Posted: 26 Oct 2010 15:24
offline
- Mihajlo_Lajf
- New MyCity citizen
- Joined: 02 Apr 2010
- Posts: 5
I have been using Kaspersky Internet Security for almost 2 years now, and in that time I have never reinstalled the system. So far there have been serious infections; it has happened that I had to send files I suspected were malicious to the company's virus analysts for checking, and they later confirmed my suspicions. Anyway, a few days ago I decided to check how effective KIS is using some other protection software. I scanned the system with Spy Sweeper. It found three infections that KIS does not detect: Trojan-zoeken (is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online), Troj/Agent-GAU (Installs itself in the registry, downloads code from the Internet) and the adware Sabotch. The problem is that the free version of Spy Sweeper neither removes the infections nor shows their location.
I must admit that I do not notice any strange behaviour in the computer's operation, which of course does not mean it is not infected. That is why I need your opinion.
DDS (Ver_10-10-21.02) - NTFSx86
Run by Bojan at 14:08:08,36 on uto 26.10.2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1251.381.1033.18.3032.1858 [GMT 2:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\OEM\OSD_1.16\OsdService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\OEM\OSD_1.16\osd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bojan\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live pomagac za prijavljivanje: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: eSnipsBHO Class: {b530a9a4-1722-4d16-aad6-aa85e3ad2ade} - c:\program files\logia\esnipsdownloader\eSnipsBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [OSD] "c:\program files\oem\osd_1.16\osd.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [fsc-reg] c:\programdata\fsc-reg\fscreg.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Dodaj u zastitu od reklama - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: {6660C955-B2A8-40FA-876E-71EB6EF97E59} = 194.247.192.33,194.247.192.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\bojan\appdata\roaming\mozilla\firefox\profiles\maziq4pv.default\
FF - prefs.js: browser.search.selectedEngine - Википедија (sr)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
============= SERVICES / DRIVERS ===============
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-11-3 21520]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340520]
R2 OsdService;OSD Service;c:\program files\oem\osd_1.16\OsdService.exe [2008-2-22 94208]
R3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2008-6-17 7168]
R3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-3-31 8192]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-7-17 3660800]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-6 136176]
=============== Created Last 30 ================
2010-10-24 17:22:01 -------- d-----w- c:\program files\MSSOAP
2010-10-24 17:22:01 -------- d-----w- c:\program files\common files\MSSoap
2010-10-24 17:21:49 -------- d-----w- c:\program files\Webroot
2010-10-16 17:34:14 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-03 16:37:02 -------- d-----w- c:\users\bojan\appdata\roaming\FLV Extract
2010-10-03 15:57:15 -------- d-----w- C:\myyoutube
2010-10-03 15:56:09 -------- d-----w- c:\program files\1-Click YouTube Downloader
2010-10-03 12:09:58 307200 ----a-w- c:\windows\system32\TubeFinder.exe
2010-10-03 12:09:57 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2010-10-03 12:09:57 84512 ----a-w- c:\windows\system32\PICCLP32.OCX
2010-10-03 12:09:57 364544 ----a-w- c:\windows\system32\PropertyGrid.ocx
2010-10-03 12:09:57 24576 ----a-w- c:\windows\system32\ControlSubX.ocx
2010-10-03 12:09:57 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-10-03 12:09:57 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-10-03 12:09:57 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-10-03 12:09:56 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-10-03 12:09:56 -------- d-----w- c:\users\bojan\appdata\roaming\FreeFLVConverter
==================== Find3M ====================
2010-09-15 02:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
============= FINISH: 14:08:42,19 ===============
Posted: 26 Oct 2010 19:01
offline
- Mihajlo_Lajf
- New MyCity citizen
- Joined: 02 Apr 2010
- Posts: 5
Hello.
I have removed Spy Sweeper from the computer. Incidentally, the program is built so that you cannot find out anything at all about the infections unless you buy it. It does not remove them, does not put them in quarantine (which does not exist in the free version) and does not point to their location. Everything that could be learned from Spy Sweeper I wrote in the first post.
Posted: 26 Oct 2010 20:23
offline
- Mihajlo_Lajf
- New MyCity citizen
- Joined: 02 Apr 2010
- Posts: 5
It found several infections. Most of them relate to a registry cleaning program, RegSweep, which was installed on my computer only very briefly. I uninstalled it who knows how long ago. Now, is everything Malwarebytes found really malware? It does not matter, it has been deleted.
Malwarebytes' Anti-Malware 1.46
malwarebytes.org
Database version: 4953
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18943
26.10.2010 20:07:10
mbam-log-2010-10-26 (20-07-10).txt
Scan type: Quick scan
Objects scanned: 139635
Time elapsed: 4 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Users\Bojan\AppData\Roaming\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Log (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Registry Backups (Rogue.RegSweep) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Bojan\AppData\Roaming\RegSweep\Log\2009 Mar 03 - 06_02_26 PM_488.log (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Registry Backups\2009-03-02_18-37-41.reg (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\RegSweep Scheduled Scan.job (Rogue.RegSweep) -> Quarantined and deleted successfully.
Does Malwarebytes run non-stop in the background like KIS? I am afraid they might clash with each other.
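The question of whether everything in the Malwarebytes report is really malware is easier to answer once the log is broken down by detection family and by which items are persistence mechanisms (scheduled tasks, Run keys) rather than leftover files of an uninstalled program. The following parser is an example added by the editor; it is not part of the thread, of Malwarebytes, or of any product mentioned here. It embeds the detection sections quoted from the log in this post as a constructed inline sample, cross-checks the summary counts against the detailed listing, and groups the findings. The persistence patterns (the `\Windows\Tasks\*.job` and `CurrentVersion\Run` checks) are the editor's own heuristics, not something the log format defines.

```python
import re
from collections import Counter

# Constructed sample: the detection sections quoted from the Malwarebytes log in
# this post, embedded inline so the script runs offline. The summary counts are
# included so the parser can cross-check them against the detailed listing.
SAMPLE_LOG = r"""Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Folders Infected:
C:\Users\Bojan\AppData\Roaming\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Log (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Registry Backups (Rogue.RegSweep) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Bojan\AppData\Roaming\RegSweep\Log\2009 Mar 03 - 06_02_26 PM_488.log (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Users\Bojan\AppData\Roaming\RegSweep\Registry Backups\2009-03-02_18-37-41.reg (Rogue.RegSweep) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\RegSweep Scheduled Scan.job (Rogue.RegSweep) -> Quarantined and deleted successfully.
"""

# "Files Infected: 5"  -> summary count line
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Files Infected:"    -> section header for the detailed listing
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Editor's heuristics (assumption, not part of the log format): items that act as
# autostart/persistence mechanisms deserve more attention than leftover files.
PERSISTENCE_HINTS = (
    (r"\\windows\\tasks\\.*\.job$", "scheduled task"),
    (r"\\currentversion\\run", "Run key"),  # general case, not present in the sample
)


def parse_mbam_log(text):
    """Return the summary counts and the list of detailed detections."""
    expected, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:
            expected[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return {"expected": expected, "detections": detections}


def counts_consistent(parsed):
    """True when the detailed listing matches the counts the log claims."""
    actual = Counter(d["section"] for d in parsed["detections"])
    return all(actual.get(sec, 0) == n for sec, n in parsed["expected"].items())


def classify_persistence(item):
    low = item.lower()
    for pattern, label in PERSISTENCE_HINTS:
        if re.search(pattern, low):
            return label
    return None


def summarize(parsed):
    dets = parsed["detections"]
    return {
        "total": len(dets),
        "by_family": dict(Counter(d["family"] for d in dets)),
        "by_section": dict(Counter(d["section"] for d in dets)),
        "persistence": [(d["item"], d["family"], classify_persistence(d["item"]))
                        for d in dets if classify_persistence(d["item"])],
        # Anything not quarantined/deleted still needs manual follow-up.
        "unactioned": [d["item"] for d in dets if not d["action"].startswith("Quarantined")],
    }


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(parsed))
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
```

Run on the sample, the breakdown shows that 7 of the 14 items are Rogue.RegSweep leftovers (the key, folders, logs and backups of the uninstalled registry cleaner), while the two Trojan.Downloader entries are scheduled-task files under `C:\Windows\Tasks`, which is an autostart location and therefore the part of the report worth looking at most closely, regardless of the fact that everything was already quarantined.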