-----------------
EDIT:
Our mod kampfschaf was hacked yesterday, so we banned him to avoid more damage.
Kampfschaf is back and we are happy to have him in our crawler team.
-----------------
After a long night and a lot of coffee I managed to find out how the virus works.
How the virus works:
1) If you click on the launcher, the executable vanishes and nothing happens.
2) The virus injects itself into the system service (svchost.exe).
3) Now it downloads the virus (it's a password stealer :-( ).
4) The virus is located at WINDOWS\Temp, name atixxx.tmp.
5) If you reboot, it gets loaded by AMDEX2.msi.
These were my infected registry paths:
Local_Machine\SYSTEM\ControlSet001\Services\6to4\Parameters\ServiceDll AMDEx3.msi
Local_Machine\SYSTEM\ControlSet002\Services\6to4\Parameters\ServiceDll AMDEx3.msi
Local_Machine\SYSTEM\CurrentControlSet\Services\6to4\Parameters\ServiceDll AMDEx3.msi
How to remove manually (FOR PROS!!!):
1) Open cmd.exe
2) Enter regedit
3) Search for the registry keys I provided above.
4) Delete all keys that contain AMDEx...
5) Reboot the system.
6) Go to Windows\Temp and delete atixxx.tmp
7) Go to Windows\Installer and delete AMDEx....msi
That should remove the virus.
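As an added, report-only check (my own example, not the poster's tool or steps): the PowerShell script below reads the 6to4 ServiceDll value from the three registry paths listed above and looks for the file names the post gives. It assumes a normal ServiceDll ends in .dll (the genuine 6to4 service DLL is 6to4svc.dll under System32) and deletes nothing.

```powershell
# Added example, not from the original post. Reports the indicators the post
# describes; the ".dll" baseline for ServiceDll is an assumption about the
# normal service configuration, everything else comes from the post.
$keys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\6to4\Parameters',
    'HKLM:\SYSTEM\ControlSet002\Services\6to4\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\6to4\Parameters'
)

$findings = @()

foreach ($key in $keys) {
    # ServiceDll tells svchost.exe which DLL to load for this service.
    $props = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $dll  = [string]$props.ServiceDll
    $leaf = [System.IO.Path]::GetFileName($dll)
    # An AMDEx* name, or anything that is not a .dll at all, matches the infection pattern.
    if ($leaf -like 'AMDEx*' -or $leaf -notlike '*.dll') {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = $key; Value = $dll }
    }
}

# Dropped files named in the post: WINDOWS\Temp\atixxx.tmp and Windows\Installer\AMDEx*.msi
$fileChecks = @(
    @{ Dir = Join-Path $env:SystemRoot 'Temp';      Filter = 'ati*.tmp' },
    @{ Dir = Join-Path $env:SystemRoot 'Installer'; Filter = 'AMDEx*.msi' }
)
foreach ($chk in $fileChecks) {
    Get-ChildItem -Path $chk.Dir -Filter $chk.Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $_.FullName
                Value    = ('{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime)
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell; a hit on the registry lines means svchost.exe would load the listed file as the 6to4 service on the next boot, which is exactly step 5 above.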
This tool detects and can remove it:
I found the tool Malwarebytes. It detects and can remove the virus. Please follow the instructions on the Malwarebytes homepage.
http://downloads.malwarebytes.org/mbam-download.php
For all who are interested in the virus code, this is what I could recover from it:
http://pastebin.com/kEC6jNFR
http://pastebin.com/eXcJDPc6
http://www.n00bunlimited.net/pastebin.php?show=64264