dragonage.exe
Win32.IRCBot

Next: HijackThis

O23 - Service: Dragon Age - Bioware - Unknown owner - C:\WINDOWS\System32\dllcache\dragonage.exe
O23 - Service: Microsoft Star Window Service - Unknown owner - C:\WINDOWS\System32\dllcache\starwin32.exe
O23 - Service: Italian Grand Prix - Unknown owner - C:\WINNT\system32\dllcache\grand.exe
O23 - Service: MSCommmand - Unknown owner - C:\WINDOWS\System32\dllcache\mswincom32.exe
O23 - Service: World Of Warcraft - Unknown owner - C:\WINDOWS\System32\dllcache\warcraft.exe


Next: Kaspersky online scan

C:\WINDOWS\system32\27031_redworld.exe
C:\WINDOWS\system32\dllcache\mswincom32.exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\dllcache\warcraft.exe Infected: Backdoor.Win32.SdBot.avz

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[10].exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[11].exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[12].exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[13].exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[14].exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[15].exe Infected: Backdoor.Win32.VanBot.e
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AF4PQF65\84785_redworld[16].exe Infected: Backdoor.Win32.VanBot.e

C:\WINDOWS\System32\dllcache

Next: download datcache.zip, unpack it (on the Desktop) - double-click it - wait for the scan - the text editor will open - copy the text with the right mouse button

Next: Start > Run --> type in --> cmd.exe
and OK. Paste in the following line and post everything that appears in the text editor

dir /s /a "c:\redworld*.*" > c:\find.txt & start notepad c:\find.txt

HKLM\SYSTEM\CurrentControlSet\Services\DragonAge - Bioware
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Star Window Service
HKLM\SYSTEM\CurrentControlSet\Services\Italian Grand Prix

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess
service deactivates the Microsoft Internet
Connection Firewall (ICF).

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Win32.IRCBot.wo attempts to terminate a number of processes related to security and anti-virus applications

Next: Avenger

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Italian Grand Prix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Italian Grand Prix

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Dragon Age
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dragon Age

Files to delete:
C:\WINDOWS\System32\dllcache\dragonage.exe
C:\WINDOWS\System32\dllcache\starwin32.exe
C:\WINDOWS\system32\dllcache\grand.exe
C:\WINDOWS\system32\dllcache\warcraft.exe
C:\WINDOWS\System32\dllcache\mswincom32.exe
C:\WINDOWS\system32\27031_redworld.exe
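The HijackThis O23 entries and the Kaspersky scan lines above share one pattern: services with no vendor string whose binary sits in the dllcache folder, some of which the scanner also names. The following is an added example, not part of the original page or of any of the tools mentioned, that parses both kinds of log line, flags services matching that pattern or matching a scanner hit, and renders the result in the same "Registry keys to delete / Files to delete" layout the Avenger script above uses. The sample lines are constructed from the entries quoted on the page (plus a constructed Spooler entry and an O4 line to show what is left alone); the service names, the ControlSet list and the functions are this example's own.

```python
import re

# Constructed sample input, modelled on the HijackThis O23 entries and the
# Kaspersky scan lines quoted on the page; the Spooler and O4 lines are
# constructed to show what the filter leaves alone.
O23_LINES = [
    r"O23 - Service: Dragon Age - Bioware - Unknown owner - C:\WINDOWS\System32\dllcache\dragonage.exe",
    r"O23 - Service: Italian Grand Prix - Unknown owner - C:\WINNT\system32\dllcache\grand.exe",
    r"O23 - Service: World Of Warcraft - Unknown owner - C:\WINDOWS\System32\dllcache\warcraft.exe",
    r"O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe",
    r"O4 - HKLM\..\Run: [example] C:\example.exe",
]
KAV_LINES = [
    r"C:\WINDOWS\system32\27031_redworld.exe",
    r"C:\WINDOWS\system32\dllcache\warcraft.exe Infected: Backdoor.Win32.SdBot.avz",
]

# Control sets the page's removal script walks; ControlSet003 only exists on
# machines that have accumulated that many boot configurations.
CONTROL_SETS = ("CurrentControlSet", "ControlSet001", "ControlSet002", "ControlSet003")


def parse_o23(line):
    """Split an 'O23 - Service: <display name> - <owner> - <path>' line.

    The display name may itself contain ' - ' (the page's 'Dragon Age - Bioware'),
    so split from the right: the last field is the path, the one before it the
    owner. Returns None for any other HijackThis line type.
    """
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    return {"name": name, "owner": owner, "path": path}


def parse_scanner(line):
    """Split a '<path> Infected: <verdict>' line; verdict is None when absent."""
    path, _, verdict = line.strip().partition(" Infected: ")
    return {"path": path.strip(), "verdict": verdict.strip() or None} if path else None


def suspicious_services(o23_lines, scanner_lines):
    """Return (service, reasons) pairs for services worth investigating."""
    flagged = {}
    for line in scanner_lines:
        hit = parse_scanner(line)
        if hit:
            flagged[hit["path"].lower()] = hit["verdict"]
    findings = []
    for line in o23_lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        path = svc["path"].lower()
        reasons = []
        if path in flagged:
            reasons.append("flagged by scanner: " + (flagged[path] or "unnamed detection"))
        # dllcache is Windows File Protection's copy store; a service with no
        # vendor string whose binary lives there is the pattern in the log above.
        if svc["owner"].lower() == "unknown owner" and "\\dllcache\\" in path:
            reasons.append("unknown-owner service running from dllcache")
        if reasons:
            findings.append((svc, reasons))
    return findings


def removal_plan(findings, scanner_lines):
    """Render the findings in the 'Registry keys / Files to delete' layout used above.

    The O23 line shows the display name; the key under Services uses the short
    service name, which can differ (the page lists both 'DragonAge - Bioware' and
    'Dragon Age'), so confirm each key in the registry before acting on it.
    """
    keys, files = [], []
    for svc, _ in findings:
        for cs in CONTROL_SETS:
            keys.append(r"HKEY_LOCAL_MACHINE\SYSTEM\{cs}\Enum\Root\LEGACY_{name}".format(cs=cs, name=svc["name"]))
            keys.append(r"HKEY_LOCAL_MACHINE\SYSTEM\{cs}\Services\{name}".format(cs=cs, name=svc["name"]))
        files.append(svc["path"])
    # Scanner hits that belong to no service (the page's 27031_redworld.exe)
    # still go on the file list, once, regardless of path case.
    seen = {f.lower() for f in files}
    for line in scanner_lines:
        hit = parse_scanner(line)
        if hit and hit["path"].lower() not in seen:
            files.append(hit["path"])
            seen.add(hit["path"].lower())
    return ("Registry keys to delete:\n" + "\n".join(keys)
            + "\n\nFiles to delete:\n" + "\n".join(files) + "\n")


if __name__ == "__main__":
    print(removal_plan(suspicious_services(O23_LINES, KAV_LINES), KAV_LINES))
```

Paths are compared case-insensitively because the two tools spell `System32` differently for the same file; the generated key list is a checklist to verify against the live registry, not something to feed to a deletion tool unreviewed.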