nogen forsøger at "stjæle" min maskine

Hej (igen)!

Jeg har haft et temmelig irriterende problem i et par dage nu. For et par dage siden fandt AVG Antivirus en virus, som jeg selvfølgelig kylede i karantæne med det samme, og senere slettede. Derfor kan jeg ikke huske hvilken det var - men det burde jeg nok ha skrevet ned. Siden har min netforbindelse været genstand for utallige "overtagelsesforsøg" - et par stykker med success.

Problemet viser sig at opstå, når maskinen beder om fornyelse af rettigheder hos DHCP serveren (i mit og StofaNet's tilfælde hver 2. time). Jeg får somregel den samme IP tildelt fra stofa, men de gange hvor det er gået galt, er både IP og subnet mask pludselig en anden (og bestemt ikke stofa's). Samtlige observationer peger på svchost.exe som synderen, men hverken AVG Antivirus, AVG Antispyware, Spybot S&D, SUPERantispyware, vundofix, combofix, stinger eller nogen af alle de andre tools jeg har kørt finder noget som helst, andet end cookies.

Jeg ved godt i er i tvivl om Peerguardians anvendelse og effektivitet, men jeg poster lige en bid af dens log, for a give et overblik alligevel:

2007-10-19 12:14:02;255;10.5.255.254:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:03;255;10.5.255.254:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:04;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:04;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:06;255;10.5.255.254:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:06;255;10.5.255.254:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:06;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:06;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:07;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:08;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:10;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:10;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:11;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:11;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:12;255;10.5.255.254:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:12;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:15;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked
2007-10-19 12:14:15;;10.10.128.1:67;255.255.255.255:68;UDP;Blocked


Ydermere har jeg siden installeret Comodo firewall (efter en anbefaling andetsteds herinde), og den viser sig at være ganske effektiv. Den kan f.eks. registrere følgende:

COMODO Firewall Pro Logs

       

Date Created: 02:25:17 19-10-2007


Log Scope:: Today
       

Date/Time :2007-10-19 02:25:17
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:255.255.255.255:  :bootp(67))
Application: C:\WINNT\system32\svchost.exe
Parent: C:\WINNT\system32\services.exe
Protocol: UDP Out
Destination: 255.255.255.255::bootp(67)

Date/Time :2007-10-19 02:25:15
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.10.128.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.10.128.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 5

Date/Time :2007-10-19 02:25:15
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.5.255.254, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.5.255.254:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 5

Date/Time :2007-10-19 02:25:05
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.5.255.254, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.5.255.254:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 5

Date/Time :2007-10-19 02:25:05
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.10.128.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.10.128.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 5

og så videre... hverken IP'en 10.10.128.1 eller 10.5.255.254 er en del af Stofa's net (deres DNS hedder f.eks. 212.10.10.4, og DHCP 212.10.10.20).

Hva fa'en stiller jeg op? Der er ikke umiddelbart noget mistænkeligt i HiJackThis loggen, men i får den lige, for god ordens skyld:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:26:42, on 19-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Comodo\Firewall\cmdagent.exe
E:\-= protools =-\digidesign\protools\Digidesign\Drivers\MMERefresh.exe
C:\WINNT\system32\oodag.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Programmer\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ASUS\Asus Probe\AsusProb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe
E:\-= protools =-\iTunes\iTunesHelper.exe
C:\Programmer\Mozilla Thunderbird\thunderbird.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Comodo\Firewall\CPF.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programmer\Last.fm\LastFMHelper.exe
C:\Programmer\VIA\RAID\raid_tool.exe
C:\Programmer\mIRC\mirc.exe
C:\Programmer\Winamp\winamp.exe
C:\Programmer\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINNT\system32\wscntfy.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\PeerGuardian2\pg2.exe
C:\WINNT\system32\NOTEPAD.EXE
F:\Firefox downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Jet Detection] C:\Programmer\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\-= protools =-\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] E:\-= protools =-\digidesign\protools\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Thunderbird] "C:\Programmer\Mozilla Thunderbird\thunderbird.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programmer\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmer\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Programmer\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOKAL TJENESTE')
O4 - Startup: mIRC.lnk = C:\Programmer\mIRC\mirc.exe
O4 - Startup: Winamp.lnk = C:\Programmer\Winamp\winamp.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Programmer\Last.fm\LastFMHelper.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmer\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmer\Comodo\Firewall\cmdagent.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - E:\-= protools =-\digidesign\protools\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - E:\-= protools =-\digidesign\protools\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe

--
End of file - 6790 bytes


Håber nogen ved hva jeg ka gøre for at få dem ned med nakken ;)

På forhånd tak!