
EvelineGirl

Detecting TDL3.

Gmer often gives no clear answer, because the program frequently keeps crashing, throws error messages or a BSOD and restarts the PC, or takes ages to complete the scan.

If Gmer keeps crashing, the program Rootkit Unhooker can be used instead to identify the infected driver.

NOTE: Rootkit Unhooker is not suitable for 64-bit systems.

* Download Rootkit Unhooker and save it to the desktop.
* Double-click RKUnhookerLE.EXE to run the program.
* Click the Report tab, then click Scan.
* Make sure the following items are checked: Drivers and Stealth. Uncheck all others and click OK.
* Wait until the scan has finished and click File, Save Report.
* Save the log file somewhere you can easily find it again.
* Close the program.

Copy and paste the log in your next reply.

NOTE: You may get the warning below. You can ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove the parasite, okay?"


A few example logs.

If infected, RKUnhooker shows us the following:


!!!!!!!!!!!Hidden driver: 0x86494AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x86586D78 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF73C8000 WARNING: suspicious driver modification [iastor.sys::0x86494AEA]
0x05620000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 1077248 bytes
0x05790000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 126976 bytes
0x03BE0000 Hidden Image-->System.XML.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 2060288 bytes
0x04360000 Hidden Image-->System.Data.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 2961408 bytes
0x037F0000 Hidden Image-->System.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 3158016 bytes
0x03B70000 Hidden Image-->System.configuration.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 438272 bytes
0xF7744000 WARNING: Virus alike driver modification [imapi.sys], 45056 bytes
0x012D0000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 471040 bytes
0x047F0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 479232 bytes
0x04EA0000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 5033984 bytes
0x01240000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 53248 bytes
0x05470000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 634880 bytes
0x03B00000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 77824 bytes
0x042A0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x863C1DA0 ] PID: 464, 778240 bytes
0x03B40000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 86016 bytes

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!
In this log, imapi.sys is therefore the actually infected driver, and iastor.sys is only infected in memory.

!!!!!!!!!!!Hidden driver: 0x8716BAEA ?_empty_? 1302 bytes
0x8716BEC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x8715BB10 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF73B6000 WARNING: suspicious driver modification [atapi.sys::0x8716BAEA]
0x7A4D0000 Hidden Image-->System.Runtime.Serialization.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 1196032 bytes
0x7AA10000 Hidden Image-->System.ServiceModel.Web.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 143360 bytes
0x7B170000 Hidden Image-->System.Windows.dll [ EPROCESS 0x86504020 ] PID: 2536, 1470464 bytes
0x7B080000 Hidden Image-->System.Windows.Browser.dll [ EPROCESS 0x86504020 ] PID: 2536, 151552 bytes
0x79520000 Hidden Image-->mscorlib.dll [ EPROCESS 0x86504020 ] PID: 2536, 1601536 bytes
0x7A300000 Hidden Image-->System.Net.dll [ EPROCESS 0x86504020 ] PID: 2536, 233472 bytes
0x79EE0000 Hidden Image-->System.Core.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 2375680 bytes
0x7A190000 Hidden Image-->system.dll [ EPROCESS 0x86504020 ] PID: 2536, 241664 bytes
0x7AA80000 Hidden Image-->System.Xml.dll [ EPROCESS 0x86504020 ] PID: 2536, 331776 bytes
0x7B0B0000 Hidden Image-->System.Windows.Browser.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 380928 bytes
0x7A460000 Hidden Image-->System.Runtime.Serialization.dll [ EPROCESS 0x86504020 ] PID: 2536, 421888 bytes
0x7B2E0000 Hidden Image-->System.Windows.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 4460544 bytes
0xF76B5000 WARNING: Virus alike driver modification [imapi.sys], 45056 bytes
0x79E50000 Hidden Image-->System.Core.dll [ EPROCESS 0x86504020 ] PID: 2536, 544768 bytes
0x796B0000 Hidden Image-->mscorlib.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 6197248 bytes
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
0x7A340000 Hidden Image-->System.Net.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 659456 bytes
0x7A1D0000 Hidden Image-->System.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 671744 bytes
0x7AAE0000 Hidden Image-->System.Xml.ni.dll [ EPROCESS 0x86504020 ] PID: 2536, 847872 bytes
0x7A9F0000 Hidden Image-->System.ServiceModel.Web.dll [ EPROCESS 0x86504020 ] PID: 2536, 86016 bytes

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!
Here too, imapi.sys (although it can be any arbitrary driver) is the actually infected driver, and only atapi.sys is infected in memory.

!!!!!!!!!!!Hidden driver: 0x862E7AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x86369B78 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF73D3000 WARNING: suspicious driver modification [atapi.sys::0x862E7AEA]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [hdaudio.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [atmuni.sys]
0xF7570000 WARNING: Virus alike driver modification [isapnp.sys], 40960 bytes
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [mcd.sys]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!
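To make the reading the post gives of these logs repeatable, here is an added Python example (not code from the post or from Rootkit Unhooker). It only understands the line shapes shown in the three logs above, and it separates the "suspicious driver modification [driver::address]" lines, whose address matches one of the hidden drivers and which the post describes as infected in memory only, from the "Virus alike driver modification [driver]" lines, which are the candidates for the actually modified file. The sample log is a trimmed copy of the first report above; hidden images are only counted per PID, since the post draws no conclusion from them.

```python
import re
from collections import defaultdict

# Patterns for the Rootkit Unhooker (RKU) report lines shown in the post.
HIDDEN_DRIVER = re.compile(r"^!+Hidden driver: (0x[0-9A-Fa-f]+) (\S+) (\d+) bytes")
MEM_HOOK = re.compile(r"WARNING: suspicious driver modification \[([^:\]]+)::(0x[0-9A-Fa-f]+)\]")
FILE_MOD = re.compile(r"WARNING: Virus alike driver modification \[([^\]]+)\](?:, (\d+) bytes)?")
HIDDEN_IMAGE = re.compile(r"Hidden Image-->(\S+) \[ EPROCESS 0x[0-9A-Fa-f]+ \] PID: (\d+), (\d+) bytes")
LOCKED_FILE = re.compile(r"WARNING: File locked for read access \[([^\]]+)\]")


def triage_rku(log_text):
    """Split an RKU report into the categories the post distinguishes.

    memory_hooked : drivers whose in-memory code was modified; the third
                    tuple field says whether the referenced address is one
                    of the report's hidden drivers (the memory-only case).
    file_modified : drivers RKU flags as 'Virus alike' modifications, i.e.
                    candidates for the actually infected file on disk.
    """
    hidden_addrs = set()
    hidden_drivers, hooks, file_mods, locked = [], [], [], []
    images_per_pid = defaultdict(int)
    flagged = False

    for line in log_text.splitlines():
        m = HIDDEN_DRIVER.search(line)
        if m:
            hidden_addrs.add(m.group(1))
            hidden_drivers.append((m.group(1), int(m.group(3))))
            continue
        m = MEM_HOOK.search(line)
        if m:
            hooks.append((m.group(1), m.group(2)))
            continue
        m = FILE_MOD.search(line)
        if m:
            size = int(m.group(2)) if m.group(2) else None  # third log has no sizes
            file_mods.append((m.group(1), size))
            continue
        m = HIDDEN_IMAGE.search(line)
        if m:
            images_per_pid[int(m.group(2))] += 1
            continue
        m = LOCKED_FILE.search(line)
        if m:
            locked.append(m.group(1))
            continue
        if "POSSIBLE ROOTKIT ACTIVITY DETECTED" in line:
            flagged = True

    return {
        "hidden_drivers": hidden_drivers,
        "memory_hooked": [(drv, addr, addr in hidden_addrs) for drv, addr in hooks],
        "file_modified": file_mods,
        "hidden_images_per_pid": dict(images_per_pid),
        "locked_files": locked,
        "rootkit_flag": flagged,
    }


def summarize(triage):
    """One line per finding, in the order a helper would read them."""
    out = []
    for drv, addr, linked in triage["memory_hooked"]:
        target = "hidden driver at " if linked else ""
        out.append(f"{drv}: modified in memory, points at {target}{addr}")
    for drv, size in triage["file_modified"]:
        size_txt = f", {size} bytes" if size is not None else ""
        out.append(f"{drv}: driver file flagged as modified{size_txt}")
    for pid, n in sorted(triage["hidden_images_per_pid"].items()):
        out.append(f"PID {pid}: {n} hidden image(s)")
    for path in triage["locked_files"]:
        out.append(f"{path}: locked for read access")
    return out


# Constructed excerpt of the first RKU log from this post (lines trimmed).
SAMPLE_RKU_LOG = """\
!!!!!!!!!!!Hidden driver: 0x86494AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x86586D78 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF73C8000 WARNING: suspicious driver modification [iastor.sys::0x86494AEA]
0x05620000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 1077248 bytes
0x05790000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 126976 bytes
0xF7744000 WARNING: Virus alike driver modification [imapi.sys], 45056 bytes
0x012D0000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x863C1DA0 ] PID: 464, 471040 bytes

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!
"""

if __name__ == "__main__":
    for finding in summarize(triage_rku(SAMPLE_RKU_LOG)):
        print(finding)
```

Run it on a saved RKU report with `triage_rku(open(path).read())`; the third log above, where the "Virus alike" lines carry no load address or size, still parses, with `None` as the size.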
How to repair?
Kaspersky's TDSSKiller can handle this infection:

1. Download TDSSKiller to your desktop and then extract the file.
  • Double-click TDSSKiller.exe to start the program.
  • When the program has finished, a log will be created on the C:\ drive.
    The file name of that log begins with TDSSKiller.
  • Post the contents of the log in your next message.


Restart your PC manually if TDSSKiller did not ask you to.

Example logs:

11:47:30:922 3304 RDPCDD (81f9f82cb8732d26d23c20de4ece710a) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:47:30:922 3304 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 81f9f82cb8732d26d23c20de4ece710a, Fake md5: 4912d5b403614ce99c28420f75353332
11:47:30:922 3304 File "C:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ... 11:47:31:172 3304 Backup copy found, using it..
11:47:31:187 3304 will be cured on next reboot
11:47:32:625 3304 Reboot required for cure complete..
11:47:33:047 3304 Cure on reboot scheduled successfully
11:47:33:047 3304
11:47:33:047 3304 Completed
11:47:33:047 3304
11:47:33:047 3304 Results:
11:47:33:047 3304 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:47:33:047 3304 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:47:33:047 3304
11:47:33:047 3304 KLMD(ARK) unloaded successfully
15:51:53:953 2764 intelppm (aed42df563ba65d2fef3f0b2fec31cd7) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:51:53:953 2764 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: aed42df563ba65d2fef3f0b2fec31cd7, Fake md5: 96fce5216c94b0280d35d4e088268df4
15:51:53:953 2764 File "C:\WINDOWS\system32\DRIVERS\intelppm.sys" infected by TDSS rootkit ... 15:51:56:750 2764 Backup copy found, using it..
15:51:56:875 2764 will be cured on next reboot
15:51:58:781 2764 Reboot required for cure complete..
15:51:59:187 2764 Cure on reboot scheduled successfully
15:51:59:187 2764 Completed
15:51:59:187 2764 Results:
15:51:59:187 2764 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:51:59:187 2764 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:51:59:187 2764
15:51:59:187 2764 KLMD(ARK) unloaded successfully
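An added Python example (not code from the post or from TDSSKiller) that pulls the essentials out of a TDSSKiller log like the two above: which files were reported as forged with their real and fake MD5, whether a backup copy was used, whether the cure on reboot was scheduled, and the Results counters. It also cross-checks those pieces against each other, so a helper can see at a glance whether a reboot is still pending or whether an infected file was left uncured. The sample is a trimmed copy of the first log above; the parser only knows the line shapes shown there, including the case where two records share one line.

```python
import re

# Patterns for the TDSSKiller log lines shown in the post.
FORGED = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})"
)
RESULTS = re.compile(
    r"(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)"
)


def parse_tdsskiller(log_text):
    """Collect forged files, cure status and the Results counters."""
    report = {"forged": [], "backup_used": 0, "reboot_scheduled": False,
              "completed": False, "results": {}}
    for line in log_text.splitlines():
        m = FORGED.search(line)
        if m:
            path, real_md5, fake_md5 = m.groups()
            report["forged"].append({
                "path": path,
                "real_md5": real_md5,
                "fake_md5": fake_md5,
                # the forgery indicator: the file hashes differently on the
                # two read paths TDSSKiller compares
                "hash_mismatch": real_md5 != fake_md5,
            })
        # several records can share one physical line (see the logs above),
        # so these are substring checks rather than anchored patterns
        if "Backup copy found" in line:
            report["backup_used"] += 1
        if "Cure on reboot scheduled successfully" in line:
            report["reboot_scheduled"] = True
        if line.rstrip().endswith(" Completed"):
            report["completed"] = True
        m = RESULTS.search(line)
        if m:
            kind, infected, cured, on_reboot = m.groups()
            report["results"][kind.lower()] = (int(infected), int(cured), int(on_reboot))
    return report


def check_report(report):
    """Return the reasons, if any, not to treat the log as a finished cure."""
    issues = []
    if not report["completed"]:
        issues.append("scan did not report Completed")
    infected, cured, on_reboot = report["results"].get("file", (0, 0, 0))
    if len(report["forged"]) != infected:
        issues.append(f"{len(report['forged'])} forged file(s) listed but {infected} counted")
    if infected > cured + on_reboot:
        issues.append(f"{infected - cured - on_reboot} infected file(s) neither cured nor scheduled")
    if on_reboot and not report["reboot_scheduled"]:
        issues.append("cure on reboot counted but never confirmed as scheduled")
    for f in report["forged"]:
        if not f["hash_mismatch"]:
            issues.append(f"{f['path']}: flagged as forged but hashes match")
    return issues


# Constructed excerpt of the first TDSSKiller log from this post (lines trimmed).
SAMPLE_TDSS_LOG = r"""
11:47:30:922 3304 RDPCDD (81f9f82cb8732d26d23c20de4ece710a) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:47:30:922 3304 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 81f9f82cb8732d26d23c20de4ece710a, Fake md5: 4912d5b403614ce99c28420f75353332
11:47:30:922 3304 File "C:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ... 11:47:31:172 3304 Backup copy found, using it..
11:47:31:187 3304 will be cured on next reboot
11:47:32:625 3304 Reboot required for cure complete..
11:47:33:047 3304 Cure on reboot scheduled successfully
11:47:33:047 3304 Completed
11:47:33:047 3304 Results:
11:47:33:047 3304 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:47:33:047 3304 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:47:33:047 3304 KLMD(ARK) unloaded successfully
"""

if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_TDSS_LOG)
    for f in rep["forged"]:
        print(f"{f['path']}: real {f['real_md5']} vs fake {f['fake_md5']}")
    print("reboot pending:", rep["reboot_scheduled"])
    print("issues:", check_report(rep) or "none")
```

For the first log the checks come back empty and `reboot_scheduled` is true, which matches the post's instruction to restart manually if TDSSKiller did not ask for it: the file is counted as "cured on reboot", not "cured", until that restart happens.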
Combofix can also neutralize the infection:

Besmet exemplaar van c:\windows\system32\drivers\redbook.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - Kitty had a snack
Eveline.

Comments

  1. Emphyrio
    Nice, Eve