Virtumonde
TrojanDownloader.ConHook, Virtumonde popups: "NOTICE: If your computer has errors in the registry database...", "Would you like to install WinFixer 2005...", etc.

Trojan-Downloader.ConHook

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\cbxxu.dll
O20 - Winlogon Notify: cbxxu - C:\WINDOWS\SYSTEM32\cbxxu.dll

l2mfix\report.txt
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

C:\WINDOWS\SYSTEM32\
cbxxu.dll  Thu 25 Aug 2005  0:36:28  .....  25.088  24,50 K

O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\sstts.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: sstts - C:\WINDOWS\SYSTEM32\sstts.dll

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awvts]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\awvts.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljji]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\mljji.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttr]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\ssttr.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sstts]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\sstts.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

Directory of C:\WINDOWS\System32

31/08/2005  12:17 AM         181,305 stvwa.ini
30/08/2005  08:10 PM         179,148 stvwa.bak2
30/08/2005  07:12 PM             303 srqss.ini
30/08/2005  07:12 PM         516,116 ssqrs.dll
30/08/2005  07:03 PM         180,714 hjllm.ini
30/08/2005  07:03 PM             303 qtutv.ini
30/08/2005  07:03 PM         516,116 vtutq.dll
30/08/2005  06:57 PM             303 rttss.ini
30/08/2005  06:57 PM         516,116 ssttr.dll
30/08/2005  06:52 PM             303 sttss.ini
30/08/2005  06:52 PM         516,116 sstts.dll
30/08/2005  05:20 PM             303 bccdd.ini
30/08/2005  05:20 PM         516,116 ddccb.dll
30/08/2005  05:04 PM             303 ijjlm.ini
30/08/2005  05:04 PM         516,116 mljji.dll
30/08/2005  04:33 PM         516,116 awvts.dll
30/08/2005  04:33 PM         178,623 hjllm.bak1
30/08/2005  04:32 PM         516,116 mlljh.dll
23/08/2005  10:42 PM          25,088 gebcc.dll
04/07/2005  05:27 PM    <DIR>        dllcache
04/08/2004  02:56 AM          69,120 notepad.exe
08/06/2004  11:28 AM    <DIR>        Microsoft
              20 File(s)      4,944,744 bytes
               2 Dir(s)  11,716,390,912 bytes free

C:\WINDOWS\Fonts\svcodbc.dll - Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\287.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\3FA.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temporary Internet Files\Content.IE5\M07SNLYX\mm[2].js - Spyware.Chitika : Cleaned with backup
C:\System Volume Information\_restore{A94F1AD0-1BD4-4C7C-8121-E2881FB5E114}\RP265\A0048672.dll - TrojanDownloader.ConHook.k : Cleaned with backup

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\tuvur.dll
O2 - BHO: (no name) - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\byxwt.dll
O20 - Winlogon Notify: byxwt - C:\WINDOWS\system32\byxwt.dll
O20 - Winlogon Notify: tuvur - C:\WINDOWS\SYSTEM32\tuvur.dll

byxwt.dll  Sat 22 Oct 2005 11:47:46  .....  540.692  528,02 K
geeda.dll  Fri 21 Oct 2005 20:27:46  ..SH.   28.173   27,51 K
tuvur.dll  Fri 21 Oct 2005 16:18:02  .....   28.173   27,51 K
xxyay.dll  Sat 22 Oct 2005  0:42:10  ..SH.   28.173   27,51 K

Directory of C:\WINDOWS\System32

26.10.2005  13:42         188.118 twxyb.ini2
26.10.2005  11:55         185.609 twxyb.bak2
22.10.2005  11:47         140.379 twxyb.bak1
22.10.2005  11:47         140.379 twxyb.ini
22.10.2005  11:47         140.416 twxyb.tmp
22.10.2005  00:42          28.173 xxyay.dll
21.10.2005  20:27          28.173 geeda.dll

Directory of C:\WINDOWS\system32

26.10.2005  13:49         188.110 twxyb.ini2
26.10.2005  11:55         185.609 twxyb.bak2
26.10.2005  11:55             285 mcrh.tmp
22.10.2005  11:47         140.379 twxyb.bak1
22.10.2005  11:47         140.379 twxyb.ini
22.10.2005  11:47         140.416 twxyb.tmp
22.10.2005  11:47         540.692 byxwt.dll
22.10.2005  00:42          28.173 xxyay.dll
21.10.2005  20:27          28.173 geeda.dll
21.10.2005  16:18          28.173 tuvur.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvur]
"Asynchronous"=dword:00000001
"DllName"="tuvur.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxwt]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\byxwt.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddaby.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\qoppn.dll
O20 - Winlogon Notify: ddaby - C:\WINDOWS\SYSTEM32\ddaby.dll
O20 - Winlogon Notify: qoppn - C:\WINDOWS\system32\qoppn.dll

qoppn.dll     Mon 24 Oct 2005 10:25:32  ..SH.  540.692  528,02 K
ddaby.dll     Wed 26 Oct 2005 10:13:56  ..SH.   28.173   27,51 K
jkhee.dll     Fri 21 Oct 2005  8:41:22  ..SH.   28.173   27,51 K
rqrsq.dll     Wed 26 Oct 2005 13:04:46  ..SH.   28.173   27,51 K
tlnadsnw.dll  Fri 21 Oct 2005  8:44:24  A....   45.056   44,00 K
wvuur.dll     Wed 26 Oct 2005 19:00:54  ..SH.   28.173   27,51 K

Directory of C:\WINDOWS\system32

26.10.2005  19:47         159.596 nppoq.ini2
26.10.2005  19:36         159.398 nppoq.bak2
26.10.2005  19:00          28.173 wvuur.dll
26.10.2005  13:04          28.173 rqrsq.dll
26.10.2005  10:13          28.173 ddaby.dll
24.10.2005  10:55         141.330 nppoq.ini
24.10.2005  10:36         140.323 nppoq.tmp
24.10.2005  10:25         140.323 nppoq.bak1
24.10.2005  10:25         540.692 qoppn.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddaby]
"Asynchronous"=dword:00000001
"DllName"="ddaby.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoppn]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\qoppn.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

C:\WINDOWS\System32\nppoq.tmp2
C:\WINDOWS\System32\nppoq.bak1
C:\WINDOWS\System32\nppoq.bak2
C:\WINDOWS\System32\nppoq.ini
C:\WINDOWS\System32\nppoq.tmp
C:\WINDOWS\System32\wvuur.dll
C:\WINDOWS\System32\rqrsq.dll
C:\WINDOWS\System32\ddaby.dll
C:\WINDOWS\System32\qoppn.dll
C:\WINDOWS\System32\jkhee.dll
C:\WINDOWS\System32\tlnadsnw.dll

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqnk.dll
O20 - Winlogon Notify: urqnk - C:\WINDOWS\System32\urqnk.dll

Directory of C:\WINDOWS\system32

15.10.2005  16:38           2.936 knqru.ini
15.10.2005  15:42               0 mcrh.tmp
15.10.2005  14:38               0 r1giale5.html
12.10.2005  16:43               0 knqru.tmp2
05.10.2005  08:45         528.404 urqnk.dll
05.10.2005  08:39           7.168 lpdriver.sys (???)
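The logs above share two traits worth turning into a check: every dropped DLL has a data file whose base name is the DLL's base name spelled backwards (sstts.dll and sttss.ini, awvts.dll and stvwa.ini, qoppn.dll and nppoq.ini, urqnk.dll and knqru.ini), and the DLLs dropped in one run have one exact size (516,116 bytes in the August 2005 listing, 28.173 in the October ones). The following script is an added example, not code from this page or from any of the tools quoted on it: it parses HijackThis O2/O20 lines and a cmd.exe "dir" listing and reports DLLs that are loaded as a BHO and/or Winlogon Notify package, have a reversed-name companion file, or share a size with another DLL. The sample lines are copied from the listings above; the regexes and the companion-extension list are my assumptions.

```python
import re
from collections import defaultdict

# Added example, not code from this page: cross-check HijackThis O2/O20 entries
# against a "dir" listing of system32. Heuristics (taken from the listings on the
# page): the data files use the DLL base name spelled backwards, and the DLLs
# dropped in one run share an exact size.

HJT_RE = re.compile(
    r"^(?P<kind>O2|O20) - (?:BHO|Winlogon Notify): (?P<label>.*?) - "
    r"(?:\{(?P<clsid>[0-9A-Fa-f-]+)\} - )?(?P<path>.+)$"
)
# cmd.exe "dir" row, e.g. "31/08/2005 12:17 AM 181,305 stvwa.ini"
DIR_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+ [AP]M)\s+(?P<size>[\d,]+|<DIR>)\s+(?P<name>\S+)$"
)
# Companion extensions seen on this page (assumption: the list is complete enough).
COMPANION_EXT = (".ini", ".ini2", ".bak1", ".bak2", ".tmp", ".tmp2")


def parse_hjt(lines):
    """Map DLL base name -> {'kinds', 'label', 'clsid', 'path'} for O2 (BHO) and O20 (Winlogon Notify)."""
    found = {}
    for line in lines:
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        base = path.rsplit("\\", 1)[-1].lower()
        entry = found.setdefault(base, {"kinds": set(), "label": m.group("label"), "clsid": None, "path": path})
        entry["kinds"].add(m.group("kind"))
        if m.group("clsid"):
            entry["clsid"] = m.group("clsid")
    return found


def parse_dir(lines):
    """Map file name -> size in bytes; <DIR> rows and the summary lines are skipped."""
    files = {}
    for line in lines:
        m = DIR_RE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            files[m.group("name").lower()] = int(m.group("size").replace(",", ""))
    return files


def suspicious_dlls(hjt, files):
    """Return {dll: [reasons]} for DLLs that are a BHO and/or Notify package,
    have a reversed-name companion file, or share an exact size with another DLL."""
    by_size = defaultdict(list)
    for name, size in files.items():
        if name.endswith(".dll"):
            by_size[size].append(name)
    report = {}
    for name in sorted(set(hjt) | {n for n in files if n.endswith(".dll")}):
        reasons = []
        kinds = hjt.get(name, {}).get("kinds", set())
        if "O20" in kinds:
            reasons.append("Winlogon Notify package")
        if "O2" in kinds:
            reasons.append("BHO")
        reversed_stem = name[:-4][::-1]
        companions = [reversed_stem + ext for ext in COMPANION_EXT if reversed_stem + ext in files]
        if companions:
            reasons.append("reversed-name companion file: " + ", ".join(companions))
        twins = [t for t in by_size.get(files.get(name), []) if t != name]
        if twins:
            reasons.append("same size as " + ", ".join(twins))
        if reasons:
            report[name] = reasons
    return report


# Sample input: lines copied from the HijackThis log and the August 2005 dir listing above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\sstts.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: sstts - C:\WINDOWS\SYSTEM32\sstts.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
""".strip().splitlines()

DIR_SAMPLE = """
31/08/2005 12:17 AM 181,305 stvwa.ini
30/08/2005 07:12 PM 303 srqss.ini
30/08/2005 07:12 PM 516,116 ssqrs.dll
30/08/2005 06:52 PM 303 sttss.ini
30/08/2005 06:52 PM 516,116 sstts.dll
30/08/2005 05:20 PM 303 bccdd.ini
30/08/2005 05:20 PM 516,116 ddccb.dll
30/08/2005 04:33 PM 516,116 awvts.dll
04/07/2005 05:27 PM <DIR> dllcache
04/08/2004 02:56 AM 69,120 notepad.exe
""".strip().splitlines()

if __name__ == "__main__":
    for dll, why in suspicious_dlls(parse_hjt(HJT_SAMPLE), parse_dir(DIR_SAMPLE)).items():
        print(dll, "->", "; ".join(why))
```

ssqrs.dll is reported even though no HijackThis line points at it, because its companion srqss.ini and its 516,116-byte size tie it to the others; that is the point of correlating the listing with the log rather than trusting the O2/O20 entries alone.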
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ddccy.dll
O20 - Winlogon Notify: ddccy - C:\WINDOWS\system32\ddccy.dll

Directory of C:\WINDOWS\System32

10/18/2005  12:19 AM         348,793 yccdd.ini2
10/17/2005  06:40 PM         347,654 yccdd.bak2
10/16/2005  05:46 PM         338,343 yccdd.ini
10/16/2005  05:44 PM         338,343 yccdd.tmp
10/04/2005  11:34 PM          27,149 mlljh.dll
10/04/2005  11:34 PM          27,149 ddayx.dll
10/04/2005  11:19 PM          27,149 geede.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccy]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\ddccy.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

ddayx.dll  Tue Oct  4 2005 11:34:28p  A.SH.   27,149   26.51 K
ddccy.dll  Sun Oct 16 2005  3:19:32p  .....  528,404  516.02 K
geede.dll  Tue Oct  4 2005 11:19:10p  A.SH.   27,149   26.51 K
mlljh.dll  Tue Oct  4 2005 11:34:56p  A.SH.   27,149   26.51 K

Winantivirus Pro 2006 - ADSPY/Effective.A.2

While browsing the web, "messages" open automatically telling me that my PC is infected with viruses or has security holes. This is followed by a redirect to the "Winantivirus Pro 2006" site. A small peculiarity: on my machine two different "messages" appear almost alternately, the German as well as the English version; in both, everything revolves around buying or installing "Winantivirus Pro 2006".
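Every infection on this page persists through a subkey of HKLM\...\Winlogon\Notify with Asynchronous=1, Impersonate=0 and either a bare DllName (cbxxu.dll, tuvur.dll, ddaby.dll) or a full path, plus Logon/Logoff or SysLogon/SysLogoff handler names. The script below is an added example, not code from this page or from L2MFix: it parses a "Windows Registry Editor" export of that key and describes every package that is not in a baseline set. The baseline is my assumption of the Notify packages on a clean Windows XP SP2 install and should be confirmed against a known-good machine of the same build; the cryptnet entry in the sample export is constructed as a stand-in for a legitimate package, while the cbxxu and byxwt keys are copied from the dumps above.

```python
import re

# Added example, not code from this page: audit a .reg export of the Winlogon
# Notify key such as the L2MFix dumps above.

# Assumption: Notify packages of a clean Windows XP SP2 install (verify locally).
XP_SP2_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_reg_export(text):
    """Map Notify\\<package> -> {value name: int or str} from a 'Windows Registry Editor' export."""
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            current = None
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = packages.setdefault(key[len(NOTIFY_PREFIX):], {})
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            if vm.group("dword") is not None:
                current[vm.group("name")] = int(vm.group("dword"), 16)
            else:
                # .reg files escape backslashes and double quotes inside strings
                current[vm.group("name")] = vm.group("str").replace("\\\\", "\\").replace('\\"', '"')
    return packages


def audit_notify(packages, baseline=XP_SP2_BASELINE):
    """Return {package: [notes]} for every Notify package outside the baseline."""
    findings = {}
    for name, values in packages.items():
        if name.lower() in baseline:
            continue
        notes = ["not in baseline"]
        dll = values.get("DllName", "")
        if "\\" in dll:
            notes.append(f"DllName {dll}")
        else:
            notes.append(f"DllName {dll} is unqualified; winlogon resolves it through the DLL search path")
        if values.get("Asynchronous") == 1:
            notes.append("Asynchronous=1: handler runs on its own thread inside winlogon.exe")
        if values.get("Impersonate") == 0:
            notes.append("Impersonate=0: handler runs as LocalSystem, not as the logging-on user")
        handlers = [f"{h}={values[h]}" for h in ("Startup", "Logon", "Logoff", "Shutdown") if h in values]
        notes.append("handlers: " + ", ".join(handlers))
        findings[name] = notes
    return findings


# Sample export: cbxxu and byxwt are copied from the dumps on this page;
# the cryptnet key is constructed as a stand-in for a legitimate package.
REG_SAMPLE = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"DllName"="cryptnet.dll"
"Impersonate"=dword:00000000
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxwt]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\byxwt.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
"""

if __name__ == "__main__":
    for pkg, notes in audit_notify(parse_reg_export(REG_SAMPLE)).items():
        print(pkg)
        for note in notes:
            print("   ", note)
```

A package name that is not in the baseline is the strongest signal here; the other notes explain why these entries matter once found: the handler is loaded into winlogon.exe, so it runs as LocalSystem before any user process exists, and a bare DllName is resolved through the normal DLL search path rather than a pinned location.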
Directory of C:\WINDOWS\system32

16.06.2006  13:31          29.184 l3cabl.dll
16.06.2006  04:40          13.837 ljjiijh.dll

l3cabl.dll, multi-engine scan results:

Engine              Version         Update      Result
AntiVir             6.35.0.21       07.07.2006  ADSPY/Effective.A.2
Authentium          4.93.8          07.07.2006  W32/Downloader.ABKP
Avast               4.7.844.0       07.07.2006  Win32:Conhook-L
AVG                 386             07.04.2006  Downloader.Generic2.CYT
BitDefender         7.2             07.07.2006  Trojan.Downloader.ConHook.R
ClamAV              devel-20060426  07.06.2006  Trojan.Downloader.ConHook-2
DrWeb               4.33            07.07.2006  Trojan.DownLoader.10541
eTrust-InoculateIT  23.72.61        07.07.2006  Win32/Conhook.8sq!DLL!Trojan
eTrust-Vet          12.6.2291       07.07.2006  Win32/Darksma!generic
Ewido               3.5             07.07.2006  Downloader.ConHook.aa
F-Prot              3.16f           07.07.2006  security risk named W32/Downloader.ABKP
F-Prot4             4.2.1.29        07.06.2006  W32/Downloader.ABKP
Kaspersky           4.0.2.24        07.07.2006  Trojan-Downloader.Win32.ConHook.aa
McAfee              4801            07.06.2006  Downloader-AWX
Microsoft           1.1481          07.01.2006  no virus found
NOD32v2             1.1649          07.07.2006  no virus found
Norman              5.90.23         07.07.2006  W32/ConHook.AS
Panda               9.0.0.4         07.06.2006  Trj/ConHook.K
Sophos              4.07.0          07.07.2006  Troj/ConHook-K
Symantec            8.0             07.07.2006  Downloader
Press 'Restore Original Hosts', press 'OK', then exit the program.

Trojan-Downloader.Win32.ConHook.aa

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5
{a0b2345c-92cb-4bce-a1c0-d8bd4b5d0078}