|
|
|
integitor.exe, msgfix.exe, winsN320.exe, wnplayer.exe
Link: upnp_exe
hijackthis
O4 - HKLM\..\Run: [Secure System] integitor.exe
O4 - HKLM\..\RunServices: [Secure System] integitor.exe
O23 - Service: Secure System - Unknown owner - C:\WINNT\system32\integitor.exe"
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)
Secure System
in edit und klicke "Ok".
Notepad wird sich oeffnen
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System]
[HKEY_USERS\S-1-5-21-1454471165-1343024091-1060284298-500\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="integitor.exe"
Start - Ausfuehren - regedit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECURE_SYSTEM\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SECURE_SYSTEM\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECURE_SYSTEM\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System
|
Sollte man Probleme haben, die Einträge zu löschen,
Klicke auf Bearbeiten-->Berechtigung und klicke dann auf Vollzugriff -->[Übernehmen] und auf [OK]. Erneuter [Rechtsklick] auf den Schlüssel und versuche diesen zu löschen.
C:\WINNT\system32\msgfix.exe -> "Backdoor.Win32.SdBot.gen" Virus!
C:\WINNT\system32\winsN320.exe -> "Backdoor.Win32.Rbot.gen
einen virus/trojaner/hijacker oder ähnliches auf meienm pc! jedesmal wenn ich ins netz gehen faengt der pc nach ca 10 minuten an kleinere programme wie zb: wmedia.exe / wnplayer.exe / bigoj.exe usw. runterzuladen bzw zu starten.
wnplayer.exe
BitDefender Backdoor.SDBot.23058FD8 gefunden
ClamAV Worm.Mytob.BP gefunden
Dr.Web Win32.HLLW.ForBot.based gefunden
F-Prot Antivirus unknown virus gefunden (mögliche Variante)
Fortinet W32/SDBot.01AC-net gefunden
Kaspersky Anti-Virus Backdoor.Win32.SdBot.gen gefunden
NOD32 probably unknown NewHeur_PE gefunden mögliche Variante
Norman Virus Control Sandbox: W32/Backdoor; [ General information ]
* File length: 45594 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\wnplayer.exe.
[ Changes to registry ]
* Creates value "wnplayer"="wnplayer.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "wnplayer"="wnplayer.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "wnplayer"="wnplayer.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Connects to "hlserv.no-ip.info" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname [Dns]-767253.
* IRC: Uses username [Dns]-043800.
* IRC: Joins channel #more1.
* IRC: Sets the usermode for user [Dns]-767253 to +i.
[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.
[ Process/window information ]
* Creates a mutex sdf.
* Will automatically restart after boot (I'll be back...). gefunden
|
|
