Infections that KIS does not detect

offline
  • Joined: 02 Apr 2010
  • Posts: 5

I have been using Kaspersky Internet Security for almost 2 years now, and in that time I have never reinstalled the system. So far there have been serious infections; it happened that I had to send files I suspected were malicious to the company's virus analysts for checking, and they would later confirm my suspicions. Anyway, a couple of days ago I decided to check how effective KIS is using some other protection software. I scanned the system with Spy Sweeper. It found three infections that KIS does not detect: Trojan-zoeken (is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online), Troj/Agent-GAU (Installs itself in the registry, downloads code from the Internet) and the adware Sabotch. The problem is that the free version of Spy Sweeper neither removes the infections nor shows where they are located.

I must admit that I don't notice any strange behaviour in the computer's operation, which of course does not mean it isn't infected. That is why I need your opinion.


DDS (Ver_10-10-21.02) - NTFSx86
Run by Bojan at 14:08:08,36 on uto 26.10.2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1251.381.1033.18.3032.1858 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\OEM\OSD_1.16\OsdService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\OEM\OSD_1.16\osd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bojan\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live pomagac za prijavljivanje: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: eSnipsBHO Class: {b530a9a4-1722-4d16-aad6-aa85e3ad2ade} - c:\program files\logia\esnipsdownloader\eSnipsBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [OSD] "c:\program files\oem\osd_1.16\osd.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [fsc-reg] c:\programdata\fsc-reg\fscreg.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Dodaj u zastitu od reklama - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: {6660C955-B2A8-40FA-876E-71EB6EF97E59} = 194.247.192.33,194.247.192.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bojan\appdata\roaming\mozilla\firefox\profiles\maziq4pv.default\
FF - prefs.js: browser.search.selectedEngine - Р’РёРєРёРїРµРґРёС˜Р° (sr)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-11-3 21520]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340520]
R2 OsdService;OSD Service;c:\program files\oem\osd_1.16\OsdService.exe [2008-2-22 94208]
R3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2008-6-17 7168]
R3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-3-31 8192]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-7-17 3660800]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-6 136176]

=============== Created Last 30 ================

2010-10-24 17:22:01 -------- d-----w- c:\program files\MSSOAP
2010-10-24 17:22:01 -------- d-----w- c:\program files\common files\MSSoap
2010-10-24 17:21:49 -------- d-----w- c:\program files\Webroot
2010-10-16 17:34:14 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-03 16:37:02 -------- d-----w- c:\users\bojan\appdata\roaming\FLV Extract
2010-10-03 15:57:15 -------- d-----w- C:\myyoutube
2010-10-03 15:56:09 -------- d-----w- c:\program files\1-Click YouTube Downloader
2010-10-03 12:09:58 307200 ----a-w- c:\windows\system32\TubeFinder.exe
2010-10-03 12:09:57 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2010-10-03 12:09:57 84512 ----a-w- c:\windows\system32\PICCLP32.OCX
2010-10-03 12:09:57 364544 ----a-w- c:\windows\system32\PropertyGrid.ocx
2010-10-03 12:09:57 24576 ----a-w- c:\windows\system32\ControlSubX.ocx
2010-10-03 12:09:57 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-10-03 12:09:57 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-10-03 12:09:57 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-10-03 12:09:56 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-10-03 12:09:56 -------- d-----w- c:\users\bojan\appdata\roaming\FreeFLVConverter

==================== Find3M ====================

2010-09-15 02:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 14:08:42,19 ===============

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Hello and welcome to MyCity. :)


Post the report/log from Spy Sweeper for me.

offline
  • Joined: 02 Apr 2010
  • Posts: 5

Hello.

I have removed Spy Sweeper from the computer. By the way, the program is built so that you cannot find out anything at all about the infections unless you buy it. It does not remove them, does not put them in quarantine (which does not exist in the free version) and does not point to their location. Everything that could be learned from Spy Sweeper I wrote in my first post.

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

There are no traces of malware in the logs, and stay away from those programs that immediately ask you to pay for something you don't even know what it is. :)


Alongside KIS it is enough to also install MalwareBytes, and you don't need anything more in terms of protection, provided you take care about which sites you visit.


If you are still suspicious, you can run a scan with MalwareBytes and post the report/log here in the thread.


Follow these steps...


Download the installer for Malwarebytes Anti-Malware from the following link:
http://www.besttechie.net/tools/mbam-setup.exe

Double-click to run the installer - at the very end of the process, check that these options are ticked:
Update Malwarebytes' Anti-Malware;
Launch Malwarebytes Anti-Malware;

and then click Finish.

Once the update has finished, the program will start.

Select the Perform Quick Scan option and click Scan.

When the process finishes, click OK, Show Results: in the list of detected malware, tick all items and click Remove Selected.

When the process finishes, the logfile will open in Notepad; copy it into the thread on the forum.
If the program asks for a restart to complete the cleaning process, be sure to allow it.

Note: if there is a restart at the end of the cleaning process, the logfile will be available on the Logs tab (select it and click Open).

offline
  • Joined: 02 Apr 2010
  • Posts: 5

It found several infections. Most of them relate to a registry cleaning program, RegSweep, which was installed on my computer only very briefly. I uninstalled it who-knows-when ago. Now, is everything that Malwarebytes found really malware? Doesn't matter, it has been deleted.

Malwarebytes' Anti-Malware 1.46
malwarebytes.org

Database version: 4953

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18943

26.10.2010 20:07:10
mbam-log-2010-10-26 (20-07-10).txt

Scan type: Quick scan
Objects scanned: 139635
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Bojan\AppData\Roaming\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Log (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Registry Backups (Rogue.RegSweep) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Bojan\AppData\Roaming\RegSweep\Log\2009 Mar 03 - 06_02_26 PM_488.log (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Registry Backups\2009-03-02_18-37-41.reg (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\RegSweep Scheduled Scan.job (Rogue.RegSweep) -> Quarantined and deleted successfully.

Does Malwarebytes run non-stop in the background like KIS does? I'm afraid they might clash with each other.
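The Malwarebytes log above has a fixed shape: per-category summary counts, then one section per category with `path (Detection.Name) -> action.` lines. The following Python parser is added here as an example (it is not part of the thread or of Malwarebytes); it reads that format, cross-checks the summary counts against the itemized entries, groups findings by detection family, and lists the flagged scheduled-task `.job` files, which are the persistence artifacts in this log. The sample input is constructed from a subset of the entries posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Malwarebytes 1.46 log format, abridged from the entries posted above.
SAMPLE_LOG = r"""Registry Keys Infected: 3
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\RegSweep Scheduled Scan.job (Rogue.RegSweep) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # e.g. "Files Infected: 5"
ENTRY_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")    # "path (Name) -> action."

def parse_mbam_log(text):
    """Return (summary_counts, entries); each entry records section, path, detection and action."""
    summary, entries, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("(No malicious items"):
            continue                                  # blank lines and empty sections
        if (m := SUMMARY_RE.match(line)):
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith("Infected:"):              # header of an itemized section
            section = line[:-1]
        elif section and (m := ENTRY_RE.match(line)):
            entries.append({"section": section, "path": m.group(1),
                            "detection": m.group(2), "action": m.group(3)})
    return summary, entries

def check_counts(summary, entries):
    """Map each section to (count claimed in the summary block, count actually itemized)."""
    actual = Counter(e["section"] for e in entries)
    return {sec: (claimed, actual.get(sec, 0)) for sec, claimed in summary.items()}

def by_family(entries):
    """Group flagged paths by detection family, the part before the dot (Rogue, Trojan)."""
    families = defaultdict(list)
    for e in entries:
        families[e["detection"].split(".")[0]].append(e["path"])
    return dict(families)

def scheduled_task_artifacts(entries):
    """Flagged Windows scheduled-task .job files, the persistence mechanism seen in this log."""
    return [e["path"] for e in entries if e["path"].lower().endswith(".job")]
```

A mismatch reported by `check_counts` means the pasted log is incomplete or was edited, which is worth knowing before judging a scan from someone else's paste.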

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

It cleaned up leftovers... they don't pose any threat. :)


They won't compromise each other (Mbam and KIS), if that is what you meant.

You can freely use both, and usually run a Quick Scan with Mbam once or twice a week as a check.


Since there is no malware, we are finishing up here.


If you have any questions or anything unclear, feel free to open a thread in the appropriate part of the forum and ask.

offline
  • Joined: 02 Apr 2010
  • Posts: 5

OK, thank you for the help.

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

You're welcome... when you need us, you know where to find us. Cheers
