Command Service, timessquare.exe, unstall.exe, drsmartload.dat, timessquare1.dat


timessquare.exe, unstall.exe, drsmartload.dat, timessquare1.dat, ntlc42.exe
uwhjjgm.exe, scvhost.exe, evjarn.exe
dhyyo.exe, wincntrl.exe, tsuninst.exe, index1.exe, a.bmp, dxdllreg.exe






HijackThis

O4 - HKLM\..\RunServicesOnce: [capscanuninstall] "C:\WINDOWS\command.com" /c del "C:\DOKUME~1\User\LOKALE~1\Temp\uninstal.exe"


Example:

Combofix: run Combofix

datfindbat

Verzeichnis von C:\WINDOWS
05.12.2005 16:15 41.216 timessquare.exe
05.12.2005 12:25 32.768 unstall.exe
05.12.2005 12:25 188 iaPXSWOD.ini
05.12.2005 12:24 2 tempf.txt
04.12.2005 19:53 33.376 DIIUnin.dat
04.12.2005 19:48 38 drsmartload.dat
04.12.2005 19:46 0 timessquare1.dat
04.12.2005 19:12 2.829 DIIUnin.pif
04.12.2005 19:12 102.400 DIIUnin.exe

Verzeichnis von C:\WINDOWS\system32
05.12.2005 14:10 133.913 ntlc42.exe.vir
05.12.2005 14:08 154 log.~
05.12.2005 12:25 82 key.~
05.12.2005 12:25 2.118 data.~
05.12.2005 12:24 557.108 awtsr.dll
04.12.2005 19:49 687.592 atmtd.dll
04.12.2005 19:49 687.592 atmtd.dll._
04.12.2005 19:36 236.032 wincntrl.exe.vir
04.12.2005 19:33 71 i
04.12.2005 19:17 90.624 uwhjjgm.exe
04.12.2005 19:15 147.225 tjpwqfuh.exe
04.12.2005 19:14 52.505 scvhost.exe.vir
04.12.2005 19:14 147.225 evjarn.exe
04.12.2005 19:14 90.624 dhyyo.exe
04.12.2005 18:57 0 TFTP3764
04.12.2005 18:52 25.941 NULL
04.12.2005 18:52 16.832 amcompat.tlb
04.12.2005 18:52 23.392 nscompat.tlb
02.11.2005 00:44 127.574 tsuninst.exe

Verzeichnis von C:\
05.12.2005 14:39 16.384 index1.exe
05.12.2005 14:10 446 a.bmp


O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\czRtM3Q\command.exe
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)

C:\WINDOWS\czRtM3Q\command.exe

L2mfix: run L2mfix and work through Option 2
http://virus-protect.org/l2mfix.html


Avenger

Registry keys to delete: 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Files to delete: 
%windir%\system32\guard.tmp
%windir%\system32\kqdtat.dll
%windir%\system32\t8r8li9u18.dll
%windir%\system32\lv4o09h3e.dll
%windir%\system32\fpjm0311e.dll
%windir%\system32\nqrsda.dll
%windir%\system32\enj4l11q1.dll
%windir%\system32\hr0205doe.dll
%windir%\system32\l20ulcd91f0.dll
%windir%\system32\dn6m01j1e.dll
%windir%\iun6002.exe
%windir%\winsysupd1.dat
%windir%\enewsletterpro1.dat
%windir%\winsysban.exe
%windir%\winsysupd.exe
%windir%\timessquare1.dat
%windir%\banmanpro.exe
%windir%\enewsletterpro.exe
%windir%\uninstall_nmon.vbs
%windir%\tool2.exe
%windir%\kl.exe
%windir%\uniq
%windir%\datanrzzzqwuwzu.log
%windir%\drsmartloadb1.dat
%windir%\bytespersecond.dat
%windir%\adtech2006.exe
%windir%\msresearch1.dat
%windir%\adtech2005.exe
%windir%\rfk5.bin
%windir%\pcup23467.dat
%windir%\setuperr.log
%windir%\sp2update00.exe
%windir%\drsmartload.dat
%windir%\teller2.chk
%windir%\msresearch.exe

Folders to delete: 
%windir%\czRtM3Q


HijackThis: open HijackThis, click the "Scan" button, tick the boxes in front of the malware entries, click "Fix checked", then restart the PC.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\nqrsda.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFudWVs\command.exe (file missing)


CCleaner: run CCleaner and delete the temporary files

datfindbat

Verzeichnis von C:\WINDOWS\system32
01/18/2006 11:25 PM 234,621 guard.tmp
01/18/2006 11:22 PM 234,621 kqdtat.dll
01/18/2006 11:19 PM 234,272 t8r8li9u18.dll
01/18/2006 01:32 PM 234,621 lv4o09h3e.dll
01/16/2006 03:46 PM 234,272 fpjm0311e.dll
01/16/2006 03:38 PM 234,272 nqrsda.dll
01/16/2006 03:38 PM 235,683 enj4l11q1.dll
01/16/2006 12:54 AM 235,604 hr0205doe.dll
01/15/2006 11:46 PM 234,272 l20ulcd91f0.dll
12/28/2005 08:20 PM 248 systemdrv32.aso
10/20/2005 11:40 PM 235,263 dn6m01j1e.dll

Verzeichnis von C:\WINDOWS
01/15/2006 12:42 PM 0 winsysupd1.dat
01/14/2006 10:45 PM 0 enewsletterpro1.dat
01/14/2006 10:45 PM 69,888 winsysban.exe
01/14/2006 10:45 PM 45,312 winsysupd.exe
01/06/2006 12:42 AM 0 timessquare1.dat
01/06/2006 12:42 AM 69,888 banmanpro.exe
01/06/2006 12:42 AM 41,216 enewsletterpro.exe
01/03/2006 05:45 PM 1,989 uninstall_nmon.vbs
01/02/2006 08:02 PM 32,256 tool2.exe
01/02/2006 08:02 PM 72,809 kl.exe
01/02/2006 08:02 PM 0 uniq
01/02/2006 02:20 PM 19 powerplayer.ini
12/31/2005 12:04 PM 4 datanrzzzqwuwzu.log
12/24/2005 09:33 AM 0 drsmartloadb1.dat
12/19/2005 09:17 PM 183,296 NDNuninstall7_14.exe
12/17/2005 10:57 PM 4 bytespersecond.dat
12/01/2005 10:04 PM 69,888 adtech2006.exe
11/26/2005 12:11 AM 4,096 d3dx.dat
11/20/2005 01:32 PM 0 msresearch1.dat
11/20/2005 01:32 PM 69,888 adtech2005.exe
11/01/2005 12:30 PM 182,272 NDNuninstall6_98.exe
10/26/2005 01:59 PM 4 rfk5.bin
10/26/2005 01:59 PM 4 pcup23467.dat
10/20/2005 09:31 AM 22,368 sp2update00.exe
10/20/2005 09:30 AM 38 drsmartload.dat
10/20/2005 09:30 AM 40 teller2.chk
10/20/2005 09:29 AM 40,176 msresearch.exe


Spysweeper: scan with Spysweeper (trial)
http://virus-protect.org/spysweeper.html

L2mfix: run L2mfix and work through Option 2
http://virus-protect.org/l2mfix.html

HostsXpert: run HostsXpert




Link: Command
Link: secure_32

