PDM.Keylogger malware


  • Joined: 16 Mar 2009
  • Posts: 147

Posted: 12 Apr 2010 0:37

I'm using Windows Vista, and Kaspersky AV reports "PDM.Keylogger driver file Kernel mode memory patch" as malware but can't delete it. For the past 2 days the AV has detected it every time the computer starts. The internet connection is through a Telenor 3G modem, Huawei E1550.
Logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 23:44:17.27 on Sun 04/11/2010
Internet Explorer: 7.0.6001.18000
Windows Windows Vista™ Extreme Edition 6.0.6001.1.1252.1.1033.18.1919.1056 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxdncoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\vmsnap3.exe
C:\Windows\Domino.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Telenor Internet\Telenor Internet.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: Babylon: {965b54b0-71e0-4611-8de7-f73fa0b20e26} - c:\program files\babylon\babylon toolbar\BabylonIEToolBar.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [VMSnap3] c:\windows\VMSnap3.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [lxdnamon] "c:\program files\lexmark 2600 series\lxdnamon.exe"
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TCP: {EA84F460-76CD-44B1-9C70-1F134A9A3D17} = 217.65.192.1 217.65.192.52
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll
STS: AveVistaBackgroundFolder Class: {73526e5a-fd53-4be7-b5e2-d3c89d7413dc} - c:\windows\system32\branding\folderbg\VistaFolderBackground.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-5-15 21008]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 303376]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-4-5 103040]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2010-4-5 480128]
R3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\usbVM303.sys [2010-4-5 1472768]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 136176]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2008-2-27 98984]

=============== Created Last 30 ================

2010-04-11 17:35:18 0 d-----w- C:\logs
2010-04-11 17:32:57 0 d-----w- c:\program files\Lexmark 2600 Series
2010-04-11 13:47:39 0 d-----w- c:\programdata\App4rTemp
2010-04-08 22:03:00 0 d-----w- c:\users\admini~1\appdata\roaming\Lexmark Productivity Studio
2010-04-08 22:02:01 0 d-----w- c:\program files\Lexmark Tools for Office
2010-04-08 11:41:08 0 d-----w- c:\programdata\Ezprint
2010-04-08 11:39:55 0 d-----w- C:\drivers
2010-04-08 11:30:21 0 d-----w- c:\programdata\lx_Cats
2010-04-07 21:05:03 0 d-----w- c:\program files\Babylon
2010-04-07 21:04:52 0 d-----w- c:\users\admini~1\appdata\roaming\Babylon
2010-04-07 21:04:52 0 d-----w- c:\programdata\Babylon
2010-04-06 18:07:02 189725566 ----a-w- c:\windows\MEMORY.DMP
2010-04-06 07:51:03 0 d-----w- c:\program files\NeoSmart Technologies
2010-04-06 02:38:31 0 d-----w- c:\windows\Panther
2010-04-06 01:57:27 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-04-06 01:56:01 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-04-06 01:53:40 0 d-----w- c:\windows\PCHEALTH
2010-04-06 01:51:58 0 d-----w- c:\programdata\Microsoft Help
2010-04-06 01:49:04 0 d-sh--w- c:\windows\Installer
2010-04-06 01:49:04 0 d-----w- c:\programdata\Stardock
2010-04-06 01:48:59 0 d-----w- c:\program files\Stardock
2010-04-05 17:36:41 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-05 17:34:09 0 d-----r- c:\program files\Skype
2010-04-05 17:34:05 0 d-----w- c:\programdata\Skype
2010-04-05 17:23:35 0 d-----w- c:\program files\VITSOFT
2010-04-05 17:19:54 0 d-----w- c:\program files\uTorrent
2010-04-05 17:19:25 0 d-----w- c:\users\admini~1\appdata\roaming\uTorrent
2010-04-05 17:15:45 178176 ----a-w- c:\windows\system32\unrar.dll
2010-04-05 17:15:42 0 d-----w- c:\program files\K-Lite Codec Pack
2010-04-05 16:59:57 0 d-----w- c:\program files\Audacity
2010-04-05 16:44:32 0 d-----w- c:\program files\Foxit Software
2010-04-05 16:43:01 61440 ----a-w- c:\program files\usrPX.dll
2010-04-05 16:43:01 49152 ----a-w- c:\program files\_ISREG32.DLL
2010-04-05 16:43:01 294912 ----a-w- c:\program files\APGuitarTuner.exe
2010-04-05 16:43:01 20480 ----a-w- c:\program files\usr.dll
2010-04-05 16:43:01 19968 ----a-w- c:\program files\cpuinf32.dll
2010-04-05 16:43:01 155648 ----a-w- c:\program files\usrA6.dll
2010-04-05 16:43:01 135168 ----a-w- c:\program files\usrM5.dll
2010-04-05 16:43:01 131072 ----a-w- c:\program files\usrM6.dll
2010-04-05 16:43:01 118784 ----a-w- c:\program files\usrP6.dll
2010-04-05 16:41:58 299520 ----a-w- c:\windows\uninst.exe
2010-04-05 02:56:54 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2010-04-05 02:56:54 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-04-05 02:56:54 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-04-05 02:56:54 103040 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2010-04-05 02:56:54 102784 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-04-05 02:56:40 0 d-----w- c:\program files\Telenor Internet
2010-04-05 02:56:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-04-05 02:40:02 0 d-----w- c:\program files\Vimicro
2010-04-05 02:23:31 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-04-05 02:22:29 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-05 02:22:29 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-05 02:21:52 0 d-----w- c:\programdata\Kaspersky Lab
2010-04-05 02:21:52 0 d-----w- c:\program files\Kaspersky Lab
2010-04-05 02:20:59 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-04-05 02:12:33 0 d-----w- c:\program files\GRETECH

==================== Find3M ====================

2010-04-11 17:35:09 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-04-11 17:35:09 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-11 17:35:04 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-06 01:44:35 174 --sha-w- c:\program files\desktop.ini
2010-04-05 16:59:20 98 ----a-w- c:\program files\state.txt
2010-04-05 16:58:47 142 ----a-w- c:\program files\errorlog.txt
2010-04-05 16:43:06 2762 ----a-w- c:\program files\DeIsL1.isu
2010-04-05 16:43:01 147 ----a-w- c:\program files\_DEISREG.ISR
2008-04-04 09:50:14 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2000-07-31 12:42:04 19093 ----a-w- c:\program files\APGTHelp.htm
2000-07-25 10:58:28 1626 ----a-w- c:\program files\preset.txt
2000-07-06 09:37:14 13974 ----a-w- c:\program files\APLogo.bmp
2000-07-06 08:23:34 13974 ----a-w- c:\program files\APLogoOp.bmp
2000-06-06 14:06:28 4194 ----a-w- c:\program files\circle.bmp
2000-06-06 12:20:34 8398 ----a-w- c:\program files\label.bmp
2000-06-05 16:24:44 26082 ----a-w- c:\program files\NumBev.bmp
2000-06-05 16:24:26 26082 ----a-w- c:\program files\NumClr.bmp
2000-06-05 15:42:52 20250 ----a-w- c:\program files\NotesClr.bmp
2000-06-05 15:42:36 20250 ----a-w- c:\program files\NotesBev.bmp
2000-06-05 09:52:46 7014 ----a-w- c:\program files\gBar.bmp
2000-06-05 09:50:20 726 ----a-w- c:\program files\gTic.bmp
2000-06-05 09:07:24 486 ----a-w- c:\program files\string3.bmp
2000-06-05 09:07:24 302 ----a-w- c:\program files\string2.bmp
2000-06-05 09:07:24 302 ----a-w- c:\program files\string1.bmp
2000-05-31 11:46:24 6198 ----a-w- c:\program files\apSmall.bmp
2008-04-04 09:50:14 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 23:45:11.61 ===============


Update: 12 Apr 2010 0:42


Update: 12 Apr 2010 0:56

Does anyone know what the MFC driver is and what it is for?
Here is what the driver folder for Telenor Internet looks like:



Kaspersky also reported that MFC driver as suspicious, but I later unblocked it because otherwise Windows couldn't recognize the internet modem.
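An added example, not from either poster: a small Python triage pass over lines in the format of the DDS "Pseudo HJT Report" section above. It flags the entries a helper would want to look at first in a keylogger case: UAC policies set to 0, every DLL in AppInit_DLLs (a system-wide DLL load point used by security products and by keyloggers alike; here the listed DLLs sit in the Kaspersky directory), Winlogon Notify packages, and orphaned "No File" entries. The sample lines are constructed in the shape of the log above.

```python
import re

# Constructed sample lines in the shape of the DDS "Pseudo HJT Report" section
SAMPLE_HJT = r"""TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
Notify: klogon - c:\windows\system32\klogon.dll"""

# UAC-related policy values; a value of 0 disables the control in question
UAC_POLICIES = {"EnableLUA", "ConsentPromptBehaviorUser", "EnableInstallerDetection"}


def triage_hjt(text):
    """Return (category, detail) findings for lines a helper should review first."""
    findings = []
    for line in text.splitlines():
        key, _, rest = line.partition(": ")
        if key == "mPolicies-system":
            m = re.match(r"(\w+) = (\d+)", rest)
            if m and m.group(1) in UAC_POLICIES and int(m.group(2)) == 0:
                findings.append(("uac_disabled", m.group(1)))
        elif key == "AppInit_DLLs":
            # Each DLL listed here is loaded into every user-mode process that maps
            # user32.dll, so every entry is listed individually for review.
            for dll in rest.split(","):
                findings.append(("appinit_dll", dll.strip()))
        elif key == "Notify":
            # Winlogon notification packages run at logon; record the module path
            _, _, path = rest.partition(" - ")
            findings.append(("winlogon_notify", path))
        elif rest.endswith("No File"):
            # Registry entry whose target file is missing: leftover to clean up
            findings.append(("orphan_entry", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage_hjt(SAMPLE_HJT):
        print(f"{category:16} {detail}")
```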

  • dr_Bora, Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


It seems we missed this thread... Sorry about that.


Quote: Kaspersky AV reports "PDM.Keylogger driver file"

What is the exact name of the detected file?






Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
  • Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
  • When the dialog for choosing where to save the file opens, choose Desktop and click Save.




When the download is finished:
  • disable your security software (instructions);
  • close any running programs;
  • double-click ComboFix to run it.

While running, ComboFix will:
  • check whether a newer version of the program exists:
    click Yes if offered to download it.
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE:
    click Yes so the process continues.
  • if the Recovery Console is not installed, offer to install it:
    be sure to accept by clicking Yes and follow the procedure.
  • ask a number of questions / show notifications:
    accept by clicking Yes or OK.
  • restart Windows if needed (possibly several times);
  • at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the forum thread:
  • right-click in the Notepad window and choose Select All;
  • right-click the highlighted text and choose Copy;
  • right-click in the message box and choose Paste.


Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to the post.
