rdriv.sys
shost.exe
scchost.exe

The file rdriv.sys is detected as Troj/Rootkit-W.

Next: Start -- Run -- regedit

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv

Next: datfindbat

Verzeichnis von C:\WINDOWS\system32

08.11.2005 19:19 1.328 npqss.ini
08.11.2005 19:11 28.672 scchostc.exe
08.11.2005 19:11 6.144 scchost.exe
08.11.2005 18:15 7.168 rdriv.sys
08.11.2005 16:43 71 i
08.11.2005 09:40 0 winsecure.exe

Verzeichnis von C:\WINDOWS

08.11.2005 16:43 35.132 windat.exe

Next: http://www.sophos.com

The following service entries are set (a Start value of 4 disables the service):

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

[HKEY_USERS\S-1-5-21-602162358-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"b"="C:\\WINDOWS\\system32\\rdriv.sys"

[HKEY_USERS\S-1-5-21-602162358-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\rdriv.sys"

Next: ServiceFilter.zip

- unzip
- scan
- copy POST_THIS.TXT

Service Name: shost.exe
Display Name: shost.exe
Start Mode: Auto
Start Name: LocalSystem
Description: Platform SDK ...
Service Type: Own Process
Path: "c:\windows\shost.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1067
Accept Pause: Falsch
Accept Stop: Falsch

Next: datfindbat

C:\WINDOWS\system32
28.11.2005 14:35 7.168 rdriv.sys
05.11.2005 11:24 0 TFTP6656
03.11.2005 22:18 0 eraseme_02655.exe
03.11.2005 22:18 73 i
03.11.2005 22:08 107.520 MsMicroSoft.exe
03.11.2005 18:55 117.668 WMTX.exe
02.11.2005 18:00 9.736 csrssv.exe
02.11.2005 17:59 44.544 TFTP3736

C:\WINDOWS
05.11.2005 11:11 245.760 shost.exe

C:\
24.11.2005 20:04 23.936 zuni.exe

Next: HijackThis

O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\Run: [MicroSoft] MsMicroSoft.exe
O4 - HKLM\..\Run: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe
O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
O23 - Service: shost.exe - Unknown owner - C:\WINDOWS\shost.exe
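As an added example (not code from virus-protect.org, Sophos or any of the tools named above), the following PowerShell script audits a machine for the indicators collected on this page: the rdriv and shost.exe service keys, the registry values the trojan sets, the files from the datfindbat listings and the autorun entries from the HijackThis log. It is read-only and changes nothing; it assumes a default %SystemRoot% and uses only file and value names that appear on this page.

```powershell
# Added example: read-only audit for the Troj/Rootkit-W indicators listed on this page.
# Run from an elevated PowerShell prompt. Nothing is deleted or modified.

$findings = @()

# 1. Service keys the rootkit and its companion service register.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\rdriv',
    'HKLM:\SYSTEM\CurrentControlSet\Services\shost.exe'
)
foreach ($k in $serviceKeys) {
    if (Test-Path $k) { $findings += "service key present: $k" }
}

# The LEGACY_RDRIV enum key was seen under ControlSet001 and ControlSet003,
# so check every ControlSet* rather than only the current one.
Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    ForEach-Object {
        $legacy = "HKLM:\SYSTEM\$($_.PSChildName)\Enum\Root\LEGACY_RDRIV"
        if (Test-Path $legacy) { $findings += "legacy enum key present: $legacy" }
    }

# 2. Registry values the trojan sets (key, value name, value it writes).
# Several of these are also legitimate hardening settings, so treat a match
# as corroborating evidence, not proof on its own.
$valueChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';       Name = 'Start';            Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry';  Name = 'Start';            Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';         Name = 'Start';            Bad = 4 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2';  Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                            Name = 'EnableDCOM';       Bad = 'N' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';              Name = 'restrictanonymous'; Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings'
       Name = 'ProxyEnable'; Bad = 1 }
)
foreach ($c in $valueChecks) {
    $p = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $p -and "$($p.$($c.Name))" -eq "$($c.Bad)") {
        $findings += "value set: $($c.Key)\$($c.Name) = $($c.Bad)"
    }
}

# 3. Files named in the datfindbat listings on this page.
$files = @(
    "$env:SystemRoot\system32\rdriv.sys",
    "$env:SystemRoot\system32\scchost.exe",
    "$env:SystemRoot\system32\scchostc.exe",
    "$env:SystemRoot\system32\WMTX.exe",
    "$env:SystemRoot\system32\MsMicroSoft.exe",
    "$env:SystemRoot\system32\csrssv.exe",
    "$env:SystemRoot\shost.exe",
    "$env:SystemRoot\windat.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $i = Get-Item -LiteralPath $f -Force
        $findings += "file present: $f ($($i.Length) bytes, modified $($i.LastWriteTime))"
    }
}

# 4. Autorun value names from the HijackThis O4 lines.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$runNames = @('Microsoft Layer Service', 'MicroSoft', 'Microsoft DLL Verifier')
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($n in $runNames) {
        if ($p -and $p.PSObject.Properties[$n]) {
            $findings += "autorun: $k\$n = $($p.$n)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Troj/Rootkit-W indicators from this page were found.' }
else { $findings }
```

Because rdriv.sys is a kernel-mode rootkit, a running infection can hide its own files and registry keys from user-mode tools such as this script; an empty result therefore does not clear the machine, which is why the page relies on offline listings (datfindbat, ServiceFilter, HijackThis) as well. Any hit should be confirmed with an up-to-date scanner before anything is removed.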

virus-protect.org