Thursday, 06 October 2011

VundoFix.exe - Virtumonde - Troj ConHook

new Vundofix.exe



-> vundofix --> new Vundofix.exe (24.01.2006)

C:\WINDOWS\Fonts\svcodbc.dll - Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp - Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temporary Internet Files\Content.IE5\M07SNLYX\mm[2].js - Spyware.Chitika : Cleaned with backup
C:\System Volume Information\_restore{A94F1AD0-1BD4-4C7C-8121-E2881FB5E114}\RP265\A0048672.dll - TrojanDownloader.ConHook.k : Cleaned with backup


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}

-> L2mfix

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

C:\WINDOWS\SYSTEM32\
set71.tmp Wed 29 Jun 2005 3:49:40 A.... 74.240 72,50 K
set81.tmp Sun 3 Jul 2005 4:15:28 A.... 664.064 648,50 K
set82.tmp Sun 3 Jul 2005 4:15:28 A.... 605.696 591,50 K
set83.tmp Sun 3 Jul 2005 4:15:28 A.... 474.112 463,00 K

C:\WINDOWS\SYSTEM32\
cbxxu.dll Thu 25 Aug 2005 0:36:28 ..... 25.088 24,50 K

Directory of C:\WINDOWS\system32

07.09.2005 23:38 1.158 wpa.dbl
25.08.2005 00:36 25.088 cbxxu.dll
20.07.2005 04:04 3.012.096 mshtml.dll
20.07.2005 04:04 3.012.096 SET88.tmp


Open Notepad: Start/Run, type the command notepad and confirm; a Notepad editor appears.
Or via Start/Programs/Accessories/Notepad.
2. Paste the code into it:

-> findtheother.bat

3. Save the file as findtheother.bat on the Desktop
4. Double-click this file findtheother.bat (copy the output and post it)

Open Notepad: Start/Run, type the command notepad and confirm; a Notepad editor appears.
Or via Start/Programs/Accessories/Notepad.

2. Paste the code into it:

echo ** This batch was originally written by OSC **
rem Work inside the directory to inspect; both listings are appended to C:\contents.txt
cd C:\WINDOWS\inf\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
rem Strip the system, read-only, hidden and archive attributes recursively so the files can be seen and deleted
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit

3. Save the file as findtheother.bat on the Desktop
4. Double-click this file findtheother.bat (copy the output and post it)

echo ** This batch was originally written by OSC **
cd C:\WINDOWS\Web\printers\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit

************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6
Directory of C:\WINDOWS\Web\printers

04/21/2005 04:57 PM 25,677 vrspa.bak1
06/25/2005 01:53 PM 479,300 vrspa.bak2
05/12/2005 05:04 PM 385,858 vrspa.ini
06/27/2005 04:34 PM 386,134 vrspa.ini2
05/12/2005 05:04 PM 385,858 vrspa.tmp
5 File(s) 1,662,827 bytes
0 Dir(s) 20,756,287,488 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6

Directory of C:\WINDOWS\Web\printers

04/21/2005 04:57 PM 25,677 vrspa.bak1
06/25/2005 01:53 PM 479,300 vrspa.bak2
05/12/2005 05:04 PM 385,858 vrspa.ini
06/27/2005 04:34 PM 386,134 vrspa.ini2
05/12/2005 05:04 PM 385,858 vrspa.tmp
5 File(s) 1,662,827 bytes
0 Dir(s) 20,756,283,392 bytes free

delete these files
C:\WINDOWS\Web\printers

vrspa.bak1
vrspa.bak2
vrspa.ini
vrspa.ini2
vrspa.tmp

Edit findtheother.bat or make a new bat file, run it same as before, post the results

echo ** This batch was originally written by OSC **
cd C:\WINDOWS\repair
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit

************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6

Directory of C:\WINDOWS\repair

04/18/2005 02:47 PM 25,677 daelo.bak1
04/18/2005 03:38 PM 25,818 daelo.ini
04/15/2005 01:35 PM 419,348 dbinfo.dll
06/01/2003 01:22 AM 237,568 ntuser.dat
06/01/2003 01:28 AM 1,024 SAM.LOG
06/01/2003 01:28 AM 1,024 SECURITY.LOG
06/01/2003 01:28 AM 1,024 SOFTWARE.LOG
06/01/2003 01:28 AM 1,024 SYSTEM.LOG
8 File(s) 712,507 bytes
0 Dir(s) 20,761,403,392 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is E4B9-42B6

Directory of C:\WINDOWS\repair

04/18/2005 02:47 PM 25,677 daelo.bak1
04/18/2005 03:38 PM 25,818 daelo.ini
04/15/2005 01:35 PM 419,348 dbinfo.dll
3 File(s) 470,843 bytes
0 Dir(s) 20,761,399,296 bytes free

Delete these files in the repair folder

C:\WINDOWS\repair
olead.old
daelo.bak1
daelo.ini
dbinfo.dll

-> HijackThis

O4 - HKLM\..\Run: [*binacc] C:\WINDOWS\Registration\binacc.exe

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\cmdmp3.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\polmx2.inf

-> HijackThis

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\rasdvd.dll

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

vundofix:
C:\WINDOWS\repair\rasdvd.dll
-----------------

HijackThis

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Cursors\mssrv.dll
O20 - Winlogon Notify: mssrv - C:\WINDOWS\Cursors\mssrv.dll
-----------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\msagent\hardcab.dll
O20 - Winlogon Notify: hardcab - C:\WINDOWS\msagent\hardcab.dll
--------------------
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: aplog - C:\WINDOWS\Help\SBSI\aplog.dll
O20 - Winlogon Notify: comiis - C:\WINDOWS\java\comiis.dll
--------------------

vundofix:
C:\WINDOWS\Help\SBSI\aplog.dll
C:\WINDOWS\Help\SBSI\golpa.dll
C:\WINDOWS\Help\SBSI\golpa.bak1
C:\WINDOWS\Help\SBSI\golpa.tmp
-------------------------

HijackThis

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Fonts\svcodbc.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstrs.dll
O20 - Winlogon Notify: svcodbc - C:\WINDOWS\Fonts\svcodbc.dll

C:\WINDOWS\Fonts\svcodbc.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\AppPatch\anticat.dll -> Spyware.Virtumonde : Cleaned with backup

C:\Documents and Settings\Minh\Local Settings\Temp\145.tmp -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\287.tmp -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Minh\Local Settings\Temp\3FA.tmp -> Spyware.Virtumonde : Cleaned with backup

----------------------

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\msvcdisk.dll
O20 - Winlogon Notify: msvcdisk - C:\WINDOWS\Web\msvcdisk.dll
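The logs above show the pattern these infections leave behind: a DLL dropped into an unusual Windows subfolder (Fonts, Help\SBSI, Cursors, msagent, repair, Web) and registered twice, as a Browser Helper Object (HijackThis O2) and as a Winlogon Notify package (O20), plus a Notify subkey whose DllName is a bare random-looking file name. The following is an added example, not code from the forum posts nor from VundoFix, L2mfix or HijackThis: it parses a Winlogon\Notify registry export and HijackThis O2/O20 lines and applies those three checks. The sample text is constructed from fragments quoted above; the crypt32chain entry and the placeholder-CLSID BHO are benign controls added for the example, and the "expected directories" list and the five-letter-name rule are heuristics, not rules from any of those tools.

```python
"""Triage Winlogon Notify exports and HijackThis O2/O20 lines for Vundo-style
double registration.  Added example; heuristics and sample input are
constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample: fragments quoted in the posts above plus two benign controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxxu]
"Asynchronous"=dword:00000001
"DllName"="cbxxu.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
"""

SAMPLE_HJT = r"""O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Fonts\svcodbc.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\sstrs.dll
O2 - BHO: Example Helper (placeholder CLSID) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\example.dll
O20 - Winlogon Notify: svcodbc - C:\WINDOWS\Fonts\svcodbc.dll
O4 - HKLM\..\Run: [*binacc] C:\WINDOWS\Registration\binacc.exe
"""

REG_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]\\]+)\]$", re.I)
REG_DLL = re.compile(r'^"DllName"="([^"]+)"$')
HJT_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

# CLSID seen on every MSEvents BHO line in the posts above.
MSEVENTS_CLSID = "{827DC836-DD9F-4A68-A602-5812EB50A834}"
# Assumption: where legitimate BHO / Notify DLLs normally live.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")


def parse_notify_export(text):
    """Return {subkey: DllName} from a Winlogon\\Notify .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            continue
        m = REG_DLL.match(line)
        if m and current:
            entries[current] = m.group(1)
    return entries


def parse_hjt(text):
    """Return (bho_entries, notify_entries) from HijackThis O2 and O20 lines."""
    bhos, notify = [], []
    for line in text.splitlines():
        m = HJT_O2.match(line)
        if m:
            bhos.append({"name": m.group(1), "clsid": m.group(2).upper(), "path": m.group(3)})
            continue
        m = HJT_O20.match(line)
        if m:
            notify.append({"subkey": m.group(1), "path": m.group(2)})
    return bhos, notify


def suspicious_dir(path):
    """True when the DLL sits outside the expected directories (heuristic)."""
    d = path.lower().rsplit("\\", 1)[0]
    return not any(d == e or d.startswith(e + "\\") for e in EXPECTED_DIRS)


def triage(reg_text, hjt_text):
    """List (finding, subject, detail) tuples; an empty list means nothing flagged."""
    findings = []
    for subkey, dll in parse_notify_export(reg_text).items():
        # A bare DllName is resolved through the DLL search path (system32), so
        # location says nothing; a five-letter random-looking name is the tell here.
        if "\\" not in dll and re.fullmatch(r"[a-z]{5}\.dll", dll):
            findings.append(("notify-random-name", subkey, dll))
    bhos, notify = parse_hjt(hjt_text)
    by_path = defaultdict(set)
    for b in bhos:
        by_path[b["path"].lower()].add("O2")
        if b["clsid"] == MSEVENTS_CLSID:
            findings.append(("bho-msevents-clsid", b["clsid"], b["path"]))
        elif suspicious_dir(b["path"]):
            findings.append(("bho-odd-directory", b["clsid"], b["path"]))
    for n in notify:
        by_path[n["path"].lower()].add("O20")
        if suspicious_dir(n["path"]):
            findings.append(("notify-odd-directory", n["subkey"], n["path"]))
    for path, kinds in by_path.items():
        if kinds == {"O2", "O20"}:  # same DLL hooked into both IE and Winlogon
            findings.append(("bho-and-notify-same-dll", path, ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_HJT):
        print(*f)
```

Note that sstrs.dll in system32 is not flagged by any of the three checks even though the scan log above identifies it as part of the same infection: a clean-looking location clears nothing, and a DLL should be judged by what it is (hash, signature, strings), not only by where it sits.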


vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\system32\ljjkk.dll
The second filepath entered was C:\WINDOWS\system32\kkjjl.*

Killing PID 136 'smss.exe'
Killing PID 760 'explorer.exe'
C:\WINDOWS\system32\ljjkk.dll Deleted sucessfully.
C:\WINDOWS\system32\kkjjl.* Deleted sucessfully.
Fixing Registry

Angry IP Scanner Help Page


What is Angry IP Scanner?
Angry IP Scanner is a program that allows you to "scan" a network to locate network devices. It is a great program for doing a network audit or for just finding out more information about your network. Angry IP Scanner will locate any network device (computer, printer, network hard drive, etc.) that responds to the scan. In other words, it will find any device on the network that has an IP address and whose firewall does not drop the scanner's probes.
Basic Tutorial
Angry IP Scanner is a very powerful network scanner. It is a great tool for doing network audits, locating network devices or computers, and finding out information about your network. If you don't understand any term while reading this help page please see the glossary near the bottom of the page.

Enter an IP range to begin using the program. Click on the double arrow on the right side for more options.

http://www.paulscomputerservice.net/angryip/images/before.jpg

Click on the button under "Hostname:" to choose different columns. Click on the "..." next to "Scan ports" to scan hosts for open ports.

http://www.paulscomputerservice.net/angryip/images/after.jpg

Click "Start" to begin the Scan.
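The tutorial above describes the two things the program does: expand the entered IP range into individual addresses, then probe each one and, optionally, test a list of ports. The following is an added example that does the same in code; it is not Angry IP Scanner's own code. It differs in one respect: it tests reachability with a TCP connect() to each port rather than an ICMP ping, because sending raw ICMP needs administrator rights. The target is a listener the script itself starts on 127.0.0.1 (constructed for the demo), next to a port it has just released so that one probe is known open and one known closed.

```python
"""Expand an IP range and TCP-connect scan it.  Added example, not code
from Angry IP Scanner; the localhost listener is a constructed target."""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def expand_range(start, end):
    """Every IPv4 address from start to end inclusive (what the two range boxes take)."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError("end address precedes start address")
    return [str(ipaddress.IPv4Address(i)) for i in range(int(a), int(b) + 1)]


def port_open(host, port, timeout=0.5):
    """TCP connect probe: True if the port accepts, False on refusal or timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def scan(hosts, ports, timeout=0.5, workers=64):
    """{host: [open ports]} for hosts with at least one open port; probes run in parallel."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(port_open, h, p, timeout): (h, p)
                   for h in hosts for p in ports}
        for fut, (h, p) in futures.items():
            if fut.result():
                results.setdefault(h, []).append(p)
    return {h: sorted(ps) for h, ps in results.items()}


def start_demo_listener():
    """Constructed target: a TCP listener on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan localhost for one open and one closed port; returns (results, open, closed)."""
    srv, open_port = start_demo_listener()
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # released again: nothing listens here now
    hosts = expand_range("127.0.0.1", "127.0.0.1")
    found = scan(hosts, [open_port, closed_port])
    srv.close()
    return found, open_port, closed_port


if __name__ == "__main__":
    found, o, c = demo()
    print(f"open port {o}, closed port {c} -> {found}")
```

A host that drops the probes entirely shows up as a timeout, not a refusal, which is exactly the firewall case the troubleshooting section below describes; raising the timeout does not help, only the host's own configuration does.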
General Troubleshooting and Tips
How to ping a computer: "Start Menu" > Run > type "ping", then a space, then the IP address, and click OK.
http://www.paulscomputerservice.net/angryip/images/ping.jpg

You should get a reply like below:
http://www.paulscomputerservice.net/angryip/images/ping_reply.jpg

If you can't ping a computer then Angry IP Scanner won't find it: by default it decides whether a host is alive by pinging it, so a host that drops ping requests is reported as dead even if it has open ports.

How to use "ipconfig":
Go to "Start Menu" > Run > type "cmd"
http://www.paulscomputerservice.net/angryip/images/cmd.jpg

At the Command Prompt type "ipconfig /all". This will display useful information.
http://www.paulscomputerservice.net/angryip/images/ipconfig_all.jpg
"IP Address" is your computer's IP address. "Default Gateway" is normally your router or server. "DHCP Server" is normally your router or server. "Physical Address" is your MAC address.


Angry IP Scanner won't tell me what user is logged on:
The user name is read from the target's NetBIOS name table, where it is registered by the Messenger service. That service has to be running on the systems you scan for the logged-on user to appear.

List of Potential Software Firewalls Interfering with IP Scan:
Norton Internet Security
Norton Personal Firewall
McAfee Personal Firewall
ZoneAlarm
Sygate Personal Firewall
Windows XP SP2 Firewall
Windows XP (pre-SP2) Firewall
Routers also contain a firewall
etc.


Can't find computers behind a router
Almost all routers today also function as a type of firewall. If you scan a network that sits behind a router you are not connected to, the scan will find nothing except the router itself. Routers can be configured to forward ports and let traffic pass through, but that is not the default setting. Angry IP Scanner is made to scan your local network; using it to scan an external network requires advanced knowledge of networking.


List of Common Ports:
21 FTP
22 SSH (also carries SCP and SSH-based SFTP)
23 Telnet
25 SMTP
53 DNS (Domain Name System)
67 + 68 DHCP (server + client)
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Simple File Transfer Protocol, a legacy protocol; not the SSH file transfer that runs over port 22)
119 NNTP (Network News Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns (name service)
138 NetBIOS-dgm (datagram service)
139 NetBIOS-ssn (session service; SMB over NetBIOS)
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 HTTPS (HTTP over SSL/TLS)
445 SMB (directly over TCP, without NetBIOS)
993 IMAPS (IMAP over SSL/TLS)
995 POP3S (POP3 over SSL/TLS)
4000 ICQ
5010 Yahoo! Messenger
5190 AOL Instant Messenger
5632 pcAnywhere
5800 + 5900 VNC (remote administration; 5800 serves the browser viewer, 5900 the VNC protocol itself)
8080 HTTP Proxy

For a complete list of ports see here:
http://www.chebucto.ns.ca/~rakerman/port-table.html
http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
http://www.iana.org/assignments/port-numbers
http://lists.gpick.com/portlist/portlist.htm

Glossary
IP Address: An IP address is a number used to identify a network device or computer on a network using the TCP/IP protocol. An IPv4 address consists of 4 numbers, each separated by a period, and each number is between 0 and 255.

MAC Address: This is also an address used to identify network devices. MAC addresses are not protocol dependent and are normally built into the hardware.

Subnet Mask: The subnet mask consists of 4 numbers each separated by a period. This number is used to identify which part of an IP address is the network portion and which part is the host portion.
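The network/host split the Subnet Mask entry describes is a bitwise operation: AND the address with the mask to get the network part, AND it with the inverted mask to get the host part. The following is an added example, not from the help page, that carries that out on dotted-quad strings so the arithmetic is visible, derives the addresses a scan of "your local network" would cover, and uses Python's ipaddress module only as a cross-check at the end.

```python
"""Subnet-mask arithmetic on dotted quads.  Added example, not from the
Angry IP Scanner help page."""
import ipaddress


def dotted_to_int(addr):
    """Parse a dotted quad into a 32-bit integer, rejecting octets outside 0-255."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 dotted quad: {addr!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def int_to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_is_valid(mask):
    """A mask is a run of 1 bits followed by a run of 0 bits; 255.0.255.0 is not one."""
    inv = ~dotted_to_int(mask) & 0xFFFFFFFF     # the host bits, as a number
    return inv & (inv + 1) == 0                 # true only for 2**k - 1


def split(addr, mask):
    """Network part, host part, broadcast and usable range for addr under mask."""
    if not mask_is_valid(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    network = a & m                 # AND with the mask keeps the network portion
    broadcast = network | host_bits  # all host bits set
    prefix = bin(m).count("1")       # the /24 style notation for the same mask
    info = {
        "network": int_to_dotted(network),
        "host_part": a & host_bits,  # AND with the inverted mask keeps the host portion
        "broadcast": int_to_dotted(broadcast),
        "prefix": prefix,
        # conventional count (network and broadcast excluded); /31 links are a special case
        "usable_hosts": host_bits - 1 if prefix <= 30 else 0,
    }
    if prefix <= 30:
        info["first_host"] = int_to_dotted(network + 1)
        info["last_host"] = int_to_dotted(broadcast - 1)
    return info


def same_subnet(a, b, mask):
    """True when a and b share the network part, i.e. they can talk without a router."""
    m = dotted_to_int(mask)
    return dotted_to_int(a) & m == dotted_to_int(b) & m


def cross_check(addr, mask):
    """Agree with the standard library on network, broadcast and prefix length."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    s = split(addr, mask)
    return (s["network"] == str(net.network_address)
            and s["broadcast"] == str(net.broadcast_address)
            and s["prefix"] == net.prefixlen)


if __name__ == "__main__":
    print(split("192.168.1.37", "255.255.255.0"))
    print(same_subnet("192.168.1.37", "192.168.2.5", "255.255.255.0"))
```

The first_host/last_host pair is the range you would type into the scanner's two boxes to cover exactly your own subnet; an address outside that range is reached through the Default Gateway that ipconfig reports, and the scan then sees only the router, as the troubleshooting section explains.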

Ping: An action performed on a network device where a small amount of data is sent to the device and the sender times how long it takes for the network device to respond. Response time is normally measured in milliseconds. Firewalls can prevent a device from responding to a ping.

Host: Another way of referring to a computer or network device on a network.

Router: A network device that forwards traffic between networks. Home routers also perform network address translation, sharing a single public IP address among many private IP addresses, and usually include a firewall.

Port: A port is like a door into a network device. Port numbers range from 0 to 65535. An open port normally indicates a service waiting for a connection.

Hostname: The name used to refer to a computer or network device.

DNS Server: DNS servers convert hostnames to IP addresses so that computers can communicate with each other.

Firewall: Any software or hardware mechanism that filters network traffic, typically preventing a network device from responding to requests it was not configured to accept.