new Vundofix.exe
vundofix --> new Vundofix.exe (24.01.2006)
C:\WINDOWS\Fonts\svcodbc.dll - Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temporary Internet Files\Content.IE5\M07SNLYX\mm[2].js - Spyware.Chitika : Cleaned with backup
C:\System Volume Information\_restore{A94F1AD0-1BD4-4C7C-8121-E2881FB5E114}\RP265\A0048672.dll - TrojanDownloader.ConHook.k : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser.Helper.Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}
L2mfix
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"
C:\WINDOWS\SYSTEM32\
set71.tmp Wed 29 Jun 2005 3:49:40 A.... 74.240 72,50 K
set81.tmp Sun 3 Jul 2005 4:15:28 A.... 664.064 648,50 K
set82.tmp Sun 3 Jul 2005 4:15:28 A.... 605.696 591,50 K
set83.tmp Sun 3 Jul 2005 4:15:28 A.... 474.112 463,00 K
C:\WINDOWS\SYSTEM32\
cbxxu.dll Thu 25 Aug 2005 0:36:28 ..... 25.088 24,50 K
Verzeichnis von C:\WINDOWS\system32
07.09.2005 23:38 1.158 wpa.dbl
25.08.2005 00:36 25.088 cbxxu.dll
20.07.2005 04:04 3.012.096 mshtml.dll
20.07.2005 04:04 3.012.096 SET88.tmp
1. Open Notepad: under Start/Run enter the command notepad and confirm; a Notepad editor window appears.
Or use Start/Programs/Accessories/Notepad.
2. Paste the code in:
findtheotherbat
3. Save the file as findtheother.bat on the Desktop
4. Double-click this file findtheother.bat (copy the output and post it)
1. Open Notepad: under Start/Run enter the command notepad and confirm; a Notepad editor window appears.
Or use Start/Programs/Accessories/Notepad.
2. Paste the code in:
echo ** This batch was originally written by OSC **
rem Directory to inspect; the other variants of this script change only this line
cd C:\WINDOWS\inf\
rem Start from a fresh report file
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
rem Strip the system, read-only, hidden and archive attributes from everything below the directory so the files can be seen and deleted
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit
3. Save the file as findtheother.bat on the Desktop
4. Double-click this file findtheother.bat (copy the output and post it)
echo ** This batch was originally written by OSC **
cd C:\WINDOWS\Web\printers\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit
************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6
Directory of C:\WINDOWS\Web\printers
04/21/2005 04:57 PM 25,677 vrspa.bak1
06/25/2005 01:53 PM 479,300 vrspa.bak2
05/12/2005 05:04 PM 385,858 vrspa.ini
06/27/2005 04:34 PM 386,134 vrspa.ini2
05/12/2005 05:04 PM 385,858 vrspa.tmp
5 File(s) 1,662,827 bytes
0 Dir(s) 20,756,287,488 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6
Directory of C:\WINDOWS\Web\printers
04/21/2005 04:57 PM 25,677 vrspa.bak1
06/25/2005 01:53 PM 479,300 vrspa.bak2
05/12/2005 05:04 PM 385,858 vrspa.ini
06/27/2005 04:34 PM 386,134 vrspa.ini2
05/12/2005 05:04 PM 385,858 vrspa.tmp
5 File(s) 1,662,827 bytes
0 Dir(s) 20,756,283,392 bytes free
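The two listings above are the raw material for the "delete these files" step that follows. As an added example that is not part of the original notes or of the OSC batch file, the Python below parses a dir listing of this shape, checks that the rows add up to the "N File(s) X bytes" summary (a pasted listing with a row missing fails the check), and groups files that share one base name with the .bak1/.bak2/.ini/.ini2/.tmp/.dll extensions Vundo drops beside its DLL. The sample listing is the C:\WINDOWS\Web\printers output copied from above; the extension set and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the "hidden files" listing for C:\WINDOWS\Web\printers copied from the notes.
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Volume Serial Number is E4B9-42B6
 Directory of C:\WINDOWS\Web\printers
04/21/2005 04:57 PM 25,677 vrspa.bak1
06/25/2005 01:53 PM 479,300 vrspa.bak2
05/12/2005 05:04 PM 385,858 vrspa.ini
06/27/2005 04:34 PM 386,134 vrspa.ini2
05/12/2005 05:04 PM 385,858 vrspa.tmp
 5 File(s) 1,662,827 bytes
 0 Dir(s) 20,756,287,488 bytes free
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# A file row: date, 12-hour time, byte count with thousands separators, name. "<DIR>" rows do not match.
FILE_RE = re.compile(r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$")
SUMMARY_RE = re.compile(r"^\s*(?P<count>\d+) File\(s\)\s+(?P<bytes>[\d,]+) bytes")

# Extensions the notes show Vundo creating beside its DLL under one random base name (assumed set).
SIBLING_EXTS = {"dll", "ini", "ini2", "bak1", "bak2", "tmp"}


def parse_dir(text):
    """Turn one 'dir' listing into a dict of directory, files [(name, size)], and the reported totals."""
    out = {"directory": None, "files": [], "reported_count": None, "reported_bytes": None}
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            out["directory"] = m["dir"]
            continue
        m = FILE_RE.match(line)
        if m:
            out["files"].append((m["name"], int(m["size"].replace(",", ""))))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            out["reported_count"] = int(m["count"])
            out["reported_bytes"] = int(m["bytes"].replace(",", ""))
    return out


def totals_consistent(listing):
    """True when the rows add up to the 'N File(s) X bytes' summary, i.e. nothing was lost when pasting."""
    return (len(listing["files"]) == listing["reported_count"]
            and sum(size for _, size in listing["files"]) == listing["reported_bytes"])


def sibling_sets(listing):
    """Base names that appear with two or more of SIBLING_EXTS, mapped to their sorted extensions."""
    groups = defaultdict(set)
    for name, _ in listing["files"]:
        stem, _, ext = name.lower().rpartition(".")
        if stem and ext in SIBLING_EXTS:
            groups[stem].add(ext)
    return {stem: sorted(exts) for stem, exts in groups.items() if len(exts) >= 2}


if __name__ == "__main__":
    listing = parse_dir(SAMPLE_DIR)
    print(listing["directory"], "totals consistent:", totals_consistent(listing))
    for stem, exts in sibling_sets(listing).items():
        print("sibling set:", stem, exts)
```

Run on the listing above it reports the totals as consistent and one sibling set, vrspa with bak1/bak2/ini/ini2/tmp, which is exactly the group the next instruction removes.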
Delete these files:
C:\WINDOWS\Web\printers
vrspa.bak1
vrspa.bak2
vrspa.ini
vrspa.ini2
vrspa.tmp
Edit findtheother.bat or make a new bat file, run it the same as before, and post the results
echo ** This batch was originally written by OSC **
cd C:\WINDOWS\repair
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit
************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6
Directory of C:\WINDOWS\repair
04/18/2005 02:47 PM 25,677 daelo.bak1
04/18/2005 03:38 PM 25,818 daelo.ini
04/15/2005 01:35 PM 419,348 dbinfo.dll
06/01/2003 01:22 AM 237,568 ntuser.dat
06/01/2003 01:28 AM 1,024 SAM.LOG
06/01/2003 01:28 AM 1,024 SECURITY.LOG
06/01/2003 01:28 AM 1,024 SOFTWARE.LOG
06/01/2003 01:28 AM 1,024 SYSTEM.LOG
8 File(s) 712,507 bytes
0 Dir(s) 20,761,403,392 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6
Directory of C:\WINDOWS\repair
04/18/2005 02:47 PM 25,677 daelo.bak1
04/18/2005 03:38 PM 25,818 daelo.ini
04/15/2005 01:35 PM 419,348 dbinfo.dll
3 File(s) 470,843 bytes
0 Dir(s) 20,761,399,296 bytes free
Delete these files in the repair folder
C:\WINDOWS\repair
olead.old
daelo.bak1
daelo.ini
dbinfo.dll
HijackThis
O4 - HKLM\..\Run: [*binacc] C:\WINDOWS\Registration\binacc.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\cmdmp3.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\polmx2.inf
HijackThis
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\rasdvd.dll
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]
vundofix:
C:\WINDOWS\repair\rasdvd.dll
-----------------
HijackThis
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\mssrv.dll
O20 - Winlogon Notify: mssrv - C:\WINDOWS\Cursors\mssrv.dll
-----------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\hardcab.dll
O20 - Winlogon Notify: hardcab - C:\WINDOWS\msagent\hardcab.dll
--------------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: aplog - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: comiis - C:\WINDOWS\java\comiis.dll
--------------------
vundofix:
C:\WINDOWS\Help\SBSI\aplog.dll
C:\WINDOWS\Help\SBSI\golpa.dll
C:\WINDOWS\Help\SBSI\golpa.bak1
C:\WINDOWS\Help\SBSI\golpa.tmp
-------------------------
HijackThis
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Fonts\svcodbc.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstrs.dll
O20 - Winlogon Notify: svcodbc - C:\WINDOWS\Fonts\svcodbc.dll
C:\WINDOWS\Fonts\svcodbc.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\287.tmp -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\3FA.tmp -> Spyware.Virtumonde : Cleaned with backup
----------------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\msvcdisk.dll
O20 - Winlogon Notify: msvcdisk - C:\WINDOWS\Web\msvcdisk.dll
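Across the HijackThis excerpts above the same pattern recurs: a DLL with a random name in a data directory under C:\WINDOWS (Fonts, Cursors, msagent, Help\SBSI, Web, repair, java) shows up once as an O2 BHO called "MSEvents Object" and again as an O20 Winlogon Notify package. The Python below is an added example, not part of the original notes or of HijackThis, that parses O2/O20 lines and lists those indicators per DLL so the pairing is visible at a glance. The sample input is built from lines quoted above plus one hypothetical benign entry (made-up name, CLSID and path); the directory list, the indicator wording and the function names are assumptions of this example, and the absence of an indicator is not a clean bill of health: sstrs.dll sits in system32 and is flagged only because its BHO has no name.

```python
import re
from collections import defaultdict

# Constructed sample input: HijackThis O2/O20 lines quoted in the notes, plus one hypothetical
# benign-looking BHO (made-up name, CLSID and path) so that not every entry is flagged.
SAMPLE_HJT = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Fonts\svcodbc.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstrs.dll
O20 - Winlogon Notify: svcodbc - C:\WINDOWS\Fonts\svcodbc.dll
O20 - Winlogon Notify: comiis - C:\WINDOWS\java\comiis.dll
O2 - BHO: Example Toolbar - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [*binacc] C:\WINDOWS\Registration\binacc.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Subdirectories of the Windows directory that the notes show Vundo using as drop locations
# (assumed list). They hold fonts, cursors, help files, web templates, registry repair copies,
# etc.; a legitimate BHO or Winlogon Notify DLL is not installed there.
DATA_DIRS = {"fonts", "cursors", "help", "web", "repair", "java", "msagent", "apppatch", "inf"}


def parse_hjt(text):
    """Parse HijackThis O2 (BHO) and O20 (Winlogon Notify) lines; other item types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "BHO", "name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "WinlogonNotify", "name": m["name"], "clsid": None, "path": m["path"]})
    return entries


def in_data_dir(path):
    """True if the file sits in (or below) one of DATA_DIRS directly under the Windows directory."""
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) >= 4 and parts[1] == "windows" and parts[2] in DATA_DIRS


def triage(entries):
    """Group load points by DLL path and list the reasons each DLL deserves a closer look."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"].lower()].append(e)
    findings = {}
    for path, group in by_path.items():
        kinds = {e["kind"] for e in group}
        reasons = []
        if {"BHO", "WinlogonNotify"} <= kinds:
            reasons.append("same DLL registered both as a BHO and as a Winlogon Notify package")
        if in_data_dir(path):
            reasons.append("DLL stored in a Windows data directory rather than a code directory")
        if any(e["kind"] == "BHO" and e["name"] in ("(no name)", "MSEvents Object") for e in group):
            reasons.append("BHO display name is missing or is the 'MSEvents Object' string seen on every Vundo DLL in the notes")
        findings[path] = reasons
    return findings


def flagged(findings):
    """Sorted list of DLL paths that collected at least one reason."""
    return sorted(p for p, r in findings.items() if r)


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_HJT))
    for path in sorted(result):
        print(path)
        for reason in result[path] or ["no indicator; verify the publisher and file hash instead"]:
            print("   -", reason)
```

On the sample, svcodbc.dll collects all three indicators, comiis.dll and sstrs.dll one each, and the hypothetical toolbar DLL none; the point of the grouping is that the BHO and the Winlogon Notify entry for one DLL are printed together rather than as two unrelated HijackThis lines.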
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\system32\ljjkk.dll
The second filepath entered was C:\WINDOWS\system32\kkjjl.*
Killing PID 136 'smss.exe'
Killing PID 760 'explorer.exe'
C:\WINDOWS\system32\ljjkk.dll Deleted sucessfully.
C:\WINDOWS\system32\kkjjl.* Deleted sucessfully.
Fixing Registry