rdriv.sys shost.exe scchost.exe
The file rdriv.sys is detected as Troj/Rootkit-W.
Start -- Run -- regedit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv
datfind.bat
Verzeichnis von C:\WINDOWS\system32
08.11.2005 19:19 1.328 npqss.ini
08.11.2005 19:11 28.672 scchostc.exe
08.11.2005 19:11 6.144 scchost.exe
08.11.2005 18:15 7.168 rdriv.sys
08.11.2005 16:43 71 i
08.11.2005 09:40 0 winsecure.exe
Verzeichnis von C:\WINDOWS
08.11.2005 16:43 35.132 windat.exe
http://www.sophos.com/virusinfo/analyses/w32rbotaja.html
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
  Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
  Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
  Start = 4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  DoNotAllowXPSP2 = 1
HKLM\SOFTWARE\Microsoft\Ole
  EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
  ProxyEnable = 1
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
  ProxyEnable = 1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
[HKEY_USERS\S-1-5-21-602162358-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"b"="C:\\WINDOWS\\system32\\rdriv.sys"
[HKEY_USERS\S-1-5-21-602162358-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\rdriv.sys"
ServiceFilter.zip
- unzip
- scan
- copy POST_THIS.TXT
Service Name: shost.exe
Display Name: shost.exe
Start Mode: Auto
Start Name: LocalSystem
Description: Platform SDK ...
Service Type: Own Process
Path: "c:\windows\shost.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1067
Accept Pause: Falsch
Accept Stop: Falsch
datfind.bat
C:\WINDOWS\system32
28.11.2005 14:35 7.168 rdriv.sys
05.11.2005 11:24 0 TFTP6656
03.11.2005 22:18 0 eraseme_02655.exe
03.11.2005 22:18 73 i
03.11.2005 22:08 107.520 MsMicroSoft.exe
03.11.2005 18:55 117.668 WMTX.exe
02.11.2005 18:00 9.736 csrssv.exe
02.11.2005 17:59 44.544 TFTP3736
C:\WINDOWS
05.11.2005 11:11 245.760 shost.exe
C:\
24.11.2005 20:04 23.936 zuni.exe
HijackThis
O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\Run: [MicroSoft] MsMicroSoft.exe
O4 - HKLM\..\Run: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe
O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
O23 - Service: shost.exe - Unknown owner - C:\WINDOWS\shost.exe