Worm/IRCBot

dllmgr64.exe win32host.exe pnpsp2fix.exe WinSys32s.exe msbitsec.exe mscn.exe

next: HijackThis

O23 - Service: dllmgr64 - Unknown owner - D:\WINDOWS\dllmgr64.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\dllmgr64

Unknown Service # 3
Service Name: dllmgr64
Display Name: dllmgr64
Start Mode: Disabled
Start Name: LocalSystem
Description: Windows 64bit DLL ...
Service Type: Own Process
Path: "c:\windows\dllmgr64.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DLLMGR64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dllmgr64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DLLMGR64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dllmgr64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DLLMGR64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dllmgr64

W32/Tilebot-FE

http://www.sophos.de

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Win32Kernel

next: HijackThis

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe

Unknown Service
Service Name: Win32Kernel
Display Name: Win32 Kernel Update
Start Mode: Disabled
Start Name: LocalSystem
Description: Win32 OS ...
Service Type: Own Process
Path: "c:\windows\win32host.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel

Verzeichnis von C:\WINDOWS
06.05.2006 13:49 34.384 win32host.exe

Verzeichnis von C:\WINDOWS\system32
06.05.2006 15:58 0 TFTP1616
06.05.2006 15:58 0 TFTP632

next: HijackThis

F2 - REG:system.ini: Shell=Explorer.exe winservnt32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,winservnt32.exe

O4 - HKLM\..\Run: [Windows Ndis Driver] WinSys32s.exe
O4 - HKLM\..\Run: [Error Reporting Service] mdmm.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKLM\..\Run: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe
O4 - HKLM\..\RunServices: [Windows Ndis Driver] WinSys32s.exe
O4 - HKLM\..\RunServices: [Error Reporting Service] mdmm.exe
O4 - HKLM\..\RunServices: [Windows Ndis Device] cfgwin.exe
O4 - HKCU\..\Run: [Windows Ndis Driver] WinSys32s.exe
O4 - HKCU\..\Run: [Windows Ndis Device] cfgwin.exe
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe

O23 - Service: Microsoft Background Intelligent Transfer Update Version 2.0 (MBIT) - Unknown owner - C:\WINDOWS\system32\msbitsec.exe

O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe

O23 - Service: Windows Ndis Driver (zions.game-host.org) - Unknown owner - C:\WINDOWS\System32\WinSys32s.exe" -netsvcs
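As an added example that is not from this page or from any of the tools it names: a small Python triage that parses HijackThis O4/O23 lines like those above and flags entries whose executable matches the file names collected on this page. The regexes, the hostname-as-service-name heuristic and the benign msmsgs sample line are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
# Bot file names collected from the listings on this page.
KNOWN_BAD = {n.lower() for n in (
    "dllmgr64.exe", "win32host.exe", "pnpsp2fix.exe", "WinSys32s.exe", "msbitsec.exe", "mscn.exe",
    "winservnt32.exe", "mdmm.exe", "cfgwin.exe", "msijavaupdt32.exe", "wgareg.exe", "mtcls32.exe")}

# Constructed sample: four lines copied from the page plus one benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Ndis Driver] WinSys32s.exe
O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe
O23 - Service: Windows Ndis Driver (zions.game-host.org) - Unknown owner - C:\WINDOWS\System32\WinSys32s.exe" -netsvcs
O23 - Service: Windows Debug Management - Unknown owner - C:\WINDOWS\system32\mscn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]*)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.*)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.I)  # first bare .exe token in a command line

def exe_name(cmd: str) -> str:
    """Base name of the first .exe token in a command line ('' if none)."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else ""

def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious O4/O23 line, None otherwise."""
    m = O4_RE.match(line)
    if m:
        exe = exe_name(m.group("cmd"))
        if exe.lower() not in KNOWN_BAD:
            return None
        return {"kind": "O4", "where": m.group("hive"), "exe": exe, "reason": "known bot file name"}
    m = O23_RE.match(line)
    if not m:
        return None
    exe, svc = exe_name(m.group("path")), m.group("svc")
    if exe.lower() in KNOWN_BAD:
        reason = "known bot file name"
    elif svc and "." in svc:  # heuristic: a service short name that looks like a hostname
        reason = "service name looks like a hostname"
    else:
        return None
    return {"kind": "O23", "where": svc or m.group("display"), "exe": exe, "reason": reason}

def triage(log: str) -> List[Dict[str, str]]:
    return [f for f in (triage_line(ln) for ln in log.splitlines()) if f]
```

Running triage(SAMPLE_LOG) yields four findings and leaves the benign msmsgs line alone.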


next: datfindbat

Verzeichnis von C:\WINDOWS\system32

30.08.2006 20:40 189.440 83033_netapi.exe
24.12.2005 15:29 71 i
18.12.2005 19:20 238.080 msbitsec.exe
15.11.2005 19:43 0 TFTP3248
10.11.2005 17:45 0 eraseme_31530.exe

Verzeichnis von C:\

03.11.2005 15:03 130.681 lc.exe

Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the desktop as fixme.reg using 'Save As'. Select 'All Files' as the file type. You should now find this file on the desktop. Double-click the file "fixme.reg" on the desktop and confirm merging it into the registry with "ja" or "yes".

REGEDIT4

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-
"Ms Update WinServices NT/XP"=-

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-
"Ms Update WinServices NT/XP"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"=-
"Windows Ndis Device"=-

next: Avenger (example)

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SP2PNPFIX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SP2PNPFIX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SP2PNPFIX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sp2pnpfix
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sp2pnpfix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sp2pnpfix

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZIONS.GAME-HOST.ORG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZIONS.GAME-HOST.ORG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZIONS.GAME-HOST.ORG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zions.game-host.org
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zions.game-host.org
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zions.game-host.org

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MBIT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT

Files to delete:
C:\WINDOWS\system32\winsys32s.exe
C:\WINDOWS\system32\pnpsp2fix.exe
C:\WINDOWS\system32\msbitsec.exe
C:\WINDOWS\System32\msijavaupdt32.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\TFTP3248
C:\WINDOWS\system32\eraseme_31530.exe
C:\lc.exe

next: ServiceFilter.zip

Unknown Service
Service Name: MBIT
Display Name: Microsoft Background Intelligent Transfer Update Version 2.0
Start Mode: Auto
Start Name: LocalSystem
Description: Transfers data between clients and servers in the background. If BITS is disabled, features such ...
Service Type: Own Process
Path: "c:\windows\system32\msbitsec.exe"

Unknown Service
Service Name: sp2pnpfix
Display Name: Plug-n-Play SP2 Fix
Start Mode: Auto
Start Name: LocalSystem
Description: Plug-n-Play SP2 Fix stays memory resident in order to ensure ...
Service Type: Own Process
Path: "c:\windows\system32\pnpsp2fix.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service
Service Name: zions.game-host.org
Display Name: Windows Ndis Driver
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\winsys32s.exe" -netsvcs
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

next: Combofix

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"
"Ms Update WinServices NT/XP"="winservnt32.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"
"Ms Update WinServices NT/XP"="winservnt32.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows Ndis Driver"="WinSys32s.exe"
"Windows Ndis Device"="cfgwin.exe"

next: HijackThis

O23 - Service: Windows Debug Management - Unknown owner - C:\WINDOWS\system32\mscn.exe

next: Avenger (example)

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_DEBUG_MANAGEMENT\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Debug Management
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_DEBUG_MANAGEMENT\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Debug Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_MANAGEMENT\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug Management

Files to delete:
C:\WINDOWS\system32\mscn.exe

next: HijackThis

O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\System32\wgareg.exe

http://www.avira.com

Unknown Service
Service Name: wgareg
Display Name: Windows Genuine Advantage Registration Service
Start Mode: Auto
Start Name: LocalSystem
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this ...
Service Type: Own Process
Path: c:\windows\system32\wgareg.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

next: Avenger (example)

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg

Files to delete:
c:\windows\system32\wgareg.exe

next: HijackThis

O23 - Service: mtc l32 (mtcl32) - Unknown owner - C:\WINDOWS\mtcls32.exe

Service Name: mtcl32
Display Name: mtc l32
Start Mode: Auto
Start Name: LocalSystem
Description: micro soft ...
Service Type: Own Process
Path: "c:\windows\mtcls32.exe"
State: Running
Process ID: 1692
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

mtcls32.exe

AntiVir 7.1.1.16 09.09.2006 HEUR/Crypted
BitDefender 7.2 09.10.2006 GenPack:Generic.Sdbot.60DB92F5
CAT-QuickHeal 8.00 09.09.2006 (Suspicious) - DNAScan
Panda 9.0.0.4 09.10.2006 W32/Sdbot.IDB.worm
VirusBuster 4.3.7:9 09.10.2006 Worm.SdBot.CRK

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mtcl32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mtcl32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTCL32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mtcl32

Files to delete:
C:\WINDOWS\mtcls32.exe
virus-protect.org