AdminBot | 05.07.2011 15:49 | Remove Anti-Malware Lab

What is Anti-Malware Lab?

Anti-Malware Lab belongs to the Rogue.VirusDoctor malware family. It is another rogue in the form of a fake scanner: it gets onto the PC by way of a trojan and makes the user believe it is scanning the PC for malware. This software (Anti-Malware Lab) is a fake, is itself malware, and should not be bought.

Because software like Anti-Malware Lab will fight any attempt at removal, and Anti-Malware Lab often installs rootkits alongside itself, a fresh installation of the system should be considered.

Scareware like Anti-Malware Lab is no longer spread exclusively via 'dubious sites' for cracks, keygens and warez; reputable sites are increasingly being abused to distribute it as well ( http://www.trojaner-board.de/90880-d...tallation.html ).

The most important protection against infection is an up-to-date Windows (with all updates) and up-to-date third-party software such as Java or Adobe Flash!

Symptoms of Anti-Malware Lab:
- constant fake virus alerts from Anti-Malware Lab
- the PC runs slower than usual since Anti-Malware Lab appeared
Fake alerts from Anti-Malware Lab:

%AppData%\Microsoft\Windows\Recent\ANTIGEN.dll
%AppData%\Microsoft\Windows\Recent\PE.exe
%AppData%\Microsoft\Windows\Recent\PE.tmp
%AppData%\Microsoft\Windows\Recent\cid.drv
%AppData%\Microsoft\Windows\Recent\cid.sys
%AppData%\Microsoft\Windows\Recent\eb.dll
%AppData%\Microsoft\Windows\Recent\eb.tmp
%AppData%\Microsoft\Windows\Recent\energy.dll
%AppData%\Microsoft\Windows\Recent\exec.dll
%AppData%\Microsoft\Windows\Recent\exec.drv
%AppData%\Microsoft\Windows\Recent\fan.tmp
%AppData%\Microsoft\Windows\Recent\pal.drv
%AppData%\Microsoft\Windows\Recent\ppal.dll
%AppData%\Microsoft\Windows\Recent\std.drv
%AppData%\Microsoft\Windows\Recent\tjd.sys

An unauthorized program has been prevented from accessing your PC remotely. #Port:433 from 92.11.127.10

An unauthorized software C:\Program Files\Internet Explorer\Iexplore.exe which is potentially malicious and able to modify system files has been prevented from being installed on your PC.

Anti-Malware Lab has detected potentially harmful software in your system. It is strongly recommended that you register Anti-Malware Lab to remove all found threats immediately.

Notepad.exe cannot be executed. The file is infected. Please activate your antivirus software.

Files of Anti-Malware Lab:
Code:
%AllUsersProfile%\2d764c\
%AllUsersProfile%\2d764c\041705.reg
%AllUsersProfile%\2d764c\1884.mof
%AllUsersProfile%\2d764c\582.mof
%AllUsersProfile%\2d764c\AM2d7_2363.exe
%AllUsersProfile%\2d764c\AML.ico
%AllUsersProfile%\2d764c\AMLSys\
%AllUsersProfile%\2d764c\Quarantine Items\
%AllUsersProfile%\2d764c\mcp.ico
%AllUsersProfile%\AMCHBAL\
%AllUsersProfile%\AMCHBAL\AMCGWYSUL.cfg
%AppData%\Anti-Malware Lab\
%AppData%\Microsoft\Internet Explorer\Quick Launch\Anti-Malware Lab.lnk
%AppData%\Microsoft\Windows\Recent\ANTIGEN.dll
%AppData%\Microsoft\Windows\Recent\PE.exe
%AppData%\Microsoft\Windows\Recent\PE.tmp
%AppData%\Microsoft\Windows\Recent\cid.drv
%AppData%\Microsoft\Windows\Recent\cid.sys
%AppData%\Microsoft\Windows\Recent\eb.dll
%AppData%\Microsoft\Windows\Recent\eb.tmp
%AppData%\Microsoft\Windows\Recent\energy.dll
%AppData%\Microsoft\Windows\Recent\exec.dll
%AppData%\Microsoft\Windows\Recent\exec.drv
%AppData%\Microsoft\Windows\Recent\fan.tmp
%AppData%\Microsoft\Windows\Recent\pal.drv
%AppData%\Microsoft\Windows\Recent\ppal.dll
%AppData%\Microsoft\Windows\Recent\std.drv
%AppData%\Microsoft\Windows\Recent\tjd.sys
%StartMenu%\Programs\Anti-Malware Lab.lnk
%StartMenu%\Anti-Malware Lab.lnk
%UserProfile%\Desktop\Anti-Malware Lab.lnk

Registry entries of Anti-Malware Lab:
Code:
HKCU\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=2363&q={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures 1
HKCU\Software\Microsoft\Internet Explorer\PRS http://127.0.0.1:27777/?inj=%ORIGINAL%
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=2363&q={searchTerms}
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\6969000903
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\lib/7.02363
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UID 2363
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 msseces.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 MSASCui.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 avgscanx.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 avgcfgex.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 avgemc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 avgchsvx.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 avgcmgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 avgwdsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 ekrn.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 egui.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 avgnt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 avcenter.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 avscan.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 avgfrw.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 avgui.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 avgtray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Malware Lab
HKLM\SOFTWARE\Classes\AM2d7_231.DocHostUIHandler
HKLM\SOFTWARE\Classes\AM2d7_2363.DocHostUIHandler
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKCU\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures "no"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "2"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser "2"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA "1"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP
... and many more Image File Execution Options entries.

Anti-Malware Lab in the HijackThis log:
Code:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:27777
O4 - HKCU\..\Run: [Anti-Malware Lab] "%AllUsersProfile%\<random characters>\<random characters>_<random numbers>.exe" /s /d
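The file paths, registry values and the HijackThis proxy line above are the indicators a responder would check for on a suspect machine. The following PowerShell script is an added example, not part of the trojaner-board post: it is a read-only check that looks for exactly those indicators and prints what it finds, without deleting or changing anything. Two things in it are assumptions that go beyond the post: the %StartMenu% placeholder is resolved with GetFolderPath, and the Image File Execution Options subkeys are flagged only when they carry a "Debugger" value (the usual way that key is used to hijack a program), since the post lists only the subkey names.

```powershell
# Added example (not from the trojaner-board post): read-only check for the
# Anti-Malware Lab indicators listed above. Run it as the affected user in an
# elevated PowerShell; it only reports and changes nothing.
# Assumptions not in the post: %StartMenu% is resolved via GetFolderPath, and
# IFEO subkeys are flagged when they carry a "Debugger" value (the usual hijack
# mechanism; the post only names the subkeys).

$findings = New-Object 'System.Collections.Generic.List[string]'

# Report a registry value if it exists and (when $Expected is given) matches it.
function Test-Value {
    param([string]$Key, [string]$Name, [object]$Expected, [string]$Why)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = $item.$Name
    if ($null -eq $Expected -or "$actual" -eq "$Expected") {
        $findings.Add("[REG] $Key\$Name = '$actual' ($Why)")
    }
}

# --- Files and shortcuts the post lists -----------------------------------
$startMenu = [Environment]::GetFolderPath('StartMenu')
$recent    = Join-Path $env:AppData 'Microsoft\Windows\Recent'
$paths = @(
    (Join-Path $env:AppData     'Anti-Malware Lab'),
    (Join-Path $env:AppData     'Microsoft\Internet Explorer\Quick Launch\Anti-Malware Lab.lnk'),
    (Join-Path $env:UserProfile 'Desktop\Anti-Malware Lab.lnk'),
    (Join-Path $startMenu       'Anti-Malware Lab.lnk'),
    (Join-Path $startMenu       'Programs\Anti-Malware Lab.lnk')
)
# Planted files in the Recent folder that the fake scanner "detects"
foreach ($n in 'ANTIGEN.dll','PE.exe','PE.tmp','cid.drv','cid.sys','eb.dll','eb.tmp',
               'energy.dll','exec.dll','exec.drv','fan.tmp','pal.drv','ppal.dll','std.drv','tjd.sys') {
    $paths += Join-Path $recent $n
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("[FILE] $p") }
}
# Random six-hex-character folder under %AllUsersProfile% holding an AM*.exe (2d764c in the post)
Get-ChildItem -Path $env:AllUsersProfile -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^[0-9a-f]{6}$' } |
    ForEach-Object {
        $exe = @(Get-ChildItem -Path $_.FullName -Filter 'AM*.exe' -ErrorAction SilentlyContinue)
        if ($exe.Count -gt 0) {
            $names = ($exe | ForEach-Object { $_.Name }) -join ', '
            $findings.Add("[FILE] $($_.FullName) contains $names")
        }
    }

# --- Registry values the post lists ---------------------------------------
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Test-Value $pol 'DisallowRun' 1 'Explorer refuses to start the programs listed under DisallowRun'
if (Test-Path "$pol\DisallowRun") {
    $k = Get-Item "$pol\DisallowRun"
    foreach ($v in $k.GetValueNames()) {
        $findings.Add("[REG] DisallowRun\$v = $($k.GetValue($v)) (blocked security program)")
    }
}
$dl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
Test-Value $dl 'CheckExeSignatures'   'no' 'signature check for downloads switched off'
Test-Value $dl 'RunInvalidSignatures' 1    'downloads with invalid signatures allowed to run'
Test-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Anti-Malware Lab' $null 'autostart entry'
Test-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'UID' $null 'UID value from the post'
Test-Value 'HKCU:\Software\Microsoft\Internet Explorer' 'PRS' $null 'points the browser at the local injection proxy'

# Proxy on 127.0.0.1:27777 (the R1 line in the HijackThis log)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyServer -match '127\.0\.0\.1:27777') {
    $findings.Add("[REG] ProxyServer = $($inet.ProxyServer) (browser traffic routed through local port 27777)")
}

# Search hijack: URL value on the SearchScopes key itself or on any of its subkeys
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$scopeKeys = @($scopes) + @(Get-ChildItem $scopes -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
foreach ($sk in $scopeKeys) {
    $url = (Get-ItemProperty -Path $sk -ErrorAction SilentlyContinue).URL
    if ($url -match 'findgala\.com') { $findings.Add("[REG] $sk URL = $url (search hijack)") }
}

# IFEO subkeys with a Debugger value (assumption, see header comment)
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) { $findings.Add("[REG] IFEO\$($_.PSChildName) Debugger = $dbg (assumed hijack of that program)") }
}

if ($findings.Count -eq 0) { Write-Output 'No Anti-Malware Lab indicators found.' }
else { $findings | Write-Output }
```

The DisallowRun and IFEO findings are the most useful ones to read: they show which security programs the rogue is blocking, which explains why an installed scanner no longer starts. A clean result from this script does not prove the machine is clean, since the post notes that this family often brings rootkits along; it only tells you whether the indicators documented here are present.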