pro3_install.exe
taskmngr32.exe
deskbar.dll
netmon.exe
winmgr.exe



pro3_install.exe , taskmngr32.exe , deskbar.dll , netmon.exe , winmgr.exe

HijackThis

O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINNT\winmgr.exe


Combofix anwenden

((((((((((((((((((((((((((((((( Files Created from 2006-09-30 to 2006-10-30 ))))))))

2006-10-30 18:10 492,211 ---hs---- C:\WINNT\system32\xycdd.bak1
2006-10-30 18:10 110,612 --a------ C:\WINNT\system32\cgeqgvtv.exe
2006-10-30 18:09 688,180 ---hs---- C:\WINNT\system32\ddcyx.dll
2006-10-30 17:38 24,576 --a------ C:\mc44a43.exe
2006-10-30 17:37 32,768 --a------ C:\DXC9.exe
2006-10-30 17:37 266,240 --a------ C:\yz02.exe
2006-10-30 17:36 175,900 --a------ C:\pro3_install.exe
2006-10-30 09:18 63,248 --a------ C:\WINNT\system32\SC.EXE
2006-10-29 12:10 94,720 -r-hs---- C:\WINNT\winmgr.exe

C:\WINNT\System32\Com
12/07/2006 23:59 94 install.bat

weiter Avenger (Beispiel)

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_MAN_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Man Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_MAN_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Man Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MAN_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Man Service
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx

Files to delete:
%windir%\system32\xycdd.ini
%windir%\system32\iifdbyv.dll
%windir%\system32\cgeqgvtv.exe
%windir%\system32\xycdd.bak1
%windir%\system32\ddcyx.dll
%windir%\system32\SC.EXE
%windir%\winmgr.exe
C:\pro3_install.exe
C:\mc44a43.exe
C:\yz02.exe
C:\DXC9.exe
%windir%\Temp\removalfile.bat
%windir%\System32\Com\install.bat
%windir%\system32\Com\dreve.exe


anderer PC

HijackThis

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programme\Deskbar\deskbar.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\qomjigg.dll
O2 - BHO: (no name) - {A5B8C341-81AB-4D14-BB10-17C16E26C328} - C:\WINNT\system32\yayaw.dll (file missing)

O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - HKLM\..\Run: [Task Manager Win32] C:\WINNT\system32\taskmngr32.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\m6nqlg5516.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\o6lulg3916.dll
O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINNT\win32host.exe
O23 - Service: 27037 - Unknown owner - \\84.57.213.153\Admin$\eraseme_24845.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QXJub2xk\command.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINNT\winlogon.exe


Verzeichnis von C:\WINNT
15.09.2006 19:20 95.232 winlogon.exe
15.09.2006 19:20 95.232 eraseme_24845.exe

Verzeichnis von C:\
01.10.2006 14:11 175.900 pro3_install.exe
28.09.2006 22:35 37.376 iexplorer.exe

C:\WINNT\system32
01.10.2006 14:50 81.984 bdod.bin
01.10.2006 11:12 0 atmtd.dll.tmp
27.09.2006 19:56 37.376 taskmngr32.exe
17.09.2006 20:14 12.068 ycey.exe
17.09.2006 20:14 0 TFTP2616

weiter Combofix

((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{417DA1ED-2861-4BD0-A118-9926642C4F76}] @=""

FILES REMOVED:

C:\WINNT\system32\dbctl.dll
C:\WINNT\system32\dnr4019qe.dll
C:\WINNT\system32\erent.dll

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))

C:\dfndrff_e15.exe
C:\dfndrff_e16.exe
C:\dfndrff_e17.exe
C:\dfndrff_e18.exe
C:\dfndrff_e19.exe
C:\drsmartload.exe
C:\drsmartload45a45a45o.exe
C:\drsmartload45a45a45p.exe
C:\deskbar.exe
C:\deskbar4.exe
C:\deskbar7.exe
C:\deskbar8.exe
C:\deskbar_e18.exe
C:\deskbar_e19.exe
C:\MTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\nwnmff_e19.exe
C:\mte3ndi6odoxng.exe
C:\WINNT\uninstall_nmon.vbs
C:\Dokumente und Einstellungen\%Username%\Anwendungsdaten\NetMon
C:\Programme\Deskbar
C:\Programme\network monitor
C:\WINNT\QXJub2xk

