dllmgr64.exe, win32host.exe, pnpsp2fix.exe, WinSys32s.exe, msbitsec.exe, mscn.exe



HijackThis

O23 - Service: dllmgr64 - Unknown owner - D:\WINDOWS\dllmgr64.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\dllmgr64

Unknown Service # 3
Service Name: dllmgr64
Display Name: dllmgr64
Start Mode: Disabled
Start Name: LocalSystem
Description: Windows 64bit DLL ...
Service Type: Own Process
Path: "c:\windows\dllmgr64.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DLLMGR64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dllmgr64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DLLMGR64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dllmgr64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DLLMGR64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dllmgr64



W32/Tilebot-FE

http://www.sophos.de/security/analyses/w32tilebotfe.html

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Win32Kernel

HijackThis

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe

Unknown Service
Service Name: Win32Kernel
Display Name: Win32 Kernel Update
Start Mode: Disabled
Start Name: LocalSystem
Description: Win32 OS ...
Service Type: Own Process
Path: "c:\windows\win32host.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel



Verzeichnis von C:\WINDOWS
06.05.2006 13:49 34.384 win32host.exe

Verzeichnis von C:\WINDOWS\system32
06.05.2006 15:58 0 TFTP1616
06.05.2006 15:58 0 TFTP632


HijackThis

F2 - REG:system.ini: Shell=Explorer.exe winservnt32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,winservnt32.exe

O4 - HKLM\..\Run: [Windows Ndis Driver] WinSys32s.exe
O4 - HKLM\..\Run: [Error Reporting Service] mdmm.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKLM\..\Run: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe
O4 - HKLM\..\RunServices: [Windows Ndis Driver] WinSys32s.exe
O4 - HKLM\..\RunServices: [Error Reporting Service] mdmm.exe
O4 - HKLM\..\RunServices: [Windows Ndis Device] cfgwin.exe
O4 - HKCU\..\Run: [Windows Ndis Driver] WinSys32s.exe
O4 - HKCU\..\Run: [Windows Ndis Device] cfgwin.exe
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe

O23 - Service: Microsoft Background Intelligent Transfer Update Version 2.0 (MBIT) - Unknown owner - C:\WINDOWS\system32\msbitsec.exe

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe

O23 - Service: Windows Ndis Driver (zions.game-host.org) - Unknown owner - C:\WINDOWS\System32\WinSys32s.exe" -netsvcs


datfindbat

Verzeichnis von C:\WINDOWS\system32

30.08.2006 20:40 189.440 83033_netapi.exe
24.12.2005 15:29 71 i
18.12.2005 19:20 238.080 msbitsec.exe
15.11.2005 19:43 0 TFTP3248
10.11.2005 17:45 0 eraseme_31530.exe

Verzeichnis von C:\

03.11.2005 15:03 130.681 lc.exe


Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop using 'Save as'; set the file type to 'All files'. You should now find this file on the desktop. Double-click "fixme.reg" on the desktop and confirm merging it into the registry with "ja" or "yes".

REGEDIT4

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-
"Ms Update WinServices NT/XP"=-

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-
"Ms Update WinServices NT/XP"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-



Avenger

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SP2PNPFIX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SP2PNPFIX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SP2PNPFIX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sp2pnpfix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sp2pnpfix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp2pnpfix

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZIONS.GAME-HOST.ORG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZIONS.GAME-HOST.ORG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZIONS.GAME-HOST.ORG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zions.game-host.org
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zions.game-host.org
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zions.game-host.org

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MBIT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT

Files to delete:
C:\WINDOWS\system32\winsys32s.exe
C:\WINDOWS\system32\pnpsp2fix.exe
C:\WINDOWS\system32\msbitsec.exe
C:\WINDOWS\System32\msijavaupdt32.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\TFTP3248
C:\WINDOWS\system32\eraseme_31530.exe
C:\lc.exe



ServiceFilter.zip

Unknown Service
Service Name: MBIT
Display Name: Microsoft Background Intelligent Transfer Update Version 2.0
Start Mode: Auto
Start Name: LocalSystem
Description: Transfers data between clients and servers in the background. If BITS is disabled, features such ...
Service Type: Own Process
Path: "c:\windows\system32\msbitsec.exe"


Unknown Service
Service Name: sp2pnpfix
Display Name: Plug-n-Play SP2 Fix
Start Mode: Auto
Start Name: LocalSystem
Description: Plug-n-Play SP2 Fix stays memory resident in order to ensure ...
Service Type: Own Process
Path: "c:\windows\system32\pnpsp2fix.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch


Unknown Service
Service Name: zions.game-host.org
Display Name: Windows Ndis Driver
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\winsys32s.exe" -netsvcs
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

----------------------------------------------------------------

Combofix

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"
"Ms Update WinServices NT/XP"="winservnt32.exe"


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"
"Ms Update WinServices NT/XP"="winservnt32.exe"


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"




O23 - Service: Windows Debug Management - Unknown owner - C:\WINDOWS\system32\mscn.exe

avenger
http://virus-protect.org/artikel/tools/avenger.html

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_DEBUG_MANAGEMENT\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Debug Management
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_DEBUG_MANAGEMENT\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Debug Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_MANAGEMENT\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug Management

Files to delete:
C:\WINDOWS\system32\mscn.exe





O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\System32\wgareg.exe

http://www.avira.com/de/threats/section/fulldetails/id_vir/2490/worm_ircbot.9609.html


Unknown Service
Service Name: wgareg
Display Name: Windows Genuine Advantage Registration Service
Start Mode: Auto
Start Name: LocalSystem
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this ...
Service Type: Own Process
Path: c:\windows\system32\wgareg.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch


avenger
http://virus-protect.org/artikel/tools/avenger.html

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg

Files to delete:
c:\windows\system32\wgareg.exe





O23 - Service: mtc l32 (mtcl32) - Unknown owner - C:\WINDOWS\mtcls32.exe

Service Name: mtcl32
Display Name: mtc l32
Start Mode: Auto
Start Name: LocalSystem
Description: micro soft ...
Service Type: Own Process
Path: "c:\windows\mtcls32.exe"
State: Running
Process ID: 1692
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False


mtcls32.exe

AntiVir 7.1.1.16 09.09.2006 HEUR/Crypted
BitDefender 7.2 09.10.2006 GenPack:Generic.Sdbot.60DB92F5
CAT-QuickHeal 8.00 09.09.2006 (Suspicious) - DNAScan
Panda 9.0.0.4 09.10.2006 W32/Sdbot.IDB.worm
VirusBuster 4.3.7:9 09.10.2006 Worm.SdBot.CRK



registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mtcl32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32

Files to delete:
C:\WINDOWS\mtcls32.exe
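Every Avenger block above follows the same pattern: for each rogue O23 service, delete Enum\Root\LEGACY_<NAME> and Services\<name> under each control set, then delete the image file. As an added example (not code from this page or from the Avenger tool), this Python script derives that removal list from HijackThis O23 lines; the control-set list is an assumption and has to be checked against HKLM\SYSTEM\Select on the affected machine.

```python
import re

# HijackThis O23 line, as in the logs above (the parenthesised service name is
# absent when it equals the display name):
#   O23 - Service: <display name> (<service name>) - <owner> - <image path>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")
# The image path may be quoted and carry arguments (e.g. ...winsys32s.exe" -netsvcs).
EXE_RE = re.compile(r'^"?(?P<file>.+?\.exe)', re.IGNORECASE)
# Assumption: read the real set list from HKLM\SYSTEM\Select; the page uses 001/002 or 001/003.
DEFAULT_CONTROL_SETS = ("ControlSet001", "ControlSet002", "CurrentControlSet")

def parse_o23(line):
    """Split one O23 line into service name, display name, LEGACY_ enum key and image file."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    service = m.group("short") or display
    exe = EXE_RE.match(m.group("path"))
    image = exe.group("file") if exe else m.group("path").strip('"').split(" ")[0]
    # The PnP root enumerator key for a legacy service is LEGACY_<NAME>, upper case,
    # spaces turned into underscores (e.g. LEGACY_WINDOWS_DEBUG_MANAGEMENT).
    legacy = "LEGACY_" + service.upper().replace(" ", "_")
    return {"service": service, "display": display, "legacy": legacy, "image": image}

def avenger_script(o23_lines, control_sets=DEFAULT_CONTROL_SETS):
    """Build the 'registry keys to delete' / 'Files to delete' text used with Avenger above."""
    keys, files = [], []
    for line in o23_lines:
        entry = parse_o23(line)
        if entry is None:
            continue  # not an O23 line; other HijackThis sections are ignored
        for cs in control_sets:
            keys.append(f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Enum\\Root\\{entry['legacy']}")
            keys.append(f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Services\\{entry['service']}")
        files.append(entry["image"])
    return "\n".join(["registry keys to delete:", *keys, "", "Files to delete:", *files])

# Constructed input: O23 lines copied from the logs on this page.
SAMPLE_O23 = [
    "O23 - Service: Windows Debug Management - Unknown owner - C:\\WINDOWS\\system32\\mscn.exe",
    "O23 - Service: mtc l32 (mtcl32) - Unknown owner - C:\\WINDOWS\\mtcls32.exe",
    'O23 - Service: Windows Ndis Driver (zions.game-host.org) - Unknown owner - '
    'C:\\WINDOWS\\System32\\WinSys32s.exe" -netsvcs',
]

if __name__ == "__main__":
    print(avenger_script(SAMPLE_O23))
```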



