Kaspersky rundll32'yi virüs olarak görüyor

Mustafa Süleyman · 21 Aralık 2020

Kaspersky rundll32.dll yi virüs olarak görüyor ve ardından bir sürü hata veriyor. "c:\users\kullanıcı\appdata\roaming\microsoft\admodnetw4b8" konumunda truva atı buluyor. Acaba sizin bu konumda böyle bir dosya vara mı bakıp SS atabilirseniz sevinirim bu bir hata mı yoksa cidden trojan mı?

iambmys9 · 21 Aralık 2020

Öyle bir konum bulunmuyor.

24099 · 21 Aralık 2020

Gerçekten temiz olsaydı zararlı denmezdi.

Son zamanların moda tekniği rundll32 olarak açılıp AV bypass etmeye çalışmak veya gerçek rundll32'yi kullanmak. Yine de logları, tarama sonuçlarını paylaşabilirseniz bir bakalım.

Mustafa Süleyman · 21 Aralık 2020

24099 · 21 Aralık 2020

Mustafa Süleyman dedi:
Eki Görüntüle 793355

Eki Görüntüle 793356

Tespit edip temizlemiş, herhangi bir sorun olduğunu düşünmüyorum.

Mustafa Süleyman · 21 Aralık 2020

Bu olay 2-3 gündür başıma geliyor.

24099 dedi:
Tespit edip temizlemiş, herhangi bir sorun olduğunu düşünmüyorum.

Bende ilk seferde öyle sandım ama kendini kopyalıyor galiba çünkü 2-3 gündür sürekli bu sorun var sürekli temizliyor sürekli ortaya çıkıyor.

24099 · 21 Aralık 2020

HJ raporu paylaşın. Bir sorun varsa duruma göre başka raporlar da isteyebilirim ama ilk olarak bu lazım

Rehber: HijackThis Log Paylaşımı ve Çözümleri

Sisteminizde yaşadığınız performans düşüşü, kilitlenme, zararlı etkisi, uygulama hatalarından kaynaklanan sorunsalları analiz etmek ve performans iyileştirmesi, zararlı etkisini inaktif etmek için bize HijackThis yazılımı ile yaptığınız tarama Logunu burada paylaşmanız gerekmektedir...

www.technopat.net

ArdaFRKN · 21 Aralık 2020

Zararlı olduğunu söyleyebilirim. Adı Windows veya Microsoft ile alakalı olunca güvenilir olmuyor. Bir keresinde %appdata% konumunda svchost.exe diye bir dosya vardı. Uygulamaların indiği yerde sistem programı bulunamayacağı için silmiştim. Kaspersky'da çıldırıyordu virüs diye arkada. Seninkide sahte bir yazılım olabilir.

Mustafa Süleyman · 31 Aralık 2020

Kod:

Logfile of HiJackThis Fork by Alex Dragokas v.2.9.0.26

Platform:  x64 Windows 10 (Pro), 10.0.19042.685 (ReleaseId: 2009), Service Pack: 0
Time:      21.12.2020 - 17:49 (UTC+03:00)
Language:  OS: Turkish (0x41F). Display: Turkish (0x41F). Non-Unicode: Turkish (0x41F)
Elevated:  Yes
Ran by:    Mustafa    (group: Administrator) on DESKTOP-ONBINNU, FirstRun: yes

Chrome:  87.0.4280.88
Edge:    11.0.19041.546
Internet Explorer: 11.0.19041.1
Default: "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument %1 (Google Chrome)

