Help: caught Trojan Lefeat.1

ede (registered Nov. 2001, 23 posts)
Hello,
Antivir reports Trojan Lefeat.1.
It can only be removed for a short while
and comes back with every new dial-up.
Anti Trojan 5.5 and Trojan Remover don't find it.
What can I do to remove it from the registry for good? Regards, Mätti
Are you using Win XP?

Well, I'd say you have a security hole in Windows (=> visit the Windows Update site), which is why Windows keeps reinfecting itself (even if you kill the trojan)!

But have a look here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.SA

Details:
This Trojan is uploaded to a system by other malware, such as TROJ_AGENT.JR, or manually installed by a user.

On Windows 95, 98 and ME, it creates the following registry entry to ensure automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
%file name of this Trojan% = "%path and file name of this Trojan%"

On Windows NT, 2000, and XP, it registers itself as a service using any of the following service names:

Network Security Service
Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service

It creates the following registry entries to be able to do the above-mentioned routine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_*008F*0010AF*00E5*0003*0017*001A*00A4*00B6*00C0*00A8

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨
DisplayName = "%Service Name%"

(Note: %Service Name% is one of the four service names previously enumerated.)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨
ErrorControl = "dword:00000000"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨
ImagePath = "<malware path and file name>"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨
Start = "dword:00000002"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨
Type = "dword:00000020"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AF叏¤À¨\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%AFå¤À¨\Security

As of this writing, the tests conducted showed that only the first registry entry could be created when this trojan is executed in Windows XP systems.

As part of its installation routine, it adds the following registry entries:

HKEY_CLASSES_ROOT\CLSID\%random CLSID%\LocalServer32
@ = "%path and file name of this Trojan%"

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\%random CLSID%\LocalServer32
@ = "%path and file name of this Trojan%"

On Windows NT, 2000, and XP, it deletes the following registry subkey and a file associated with the said subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

The said registry entry lists .DLL files that are loaded by every Microsoft Windows-based application running in the current login session. Deleting the said entry as well as the associated file may cause any application using that file to crash.

This Trojan is compressed using UPX.


Solution:
Identifying the Malware Program

To remove this malware, first identify the malware program.

Scan your system with your Trend Micro antivirus product.
NOTE all files detected as TROJ_SMALL.SA.

NOTE: For Windows 95, 98, and ME users, please perform the instructions given in the next two sections, then proceed directly to the Running Trend Micro Antivirus section. For Windows NT, 2000, and XP, please skip the next two sections.

Restarting in Safe Mode

» On Windows 95

Restart your computer.
Press F8 at the Starting Windows 95 message.
Choose Safe Mode from the Windows 95 Startup Menu then press Enter.

» On Windows 98 and ME

Restart your computer.
Press the CTRL key until the startup menu appears.
Choose the Safe Mode option then press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
Still in the left panel, locate and delete the entry:
%AF叏¤À¨
Close Registry Editor.

--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Terminating the Service

To terminate the execution of the malware, do the following:

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>%AF叏¤¶À¨
In the right panel, locate the entry DisplayName in the leftmost column and note its data value (located at the rightmost column).
Open the Services window. To do this, click the following:
Start>Settings>Control Panel
In the window that appears, click Administrative Tools. Then, click Services in the Administrative Tools window.
In the Services window, locate the data value you noted earlier in the right panel (under the Name heading in the leftmost column). Right-click on the entry and choose Stop.
Close the Services and Administrative Tools windows.

Removing Other Entries from the Registry

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
On the menu, choose Edit>Find.
In the popup box, type the name of the malware files detected above. Then click Find Next.
Once a match is found, check if the registry entry looks like any of the following:

HKEY_CLASSES_ROOT>CLSID>%random CLSID%>LocalServer
@ = "%path and file name of this Trojan%"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\%random CLSID%\LocalServer
@ = "%path and file name of this Trojan%"

If the registry key data matches any of the mentioned forms, go to the parent registry subkeys. In the left panel, locate and delete the following:
HKEY_CLASSES_ROOT>CLSID>%random CLSID%
HKEY_LOCAL_MACHINE>Software>Classes>CLSID>%random CLSID%
In the left panel, locate and delete the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>%AF叏¤¶À¨
Close Registry Editor.

--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SMALL.SA. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s online virus scanner.

EDIT: I don't like saying this... but do you have a software firewall (e.g. ZoneAlarm) running? So that the trojan can't just reload files from the net without further ado!
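The Trend Micro description quoted above names three persistence points (a service under CurrentControlSet\Services with one of four display names, a RunServices value, and a CLSID LocalServer32 default value) and the removal steps ask the reader to hunt for them by hand in REGEDIT. The script below is an added example, not part of this thread or of Trend Micro's write-up: it parses a registry export (the text format REGEDIT writes via File > Export, assumed to be the Version 5.00 format with string and dword values) and reports services that match those indicators, cross-checking whether the same binary is also registered in RunServices or as a LocalServer32 handler. The sample export, the service name nsshelp, the CLSID and the file paths are constructed for the demo; the "ImagePath outside the Windows directory" heuristic is my own addition and not something the description states.

```python
import re

# Service display names listed in the Trend Micro description of TROJ_SMALL.SA.
SUSPECT_DISPLAY_NAMES = {
    "Network Security Service",
    "Network Security Service (NSS)",
    "Remote Procedure Call (RPC) Helper",
    "Workstation NetLogon Service",
}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
RUNSERVICES_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
LOCALSERVER_RE = re.compile(r"\\CLSID\\\{[0-9A-Fa-f-]+\}\\LocalServer32$", re.IGNORECASE)

# Constructed sample export: one legitimate service, one service matching the
# description, plus the two other persistence points pointing at the same file.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsshelp]
"DisplayName"="Network Security Service (NSS)"
"ImagePath"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost32.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"ErrorControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsshelp\Security]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"svchost32"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost32.exe"

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-0000-4000-8000-000000000001}\LocalServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost32.exe"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Strings are unescaped, dword values become ints, '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        name = "@" if name == "@" else name.strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def norm(path):
    """Normalise a binary path so entries from different keys compare equal."""
    return str(path).strip().strip('"').lower()


def other_autostart_paths(keys):
    """Map binary path -> list of the other persistence points that reference it."""
    paths = {}
    for key, values in keys.items():
        if key.lower() == RUNSERVICES_KEY.lower():
            for name, data in values.items():
                paths.setdefault(norm(data), []).append(f"RunServices value '{name}'")
        elif LOCALSERVER_RE.search(key) and "@" in values:
            paths.setdefault(norm(values["@"]), []).append(f"LocalServer32 default of {key}")
    return paths


def find_suspect_services(keys):
    """Return one finding per top-level service key that matches an indicator."""
    extra, findings = other_autostart_paths(keys), []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        svc = key[len(SERVICES_PREFIX):]
        if "\\" in svc:  # skip subkeys such as ...\Enum and ...\Security
            continue
        reasons = []
        if values.get("DisplayName") in SUSPECT_DISPLAY_NAMES:
            reasons.append("DisplayName is one of the four names listed for TROJ_SMALL.SA")
        if not svc.isascii() or not svc.isprintable():
            reasons.append("service key name contains non-printable or non-ASCII characters")
        image = norm(values.get("ImagePath", ""))
        # Heuristic (my addition): auto-start LocalSystem service running from outside %SystemRoot%.
        if values.get("Start") == 2 and norm(values.get("ObjectName", "")) == "localsystem" \
                and image and "\\windows\\" not in image and "%systemroot%" not in image:
            reasons.append("auto-start LocalSystem service whose ImagePath is outside the Windows directory")
        for where in extra.get(image, []):
            reasons.append(f"same binary is also registered in {where}")
        if reasons:
            findings.append({"service": svc, "display_name": values.get("DisplayName"),
                             "image_path": values.get("ImagePath"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspect_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['service']}: {f['display_name']} -> {f['image_path']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real machine you would export the three hives named in the description (Services, RunServices, and both CLSID trees) with REGEDIT and feed the file to parse_reg_export instead of the constructed sample; a service reported with several reasons at once, as nsshelp is here, is the pattern the write-up describes, whereas a lone display-name match still deserves a look at the file before anything is deleted.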