TrojanDownloader.ConHook , Virtumonde

Vundofix

Link and removal tool: VundoFix

Popups: "NOTICE: If your computer has errors in the registry database... Would you like to install WinFixer 2005..." etc.

Trojan-Downloader.ConHook.i

HijackThis

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\cbxxu.dll
O20 - Winlogon Notify: cbxxu - C:\WINDOWS\SYSTEM32\cbxxu.dll


http://virus-protect.org/l2mfix.html

l2mfix\report.txt
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"


C:\WINDOWS\SYSTEM32\
cbxxu.dll Thu 25 Aug 2005 0:36:28 ..... 25.088 24,50 K



HijackThis

O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\System32\sstts.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: sstts - C:\WINDOWS\SYSTEM32\sstts.dll

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awvts]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\awvts.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljji]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\mljji.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttr]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\ssttr.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sstts]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\sstts.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"



datfindbat

Directory of C:\WINDOWS\System32

31/08/2005 12:17 AM 181,305 stvwa.ini
30/08/2005 08:10 PM 179,148 stvwa.bak2
30/08/2005 07:12 PM 303 srqss.ini
30/08/2005 07:12 PM 516,116 ssqrs.dll
30/08/2005 07:03 PM 180,714 hjllm.ini
30/08/2005 07:03 PM 303 qtutv.ini
30/08/2005 07:03 PM 516,116 vtutq.dll
30/08/2005 06:57 PM 303 rttss.ini
30/08/2005 06:57 PM 516,116 ssttr.dll
30/08/2005 06:52 PM 303 sttss.ini
30/08/2005 06:52 PM 516,116 sstts.dll
30/08/2005 05:20 PM 303 bccdd.ini
30/08/2005 05:20 PM 516,116 ddccb.dll
30/08/2005 05:04 PM 303 ijjlm.ini
30/08/2005 05:04 PM 516,116 mljji.dll
30/08/2005 04:33 PM 516,116 awvts.dll
30/08/2005 04:33 PM 178,623 hjllm.bak1
30/08/2005 04:32 PM 516,116 mlljh.dll
23/08/2005 10:42 PM 25,088 gebcc.dll
04/07/2005 05:27 PM DIR dllcache
04/08/2004 02:56 AM 69,120 notepad.exe
08/06/2004 11:28 AM DIR Microsoft
20 File(s) 4,944,744 bytes
2 Dir(s) 11,716,390,912 bytes free

Ewido

C:\WINDOWS\Fonts\svcodbc.dll - Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\287.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\3FA.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temporary Internet Files\Content.IE5\M07SNLYX\mm[2].js - Spyware.Chitika : Cleaned with backup
C:\System Volume Information\_restore{A94F1AD0-1BD4-4C7C-8121-E2881FB5E114}\RP265\A0048672.dll - TrojanDownloader.ConHook.k : Cleaned with backup


HijackThis

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\tuvur.dll
O2 - BHO: (no name) - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\byxwt.dll
O20 - Winlogon Notify: byxwt - C:\WINDOWS\system32\byxwt.dll
O20 - Winlogon Notify: tuvur - C:\WINDOWS\SYSTEM32\tuvur.dll

Option 1- l2mfix
http://virus-protect.org/l2mfix.html

byxwt.dll Sat 22 Oct 2005 11:47:46 ..... 540.692 528,02 K
geeda.dll Fri 21 Oct 2005 20:27:46 ..SH. 28.173 27,51 K
tuvur.dll Fri 21 Oct 2005 16:18:02 ..... 28.173 27,51 K
xxyay.dll Sat 22 Oct 2005 0:42:10 ..SH. 28.173 27,51 K

Verzeichnis von C:\WINDOWS\System32
26.10.2005 13:42 188.118 twxyb.ini2
26.10.2005 11:55 185.609 twxyb.bak2
22.10.2005 11:47 140.379 twxyb.bak1
22.10.2005 11:47 140.379 twxyb.ini
22.10.2005 11:47 140.416 twxyb.tmp
22.10.2005 00:42 28.173 xxyay.dll
21.10.2005 20:27 28.173 geeda.dll

datfindbat

Verzeichnis von C:\WINDOWS\system32
26.10.2005 13:49 188.110 twxyb.ini2
26.10.2005 11:55 185.609 twxyb.bak2
26.10.2005 11:55 285 mcrh.tmp
22.10.2005 11:47 140.379 twxyb.bak1
22.10.2005 11:47 140.379 twxyb.ini
22.10.2005 11:47 140.416 twxyb.tmp
22.10.2005 11:47 540.692 byxwt.dll
22.10.2005 00:42 28.173 xxyay.dll
21.10.2005 20:27 28.173 geeda.dll
21.10.2005 16:18 28.173 tuvur.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvur]
"Asynchronous"=dword:00000001
"DllName"="tuvur.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxwt]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\byxwt.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

HijackThis

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\ddaby.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\qoppn.dll
O20 - Winlogon Notify: ddaby - C:\WINDOWS\SYSTEM32\ddaby.dll
O20 - Winlogon Notify: qoppn - C:\WINDOWS\system32\qoppn.dll

Option 1- l2mfix
http://virus-protect.org/l2mfix.html

qoppn.dll Mon 24 Oct 2005 10:25:32 ..SH. 540.692 528,02 K
ddaby.dll Wed 26 Oct 2005 10:13:56 ..SH. 28.173 27,51 K
jkhee.dll Fri 21 Oct 2005 8:41:22 ..SH. 28.173 27,51 K
rqrsq.dll Wed 26 Oct 2005 13:04:46 ..SH. 28.173 27,51 K
tlnadsnw.dll Fri 21 Oct 2005 8:44:24 A.... 45.056 44,00 K
wvuur.dll Wed 26 Oct 2005 19:00:54 ..SH. 28.173 27,51 K

Verzeichnis von C:\WINDOWS\system32
26.10.2005 19:47 159.596 nppoq.ini2
26.10.2005 19:36 159.398 nppoq.bak2
26.10.2005 19:00 28.173 wvuur.dll
26.10.2005 13:04 28.173 rqrsq.dll
26.10.2005 10:13 28.173 ddaby.dll
24.10.2005 10:55 141.330 nppoq.ini
24.10.2005 10:36 140.323 nppoq.tmp
24.10.2005 10:25 140.323 nppoq.bak1
24.10.2005 10:25 540.692 qoppn.dll


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddaby]
"Asynchronous"=dword:00000001
"DllName"="ddaby.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoppn]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\qoppn.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

C:\WINDOWS\System32\nppoq.tmp2
C:\WINDOWS\System32\nppoq.bak1
C:\WINDOWS\System32\nppoq.bak2
C:\WINDOWS\System32\nppoq.ini
C:\WINDOWS\System32\nppoq.tmp
C:\WINDOWS\System32\wvuur.dll
C:\WINDOWS\System32\rqrsq.dll
C:\WINDOWS\System32\ddaby.dll
C:\WINDOWS\System32\qoppn.dll
C:\WINDOWS\System32\jkhee.dll
C:\WINDOWS\System32\tlnadsnw.dll


O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqnk.dll
O20 - Winlogon Notify: urqnk - C:\WINDOWS\System32\urqnk.dll


Verzeichnis von C:\WINDOWS\system32
15.10.2005 16:38 2.936 knqru.ini
15.10.2005 15:42 0 mcrh.tmp
15.10.2005 14:38 0 r1giale5.html
12.10.2005 16:43 0 knqru.tmp2
05.10.2005 08:45 528.404 urqnk.dll
05.10.2005 08:39 7.168 lpdriver.sys (???)

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ddccy.dll
O20 - Winlogon Notify: ddccy - C:\WINDOWS\system32\ddccy.dll


Directory of C:\WINDOWS\System32
10/18/2005 12:19 AM 348,793 yccdd.ini2
10/17/2005 06:40 PM 347,654 yccdd.bak2
10/16/2005 05:46 PM 338,343 yccdd.ini
10/16/2005 05:44 PM 338,343 yccdd.tmp
10/04/2005 11:34 PM 27,149 mlljh.dll
10/04/2005 11:34 PM 27,149 ddayx.dll
10/04/2005 11:19 PM 27,149 geede.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccy]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\ddccy.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
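As an added example (not from this page or from any of the tools it names), the following Python parses a Winlogon\Notify .reg export like the ones above and cross-checks each package's DllName against a directory listing: in every listing on this page the Vundo DLL sits next to an .ini whose name is the DLL stem reversed (sstts.dll / sttss.ini, ddccb.dll / bccdd.ini, qoppn.dll / nppoq.ini), and that companion-file pattern is the check implemented here. The sample inputs are constructed from the page's own sstts entry plus an invented benign entry (examplepkg, OnLogon) for contrast.

```python
import re

# Constructed sample: the Notify subkey for sstts.dll copied from the export
# on this page, plus one invented benign-looking entry for contrast.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sstts]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\sstts.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg]
"Asynchronous"=dword:00000000
"DllName"="examplepkg.dll"
"Logon"="OnLogon"
"""

# Constructed sample: two lines taken from the datfindbat listing on this page.
DIR_LISTING = """
30/08/2005 06:52 PM 303 sttss.ini
30/08/2005 06:52 PM 516,116 sstts.dll
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_notify_export(text):
    """Map each Notify subkey to its values (dwords as int, strings unescaped)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            entries[current] = {}
        elif current and (m := VAL_RE.match(line)):
            name, dword, string = m.groups()
            entries[current][name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return entries

def suspicious_notify_packages(reg_text, listing_text):
    """Return Notify subkeys whose DLL stem, reversed, exists as an .ini file
    (the companion-file pattern seen in every listing on this page)."""
    inis = {ln.split()[-1].lower() for ln in listing_text.splitlines() if ln.strip().endswith(".ini")}
    hits = []
    for sub, vals in parse_notify_export(reg_text).items():
        stem = re.sub(r"\.dll$", "", vals.get("DllName", "").rsplit("\\", 1)[-1].lower())
        if stem and stem[::-1] + ".ini" in inis:
            hits.append(sub)
    return hits
```

Run against a full `reg export` of the Notify key and a `dir` of system32, it lists only packages with a reversed-name .ini neighbour; packages without one still deserve a look at their DllName path and entry points.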

ddayx.dll Tue Oct 4 2005 11:34:28p A.SH. 27,149 26.51 K
ddccy.dll Sun Oct 16 2005 3:19:32p ..... 528,404 516.02 K
geede.dll Tue Oct 4 2005 11:19:10p A.SH. 27,149 26.51 K
mlljh.dll Tue Oct 4 2005 11:34:56p A.SH. 27,149 26.51 K


Winantivirus Pro 2006 - ADSPY/Effective.A.2

While surfing the web, "messages" open automatically telling me that my PC is infected with viruses or has security holes. This is followed by a redirect to the "Winantivirus Pro 2006" site.

A small peculiarity: in my case two different "messages" appear almost alternately, both the German and the English version; in both, however, everything revolves around buying or installing "Winantivirus Pro 2006".


datfindbat

Verzeichnis von C:\WINDOWS\system32

16.06.2006 13:31 29.184 l3cabl.dll
16.06.2006 04:40 13.837 ljjiijh.dll

l3cabl.dll
AntiVir 6.35.0.21 07.07.2006 ADSPY/Effective.A.2
Authentium 4.93.8 07.07.2006 W32/Downloader.ABKP
Avast 4.7.844.0 07.07.2006 Win32:Conhook-L
AVG 386 07.04.2006 Downloader.Generic2.CYT
BitDefender 7.2 07.07.2006 Trojan.Downloader.ConHook.R 
ClamAV devel-20060426 07.06.2006 Trojan.Downloader.ConHook-2
DrWeb 4.33 07.07.2006 Trojan.DownLoader.10541
eTrust-InoculateIT 23.72.61 07.07.2006 Win32/Conhook.8sq!DLL!Trojan
eTrust-Vet 12.6.2291 07.07.2006 Win32/Darksma!generic
Ewido 3.5 07.07.2006 Downloader.ConHook.aa
F-Prot 3.16f 07.07.2006 security risk named W32/Downloader.ABKP
F-Prot4 4.2.1.29 07.06.2006 W32/Downloader.ABKP
Kaspersky 4.0.2.24 07.07.2006 Trojan-Downloader.Win32.ConHook.aa
McAfee 4801 07.06.2006 Downloader-AWX
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1649 07.07.2006 no virus found
Norman 5.90.23 07.07.2006 W32/ConHook.AS
Panda 9.0.0.4 07.06.2006 Trj/ConHook.K
Sophos 4.07.0 07.07.2006 Troj/ConHook-K
Symantec 8.0 07.07.2006 Downloader


Avenger
registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5

Files to delete:
C:\WINDOWS\system32\l3cabl.dll
C:\WINDOWS\system32\ljjiijh.dll


Open HijackThis -- click the "Scan" button -- tick the boxes in front of the malware entries -- click "Fix checked" -- restart the PC

O2 - BHO: (no name) - {a0b2345c-92cb-4bce-a1c0-d8bd4b5d0078} - C:\WINDOWS\system32\l3cabl.dll
O20 - Winlogon Notify: l3cabl - C:\WINDOWS\SYSTEM32\l3cabl.dll


HostsXpert
Press 'Restore Original Hosts', then 'OK', and exit the program.

Counterspy

Trojan-Downloader.Win32.ConHook.aa

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rasap2K
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dstr5 {a0b2345c-92cb-4bce-a1c0-d8bd4b5d0078}


VirtumundoBegone

VirtumundoBeGone.exe



Download it and save it to your desktop as "VirtumundoBegone".
Boot into Safe Mode (instructions).
Double-click "VirtumundoBeGone.exe".
Follow the program's prompts. Close the program when it has finished.