Boot mode: Normal

Running processes:
Number | Path
   1  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
   1  C:\Program Files (x86)\Common Files\Steam\SteamService.exe
   1  C:\Program Files (x86)\Google\Update\1.3.36.52\GoogleCrashHandler.exe
   1  C:\Program Files (x86)\Google\Update\1.3.36.52\GoogleCrashHandler64.exe
   1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\kpm.exe
   1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\kpm_service.exe
   1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.2\avp.exe
   1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.2\avpui.exe
   1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.2\ksde.exe
   1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.2\ksdeui.exe
   1  C:\Program Files (x86)\Origin\OriginWebHelperService.exe
   7  C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
   1  C:\Program Files (x86)\Steam\steam.exe
   1  C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
   1  C:\Program Files\AMD\CNext\CNext\AMDRSServ.exe
   1  C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe
   1  C:\Program Files\AMD\CNext\CNext\amdow.exe
   1  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
   1  C:\Program Files\Riot Vanguard\vgtray.exe
   1  C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe
   1  C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
   1  C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0\MsMpEng.exe
   1  C:\Users\Mustafa\Desktop\HiJackThis.exe
   1  C:\Windows\SysWOW64\PnkBstrA.exe
   1  C:\Windows\System32\DriverStore\FileRepository\u0359160.inf_amd64_2abe2598d9a3141f\B358802\atieclxx.exe
   1  C:\Windows\System32\DriverStore\FileRepository\u0359160.inf_amd64_2abe2598d9a3141f\B358802\atiesrxx.exe
   1  C:\Windows\System32\ICEsoundService64.exe
   3  C:\Windows\System32\RuntimeBroker.exe
   1  C:\Windows\System32\SearchIndexer.exe
   1  C:\Windows\System32\SecurityHealthService.exe
   1  C:\Windows\System32\SecurityHealthSystray.exe
   1  C:\Windows\System32\SettingSyncHost.exe
   1  C:\Windows\System32\SgrmBroker.exe
   1  C:\Windows\System32\amdfendrsr.exe
   1  C:\Windows\System32\audiodg.exe
   2  C:\Windows\System32\csrss.exe
   1  C:\Windows\System32\ctfmon.exe
   1  C:\Windows\System32\dwm.exe
   2  C:\Windows\System32\fontdrvhost.exe
   1  C:\Windows\System32\lsass.exe
   1  C:\Windows\System32\services.exe
   1  C:\Windows\System32\sihost.exe
   1  C:\Windows\System32\smartscreen.exe
   1  C:\Windows\System32\smss.exe
   1  C:\Windows\System32\spoolsv.exe
  74  C:\Windows\System32\svchost.exe
   1  C:\Windows\System32\taskhostw.exe
   1  C:\Windows\System32\wbem\WmiPrvSE.exe
   1  C:\Windows\System32\wbem\unsecapp.exe
   1  C:\Windows\System32\wininit.exe
   1  C:\Windows\System32\winlogon.exe
   1  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
   1  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
   1  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
   1  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
   1  C:\Windows\explorer.exe

