Keylogger, or something else after all

offline
  • Yovo
  • New MyCity citizen
  • Joined: 08 Oct 2009
  • Posts: 3

When booting the system I have to force the computer off several times, because not all resources come up and it cannot work properly. I suspected some pests, so I used ComboFix to try to find them. I will paste the ComboFix report at the end of this post. The problem started about a month ago, although I had noticed some irregularities earlier too (freezing while working). I have an ISDN internet connection. Maybe these are all hardware problems, but I would still ask dr_Bora and his associates to tell me whether there is anything in my computer that should not be there, or whether there perhaps was before ComboFix did its part of the job.

Thanks in advance.

Following the forum rules and instructions, I first give the DDS report:

DDS (Ver_09-09-29.01) - NTFSx86
Run by user at 10:51:36,48 on pet 09.10.2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.247.71 [GMT 2:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {c08df07a-3e49-4e25-9ab0-d3882835f153} - QUICKfind BHO Object
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
IE: &Define - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\hqjdss7s.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJPI142_12.dll
FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.travian.org travian.at welt1.travian.de welt2.travian.de welt3.travian.de welt4.travian.de welt5.travian.de welt6.travian.de welt7.travian.de welt8.travian.de welt9.travian.de welt10.travian.de speed.travian.de rs1.travian.com
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: network.http.max-persistent-connections-per-server - 2
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100

============= SERVICES / DRIVERS ===============

R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [2002-4-24 612669]
R1 FDCENT;FDCENT;c:\windows\system32\drivers\FDCENT.SYS [2005-11-28 47662]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-16 394952]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 566616]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-8-18 468224]
R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [2001-4-22 26067]
S3 3d23D3;3d23D3;c:\windows\system32\3d23D3.sys [2007-10-18 185824]
S3 ES-620;Edisonsoft ES-620 USB Infrared Adapter;c:\windows\system32\drivers\ES-620.sys [2006-2-22 29076]
S3 ISDN_u;ISDN USB CAPI;c:\windows\system32\drivers\ISDN_u.sys [2002-3-7 590080]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\msn messenger\usnsvc.exe [2007-1-19 97136]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-10-08 15:58 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-10-08 15:58 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 15:58 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-08 15:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-08 15:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 12:53 <DIR> a-dshr-- C:\cmdcons
2009-10-08 12:40 229,888 a------- c:\windows\PEV.exe
2009-10-08 12:40 161,792 a------- c:\windows\SWREG.exe
2009-10-08 12:40 98,816 a------- c:\windows\sed.exe
2009-09-09 13:20 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2007-11-12 15:17 124,928 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-02-19 15:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021920090220\index.dat

============= FINISH: 10:53:36,54 ===============

I am also attaching the Attach.txt report and 3 GMER reports.

And here I am attaching the ComboFix report as well, with the note that it was run before the system was scanned with DDS and GMER. I know I should not have started with ComboFix, but I only remembered late to ask the experts for help. I hope you will be able to see from its report whether there was something in the computer that should not have been there.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Upload the file c:\windows\system32\3d23D3.sys

via this link: http://www.mycity.rs/ambulanta-upload.php

offline
  • Yovo
  • New MyCity citizen
  • Joined: 08 Oct 2009
  • Posts: 3

Bora, I have uploaded the requested file. Sorry for the delay, I was away over the weekend.

Regards, awaiting further instructions.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

There is no malware here.

What there is are leftovers of two antivirus programs: McAfee and Norton.

Remove them: http://www.mycity.rs/Antivirus-programi/Deinstalac.....grama.html

Also, I see you have some programs for hiding/locking folders; try uninstalling those too, maybe that will stabilize the PC.

If nothing changes, open a thread in the Windows forum and explain the problem.

offline
  • Yovo
  • New MyCity citizen
  • Joined: 08 Oct 2009
  • Posts: 3

Many thanks for the help, Boro. First I uninstalled Nokia PC Suite and the computer already runs much better.

I would just ask you to tell me what ComboFix deleted, as seen in its log. It looked to me like some log files and I wondered whether it was some keylogger.

Best regards.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I could not tell you what was deleted, since the list of files/folders alone does not say much.
In any case, I think there was no active malware here.

Btw, you are using a very old version of Java (Java Runtime Environment); you should update it as soon as possible.

Btw2, both ZoneAlarm and ESET's firewall are active. That is not exactly an optimal situation...
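The things dr_Bora picked out of the DDS report by eye across the thread (a driver with an opaque name sitting in system32 rather than system32\drivers, two firewalls enabled at once, a very old Java runtime) can be pulled out of the same report with a small parser. This is an added example, not code from the forum or from the DDS tool; the sample log is constructed from lines quoted in the thread, and the scoring rules are assumptions about what deserves a second look, not verdicts (a legitimate ZoneAlarm driver trips two of them).

```python
import re

# Constructed sample in the DDS report format; the lines are copied from the
# report quoted in the thread, so this is not a complete DDS log.
SAMPLE_LOG = r"""
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

================= FIREFOX ===================

FF - plugin: c:\program files\java\j2re1.4.2_12\bin\NPJava11.dll

============= SERVICES / DRIVERS ===============

R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [2002-4-24 612669]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-16 394952]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-8-18 468224]
S3 3d23D3;3d23D3;c:\windows\system32\3d23D3.sys [2007-10-18 185824]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

============== File Associations ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# state name;display name;path [date size]   e.g. "S3 3d23D3;3d23D3;c:\...\3d23D3.sys [2007-10-18 185824]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW):\s+(?P<product>.*?)\s+\*(?P<status>[^*]*)\*")
# Short names mixing letters and digits (e.g. 3d23D3) carry no meaning to a human.
OPAQUE_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z]{4,10}$")
# JRE install directories carry the version in their name (assumption: j2re<ver>_<update> layout).
JAVA_RE = re.compile(r"\\j2re(\d+\.\d+\.\d+_\d+)\\", re.IGNORECASE)


def parse_products(log):
    """Return the AV:/FW: header lines as dicts with kind, product and status."""
    return [m.groupdict() for m in map(PRODUCT_RE.match, log.splitlines()) if m]


def parse_services(log):
    """Return the entries of the SERVICES / DRIVERS section as dicts."""
    entries, in_section = [], False
    for line in log.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            in_section = header.group(1).upper() == "SERVICES / DRIVERS"
            continue
        m = SERVICE_RE.match(line) if in_section else None
        if m:
            entries.append(m.groupdict())
    return entries


def score_entry(entry):
    """Heuristic review score (assumption): higher means more worth a closer look."""
    reasons = []
    name, display, path = entry["name"].strip(), entry["display"].strip(), entry["path"].lower()
    if OPAQUE_NAME_RE.match(name):
        reasons.append("opaque name")
    if display == name:
        reasons.append("no descriptive display name")
    if path.endswith(".sys") and "\\system32\\" in path and "\\drivers\\" not in path:
        reasons.append("driver outside system32\\drivers")
    if entry["info"].strip() == "?":
        reasons.append("no date/size recorded")
    return len(reasons), reasons


def triage(log):
    """Summarise a DDS log: enabled firewalls, JRE versions seen in paths, ranked entries."""
    firewalls = [p["product"] for p in parse_products(log)
                 if p["kind"] == "FW" and "enabled" in p["status"].lower()]
    ranked = []
    for entry in parse_services(log):
        score, reasons = score_entry(entry)
        if score:
            ranked.append({"name": entry["name"], "path": entry["path"],
                           "score": score, "reasons": reasons})
    ranked.sort(key=lambda e: e["score"], reverse=True)
    return {"enabled_firewalls": firewalls,
            "java_versions": sorted(set(JAVA_RE.findall(log))),
            "candidates": ranked}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    if len(result["enabled_firewalls"]) > 1:
        print("more than one firewall enabled:", ", ".join(result["enabled_firewalls"]))
    print("JRE versions seen in paths:", ", ".join(result["java_versions"]))
    for c in result["candidates"]:
        print(f"{c['score']}  {c['name']:<10} {c['path']}  ({'; '.join(c['reasons'])})")
```

The ranking only orders what a person should look at first; 3d23D3.sys comes out on top with three hits, while vsdatant.sys (ZoneAlarm's own driver) still scores two, which is exactly why the analyst asked for the file itself rather than judging from the listing.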
