Posted: 17 Sep 2012 15:18
- sake86
- New MyCity citizen
- Joined: 14 Sep 2012
- Posts: 13
Written: 17 Sep 2012 15:17
I scanned the disk with Avira; about 36 of the 50 suspicious files ended up in quarantine.
After the scan I ran a DDS report.
DDS report
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Matei at 23:21:10 on 2012-09-16
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.385.1033.18.2039.920 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\spoolsv.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe
C:\Program Files\Realtek\RTL8187 Wireless LAN Utility\RtWlan.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Vuzix Corporation\iWear VR920\iWearTaskBar.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\BlazeVideo_zadnji\BlazeDTV 6.0\MediaDetector.exe
C:\Program Files\Nokia\Nokia Suite\NokiaSuite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\MCShield\MCShieldRTM.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\system32\conhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
mStart Page = [Link mogu videti samo ulogovani korisnici]
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [googletalk] c:\users\matei\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [BlazeServoTool] "c:\program files\blazevideo_zadnji\blazedtv 6.0\MediaDetector.exe"
uRun: [NokiaSuite.exe] c:\program files\nokia\nokia suite\NokiaSuite.exe -tray
uRun: [MCShield Monitor] c:\program files\mcshield\mcshieldrtm.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iWearMonitor] "c:\program files\vuzix corporation\iwear vr920\iWearTaskBar.exe" -Startup
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\matei\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7EA85F30-BA75-4389-908A-DF85D20C2607} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8264EC75-C4F2-47BC-A1D0-BC2C5203734D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8264EC75-C4F2-47BC-A1D0-BC2C5203734D}\148656C6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8264EC75-C4F2-47BC-A1D0-BC2C5203734D}\4586F6D637F6E6645314548314 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8264EC75-C4F2-47BC-A1D0-BC2C5203734D}\8445340205F627471626C6560284F6473707F647 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8264EC75-C4F2-47BC-A1D0-BC2C5203734D}\D41657E61602E4564777F627B60294E636E2 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8264EC75-C4F2-47BC-A1D0-BC2C5203734D}\E4F667F6762716469637B6165373 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{F86E513A-5496-4C24-B2FD-CB8A0CE3738E} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\matei\appdata\roaming\mozilla\firefox\profiles\sz37guy9.default\
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-29 218688]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-14 214024]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-7-12 29472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-12-6 201168]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-12-6 101120]
S3 IT9135BDA;WinFast DTV Dongle Dual Devices;c:\windows\system32\drivers\IT9135BDA.sys [2010-12-19 123008]
S3 iwrstreo;WDF Driver for Vuzix VR920;c:\windows\system32\drivers\iwrstreo.sys [2012-1-12 9728]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-1-14 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-1-14 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-1-14 34248]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
.
=============== Created Last 30 ================
.
2012-09-16 19:50:22 -------- d-----w- c:\users\matei\appdata\roaming\Avira
2012-09-16 19:44:52 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-09-16 19:44:52 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-09-16 19:44:51 -------- d-----w- c:\programdata\Avira
2012-09-16 19:44:51 -------- d-----w- c:\program files\Avira
2012-09-16 16:12:28 -------- d-----w- c:\programdata\MCShield
2012-09-16 16:12:28 -------- d-----w- c:\program files\MCShield
2012-09-15 18:05:38 -------- d-----w- C:\file iz windows foldera
2012-09-15 17:03:31 -------- dc----w- c:\users\matei\appdata\local\MigWiz
2012-09-05 09:24:28 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{84729da0-9cf8-4767-afbb-23d006d75d79}\offreg.dll
2012-09-05 09:22:48 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{84729da0-9cf8-4767-afbb-23d006d75d79}\mpengine.dll
2012-09-04 07:37:56 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-04 07:35:49 -------- d-----w- c:\users\matei\appdata\roaming\SpeedyPC Software
2012-09-04 07:35:49 -------- d-----w- c:\users\matei\appdata\roaming\DriverCure
2012-09-04 07:35:18 -------- d-----w- c:\programdata\SpeedyPC Software
2012-09-01 08:31:40 -------- d-----w- C:\games
2012-08-31 07:42:59 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-08-28 13:25:54 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2012-08-28 13:25:54 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2012-08-28 13:25:54 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2012-08-28 13:22:54 -------- d-----w- C:\Riot Games
2012-08-28 09:14:55 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-08-28 09:14:55 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-08-28 08:55:22 -------- d-----w- c:\users\matei\appdata\local\PMB Files
2012-08-28 08:55:18 -------- d-----w- c:\programdata\PMB Files
2012-08-28 08:54:47 -------- d-----w- c:\program files\Pando Networks
2012-08-23 18:19:04 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-09-04 07:37:45 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-15 00:05:28 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 00:05:28 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 23:27:23,74 ===============
Here is the ATTACH file as well:
[link visible only to logged-in users]
After that I ran GMER and generated the Gmer1 report:
[link visible only to logged-in users]
When I wanted to create the Gmer2 report, after selecting the "Only non MS-dos files" option and clicking the SCAN button I got a blue screen (BSOD) and the computer restarted, and while Windows was booting an error appeared: "cannot find local drive" (or something like that, basically as if it did not recognise the disk). I restarted it once more, same error again. I went into the BIOS, where the disk is recognised normally, exited the BIOS, restarted, pressed F8, chose the "Last known good configuration" option, and Windows booted normally, and here I am now typing this post.
Addendum: 17 Sep 2012 15:18
P.S. I changed my passwords.
Posted: 17 Sep 2012 18:21
- sake86
- New MyCity citizen
- Joined: 14 Sep 2012
- Posts: 13
OK, I'll do this; privately I use Foxit for reading PDFs anyway.
I ran the browser security check; only Java was OK, while Flash, QuickTime and Silverlight were in bad shape.
MCShield is great, it is definitely staying on the computer.
Thanks for the help, the system is OK for now, if there are any problems I'll get back to you!
The only thing that bugs me is that I lost all my tabs in the browsers (several of them).
A question unrelated to the malware clinic, but related to losing data when the system gets infected:
do you generally recommend using portable applications (browsers etc.) or the "normal" ones that get installed?
Thanks
Regards
Posted: 17 Sep 2012 21:33
- Sass Drake
- Anti Malware Fighter Rank 2
- Joined: 26 Aug 2010
- Posts: 10622
- Location: Hypnos Control Room, Tokyo Metropolitan Government Building
As for Chrome, click the wrench icon in the top right corner, then go to Options. Under Basics, tick Reopen the pages that were open last. More on that:
[link visible only to logged-in users]
As for classic versus portable programs, if you make backups of your data and their settings you have nothing to worry about.
For any other questions you may have, ask in the appropriate subforums.
Regards.
Posted: 17 Sep 2012 22:06
- sake86
- New MyCity citizen
- Joined: 14 Sep 2012
- Posts: 13
Thanks for the Chrome instructions, but that's not what I meant...
Thanks for the information, regards!