R4 - SearchScopes: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{8C3078A0-9AAB-4371-85D1-656CA8E46EE8}: [SuggestionsURL_JSON] = https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part={searchTerms}&clid=2233630 - Yandex
R4 - SearchScopes: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{8C3078A0-9AAB-4371-85D1-656CA8E46EE8}: [URL] = https://yandex.com.tr/search/?text={searchTerms}&clid=2233630 - Yandex
O2 - HKLM\..\BHO: IEToEdge BHO - {1FD49718-1D00-4B19-AF5F-070AF6D5D54C} - C:\Program Files (x86)\Microsoft\Edge\Application\87.0.664.66\BHO\ie_to_edge_bho_64.dll
O2 - HKLM\..\BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_271\bin\jp2ssv.dll
O2 - HKLM\..\BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_271\bin\ssv.dll
O2-32 - HKLM\..\BHO: IEToEdge BHO - {1FD49718-1D00-4B19-AF5F-070AF6D5D54C} - C:\Program Files (x86)\Microsoft\Edge\Application\87.0.664.66\BHO\ie_to_edge_bho.dll
O4 - HKCU\..\Run: [Steam] = C:\Program Files (x86)\Steam\steam.exe -silent
O4 - HKCU\..\Run: [kpm.exe] = C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\kpm.exe autoStart
O4 - HKCU\..\StartupApproved\Run: [Discord] = C:\Users\Mustafa\AppData\Local\Discord\Update.exe --processStart Discord.exe --process-start-args --start-minimized (2020/12/12)
O4 - HKCU\..\StartupApproved\Run: [EpicGamesLauncher] = C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe -silent (2020/10/22)
O4 - HKCU\..\StartupApproved\Run: [OneDrive] = C:\Users\Mustafa\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background (2020/10/20)
O4 - HKLM\..\Run: [RTHDVCPL] = C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
O4 - HKLM\..\Run: [Riot Vanguard] = C:\Program Files\Riot Vanguard\vgtray.exe
O4 - HKLM\..\StartupApproved\Run32: [SunJavaUpdateSched] = C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (2020/10/22)
O17 - DHCP DNS 1: 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{07edaa12-79f9-4450-a366-7ca5180b56e4}: [NameServer] = 8.8.4.4 (Well-known DNS: Google)
O17 - HKLM\System\CCS\Services\Tcpip\..\{07edaa12-79f9-4450-a366-7ca5180b56e4}: [NameServer] = 8.8.8.8 (Well-known DNS: Google)
O22 - Task (.job): (disabled) (Not scheduled) CreateExplorerShellUnelevatedTask.job - C:\WINDOWS\explorer.exe /NOUACCHECK
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateAssistant\UpdateAssistant - C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe /ClientID Win10Upgrade:VNL:NHV24:{} (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateAssistant\UpdateAssistantAllUsersRun - C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe /ClientID Win10Upgrade:VNL:NHV24:{} /AllUsersRun (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateAssistant\UpdateAssistantCalendarRun - C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe /ClientID Win10Upgrade:VNL:NHV24:{} /CalendarRun (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateAssistant\UpdateAssistantWakeupRun - C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe /ClientID Win10Upgrade:VNL:NHV24:{} /WakeupRun (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateOrchestrator\Reboot_AC - C:\WINDOWS\system32\MusNotification.exe /RunOnAC RebootDialog (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateOrchestrator\Reboot_Battery - C:\WINDOWS\system32\MusNotification.exe /RunOnBattery RebootDialog (Microsoft)
O22 - Task: (disabled) \Agent Activation Runtime\S-1-5-21-900125387-2448592306-3399307716-1001 - C:\WINDOWS\System32\AgentActivationRuntimeStarter.exe
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\Retry - C:\WINDOWS\system32\ProvTool.exe /turn 5 /source ProvRetryTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\RunOnReboot - C:\WINDOWS\system32\ProvTool.exe /turn 5 /source ContinueSessionTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work - C:\WINDOWS\system32\usoclient.exe StartMaintenanceWork (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work - C:\WINDOWS\system32\usoclient.exe StartWork (Microsoft)
O22 - Task: (telemetry) \Microsoft\Windows\Application Experience\PcaPatchDbTask - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask (Microsoft)
O22 - Task: (update) \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker - C:\WINDOWS\system32\MusNotification.exe (Microsoft)
O22 - Task: AMDInstallLauncher - C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe /InstallAUEP
O22 - Task: AMDLinkUpdate - C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe -AMDLinkUpdate
O22 - Task: Adobe Acrobat Update Task - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
O22 - Task: BlueStacksHelper - C:\ProgramData\BlueStacks\Client\Helper\BlueStacksHelper.exe -sr
O22 - Task: GoogleUpdateTaskMachineCore - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
O22 - Task: GoogleUpdateTaskMachineUA - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
O22 - Task: Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} - C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe /waitUpgrade
O22 - Task: ModifyLinkUpdate - C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe -UpdateCurrentUser
O22 - Task: PostponeDeviceSetupToast_S-1-5-21-900125387-2448592306-3399307716-1001_0 - {5ded83ef-1e99-48cf-bf83-676d2a6db408},PostponeDeviceSetupToast - C:\Windows\System32\oobe\UserOOBE.dll
O22 - Task: StartCN - C:\Program Files\AMD\CNext\CNext\cncmd.exe startwithdelay
O22 - Task: StartDVR - C:\Program Files\AMD\CNext\CNext\RSServCmd.exe
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ClientTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ServerTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"
O22 - Task: zAmigoBrowserUpdate - C:\WINDOWS\system32\rundll32.exe C:\Users\Mustafa\AppData\Roaming\Microsoft\AdModNetW4b8\adnekmod8b4.dll,AmigoUpdater
O23 - Service R2: AMD Crash Defender Service - C:\WINDOWS\system32\amdfendrsr.exe
O23 - Service R2: AMD External Events Utility - C:\WINDOWS\System32\DriverStore\FileRepository\u0359160.inf_amd64_2abe2598d9a3141f\B358802\atiesrxx.exe
O23 - Service R2: Adobe Acrobat Update Service - (AdobeARMservice) - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service R2: Gaming Services - (GamingServices) - C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe
O23 - Service R2: Gaming Services - (GamingServicesNet) - C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
O23 - Service R2: ICEsound Service - (ICEsoundService) - C:\WINDOWS\system32\ICEsoundService64.exe
O23 - Service R2: Kaspersky Anti-Virus Hizmeti 21.2 - (AVP21.2) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.2\avp.exe -r
O23 - Service R2: Kaspersky Password Manager Service - (kpm_launch_service) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 9.0.2\kpm_service.exe
O23 - Service R2: Kaspersky VPN Secure Connection Hizmeti 5.2 - (KSDE5.2) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.2\ksde.exe -r
O23 - Service R2: Origin Web Helper Service - C:\Program Files (x86)\Origin\OriginWebHelperService.exe
O23 - Service R2: PnkBstrA - C:\WINDOWS\system32\PnkBstrA.exe  (file missing)
O23 - Service R2: TeamViewer - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
O23 - Service R3: Steam Client Service - C:\Program Files (x86)\Common Files\Steam\SteamService.exe /RunAsService
O23 - Service S2: Google Güncelleme Hizmeti (gupdate) - (gupdate) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc
O23 - Service S2: Wallpaper Engine Service - C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\wallpaperservice32_c.exe  (file missing)
O23 - Service S3: Google Chrome Elevation Service (GoogleChromeElevationService) - (GoogleChromeElevationService) - C:\Program Files\Google\Chrome\Application\87.0.4280.88\elevation_service.exe
O23 - Service S3: Google Güncelleme Hizmeti (gupdatem) - (gupdatem) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /medsvc
O23 - Service S3: Kaspersky Volume Shadow Copy Service Bridge 21.2 - (klvssbridge64_21.2) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.2\x64\vssbridge64.exe
O23 - Service S3: Origin Client Service - C:\Program Files (x86)\Origin\OriginClientService.exe
O23 - Service S3: Rockstar Game Library Service - (Rockstar Service) - D:\Launcher\RockstarService.exe
O23 - Service S3: vgc - C:\Program Files\Riot Vanguard\vgc.exe


