upnp.exe
WORM_CODBOT.B - integitor.exe, upnp.exe, nmeproxy.exe

O23 - Service: Universal Plug and Play Device Configuration (UPnP Configuration) - Unknown owner - C:\WINDOWS\System32\upnp.exe

1. Click Start - Run - type Services.msc and click OK.
   "Properties" - click "Stop" - Startup type "Disabled", for:
   Universal Plug and Play Device Configuration (UPnP Configuration) --> only this one, no other!!!
   Secure System

2. Start --> Run --> paste in (if an error message appears... ignore it) --> click OK after each one:
   sc delete Universal Plug and Play Device Configuration
   sc delete UPnP Configuration
   sc delete Secure System

ServiceFilter.zip - double-click to start it. In "Enter search strings" (type or paste):
   Universal Plug and Play Device Configuration
   UPnP Configuration
   Secure System
   and click "OK". Notepad will open:

Unknown Service # 8
Service Name: UPnP Configuration
Display Name: Universal Plug and Play Device Configuration
Start Mode: Disabled
Start Name: LocalSystem
Description: Handling all UPnP related system ...
Service Type: Own Process
Path: c:\windows\system32\upnp.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: Secure System
Display Name: Secure System
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\integitor.exe" -service
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

(Exit code 1077 is ERROR_SERVICE_NEVER_STARTED: the service has not been started since the last boot. The genuine Windows UPnP service is "upnphost", hosted in svchost.exe; neither of these two services is it.)

Directory of C:\WINDOWS\system32
26.02.2006  12:01           167,936 nmeproxy.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Secure System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Secure System\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECURE_SYSTEM\0000]
"Service"="Secure System"
"DeviceDesc"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System]
"DisplayName"="Secure System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secure System\Enum]
[HKEY_USERS\S-1-5-21-2669302297-645757453-568730901-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="sc delete secure system\\1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE1E00AA-3FD5-403C-8A27-2BBDC30CD0E1}]
@="Home Networking NAT Traversal via UPnP Configuration Manager"
(This CLSID is Windows' own NAT traversal COM class and only appears here because its name contains the search string; it is not part of the infection.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"Service"="UPnP Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration\Enum]
[HKEY_USERS\S-1-5-21-2669302297-645757453-568730901-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"c"="sc delete UPnP configuration\\1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPNP_CONFIGURATION\0000]
"DeviceDesc"="Universal Plug and Play Device Configuration"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnP Configuration]
"DisplayName"="Universal Plug and Play Device Configuration"
[HKEY_USERS\S-1-5-21-2669302297-645757453-568730901-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"b"="sc delete universal plug and play device configuration\\1"

F-Secure virus definition: Bozori.B
F-Secure provides a special utility for disinfecting this malware. You can download this utility from our FTP or web sites.

Removal Tools
wintbp.exe (Net-Worm.Win32.Bozori.a) [uses the MS05-039 vulnerability]
winpnp.exe (Backdoor.Win32.Rbot.ym) [uses the MS05-039 vulnerability]
mousebm.exe (Backdoor.Win32.IRCBot.es) [uses the MS05-039 vulnerability]
csm.exe (Net-Worm.Win32.Mytob.cf / Zotob.B) [uses the MS05-039 vulnerability]
botzor.exe (Net-Worm.Win32.Mytob.cd / Zotob.A) [uses the MS05-039 vulnerability]
pnpsrv.exe (Backdoor.Win32.Rbot.yk) [uses the MS05-039 vulnerability]
svnlitup32.exe (Backdoor.Win32.SdBot.yx) [uses the MS05-039 vulnerability]
upnp.exe (Backdoor.Win32.Codbot.ab) [does not use the MS05-039 vulnerability]
service32.exe
llsrv.exe
system32.exe

(MS05-039 is the Windows Plug and Play buffer overflow exploited by the Zotob family; the upnp.exe variant here spreads by other means and is only named like a UPnP component.)

Virus:W32/Codbot.A.worm -> C:\WINDOWS\system32\upnp.exe
Virus:W32/Gaobot.AZP.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\31E.tmp
Virus:W32/Sdbot.BWA.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\3AB.tmp
Virus:W32/Sdbot.BSW.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\3FC.tmp
Virus:W32/Codbot.A.worm Disinfected C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\436.tmp
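The stop / disable / delete procedure from steps 1 and 2 above, as an added PowerShell example that is not part of the original page or of any vendor tool. The service names, binary paths and the genuine "upnphost" service name are taken from the log above; everything else (the variable names, the console messages, the signature check) is this example's own choice. One practical caveat the example handles: sc.exe splits its arguments on spaces, so a name such as "Secure System" must be quoted, and the RunMRU entries in the registry dump show the three sc delete commands were typed unquoted, which makes them fail silently with "service does not exist". Inside PowerShell, sc is also an alias for Set-Content, so the command must be called as sc.exe.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt on the affected machine. Names and paths come from the log above.

$rogue = @(
    @{ Name = 'UPnP Configuration'; Path = 'C:\WINDOWS\system32\upnp.exe' },
    @{ Name = 'Secure System';      Path = 'C:\WINDOWS\system32\integitor.exe' }
)
# The real Windows UPnP service; it is never touched, only shown for comparison.
$genuine = 'upnphost'

foreach ($svc in $rogue) {
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if (-not $s) {
        Write-Host "[-] $($svc.Name): not registered (already removed?)"
        continue
    }

    # Cross-check the registry ImagePath against the path seen in the log
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    Write-Host "[*] $($svc.Name): State=$($s.Status) ImagePath=$img"

    # Step 1 of the procedure: stop it and set Startup type to Disabled
    if ($s.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $svc.Name -StartupType Disabled

    # Step 2: delete the service. The name is quoted on purpose; unquoted,
    # sc.exe would look for a service called "Secure" and report an error.
    & sc.exe delete "$($svc.Name)"
}

# Sanity check: the genuine service should still be present and svchost-hosted
$u = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$genuine" -ErrorAction SilentlyContinue
Write-Host "[*] $genuine ImagePath = $($u.ImagePath)"

# The binaries are still on disk until the next reboot releases them.
# Report them with their Authenticode status; the rogue files are unsigned.
foreach ($svc in $rogue) {
    if (Test-Path -Path $svc.Path) {
        $sig = Get-AuthenticodeSignature -FilePath $svc.Path
        Write-Host "[!] $($svc.Path) still present, signature status: $($sig.Status)"
    }
}
```

Service deletion takes effect once the service control manager has no open handle to the service, normally after a reboot, which is also when the binaries under System32 can be deleted. The Enum\Root\LEGACY_* keys listed in the registry dump are the PnP manager's markers for non-PnP services; they are not a persistence mechanism and can be left in place or removed after the service itself is gone.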