dskcheck.exe, shost.exe - Adware.Virtumonde

dskcheck.exe, shost.exe, Adware.Virtumonde

Hijackthis

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\SYSTEM32\vtuts.dll
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe

C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\shost.exe

----------------

O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\qommn.dll
O4 - HKLM\..\Run: [Life Personal Firewall] FirewallingV10.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\9rpl2l.exe
O4 - HKLM\..\RunServices: [Life Personal Firewall] FirewallingV10.exe
O4 - HKCU\..\Run: [Life Personal Firewall] FirewallingV10.exe
O20 - Winlogon Notify: qommn - C:\WINDOWS\System32\qommn.dll
O23 - Service: Windows Disk Check (dskcheck) - Unknown owner - C:\WINDOWS\system32\dskcheck.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe

Vundofix -> Vundofix anwenden

Killbox anwenden (Beispiel)

C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\eraseme_81435.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\FirewallingV10.exe
C:\WINDOWS\system32\TFTP3784
C:\WINDOWS\system32\download.dat
C:\WINDOWS\system32\wvuus.dll
C:\9rpl2l.exe
C:\irpll7l.exe

laden: ServiceFilter.zip

- entzippen
- doppelklick auf die datei ServiceFilter.vbs
- versions-nummer bestätigen
- scannen
- öffnen von wordpad oder editor erlauben
- POST_THIS.TXT abkopieren

Unknown Service # 4
Service Name: ServiceHost
Display Name: Service Hosts
Start Mode: Auto
Start Name: LocalSystem
Description: Service ...
Service Type: Own Process
Path: "c:\windows\shost.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Avenger

registry keys to delete: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERVICEHOST HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceHost HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SERVICEHOST HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ServiceHost HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERVICEHOST HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceHost Files to delete: C:\WINDOWS\shost.exe

Virenscanner

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
Adware.Virtumonde

HKU\S-1-5-21-1957994488-2147209987-1005048707-1003\Software\ Microsoft\Windows\CurrentVersion\Ext\Stats\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
Adware.Virtumonde