ClustrMaps

Locations of visitors to this page

Jos Coenen's blog

The roadrunner is back as never before! See also: My homepage or my very obsolete site
If by any means entries in my blog are considered to be harmful or damaging, please let me know (add comment) or just mail me. In this (unhopely) case I will remove or change the contents.

Tuesday, September 29, 2009

Windows annoyances

De roadrunner heeft een haat/liefde verhouding met B. Gates.
De desktop raakte gisteren besmet met "iets" waardoor bij het opstarten alleen het wallpaper werd getoond.


Na Alt-Ctrl_Delete of fraaier Ctrl-Shift-Esc kwam de taskmanager wel in beeld.
Vervolgens Bestand - Nieuwe taak en explorer en Enter.
En de zaak leek weer te werken.

Echter...
De taken in de taskmanager waren allen user-loos.
Dat geeft toch te denken.
En de Wintelbak was trager dan anders.

Om een heel lang verhaal, met vele reboots, in te korten:
de roadrunner had zijn PC besmet!

Met dank aan MalWareBytes, http://www.malwarebytes.org/, dus niet de talloze zogenaamde cleaners die zelf malware zijn (#@&!), is de zaak naar volle tevredenheid opgelost.

De root of all evil, is natuurlijk het Windows register (regedit om de zaak zelf te vernaggelen).
Waarom bestaat er een register entry als deze:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Hoe eenvoudig kan het zijn. om daarvan te maken:
"Userinit"="C:\\WINDOWS\\system32\\sdra64.exe,"

En waarom is het zomaar toegestaan om sdr64.exe in system32 te plaatsen?

Google-it en zo maar een hit:

Waarom een parameter als userinit.exe gebruikt moet worden om in te loggen?
Overparameterized ...
"The selection of an appropriate model is critical for the production of good phylogenetic analyses, both because underparameterized or overly restrictive models may produce aberrant behavior when their underlying assumptions are violated, and because overly complex or overparameterized models are computationally expensive and the parameters may be overfit."

Zie ook deze belachelijke doe-het-zelf oplossing:
http://mrmusicmaker.blogspot.com/2009/04/how-to-remove-sdra64exe-yourself-for.html
Hoewel het cynisme terecht is:
"I searched online for 'remove sdra64.exe' and get bombarded by stupid-ass companies who all want to rip you off, by making you think you need their software. Some even say its free.. You use their software, it tells you you have problems (surprise surprise!) and then tells you you need to buy a license to do anything about it. Either that or you just end up on a page that makes out it is about tech support, but is actually just trying to get you there so it can show you no content and a million ads."

Ziehier wat mijn PC allemaal aan piraten boord had:

Malwarebytes' Anti-Malware 1.41
Database versie: 2868
Windows 5.1.2600 Service Pack 3

28-9-2009 21:58:05
mbam-log-2009-09-28 (21-58-05).txt

Scan type: Snelle Scan
Objecten gescand: 105843
Verstreken tijd: 3 minute(s), 24 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 19
Registerwaarden geïnfecteerd: 1
Registerdata bestanden geïnfecteerd: 3
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 10

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\xml.xml (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Waledac) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Waledac) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Mappen geïnfecteerd:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Bestanden geïnfecteerd:
C:\Program Files\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.Waledac) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)