wurmd.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe
O23 - Service: Windows User Mode Drivers (WUMD) - Unknown owner - C:\WINDOWS\system32\wumd.exe
ewido
C:\WINDOWS\system32\wumd.exe -> Backdoor.SdBot.anx
http://www.sophos.de/virusinfo/analyses/w32agobottb.html
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS_Update Check
wdfmgr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS_Update Check
wdfmgr.exe
[wdfmgr.exe]
ModuleName : F:\WINDOWS.1\System32\wdfmgr.exe
Command Line : F:\WINDOWS.1\System32\wdfmgr.exe
ProcessID : 1224
ThreadCreationTime : 19.05.2005 23:33:19
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
But in this case it is: Windows User Mode Driver Framework (UMWdf), so it does not belong to MS..... ???? or ????
User-Mode Driver Framework
The user-mode driver framework implements a subset of the kernel-mode framework functionality, including support for Plug and Play, power management, and asynchronous I/O.
Using the user-mode framework, developers can create drivers for network-connected devices and some USB devices, such as portable media players, cameras, and cell phones. Although these drivers run in user mode, they will be standard Plug and Play drivers that the system finds and installs in the same way as kernel-mode Plug and Play drivers.
The user-mode driver framework will be supported on Windows Longhorn
http://www.microsoft.com/whdc/driver/wdf/wdf-intro.mspx
Start -- Run -- regedit (type it in)
Edit - Find - WUMD
If you have trouble deleting the entries,
Legacy_ ..... cannot be deleted. Error while deleting key,
then right-click and choose "Permissions" from the context menu. Tick "Allow Full Control",
Apply, OK
After that the key(s) in question should be deletable.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUMD\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUMD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WUMD\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WUMD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUMD\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WUMD
Edit - Find - UMWdf
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UMWDF\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UMWdf
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_UMWDF\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UMWdf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UMWDF\0000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdf]
Restart the PC
scan:
http://www.f-secure.com/tools/f-bot.exe
scan with Kaspersky and Bitdefender
http://virus-protect.org/onlinescan.html
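Before deleting anything, it helps to see where each of the autostart entries and services named above actually points and whether that binary is signed by Microsoft. The following PowerShell script is an added triage example, not part of the original thread or of any tool mentioned in it; it assumes the Run/RunServices keys and the UMWdf/WUMD service names from the HijackThis lines above, only reads the registry, and changes nothing.

```powershell
# Added triage script (not from the original post). It lists the autostart
# values and service image paths named in the thread and reports each binary's
# Authenticode signature status and version information, so the legitimate
# Microsoft "Windows User Mode Driver Manager" (wdfmgr.exe) can be told apart
# from a look-alike dropped by a bot. Run from an elevated PowerShell.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$services = @('UMWdf', 'WUMD')   # service names taken from the O23 lines above

function Test-Binary {
    param([string]$Path)
    # Extract the executable from a command line: quoted path, or first token
    if ($Path -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Path -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { return "$exe : file not found" }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $ver = (Get-Item -LiteralPath $exe).VersionInfo
    return "{0} : signature={1} company='{2}' description='{3}'" -f `
        $exe, $sig.Status, $ver.CompanyName, $ver.FileDescription
}

# Autostart values: every value name under Run and RunServices
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own note properties
        Write-Output "[$key] $($p.Name) -> $(Test-Binary $p.Value)"
    }
}

# Services and the LEGACY_* Enum keys the post tells the user to delete
foreach ($svc in $services) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey).ImagePath
        Write-Output "[service $svc] ImagePath=$img -> $(Test-Binary $img)"
    } else {
        Write-Output "[service $svc] not present"
    }
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($svc.ToUpper())"
    if (Test-Path $legacy) { Write-Output "[enum] $legacy present (listed only, not removed)" }
}
```

A binary whose version block claims "Microsoft Corporation" but whose signature status is not Valid, or whose service entry points into a path other than the expected System32 location, is the one to treat as suspect; a valid Microsoft signature on wdfmgr.exe would support leaving the UMWdf service alone and removing only the bot's own entries. Service ImagePath values that use kernel-style prefixes such as \SystemRoot\ are not expanded by this script and will be reported as not found.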
C:\WINDOWS\LastGood\Downloaded Program Files\start.INF
Infected with: Trojan.Dagonit.INF
C:\WINDOWS\system32\o
Suspected of: Backdoor.BotGet.FtpB.Gen
C:\WINDOWS\system32\vbnet.ini
Infected with: Backdoor.BotGet.FtpB.Gen
-----------------------------------------------------
datfindbat
Verzeichnis von C:\WINDOWS\system32
30.03.2006 14:06 82 vbnet.ini