((((((((((((((((((((((((((((((( Files Created from 2006-09-01 to 2006-10-01 ))))))))))))

2006-10-01 09:44 175,900 --a------ C:\pro3_install.exe
2006-10-01 09:31 13,904 --a------ C:\WINNT\system32\drivers\hidusb.sys
2006-10-01 09:31 11,728 --a------ C:\WINNT\system32\drivers\mouhid.sys
2006-09-27 19:56 37,376 --a------ C:\WINNT\system32\taskmngr32.exe
2006-09-26 22:31 45,525 --a------ C:\WINNT\system32\ruowydfa.dll
2006-09-24 20:38 42,736 --a------ C:\WINNT\icont.exe
2006-09-20 21:30 159,232 --a------ C:\WINNT\system32\awfull.dll
2006-09-19 21:53 50,912 --a------ C:\WINNT\iconu.exe
2006-09-18 21:09 37,376 --a------ C:\iexplorer.exe
2006-09-17 20:25 578,560 --a------ C:\Installer4.exe
2006-09-17 20:14 12,068 --ah----- C:\WINNT\system32\ycey.exe
2006-09-17 20:09 95,232 -rahs---- C:\WINNT\eraseme_24845.exe
2006-09-17 20:09 95,232 ---hs---- C:\WINNT\winlogon.exe

---------------

C:\Dokumente und Einstellungen\Default User.WINNT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IT65IXWT\deskbar_e[1].exe/deskbar.exe Infizierte Objekte: not-a-virus:AdWare.Win32.Softomate.r
C:\Dokumente und Einstellungen\Default User.WINNT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IT65IXWT\installer[1].exe/Stream/data0002 Infizierte Objekte: Trojan-Clicker.Win32.VB.fo
C:\Dokumente und Einstellungen\Default User.WINNT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GTIXCTGL\pro[1].exe/data.rar Infizierte Objekte: not-a-virus:AdWare.Win32.Virtumonde.cz
C:\Dokumente und Einstellungen\Default User.WINNT\Lokale Einstellungen\Temporary Internet Files\Content.IE5\03AXKVMF\AppWrap[1].exe Infizierte Objekte: not-a-virus:AdWare.Win32.AdURL.c


Service Name: 27037
Display Name: 27037
Start Mode: Manual
Start Name: LocalSystem
Description: 27037...
Service Type: Share Process
Path: \\84.57.213.153\admin$\eraseme_24845.exe

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINNT\win32host.exe

Service Name: Win32Kernel
Display Name: Win32 Kernel Update
Start Mode: Auto
Start Name: LocalSystem
Description: Win32 Kernel ...
Service Type: Own Process
Path: "c:\winnt\win32host.exe"

Service Name: Windows Spooler Service
Display Name: Microsoft Windows Spooler Service
Start Mode: Auto
Start Name: LocalSystem
Description: Microsoft Windows Spooler ...
Service Type: Own Process
Path: "c:\winnt\winlogon.exe"

weiter Avenger

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B8C341-81AB-4D14-BB10-17C16E26C328}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_SPOOLER_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Spooler Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_SPOOLER_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Spooler Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDOWS_SPOOLER_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Spooler Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SPOOLER_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Spooler Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_27037
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\27037
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_27037
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\27037
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_27037
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\27037

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_MAN_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Man Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_MAN_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Man Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MAN_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Man Service

Files to delete:
%windir%\system32\qomjigg.dll
%windir%\winlogon.exe
%windir%\win32host.exe
%windir%\eraseme_24845.exe
%windir%\icont.exe
%windir%\iconu.exe
%windir%\system32\awfull.dll
%SYSTEMDRIVE%\pro3_install.exe
%SYSTEMDRIVE%\iexplorer.exe
%SYSTEMDRIVE%\Installer4.exe
%windir%\system32\ruowydfa.dll
%windir%\system32\atmtd.dll.tmp
%windir%\system32\taskmngr32.exe
%windir%\system32\ycey.exe
%windir%\system32\TFTP2616

Folders to delete:
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GTIXCTGL
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temporary Internet Files\Content.IE5\03AXKVMF
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IT65IXWT
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temporary Internet Files\Content.IE5\87QX09Q9





