Tahribat Experts, What Do These Viruses Do?
-
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ceza\Application Data\EurekaLog
c:\windows\system32\1055
c:\windows\system32\1055\dwintl.dll
c:\windows\system32\Data
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
2011-04-06 19:30 . 2011-04-06 19:30 -------- d-----w- C:\MicrovoltsDownloader
2011-03-27 15:07 . 2011-03-27 15:07 -------- d-----w- C:\BDENET
2011-03-20 18:36 . 2011-03-20 18:36 -------- d-----w- C:\Bwgen
Good evening
Masters, as you can see above, ComboFix deleted 3 viruses and one folder from my computer.
Like all of you, I have important data too. What were this folder and these viruses doing on my computer, and what is their purpose?
If you want, I can upload the viruses so you can examine them. Could you help?
One more thing: I know you will be very angry at me for using Avast; for now it's enough if we just open an investigation into these viruses :)
Thanks
-
Use Anubis.
-
The dwintl.dll file is a module. Associated software: Microsoft Application Error Reporting from Microsoft Corporation [ Microsoft module file ]
C:\Bwgen Brainwave Generator 3.1.9 [ program ]
C:\MicrovoltsDownloader [ game ]
http://www.gamearena.com.au/downloads/details.php/microvolts-open-beta-gameplay-trailer
C:\BDENET [ program ] Handy Cafe
EurekaLog Delphi/C++Builder tool [ program ]
-
SUPERBICO wrote:
-----------------------------
Use Anubis.
-----------------------------
What is that, mate? :D I searched on uncle Google too and some nonsense came up.
Also, neonell mate, thank you very much.
edit: is there anyone who can help with the viruses?
-
Mate, those aren't viruses. What exactly is your problem? Do you think there is a virus on your PC?
-
Yes mate, ComboFix said "there may be a rootkit on your computer, restart", we restarted, and then it deleted the files above.
1. Why did it delete them?
2. If it's not a virus, why did it stamp them as viruses by appending, say, exe.vir to the extension?
Also, it deleted the folder too; isn't that interesting?
-
Well, we're not fortune tellers, how would we know? There isn't even a detection name showing what the antivirus identified it as.
-
zalimadam wrote:
-----------------------------
Yes mate, ComboFix said "there may be a rootkit on your computer, restart", we restarted, and then it deleted the files above.
1. Why did it delete them?
2. If it's not a virus, why did it stamp them as viruses by appending, say, exe.vir to the extension?
Also, it deleted the folder too; isn't that interesting?
-----------------------------
If the firewall, System Restore, Security Center, updates etc. are turned off in your Windows, ComboFix treats this as rootkit activity and restarts. Its restarting and giving a "there may be a rootkit" warning does not prove there is a rootkit; it sometimes gives this warning simply when the things I listed above are the case. Best thing is to post the full ComboFix log here so we can take a look.
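As an added illustration (not code from this thread or from ComboFix), the following Python script separates the posture findings neonell describes (AV or firewall turned off, which on their own trigger the "may be a rootkit, restart" prompt) from log rows that would actually deserve a second look. The sample log is a constructed excerpt modelled on the ComboFix log posted later in this thread.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\1055\dwintl.dll
c:\windows\system32\Data
------- Sigcheck -------
[-] 2010-07-13 . A5BC817BB84DCB9E71719FF868144124 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
hidden files: 0
"""
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^-+\s*(.+?)\s*-+$")  # "((( Name )))" / "--- Name ---"

def split_sections(text):
    """Group the log's lines under the ComboFix banner that precedes them."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def triage(text):
    """Posture findings alone explain the rootkit prompt; evidence is what needs a second look."""
    sec = split_sections(text)
    lines = [l for ls in sec.values() for l in ls]
    posture = {
        "av_disabled": any(l.startswith("AV:") and "*Disabled" in l for l in lines),
        "firewall_disabled": any(re.match(r'"EnableFirewall"=\s*0\b', l) for l in lines),
    }
    evidence = {
        # [-] Sigcheck rows are system files ComboFix could not verify; the path is the last " . " field
        "sigcheck_flagged": [l.rsplit(" . ", 1)[-1] for l in sec.get("Sigcheck", []) if l.startswith("[-]")],
        # service rows ending in "[?]" point at a driver file that is missing on disk
        "services_missing_file": [l.split(";")[1] for l in lines if re.match(r"^[RS]\d ", l) and l.endswith("[?]")],
        "hidden_files": next((int(l.split(":")[1]) for l in lines if l.startswith("hidden files:")), None),
        "deleted": sec.get("Other Deletions", []),
    }
    return posture, evidence
```

On the log in this thread the posture side comes back with both flags set, which is exactly the situation neonell says produces the warning without any rootkit being present.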
-
neonell wrote:
-----------------------------
If the firewall, System Restore, Security Center, updates etc. are turned off in your Windows, ComboFix treats this as rootkit activity and restarts. Its restarting and giving a "there may be a rootkit" warning does not prove there is a rootkit; it sometimes gives this warning simply when the things I listed above are the case. Best thing is to post the full ComboFix log here so we can take a look.
-----------------------------
ComboFix 11-04-07.08 - ceza 08.04.2011 21:10:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1055.18.1535.1242 [GMT 3:00]
Running from: c:\documents and settings\ceza\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ceza\Application Data\EurekaLog
c:\windows\system32\1055
c:\windows\system32\1055\dwintl.dll
c:\windows\system32\Data
.
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-06 19:30 . 2011-04-06 19:30 -------- d-----w- C:\MicrovoltsDownloader
2011-03-27 15:07 . 2011-03-27 15:07 -------- d-----w- C:\BDENET
2011-03-20 18:36 . 2011-03-20 18:36 -------- d-----w- C:\Bwgen
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 13:48 . 2008-04-15 12:00 28960 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-21 13:48 . 2008-04-15 12:00 174916 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-21 13:47 . 2005-07-22 08:20 1275776 ----a-w- c:\windows\system32\drivers\P16X.sys
2011-03-21 13:47 . 2002-04-22 06:26 33792 ----a-w- c:\windows\system32\P16XRes.Dll
2011-03-21 13:47 . 2002-04-10 23:41 65536 ----a-w- c:\windows\system32\A3d.dll
2011-03-21 13:47 . 2005-07-22 08:12 39936 ----a-w- c:\windows\system32\P16X.dll
.
.
------- Sigcheck -------
.
[-] 2010-07-13 . A5BC817BB84DCB9E71719FF868144124 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2010-07-13 . 048001C5BBCDE42549EE7280CB768DF0 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BFBA68E-E21B-458E-AE12-FE85E903D2C1}]
2010-08-31 14:15 257384 ----a-w- c:\program files\AlterGeo\AlterGeo Magic Scanner\2.8.8.615\AlterGeo.BrowserPlugin.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-12-23 19:09 67168 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-01-11 3301376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedUpMyPC
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-15 19:02 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-03-18 20:25 136176 ----atw- c:\documents and settings\ceza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2011-01-11 07:37 3301376 ----a-w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2000-01-01 00:00 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 12:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 17408 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\MicrovoltsDownloader\\MVDownloader.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21.03.2011 23:27 717296]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [18.03.2011 23:12 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18.03.2011 23:12 301528]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [23.12.2010 22:00 96600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.03.2011 23:12 19544]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [18.03.2011 23:31 218688]
R3 GETND5BV;VIA Velocity Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [21.03.2011 16:46 49152]
S2 gupdate;Google Güncelleme Hizmeti (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05.04.2011 13:01 136176]
S3 NSPacket;NextSecurity Packet Driver;c:\windows\system32\drivers\nspacket.sys [27.03.2011 17:29 32768]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [18.03.2011 23:53 12984]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-05 20:25]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-05 20:25]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1682526488-1606980848-1004Core.job
- c:\documents and settings\ceza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-18 20:25]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1682526488-1606980848-1004UA.job
- c:\documents and settings\ceza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-18 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
IE: Bütün linkleri IDM ile indir - c:\program files\Internet Download Manager\IEGetAll.htm
IE: FLV video içeriğini IDM ile indir - c:\program files\Internet Download Manager\IEGetVL.htm
IE: IDM ile indir - c:\program files\Internet Download Manager\IEExt.htm
IE: Microsoft Excel'e Gö&nder - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: MiPony ile indir - file://c:\program files\MiPony\Browser\IEContext.htm
TCP: {17B86A12-A0F5-46E0-9381-B691B0E3AA7E} = 208.67.222.222,208.67.220.220
TCP: {50918A35-0A14-447E-AFEC-2BA33A218548} = 208.67.222.222,208.67.220.220
TCP: {CC0A0958-FF59-4CC3-9DBB-BFA445BC59CC} = 208.67.222.222,208.67.220.220
TCP: {E7BB4728-8543-40E1-9A8E-7E1312E0C9DB} = 208.67.222.222,208.67.220.220
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-PowerSuite - c:\program files\Uniblue\PowerSuite\launcher.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-08 21:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-08 21:24:34
ComboFix-quarantined-files.txt 2011-04-08 18:24
.
Pre-Run: 28.723.384.320 bayt boş
Post-Run: 28.690.579.456 bayt boş
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3FA0F47856CB8ACE54B8A3D9DB140ADD
-
Mate, according to these logs there is nothing on your PC, it's squeaky clean; as I said, the rootkit message is caused by the thing I wrote above.
Oh, and if it will put your mind at ease, I also recommend checking with this:
http://www.softpedia.com/progDownload/SysProt-AntiRootkit-Download-76913.html
-
+ Remove Avast, that's my recommendation; if you are going to keep using it, turn off the heuristic option in the settings.