Vundofix.exe
new Vundofix.exe
Link: vundofix --> new Vundofix.exe (24.01.2006)

C:\WINDOWS\Fonts\svcodbc.dll - Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temporary Internet Files\Content.IE5\M07SNLYX\mm[2].js - Spyware.Chitika : Cleaned with backup
C:\System Volume Information\_restore{A94F1AD0-1BD4-4C7C-8121-E2881FB5E114}\RP265\A0048672.dll - TrojanDownloader.ConHook.k : Cleaned with backup

Troj/ConHook-C (more...)
* Trojan-Downloader.Win32.ConHook.d
* TROJ_DLOADER.LE
Troj/ConHook-C is a downloader Trojan which attempts to download and execute files from a remote URL without the user's knowledge. The Trojan may create registry entries under the following keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser.Helper.Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}

The following is the current export of the Winlogon Notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

C:\WINDOWS\SYSTEM32\
set71.tmp   Wed 29 Jun 2005  3:49:40  A....    74.240   72,50 K
set81.tmp   Sun  3 Jul 2005  4:15:28  A....   664.064  648,50 K
set82.tmp   Sun  3 Jul 2005  4:15:28  A....   605.696  591,50 K
set83.tmp   Sun  3 Jul 2005  4:15:28  A....   474.112  463,00 K

C:\WINDOWS\SYSTEM32\
cbxxu.dll   Thu 25 Aug 2005  0:36:28  .....    25.088   24,50 K

Directory of C:\WINDOWS\system32
07.09.2005  23:38          1.158  wpa.dbl
25.08.2005  00:36         25.088  cbxxu.dll
20.07.2005  04:04      3.012.096  mshtml.dll
20.07.2005  04:04      3.012.096  SET88.tmp

1. Open Notepad: Start/Run, type the command notepad and confirm; a Notepad editor window appears. Or via Start/Programs/Accessories/Editor (Notepad).
2. Paste the code in: findtheotherbat.html
3. Save the file as findtheother.bat on the Desktop
4. Double-click this file findtheother.bat (copy the output and post it)
************************************
**These are the hidden files found**
************************************
 Volume in drive C has no label.
 Volume Serial Number is E4B9-42B6

 Directory of C:\WINDOWS\Web\printers

04/21/2005  04:57 PM            25,677 vrspa.bak1
06/25/2005  01:53 PM           479,300 vrspa.bak2
05/12/2005  05:04 PM           385,858 vrspa.ini
06/27/2005  04:34 PM           386,134 vrspa.ini2
05/12/2005  05:04 PM           385,858 vrspa.tmp
               5 File(s)      1,662,827 bytes
               0 Dir(s)  20,756,287,488 bytes free

************************************
**These are the system files found**
************************************
 Volume in drive C has no label.
 Volume Serial Number is E4B9-42B6

 Directory of C:\WINDOWS\Web\printers

04/21/2005  04:57 PM            25,677 vrspa.bak1
06/25/2005  01:53 PM           479,300 vrspa.bak2
05/12/2005  05:04 PM           385,858 vrspa.ini
06/27/2005  04:34 PM           386,134 vrspa.ini2
05/12/2005  05:04 PM           385,858 vrspa.tmp
               5 File(s)      1,662,827 bytes
               0 Dir(s)  20,756,283,392 bytes free

delete these files
C:\WINDOWS\Web\printers
vrspa.bak1
vrspa.bak2
vrspa.ini
vrspa.ini2
vrspa.tmp

Edit findtheother.bat or make a new bat file, run it same as before, post the results
************************************
**These are the hidden files found**
************************************
 Volume in drive C has no label.
 Volume Serial Number is E4B9-42B6

 Directory of C:\WINDOWS\repair

04/18/2005  02:47 PM            25,677 daelo.bak1
04/18/2005  03:38 PM            25,818 daelo.ini
04/15/2005  01:35 PM           419,348 dbinfo.dll
06/01/2003  01:22 AM           237,568 ntuser.dat
06/01/2003  01:28 AM             1,024 SAM.LOG
06/01/2003  01:28 AM             1,024 SECURITY.LOG
06/01/2003  01:28 AM             1,024 SOFTWARE.LOG
06/01/2003  01:28 AM             1,024 SYSTEM.LOG
               8 File(s)        712,507 bytes
               0 Dir(s)  20,761,403,392 bytes free

************************************
**These are the system files found**
************************************
 Volume in drive C has no label.
 Volume Serial Number is E4B9-42B6

 Directory of C:\WINDOWS\repair

04/18/2005  02:47 PM            25,677 daelo.bak1
04/18/2005  03:38 PM            25,818 daelo.ini
04/15/2005  01:35 PM           419,348 dbinfo.dll
               3 File(s)        470,843 bytes
               0 Dir(s)  20,761,399,296 bytes free

Delete these files in the repair folder
C:\WINDOWS\repair
olead.old
daelo.bak1
daelo.ini
dbinfo.dll

HijackThis
O4 - HKLM\..\Run: [*binacc] C:\WINDOWS\Registration\binacc.exe

Spyware:Spyware/Virtumonde    No disinfected    C:\WINDOWS\cmdmp3.exe
Adware:Adware/Transponder     No disinfected    C:\WINDOWS\INF\polmx2.inf

HijackThis
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\rasdvd.dll
vundofix:
C:\WINDOWS\repair\rasdvd.dll
-----------------
HijackThis
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\mssrv.dll
O20 - Winlogon Notify: mssrv -
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\mssrv.dll
-----------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\hardcab.dll
O20 - Winlogon Notify: hardcab - C:\WINDOWS\msagent\hardcab.dll
--------------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: aplog - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: comiis - C:\WINDOWS\java\comiis.dll
--------------------
vundofix:
C:\WINDOWS\Help\SBSI\aplog.dll
C:\WINDOWS\Help\SBSI\golpa.dll
C:\WINDOWS\Help\SBSI\golpa.bak1
C:\WINDOWS\Help\SBSI\golpa.tmp
-------------------------
HijackThis
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Fonts\svcodbc.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstrs.dll
O20 - Winlogon Notify: svcodbc - C:\WINDOWS\Fonts\svcodbc.dll

C:\WINDOWS\Fonts\svcodbc.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\287.tmp -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\3FA.tmp -> Spyware.Virtumonde : Cleaned with backup
----------------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\msvcdisk.dll
O20 - Winlogon Notify: msvcdisk - C:\WINDOWS\Web\msvcdisk.dll

vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\system32\ljjkk.dll
The second filepath entered was C:\WINDOWS\system32\kkjjl.*

Killing PID 136 'smss.exe'
Killing PID 760 'explorer.exe'

C:\WINDOWS\system32\ljjkk.dll Deleted sucessfully.
C:\WINDOWS\system32\kkjjl.* Deleted sucessfully.

Fixing Registry
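The HijackThis O2 and O20 lines quoted across the posts above show the pattern this thread keeps chasing: one BHO CLSID ({827DC836-...}) registered under a different DLL name and folder each time (Cursors, msagent, Help\SBSI, Fonts, Web, repair), and each of those DLL names reappearing as a Winlogon Notify subkey so the DLL is loaded at logon even with the browser closed. The following is an added example, not code from the thread, from HijackThis or from VundoFix: it parses such lines and surfaces those two patterns. The sample log is constructed from the entries quoted above plus one hypothetical benign BHO for contrast; the pairing rule (BHO file-name stem equals Notify subkey name) is this example's own heuristic, not something the tools themselves do.

```python
"""Group HijackThis O2/O20/O4 lines by CLSID and flag the BHO + Winlogon Notify pairing.

Added example, not from the thread or from HijackThis/VundoFix. Sample lines are
constructed from entries quoted in the thread plus one hypothetical benign BHO.
"""
import re
from collections import defaultdict

# Constructed sample input (raw string so the Windows paths need no escaping).
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\mssrv.dll
O20 - Winlogon Notify: mssrv -
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\hardcab.dll
O20 - Winlogon Notify: hardcab - C:\WINDOWS\msagent\hardcab.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: aplog - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: comiis - C:\WINDOWS\java\comiis.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Fonts\svcodbc.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstrs.dll
O20 - Winlogon Notify: svcodbc - C:\WINDOWS\Fonts\svcodbc.dll
O4 - HKLM\..\Run: [*binacc] C:\WINDOWS\Registration\binacc.exe
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll
"""

# HijackThis line shapes as they appear in the thread: O2 (BHO), O20 (Winlogon Notify), O4 (Run).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - ?(?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")


def stem(path):
    """'C:\\WINDOWS\\Cursors\\mssrv.dll' -> 'mssrv' (lower-cased, extension dropped)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def parse_hijackthis(text):
    """Return (bho, notify, run) lists; unknown line types are ignored."""
    bho, notify, run = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bho.append((m["name"], m["clsid"].upper(), m["path"].strip()))
            continue
        m = O20_RE.match(line)
        if m:
            # O20 with an empty path (as for 'mssrv' above) means HijackThis showed no file.
            notify.append((m["key"].lower(), m["path"].strip()))
            continue
        m = O4_RE.match(line)
        if m:
            run.append((m["hive"], m["name"], m["path"].strip()))
    return bho, notify, run


def analyze(text):
    bho, notify, run = parse_hijackthis(text)
    clsid_paths = defaultdict(set)
    for _name, clsid, path in bho:
        clsid_paths[clsid].add(path)
    # Heuristic (this example's assumption): a BHO DLL whose file-name stem is also a
    # Winlogon Notify subkey name is the same component registered twice for persistence.
    notify_by_key = dict(notify)
    paired, seen = [], set()
    for _name, clsid, path in bho:
        key = stem(path)
        if key in notify_by_key:
            paired.append((clsid, path, key, notify_by_key[key]))
            seen.add(key)
    return {
        "clsid_paths": {c: sorted(p) for c, p in clsid_paths.items()},
        "paired": paired,
        "unpaired_notify": [(k, p) for k, p in notify if k not in seen],
        "run": run,
    }


def report(text):
    """One human-readable finding per list entry."""
    r = analyze(text)
    out = []
    for clsid, paths in r["clsid_paths"].items():
        if len(paths) > 1:
            out.append(f"{clsid} registered at {len(paths)} different DLL paths")
    for _clsid, bho_path, key, npath in r["paired"]:
        out.append(f"BHO {bho_path} also loads via Winlogon Notify subkey '{key}' ({npath or 'no path shown'})")
    for key, path in r["unpaired_notify"]:
        out.append(f"Winlogon Notify '{key}' -> {path or '(empty)'} has no BHO partner; check by hand")
    for hive, name, path in r["run"]:
        out.append(f"Run entry [{name}] under {hive}: {path}")
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run against a real HijackThis log, the "N different DLL paths" line is what tells you the infection is being re-dropped under fresh names between scans, and the "no BHO partner" lines (comiis above) are the Notify entries a BHO-focused cleanup would otherwise miss.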