
Trojan for a zombie?

Page: 1
  • 101 views since 30-01-2008

Deleted

Topic starter
Lately my ZoneAlarm firewall has been warning me that one of my computers is trying to reach a website. This happens almost every day, sometimes several times a day.
I had never visited that website, and it looks like the site of a harmless club.

I have (I think) NAT in my modem, behind that an access point/router, and on top of that ZoneAlarm on every computer, Norton AntiVirus 2005 which is updated every day, Windows Defender (likewise), and I run Hitman Pro once a week. Never had any sign that something was wrong...
Yet I have apparently picked up a trojan on one computer.

I have 2 questions:
1 How do I get rid of this trojan?
2 Should I warn the people behind that website to have their stuff checked? It is a (probably small) club and things there probably aren't very professional.

Deleted

Post a HijackThis log.

  • EricJH
  • Registration: November 2003
  • Last online: 29-11 20:50
Scan with the trial version of Trojan Hunter and see whether it finds anything. Also try RootkitRevealer if you can't find the culprit with Trojan Hunter and HijackThis.

With ZoneAlarm you can see which program is asking for permission. Track it down with Windows Explorer to begin with. Can you delete the program? Does it run as a service?

@2. Nothing ventured, nothing gained, of course.

Deleted

Topic starter
Eric, as far as I can tell ZoneAlarm only reports that my computer wants to contact a certain URL, nothing more. But I'll take a closer look next time... And I'll try Trojan Hunter tomorrow.
And, Coen, if that turns up nothing, I'll give HijackThis a try.
Thanks in advance!

Deleted

Topic starter
Trojan Hunter turned up nothing. This morning I got another ZoneAlarm alert; this time I wrote it down:
The firewall has blocked Internet Acces to 195.140.241.186 [TCP Port 445] from your computer [TCP Flags:S]
Nothing else. I hope to try HijackThis soon.
Thanks in advance!

  • Black Piet
  • Registration: April 2005
  • Not online
Domain dossier
Address lookup
canonical name server.indis.nl.
aliases
addresses 195.140.241.186

Domain Whois record
Queried whois.nic.nl with "indis.nl"...

Rights restricted by copyright. See
http://www.domain-registry.nl/whois.php

Domain name:
indis.nl (first domain)

Status: active

Registrant:
Indis
Pastoor de Kroonstraat 417
5211 XJ 'S-HERTOGENBOSCH
Netherlands

Domicile:
N/A

Committed to ADR: no

Administrative contact:
P. Quintus
+31 (0)736891116
postmaster@indis.nl

Registrar:
KiXtart internet bv *) /d
Wilhelminastraat 25
2011 VJ HAARLEM
Netherlands
Does this help you any further?

Mooooooeeeee......


  • Croga
  • Registration: October 2001
  • Last online: 08:03

The Unreasonable Man

Black Piet wrote on Monday 26 June 2006 @ 09:09:
Does this help you any further?
No. It may well be that hundreds of other "sites" are hosted on that IP address by means of virtual servers.... So that lookup gets you nowhere.

  • Black Piet
  • Registration: April 2005
  • Not online
Hmmmm.... you're right about that.... If you take a look at that server, they have an awful lot of Eastern European customers.... You could drop indis.nl a message about the fact that you see traffic going to that IP address.

I also had a quick look at GRC.com about the port.

This is what it came up with:
Background and Additional Information:

While ports 137-139 were known technically as "NBT over IP", port 445 is "SMB over IP". (SMB is known as "Samba" and stands for "Server Message Blocks".) After all of the trouble the personal computer industry has had with Microsoft's original Windows NetBIOS ports 137 through 139, it is difficult to imagine or believe that Microsoft could have actually made things significantly worse with their replacement port 445 . . . but they did.
Whereas the great vulnerability originally created by Windows file sharing was that hackers could perhaps gain remote access to the contents of hard disk directories or drives, the default exposure of the Internet server Microsoft silently installed into every Windows 2000 system (where port 445 first appeared), allows malicious hackers to remotely log onto the computers of unsuspecting users — across the Internet — and more recently, through the use of some clever and readily available freeware tools (PsExec from SysInternals) to silently upload and run (in the remote user's computer) any programs of their choosing without the computer's owners ever being aware.

As you might imagine, malicious hackers have been having a field day scanning for port 445, then easily and remotely commandeering Windows machines. Even several hackers I have spoken with are unnerved by the glaring insecurities created by port 445. One chilling consequence of port 445 has been the relatively silent appearance of NetBIOS worms. These worms slowly but methodically scan the Internet for instances of port 445, use tools like PsExec to transfer themselves into the new victim computer, then redouble their scanning efforts. Through this mechanism, massive, remotely controlled Denial of Service "Bot Armies", containing tens of thousands of NetBIOS worm compromised machines, have been assembled and now inhabit the Internet.

Dealing with Port 445

Needless to say, you do NOT want port 445 exposed to the Internet. Like Windows port 135 (which is a whole different problem) port 445 is deeply embedded in Windows and can be difficult or impossible to safely close. While its closure is possible, other dependent services such as DHCP (dynamic host configuration protocol) which is frequently used for automatically obtaining an IP address from the DHCP servers used by many corporations and ISPs, will stop functioning.

For the security reasons described above, port 445 has been causing so many problems that many ISPs are taking security matters into their own hands and blocking this port on behalf of their users. If our port checking shows your port 445 as "stealth" while you are not being otherwise protected by a NAT router or personal firewall, your ISP is probably preventing port 445 traffic from reaching you.

If you really want 445 closed

Any NAT router or personal firewall should be able to block port 445 from the outside world without trouble.

Trojan Sightings: Lioten

Mooooooeeeee......
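As an added example (not from the thread, ZoneAlarm or GRC), here is how a defender could triage a batch of ZoneAlarm alerts in the format quoted above: SMB/NetBIOS SYNs towards Internet hosts, spread over several destinations, are the scanning symptom the GRC text describes, while the same traffic inside the LAN is ordinary Windows file sharing. The first sample line is the one from the thread; the other lines are constructed, using the RFC 5737 documentation ranges 198.51.100.x and 203.0.113.x as stand-ins for Internet hosts.

```python
"""Triage of ZoneAlarm 'blocked Internet Access' alerts (added example).

Parses alert lines in the format quoted in the thread and separates normal
LAN file sharing from outbound SMB/NetBIOS towards Internet hosts.
"""
import ipaddress
import re
from collections import defaultdict

# Windows RPC/NetBIOS/SMB ports. Outbound SYNs from a home PC to *Internet*
# hosts on these ports have no legitimate purpose.
SHARING_PORTS = {135, 137, 138, 139, 445}

# Ranges in which SMB traffic from a home PC is expected (LAN, loopback,
# link-local, multicast). Deliberately not ipaddress.is_global, so that the
# RFC 5737 documentation addresses in the constructed sample count as
# "Internet" hosts.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

# "Acces{1,2}" accepts both the spelling in the thread and the correct one.
ALERT_RE = re.compile(
    r"The firewall has blocked Internet Acces{1,2} to "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[(?P<proto>TCP|UDP) Port (?P<port>\d+)\] from your computer"
    r"(?: \[TCP Flags:(?P<flags>[A-Z]+)\])?"
)

# Constructed sample batch; the first line is the one quoted in the thread.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet Acces to 195.140.241.186 [TCP Port 445] from your computer [TCP Flags:S]",
    "The firewall has blocked Internet Access to 192.168.1.10 [TCP Port 445] from your computer [TCP Flags:S]",
    "The firewall has blocked Internet Access to 203.0.113.7 [TCP Port 445] from your computer [TCP Flags:S]",
    "The firewall has blocked Internet Access to 198.51.100.23 [TCP Port 445] from your computer [TCP Flags:S]",
    "The firewall has blocked Internet Access to 198.51.100.23 [TCP Port 80] from your computer [TCP Flags:S]",
    "ZoneAlarm started",  # a line in another format, skipped by the parser
]


def parse_alert(line):
    """Return {dst, proto, port, flags} for one alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "dst": m.group("ip"),
        "proto": m.group("proto"),
        "port": int(m.group("port")),
        "flags": m.group("flags") or "",
    }


def is_internet_host(ip_text):
    """True when the destination lies outside the LAN/loopback ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LAN_NETWORKS)


def classify(alert):
    """Label one parsed alert.

    lan-sharing       SMB/NetBIOS towards the local network: normal Windows behaviour
    outbound-sharing  our own host contacting an Internet host on an SMB/NetBIOS port
    other             everything else (ordinary web traffic etc.)
    """
    if alert["port"] not in SHARING_PORTS:
        return "other"
    if not is_internet_host(alert["dst"]):
        return "lan-sharing"
    return "outbound-sharing"


def triage(lines, scan_threshold=3):
    """Summarise a batch of alert lines.

    scanning_pattern becomes True once SMB/NetBIOS connections have gone to at
    least scan_threshold distinct Internet hosts: a single blocked connection can
    be a misconfigured client, a spread over several hosts looks like scanning.
    """
    alerts = [a for a in map(parse_alert, lines) if a]
    by_class = defaultdict(list)
    for a in alerts:
        by_class[classify(a)].append(a["dst"])
    suspicious = sorted(set(by_class["outbound-sharing"]))
    return {
        "parsed": len(alerts),
        "lan_sharing": len(by_class["lan-sharing"]),
        "suspicious_destinations": suspicious,
        "scanning_pattern": len(suspicious) >= scan_threshold,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```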


Deleted

Topic starter
Black Piet: thanks for the info. If I understand the story correctly, I should e-mail Indis that their port 445 is open?
Making a HijackThis log is easier than I thought ;-) Can someone take a look at what my trojan might be?

Logfile of HijackThis v1.99.1
Scan saved at 9:24:49, on 26-6-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Progs\Norton SystemWorks 2005\Norton GoBack\GBPoll.exe
C:\windows\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progs\Norton SystemWorks 2005\Norton AntiVirus\navapsvc.exe
C:\Progs\Norton SystemWorks 2005\Norton Ghost\Agent\PQV2iSvc.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Progs\Norton SystemWorks 2005\Norton AntiVirus\IWP\NPFMntor.exe
C:\Progs\NORTON~4\NORTON~1\NPROTECT.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Progs\Medionkeyboard\KbdAp32A.exe
C:\Progs\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Progs\ScanSoft\OmniPagePro11.0\opware32.exe
C:\Progs\HandyFind\HandyFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Progs\Norton Password Manager\AcctMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Progs\TrojanHunter 4.5\THGuard.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Progs\Nuria\Nuria.exe
C:\Progs\Kramers Talen cd-rom 2.0\KT_quickstart.exe
C:\Progs\Norton SystemWorks 2005\Norton GoBack\GBTray.exe
C:\windows\system32\fxssvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system32\svchost.exe
C:\Progs\TotalCmd\TOTALCMD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\R5DEB~1.BOR\LOCALS~1\Temp\_tc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} -

C:\Progs\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Progs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program

Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Progs\Norton SystemWorks

2005\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Progs\Norton

SystemWorks 2005\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator

5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Progs\Medionkeyboard\KbdAp32A.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Progs\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L

ElbyCDFL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Omnipage] C:\Progs\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [HandyFind Utility] C:\Progs\HandyFind\HandyFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Progs\Norton SystemWorks 2005\Norton

Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AcctMgr] C:\Progs\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Progs\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Progs\Norton SystemWorks 2005\cfgwiz.exe" /GUID

{05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Nuria] C:\Progs\Nuria\Nuria.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Elsevier Bedrijfsinformatie bv.lnk = C:\Progs\Kramers Talen cd-rom

2.0\KT_quickstart.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Progs\Norton SystemWorks 2005\Norton

GoBack\GBTray.exe
O8 - Extra context menu item: &Google Zoeken - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download with GetRight - C:\Progs\GetRight\GRdownload.htm
O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Progs\GetRight\GRbrowse.htm
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) -

https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation

Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) -

https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -

https://www-secure.symant...upp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.symantec....tent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -

http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.c...ient/muweb_site.cab?11294

05640000
O16 - DPF: {A0D8CBD7-1223-4A64-B603-D6680A055A08} (FRSActiveX) -

https://secured.payvision...oadManager/FRSActiveX.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information

Class) - http://security.symantec....tent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

https://www-secure.symant...upp/asa/ctrl/SymAData.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) -

https://www.p3.postbank.nl/GTO/PBGNX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Progs\Norton

SystemWorks 2005\Norton GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\windows\System32\GEARSec.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation -

C:\Progs\Norton SystemWorks 2005\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Progs\Norton SystemWorks 2005\Norton

Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation -

C:\Progs\Norton SystemWorks 2005\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation -

C:\Progs\NORTON~4\NORTON~1\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. -

C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Progs\Norton SystemWorks 2005\Norton

AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -

C:\Progs\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 -

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


Thanks in advance!

  • EricJH
  • Registration: November 2003
  • Last online: 29-11 20:50
I have gone through the list but can't find anything unusual.

I use www.hijackthis.de as a first screening of trusted and unknown entries.

By the way, the log contains line breaks where they don't belong. That makes going through it difficult, both on the forum and with the site's analysis. See if you can edit that. If necessary, put the log between code tags:
code:
the HJT log
.
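As an added example (not from the thread, HijackThis or hijackthis.de), a small Python helper that undoes the stray line breaks EricJH mentions and picks out the HijackThis sections an analyst should look at first. The excerpt it works on is taken from the log above with the forum's wrapping reproduced; the choice of sections and markers is the example's own triage heuristic, not a verdict.

```python
"""Normalise a forum-pasted HijackThis 1.99.1 log and pick entries for review.

Added example. The forum wrapped long entries onto a new line with a blank
line in between; log analysers expect one entry per line.
"""
import re

# Excerpt of the log quoted in the thread, with the forum's stray line breaks.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\windows\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Index.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
"""

HEADER_PREFIXES = ("Logfile of HijackThis", "Scan saved at", "Platform:",
                   "MSIE:", "Running processes:")
# HijackThis sections: R0-R3, F0-F3, N1-N4, O1-O24
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")  # a running-process path

# Entry types that load code into Winlogon, into every browser, or as a
# service, plus markers for entries HijackThis itself could not resolve.
WATCH_SECTIONS = {"O18", "O20", "O21", "O22", "O23"}
WATCH_MARKERS = ("(file missing)", "(no name)")


def rejoin_wrapped(text):
    """Glue wrapped fragments back onto the record they belong to.

    A non-empty line that starts neither a new entry, a process path nor a
    header line is a continuation and is appended with a single space (the
    space the wrap swallowed). A wrap inside one token, e.g. in the middle of
    a URL, cannot be detected this way and would keep the extra space.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        starts_record = bool(ENTRY_RE.match(line) or PROCESS_RE.match(line)
                             or line.startswith(HEADER_PREFIXES))
        if starts_record or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_entries(records):
    """Return (section, body) pairs for the R/F/N/O entries; header lines are dropped."""
    entries = []
    for rec in records:
        m = ENTRY_RE.match(rec)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_for_review(entries):
    """Entries to look at first. This is triage, not a verdict: every flagged
    line still has to be checked against a reference such as hijackthis.de."""
    return [(sec, body) for sec, body in entries
            if sec in WATCH_SECTIONS or any(mk in body for mk in WATCH_MARKERS)]


if __name__ == "__main__":
    for sec, body in flag_for_review(parse_entries(rejoin_wrapped(SAMPLE_LOG))):
        print(sec, "-", body)
```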

Deleted

Topic starter
Well, this is the first time I've had problems with viruses, so I don't know much about AV programs. But that HijackThis log comes straight from HijackThis; how can I tell which entries don't belong there?
And I don't understand that bit about code tags either :-(
Thanks in advance for an explanation or a pointer to where I can find one!

  • EricJH
  • Registration: November 2003
  • Last online: 29-11 20:50
I always have the log analysed by www.hijackthis.de first, as a first screening.

About code tags. You can format text in a reply by putting so-called tags around a piece of text. You make text bold by putting [ b ] in front of the text and [ / b ] after it (without the space between the square brackets and the b and the slash; those spaces are needed because otherwise it is treated as code and you see this: before the text and.

Put the log between [ code ] and [ / code ] without the spaces. Or re-edit the log so that the line breaks disappear where they don't belong.

I have googled a bit for the unknown entries in your HJT log but didn't immediately find anything suspicious among them. I hope others will take a look at your log too. Maybe I'm not judging things correctly. I'll give you a few more scanners for completeness.

Download the trial version of Spy Sweeper and let it have a sniff around: http://www.webroot.com/ . It also scans for rootkits. You can also let the brand-new A Squared Anti Malware scan: http://www.emsisoft.com/en/ .

Last but not least, run a scan with Rootkit Revealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html . This scanner looks for files that try to hide themselves from Windows (cloaking). Here is a background piece on RKR: http://www.pcworld.com/re...19814,pg,1,RSS,RSS,00.asp .

[ Edited 5% by EricJH on 27-06-2006 14:52 ]


Deleted

Topic starter
Hello Eric,
This is what RootkitRevealer produced. All those terms mean nothing to me. Can you distil anything from it? Thanks in advance!

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 27-6-2006 13:57 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\R. Bornkamp\Local Settings\Application Data\Microsoft\Messenger\mail@r-bornkamp.speedlinq.nl\SharingMetadata\Working\database_7E18_6304_1862_BAB3\fsr000B7.log 27-6-2006 14:33 128.00 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\_tc\RootkitRevealer.chm 7-12-2005 15:19 99.77 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Cookies\r. bornkamp@computertotaal[1].txt 27-6-2006 13:52 211 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Cookies\r. bornkamp@computertotaal[2].txt 27-6-2006 14:36 212 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\134518512144201763bb71e[1].jpg 27-6-2006 14:36 1.46 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\arrow[1].gif 27-6-2006 14:23 99 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\CAG1MZM7.net%2Fforum%2Flist_messages%2F1142561&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=120&u_his=3&u_java=true 27-6-2006 14:23 2.61 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\CAMJCTIN.htm 27-6-2006 14:23 5.52 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\forum;tile=1;dcopt=ist;sz=468x60;ord=9405930929022508[2] 27-6-2006 14:36 326 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\forum[1].htm 27-6-2006 13:49 31.12 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\kaspersky1zu.th[1].jpg 27-6-2006 14:36 3.88 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\search[10].htm 27-6-2006 14:23 14 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\search[11].htm 27-6-2006 14:23 14 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\0XENMJW5\viewtopic[1].htm 27-6-2006 13:52 75.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\CA10RYN7.net%2Fforum%2Flist_messages%2F1142561&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=120&u_his=3&u_java=true 27-6-2006 14:23 2.04 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\CA3ORHQV.htm 27-6-2006 14:23 8.40 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\icon_confused[2].gif 27-6-2006 14:36 171 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\icon_hand[1].gif 27-6-2006 14:23 147 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\laatstefout8of.th[1].jpg 27-6-2006 14:36 4.54 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\online[1].gif 27-6-2006 14:23 120 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\56PLMNXC\search[11].htm 27-6-2006 14:23 14 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\73[1].htm 27-6-2006 14:23 19.08 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\CAKOMYLZ.htm 27-6-2006 14:23 5.24 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\forum;tile=1;dcopt=ist;sz=468x60;ord=7331640295533738[2] 27-6-2006 14:36 299 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\myreact[1].gif 27-6-2006 14:23 173 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\Open_off[1].gif 27-6-2006 14:23 116 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\search[8].htm 27-6-2006 14:36 14 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\search[9].htm 27-6-2006 14:36 14 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL32GQXS\viewtopic[1].htm 27-6-2006 14:36 56.20 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\E8OTDNT0\CAJKUTWV.htm 27-6-2006 14:23 5.37 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\E8OTDNT0\CAO16VWT.gif 27-6-2006 14:36 43 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\E8OTDNT0\CAOQ8Q26.htm 27-6-2006 14:23 9.58 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\E8OTDNT0\CAU7C12Z.gif 27-6-2006 14:36 43 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\E8OTDNT0\nb-myreact[1].gif 27-6-2006 14:23 1.12 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\Temporary Internet Files\Content.IE5\E8OTDNT0\post[2].gif 27-6-2006 14:23 101 bytes Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\~DFE639.tmp 27-6-2006 13:59 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\~DFE69D.tmp 27-6-2006 13:59 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\~WRF0001.tmp 27-6-2006 14:20 16.00 KB Hidden from Windows API.
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\~WRS0000.tmp 27-6-2006 14:17 49.15 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00010311.RDB 24-6-2006 9:07 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010312.RDB 24-6-2006 9:09 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010313.RDB 24-6-2006 9:17 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010314.RDB 24-6-2006 9:19 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010315.lnk 13-5-2006 21:52 618 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010316.exe 23-4-2006 14:24 1.54 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010317.exe 13-5-2006 21:52 658.94 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010318.000 24-6-2006 9:25 1.18 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010319.RDB 24-6-2006 9:22 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010320.000 24-6-2006 9:26 1.18 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010321.000 24-6-2006 9:29 1.65 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010322.RDB 24-6-2006 9:26 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010323.DOT 24-6-2006 8:45 162 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010324.DOT 24-6-2006 8:45 162 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010325.DOT 24-6-2006 8:45 162 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010326.dot 24-6-2006 8:45 162 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010327.LNK 19-6-2006 15:55 890 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010328.lnk 19-6-2006 15:55 775 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010329.LNK 24-6-2006 8:45 1.00 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010330.lnk 24-6-2006 8:45 896 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010331.LNK 24-6-2006 8:45 1.00 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010332.lnk 24-6-2006 9:35 896 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010333.LNK 24-6-2006 8:45 1.01 KB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010334.lnk 24-6-2006 9:35 896 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010335.RDB 24-6-2006 9:33 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010336.RDB 24-6-2006 9:37 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010337.RDB 24-6-2006 9:39 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00010338.RDB 24-6-2006 9:43 2.94 MB Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00011882.RDB 27-6-2006 13:53 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011883 27-6-2006 14:00 5.55 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011884.RDB 27-6-2006 13:59 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011885.RDB 27-6-2006 14:02 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011886.DIC 27-6-2006 14:05 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011887.DIC 27-6-2006 14:05 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011888.RDB 27-6-2006 14:04 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011889.RDB 27-6-2006 14:10 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011890.RDB 27-6-2006 14:15 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011891.DIC 27-6-2006 14:20 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011892.DIC 27-6-2006 14:20 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011893.RDB 27-6-2006 14:18 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011894.RDB 27-6-2006 14:22 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011895.DIC 27-6-2006 14:29 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011896.RDB 27-6-2006 14:24 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011897.RDB 27-6-2006 14:28 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011898.DIC 27-6-2006 14:32 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011899.DIC 27-6-2006 14:32 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011900.DIC 27-6-2006 14:32 162 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011901.RDB 27-6-2006 14:34 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011902.RDB 27-6-2006 14:35 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011903.RDB 27-6-2006 14:37 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011904.RDB 27-6-2006 14:42 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011905.RDB 27-6-2006 14:44 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011906.RDB 27-6-2006 14:45 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011907.RDB 27-6-2006 14:48 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011908.RDB 27-6-2006 14:50 2.95 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00011909.RDB 27-6-2006 14:52 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165316.RDB 27-6-2006 13:53 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165317.RDB 24-6-2006 9:07 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165318.RDB 24-6-2006 9:09 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165319.RDB 27-6-2006 13:59 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165320.RDB 24-6-2006 9:17 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165321.RDB 27-6-2006 14:02 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165322.RDB 24-6-2006 9:19 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165323.lnk 13-5-2006 21:52 618 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165324.exe 23-4-2006 14:24 1.54 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165325.RDB 27-6-2006 14:04 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165326.exe 13-5-2006 21:52 658.94 KB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165327.RDB 27-6-2006 14:10 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165328.RDB 27-6-2006 14:15 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165329.RDB 24-6-2006 9:22 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165330.lnk 26-6-2006 13:18 606 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165331.lnk 26-6-2006 13:18 439 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165332.RDB 27-6-2006 14:18 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165333.RDB 24-6-2006 9:26 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165334.RDB 27-6-2006 14:22 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165335.RDB 27-6-2006 14:24 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165336.RDB 27-6-2006 14:28 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165337.LNK 19-6-2006 15:55 890 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165338.lnk 19-6-2006 15:55 775 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165339.LNK 24-6-2006 8:45 1.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165340.RDB 27-6-2006 14:31 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165341.lnk 24-6-2006 8:45 896 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165342.RDB 27-6-2006 14:34 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165343.LNK 27-6-2006 14:35 1.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165344.RDB 27-6-2006 14:35 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165345.lnk 27-6-2006 14:37 896 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165346.RDB 27-6-2006 14:37 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165347.LNK 27-6-2006 14:42 1.01 KB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165348.dll 27-6-2006 13:43 340.97 KB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165349.RDB 27-6-2006 14:42 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165350.lnk 27-6-2006 14:44 896 bytes Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165351.RDB 27-6-2006 14:44 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165352.RDB 27-6-2006 14:45 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165353.RDB 27-6-2006 14:45 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165354.RDB 27-6-2006 14:48 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165355.RDB 27-6-2006 14:48 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165356.RDB 27-6-2006 14:50 2.94 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165357.RDB 27-6-2006 14:50 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165358.RDB 27-6-2006 14:52 2.94 MB Hidden from Windows API.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 26-5-2006 7:08 252.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 26-5-2006 7:08 111.50 KB Visible in Windows API, but not in MFT or directory index.

  • EricJH
  • Registration: November 2003
  • Last online: 29-11 20:50
I see a few entries from the Temporary Internet Files that could indicate you were using I.E. while the scan was running.

To filter out this noise and the noise from the Norton Protected Recycle Bin, would you clear the Temp, Temporary Internet Files and Norton Protected Recycle Bin? Then run a scan while doing nothing else with the computer. That makes the log smaller and easier to read.

Verwijderd

Topic starter
Eric, I hope this meets your request... Despite all my deleting there was still a whole bunch of NProtect and Restore entries in it. Of each kind I left only the first one, in other words I deleted the rest. The rest were all of the same kind anyway.

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 29-6-2006 12:09 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\msmsgs (192.168.123.104:9593) 47518 UDP 29-6-2006 12:09 32 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\msmsgs (192.168.123.104:15198) 40576 TCP 29-6-2006 12:09 32 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000014 29-6-2006 12:12 5.23 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP766\A0168896.RDB 29-6-2006 12:10 2.96 MB Hidden from Windows API.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 26-5-2006 7:08 252.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 26-5-2006 7:08 111.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\WGAErrLog.txt 29-6-2006 12:49 43 bytes Hidden from Windows API.

  • EricJH
  • Registration: November 2003
  • Last online: 29-11 20:50
I have had a look at your log. There are a number of discrepancies in the registry (embedded nulls) and a few Universal Plug and Play mappings that I interpret as harmless noise. Especially since no files are found that are connected to them.

C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\..... I find this on my own machine as well, and after some research it seems to be part of the .NET Framework.

C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP766\A0168896.RDB 29-6-2006 12:10 2.96 MB Hidden from Windows API. If you scanned around 12:10 and a restore point was deleted at that time, then that is a discrepancy. If it shows up again in the next scan, it becomes suspicious to me.

C:\WINDOWS\Temp\WGAErrLog.txt 29-6-2006 12:49 43 bytes Hidden from Windows API. Interesting find. Seems to be part of Microsoft's WGA campaign. Could Microsoft be the one behind the rootkit? Fish the thing out with NTFS DOS some time and have a look at what is in it.

C:\RECYCLER\NPROTECT\00000014 29-6-2006 12:12 5.23 MB Hidden from Windows API. Perhaps Norton deleted something during the scan (because it was full). If this discrepancy occurs again in the next scan, it becomes suspicious. Small piece of info: until last autumn Norton used rootkit techniques for its Norton Protected for inexperienced users. If your Norton is updated, that has been removed.

Anyway. I see no reason for concern yet. I am curious how others analyse this scan. I do not have a lot of experience with it yet.
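The triage EricJH does by hand above (sort the RootkitRevealer discrepancies into known noise such as the Norton Protected Recycle Bin, System Restore snapshots, the .NET GAC, Temp files and volatile registry values, then watch whether anything recurs in a second scan) can be scripted. The following is an added example written for this page; it is not a tool anyone in the thread ran and not part of RootkitRevealer. It parses the log format quoted above, classifies each line with a small table of prefixes taken from the explanations in this thread, and applies the "suspicious if it shows up in two consecutive scans" rule. The sample scans are constructed from lines posted earlier in the thread plus one made-up entry (`CONSTRUCTED_example.sys`) that stands in for a discrepancy nobody can explain; the category names are my own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample scans: a few lines taken from the two RootkitRevealer logs
# posted in this thread, plus one invented entry (CONSTRUCTED_example.sys) that
# represents a discrepancy with no known explanation.
SCAN_1 = r"""
C:\Documents and Settings\R. Bornkamp\Local Settings\Temp\~DFE69D.tmp 27-6-2006 13:59 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\NPROTECT\00011882.RDB 27-6-2006 13:53 2.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{85CEDD62-35CC-4944-9DCD-6077EE28611D}\RP760\A0165348.dll 27-6-2006 13:43 340.97 KB Hidden from Windows API.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 26-5-2006 7:08 252.00 KB Visible in Windows API, but not in MFT or directory index.
"""

SCAN_2 = r"""
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 14-2-2004 16:32 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 29-6-2006 12:09 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\msmsgs (192.168.123.104:9593) 47518 UDP 29-6-2006 12:09 32 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000014 29-6-2006 12:12 5.23 MB Hidden from Windows API.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 26-5-2006 7:08 252.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\WGAErrLog.txt 29-6-2006 12:49 43 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\CONSTRUCTED_example.sys 29-6-2006 12:30 12.00 KB Hidden from Windows API.
"""

# One log line: <path> <d-m-yyyy> <h:mm> <size> <unit> <discrepancy text>.
# The path is matched lazily so that spaces inside it (e.g. "Documents and
# Settings", or the UPnP mapping names) do not break the parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}-\d{1,2}-\d{4}) (?P<time>\d{1,2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Locations the replies in this thread identify as expected noise. Category
# names are my own; a match is a triage hint, not a verdict.
KNOWN_NOISE = [
    (r"^C:\\RECYCLER\\NPROTECT\\", "norton-protected-recycle-bin"),
    (r"^C:\\System Volume Information\\_restore", "system-restore-snapshot"),
    (r"^C:\\WINDOWS\\assembly\\GAC", "dotnet-gac"),
    (r"\\Local Settings\\Temp\\|^C:\\WINDOWS\\Temp\\", "temp-file"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed$", "volatile-registry-value"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\DirectPlayNATHelp\\", "upnp-nat-mapping"),
]


@dataclass
class Entry:
    path: str
    timestamp: str
    size_bytes: int
    discrepancy: str
    category: str


def classify(path: str, discrepancy: str) -> str:
    """Map one discrepancy to a category; 'unexplained' means follow up."""
    if "embedded nulls" in discrepancy:
        return "registry-key-embedded-nulls"
    for pattern, category in KNOWN_NOISE:
        if re.search(pattern, path):
            return category
    return "unexplained"


def parse_log(text: str) -> list[Entry]:
    """Parse RootkitRevealer output lines into Entry objects."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable RootkitRevealer line: {line!r}")
        size = int(round(float(m["size"]) * UNIT[m["unit"]]))
        entries.append(Entry(
            path=m["path"],
            timestamp=f"{m['date']} {m['time']}",
            size_bytes=size,
            discrepancy=m["desc"],
            category=classify(m["path"], m["desc"]),
        ))
    return entries


def summarize(entries: list[Entry]) -> dict[str, int]:
    """Count entries per category, so the bulk noise is visible at a glance."""
    return dict(Counter(e.category for e in entries))


def unexplained(entries: list[Entry]) -> list[Entry]:
    """Entries that none of the known-noise rules account for."""
    return [e for e in entries if e.category == "unexplained"]


def recurring(scan_a: list[Entry], scan_b: list[Entry]) -> list[str]:
    """Paths reported in both scans. The thread's rule of thumb: a discrepancy
    that survives into the next scan deserves a closer look, whatever its category."""
    seen = {e.path for e in scan_a}
    return sorted({e.path for e in scan_b if e.path in seen})


if __name__ == "__main__":
    first, second = parse_log(SCAN_1), parse_log(SCAN_2)
    print("scan 2 by category:", summarize(second))
    for e in unexplained(second):
        print("UNEXPLAINED:", e.path, e.discrepancy)
    print("recurring across scans:", recurring(first, second))
```

Note that the categories only say "this location is a known source of discrepancies", which is exactly as far as the thread goes: the `C:\WINDOWS\Temp\WGAErrLog.txt` entry lands in `temp-file`, yet EricJH still wanted its contents inspected, and the script's recurrence check is what turns a single-scan curiosity into something worth chasing.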