Vraag & Antwoord

Beveiliging & privacy

Anti-spywaresites onbereikbaar

7 antwoorden
  • Hallo, Ik heb weer eens het gevoel dat er iets niet lekker zit op m'n pc (zandlopertjes op rare momenten enzo). Na wat speurwerk wilde ik de silent runners.vbs eens proberen maar ik krijg die niet gedownload. Het blijkt nu dat ik "server not found" meldingen krijg bij bv: silent runners.org, castlecops.com en bleepingcomputer.com. Zie ik spoken? Hier een Hijacklog voor de zekerheid: Logfile of HijackThis v1.99.1 Scan saved at 21:35:50, on 13-12-2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avtask.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.paradigit.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paradigit.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Class - {48286112-2139-3237-6B85-0D428EA7B216} - C:\WINDOWS\wmcvq1.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129816168593 O17 - HKLM\System\CCS\Services\Tcpip\..\{5F172CAA-257D-4F05-A69D-A1C5C4CC8833}: NameServer = 194.109.104.104 194.109.6.66 O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DDF4B1-DDFD-4CFD-BEA5-46B8FCBBB0D6}: NameServer = 194.109.6.66,194.109.9.99 O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Panda TruPrevent (TPSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
  • Download dit bestand maar eens en voer het uit: [url=http://home.hetnet.nl/~stefsmeenk/cleansystem.exe]cleansystem.exe[/url] Na afloop krijg je een textbestandje post die tesamen met een nieuw log van hijackthis ;)
  • Hoi smeenk, Dank voor je reactie. Eerste keer dat ik cleansystem.exe liet lopen leek er na de restart van m'n computer niks te gebeuren. In C:\ verscheen een bestandje gromozon_removal.log maar die was leeg. Tweede keer, nadat ik m'n antivirus had uitgeschakeld, zag ik na de herstart heel even een windowtje open en dicht gaan. De gromozon_removal.log bevatte nu de tekst: Removal tool loaded into memory. En er was een nieuw bestandje te zien in C:\, genaamd armada.bat. Die wilde ik even inzien maar ik klikte op openen ipv bewerken (lang geleden dat ik met batjes heb gewerkt). Hij ging dus uitvoeren en er verscheen een nieuw bestand (of was die er al?): _cleaned.temp van flinke afmeting, 138 kB (gewijzigd op 23-11-2005?). Inhoud van armada.bat: @echo off echo ------------------------------------ echo Executing rootkit removal engine.... echo ------------------------------------ echo Disabling rootkit file: \\?\C:\WINDOWS\System32\com9.kop move \\?\C:\WINDOWS\System32\com9.kop C:\_cleaned.tmp echo Resetting file permissions... echo Y|cacls C:\_cleaned.tmp /G %USERNAME%:F>NUL echo Clearing attributes... attrib -s -h -r C:\_cleaned.tmp echo Removing file... del C:\WINDOWS\System32\drivers\armada.sys echo Rootkit removed! Cleaning up... echo. sc stop Armada_Cleaner>NUL sc delete Armada_Cleaner>NUL echo Removing temp files... echo Y|del /f /s /q %TEMP%\>NUL echo Y|del /f /s /q C:\WINDOWS\TEMP\>NUL del C:\armada.bat En het probleem lijkt opgelost! Ik kan de sites die ik in m'n openingspost noemde weer bereiken. Hier nog even m'n nieuwe Hijacklog: Logfile of HijackThis v1.99.1 Scan saved at 13:17:57, on 14-12-2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.paradigit.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paradigit.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Class - {48286112-2139-3237-6B85-0D428EA7B216} - C:\WINDOWS\wmcvq1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129816168593 O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DDF4B1-DDFD-4CFD-BEA5-46B8FCBBB0D6}: NameServer = 194.109.6.66,194.109.9.99 O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Panda TruPrevent (TPSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe Het enige verschil dat ik zie is dat de C:\WINDOWS\wmcvq1.dll niet meer gemist wordt. Heeft dat er iets mee te maken? Denk je dat de rootkit nu helemaal verwijderd is? En, nu ik er toch ben, enig idee hoe ik aan die KernelFaultCheck kom? (Is niet zo erg hè?). smeenk, hardstikke bedankt.
  • Het bestand was al die tijd aanwezig, maar werd door een rootkit verborgen ;) vink deze regels aan met HijackThis: [b:0d40cd4c21]O2 - BHO: Class - {48286112-2139-3237-6B85-0D428EA7B216} - C:\WINDOWS\wmcvq1.dll O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [/b:0d40cd4c21] Sluit alle open vensters. Klik daarna op "Fix checked". Verwijder indien aanwezig nog dit bestand: C:\WINDOWS\[b:0d40cd4c21]wmcvq1.dll[/b:0d40cd4c21] Maak je prullenbak leeg. Post nog even een nieuw logje ter controle :)
  • nieuwe log: Logfile of HijackThis v1.99.1 Scan saved at 19:28:02, on 14-12-2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe C:\Program Files\Hijackthis\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.paradigit.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paradigit.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129816168593 O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DDF4B1-DDFD-4CFD-BEA5-46B8FCBBB0D6}: NameServer = 194.109.6.66,194.109.9.99 O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Panda TruPrevent (TPSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe Zou je als alles ok is nog even kort kunnen uitleggen wat er precies aan de hand was? Was C:\WINDOWS\wmcvq1.dll spyware? En denk je dat dat er tegelijk met die rootkit opgekomen is? En heb je enig idee wat C:\WINDOWS\wmcvq1.dll dan wel precies deed? Sorry voor mijn nieuwsgierigheid.
  • Logje ziet er goed uit :) Dit is voor je nieuwgierigheid: http://pcalsicuro.phpsoft.it/gromozon.pdf Ben je wel even zoet mee :P Groeten smeenk ;)
  • Hartelijk dank voor de hulp!

Beantwoord deze vraag

Weet jij het antwoord op deze vraag? Registreer of meld je aan met je account

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.