--
End of file - Time spent: 8,5 sec. - 26706 bytes, CRC32: FFFFFFFF. Sign: ੀ㹘

Mustafa Süleyman dedi:
O22 - task: Zamigobrowserupdate - C:\WINDOWS\system32\rundll32.exe C:\Users\Mustafa\AppData\Roaming\Microsoft\AdModNetW4b8\adnekmod8b4.dll,AmigoUpdater.

Bu ne acaba ben bilgisayarıma böyle bir şey yüklemedim?

Kod:

C:\WINDOWS\system32\rundll32.exe C:\Users\Mustafa\AppData\Roaming\Microsoft\AdModNetW4b8\adnekmod8b4.dll,AmigoUpdater.

Galiba rundll32.exe buradan geliyor dosya uzantısında rundll32.exe yazıyor.
@24099

Kaspersky rundll32'yi virüs olarak görüyor

Ayrıntılı düzenleme

Mustafa Süleyman

Hectopat

iambmys9

Kilopat

24099

Terapat

Mustafa Süleyman

Hectopat

24099

Terapat

Mustafa Süleyman

Hectopat

24099

Terapat

Rehber: HijackThis Log Paylaşımı ve Çözümleri

ArdaFRKN

Hectopat

Mustafa Süleyman

Hectopat

Benzer konular

Technopat Haberler

Yeni konular

Yeni mesajlar

Gizliliğinize önem veriyoruz