpdate.exe [2011-06-16 136176]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2012-08-21 194032]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[vyosek]

Zdravim

Zatím jsem se s tím setkal u dvou zákazníků, ale kdo ví zda jich nebude víc.

Predpokladam, ze kdyz mluvite o zakaznicich, tak mate enjaky servis, kterym si privydelavate a po na chcete, abych to za Vas resili, jelikoz nevite jak, rozumim tomu spravne??

[johnycz]

Zdravím, ano servis, ale jde o to, podělit se celkově s tímto virem, s tímto příkladem, získat nějaké informace zda se s tím už někdo nesetkal. Může se to stát každému, kdy dojde k tomuto zničení dokumentů a třeba tento můj dotaz může pomoci i někomu jinému. Jestli je to takový problém, vlákno zamkněte, smažte a hotovo.

[vyosek]

S temi zasifrovanymi soubory mate uz bohuzel smulu

Snazil jsem se toho jiz resit s autory, kteri delaji desifrovaci utility,ale neni zatim mozne to rozklicovat...

Je to opravdu spatne, tenhle kram ma desifrovaci klic u nich na webu.

I only took a brief look at it a few weeks ago. Back then it appeared to use RSA for encrypting the files, where one half of the key was stored on the attackers server. Without that half, decryption is impossible.

[johnycz]

Myslel jsem si to, pročítal jsem různě po googlu a všude možně, kde opravdu lidé psali, že i když zaplatily tak jim nic nepřišlo nebo že je již pozdě a klíč není. Nejvíc mě štve, že bylo plně funkční AVG 2013 aktualizované vše ok, ale jak je vidět proběhlo to a teď vše KO.
Tímto můžete vzít toto vlákno, zamknout a vyřešeno. Je to hroznej sráč tenhle trojan.

[vyosek]

Zadny antivir neochrani 100%, nejdulezitejsi je rozum a obezretnost. Navic tyhle ransomware (lidove policejni viry) jsou pekne mrchy - vizte citaci kolegy

Dobrý den,

zde je ale problém trošku složitější. Vir Win32/Ransom (policejní virus) existuje ve stovkách mutací a každý den vznikají nové. Jediné co zůstává téměř neměnné je pak zobrazená podoba. Proto si uživatelé myslí, že se jedná o stejný vir. Drtivou většinu těchto mutací detekujeme a léčíme.

Druhým problémem je způsob šíření. Bohužel, tento vir se šíří všemi možnými kanály: Odkaz v emailu, Skype, Facebook a jiné sociální sítě, bezpečnostní díry v prohlížečích (většinu pokrýváme), bezpečnostní díry v dalších aplikací (java, flash player, atd), bezpečnostní díry v samotném systému, může být "dotáhnut" jiným virem, a další.

Každý výrobce AV řešení přistupuje k prevenci/detekci/léčení trošku odlišným způsobem. Jak jsem již naspal, např. většinu bezpečnostních děr v internetových prohlížečích (a jiných aplikací) pokrýváme. Jak ale již psal kolega, toto by měl primárně řešit výrobce dané aplikace.

Nakonec největší slabinou zůstává sám uživatel. Např. účet administratora bez hesla, uživatel pracuje pod účtem, který má práva administrátora, atd…


S pozdravem,
Ladislav Jukl
Specialista technické podpory

Takze