Suspected keylogger

offline
  • Joined: 28 Jan 2008
  • Posts: 17

Hello,
The e-mail password was stolen and the internet doesn't work (not even a ping to the router gets through, although it picks up an address from DHCP fine). The same happens with Sygate Personal Firewall both off and on.
Here are the logs; GMER throws an error already during the initial scan.


DDS (Ver_09-11-29.01) - NTFSx86
Run by EastCode at 17:27:47,29 on Mon 11/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.199 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Real Alternative\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hispasec\CheckDialer\ChkDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AirLive\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\AirLive\Bluetooth Software\BTTray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\EastCode\Desktop\Anti\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?.home=ytie
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www.yahoo.com/?.home=ytie
mStart Page = hxxp://www.yahoo.com/?.home=ytie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_01\bin\jusched.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\real alternative\update_ob\realsched.exe" -osboot
mRun: [CheckDialer] c:\program files\hispasec\checkdialer\ChkDial.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\airlive\bluetooth software\BTTray.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download using Download &Express - c:\program files\download express\Add_Url.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\airlive\bluetooth software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\airlive\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {9901053D-F453-4467-95EA-5E65923FE4BB} = 81.93.64.1,81.93.64.9
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\downlo~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\downlo~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\downlo~1\mdpph.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eastcode\applic~1\mozilla\firefox\profiles\reu290xk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\eastcode\application data\mozilla\firefox\profiles\reu290xk.default\extensions\{d249fd00-4df9-11d9-9fdc-0080481ada61}\components\mpint.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [2006-9-16 61184]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-5 130936]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2007-3-15 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2007-3-15 5248]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-13 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-15 26824]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-13 76040]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-20 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-20 231704]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2006-9-16 31104]
R3 CommFilter;CommFilter;c:\program files\hispasec\checkdialer\commfilt.sys [2002-12-29 33796]
S3 PPDrv;Protector Plus Driver (UnRegistered);\??\c:\protector plus\ppdrv.sys --> c:\protector plus\PPDrv.sys [?]
S3 PPEMSCAN;Protector Plus Email Scan Driver;\??\c:\protector plus\ppemscan.sys --> c:\protector plus\PPEMSCAN.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-5-3 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-5-3 1095560]

=============== Created Last 30 ================

2009-11-30 16:11:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-30 15:37:19 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-11-19 09:08:07 24 ----a-w- c:\windows\winamp.ini

==================== Find3M ====================

2008-05-14 19:10:57 18466120 ----a-w- c:\program files\sdsetup.exe.DE
2008-05-13 20:19:48 47787248 ----a-w- c:\program files\avg_free_stf_en_8_100a1295.exe
2007-06-16 11:18:59 5149152 -c--a-w- c:\program files\rminstal 1.exe
2007-05-07 14:48:11 1122479 -c--a-w- c:\program files\rminstall.exe
2007-04-08 18:01:03 2542977 -c--a-w- c:\program files\lines1.exe
2007-03-30 15:34:21 2437248 -c--a-w- c:\program files\yahoo_antispy_01.14.00_us_setup_.exe
2007-03-17 18:40:38 201971 -c--a-w- c:\program files\checkdialer.exe
2009-04-13 17:35:50 56 --sh--r- c:\windows\system32\6A97276015.sys
2009-04-13 17:35:51 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:28:11,09 ===============
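As an added example (not part of the original post, and not code from the DDS tool), here is a small Python triage helper that parses the SERVICES / DRIVERS section and the dated file listings (Created Last 30, Find3M) of a DDS log like the one above and lists the entries a helper would look at first: service entries whose file DDS could not read (the `[?]` suffix) and files carrying both the hidden and system attributes. The sample lines are copied from the log above; the class names, the `USUAL_DIRS` list and the review rules are this example's own assumptions, and a listed entry only means it deserves a manual look, not that it is malicious. In this thread the helper judged the logs clean.

```python
"""Added triage helper for DDS-style logs (example code, not part of the
thread or of the DDS tool). It parses the SERVICES / DRIVERS section and
the dated file listings (Created Last 30, Find3M) and lists entries a
helper would inspect first. The rules are heuristics for review only."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the DDS log posted above, trimmed to the
# few that exercise the parser (the [?] entry and the hidden/system files).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [2006-9-16 61184]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-13 76040]
R3 CommFilter;CommFilter;c:\program files\hispasec\checkdialer\commfilt.sys [2002-12-29 33796]
S3 PPDrv;Protector Plus Driver (UnRegistered);\??\c:\protector plus\ppdrv.sys --> c:\protector plus\PPDrv.sys [?]

==================== Find3M ====================

2008-05-14 19:10:57 18466120 ----a-w- c:\program files\sdsetup.exe.DE
2009-04-13 17:35:50 56 --sh--r- c:\windows\system32\6A97276015.sys
2009-04-13 17:35:51 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

# "R0 name;display name;path [date size]" or "... [?]" when DDS had no date/size
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "YYYY-MM-DD HH:MM:SS size attrs path"; attrs is DDS's 8-character flag string
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# Assumed list of directories where the drivers and services in this log normally live.
USUAL_DIRS = (r"c:\windows\system32\drivers", r"c:\program files", r"c:\progra~1")


@dataclass
class Service:
    state: str
    name: str
    display: str
    path: str
    stat: Optional[str]  # "2006-9-16 61184", or None when DDS printed [?]


@dataclass
class FileEntry:
    when: str
    size: int
    attrs: str
    path: str

    @property
    def hidden_system(self) -> bool:
        # 's' and 'h' in the attribute string are the SYSTEM and HIDDEN flags;
        # both at once on a loose file in system32 is worth a manual look.
        return "s" in self.attrs and "h" in self.attrs


def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line)
    if not m:
        return None
    path_part, _, bracket = m.group("rest").rpartition(" [")
    bracket = bracket.rstrip("]")
    # After " --> " DDS shows the plain path it resolved from the \??\ form.
    if " --> " in path_part:
        path_part = path_part.split(" --> ", 1)[1]
    return Service(m.group("state"), m.group("name"), m.group("display"),
                   path_part, None if bracket == "?" else bracket)


def parse_file(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line)
    if not m:
        return None
    return FileEntry(f"{m.group('date')} {m.group('time')}", int(m.group("size")),
                     m.group("attrs"), m.group("path"))


def triage(log_text: str) -> List[str]:
    """Return human-readable findings, one per entry that deserves review."""
    findings: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):  # skip blanks and section banners
            continue
        svc = parse_service(line)
        if svc:
            if svc.stat is None:
                findings.append(f"service {svc.name}: DDS could not read {svc.path} "
                                "(leftover of removed software, or a missing driver)")
            elif not svc.path.lower().startswith(USUAL_DIRS):
                findings.append(f"service {svc.name}: image in unusual location {svc.path}")
            continue
        entry = parse_file(line)
        if entry and entry.hidden_system:
            findings.append(f"file {entry.path}: hidden+system ({entry.attrs}), "
                            f"{entry.size} bytes, dated {entry.when}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports three entries for review: the unregistered Protector Plus driver whose file DDS could not read, and the two hidden/system files in system32. Each is a starting point for a manual check (what installed it, whether the vendor is known), which is exactly the judgement the helper applies when reading such a log.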


offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Hello.


Download DeFogger from the following link... http://www.jpshortstuff.247fixes.com/Defogger.exe

Run it by double-clicking the icon;

A message box will appear; click the Disable button;

Another message box will appear; click Yes;


Once DeFogger has finished, follow the GMER instructions and post the logs.



One question: whose computer are these logs from?

offline
  • Joined: 28 Jan 2008
  • Posts: 17

Posted: 01 Dec 2009 14:49

A colleague's, and the infected computer belongs to his son-in-law. Why?
And just to add that it does have internet; my mistake.

I did this: the initial scan passes, and at the next step the computer freezes completely after 1-2 minutes and just sits there; only the reset button on the case helps (not even the mouse can be moved). I'm leaving it running until someone replies, but there's no activity at all.

Update: 01 Dec 2009 14:50

At that moment, the part at the bottom that shows what is being scanned says \Cdfs

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

RiciSambora :: A colleague's, and the infected computer belongs to his son-in-law. Why?


The reason is the Ambulanta rules, specifically Article 10 of the Ambulanta rules... http://www.mycity.rs/Ambulanta/Pravila-ovog-dela-foruma.html


We'll handle it this time, but next time I'd ask you to open threads only for your own computer, and tell your friends to register on MyCity themselves and describe their problem.

----------------------

Step 1.

Download AVZ Antiviral Toolkit from the following link:

http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip


Unpack the archive into a folder (instructions), then:
run AVZ (double-click the icon);

in the menu choose File > Standard Scripts;

in the window that opens, tick option 2 and click Execute Selected Scripts;

click Yes;

when the scan finishes you will get the notification: Script Executed;

exit the program.


Upload the file virusinfo_syscheck.zip, located in the avz\log folder, to the forum.

offline
  • Joined: 28 Jan 2008
  • Posts: 17

OK. I have to admit I hadn't read that part. The previous computer was a colleague's too... I'm doing a good deed... that is, I don't charge for it. It's easier for me to do this than to explain about this forum so they register just for one log analysis, and then have them do it themselves... mission impossible. Thanks in any case, but it looks like I'll have to open a new account just for my own :)

Here are the logs.


offline
  • Joined: 04 Jan 2009
  • Posts: 2168

The logs are clean and there are no traces of any infection...


AVZ Antiviral Toolkit now needs to be uninstalled


Run AVZ (double-click the icon);

In the menu choose File > Standard Scripts;

In the window that opens, tick option 6 and click Execute Selected Scripts;

Click Yes;

When the procedure finishes you will get the notification: Script Executed;

Exit the program and delete the folder where the program was unpacked.

offline
  • Joined: 28 Jan 2008
  • Posts: 17

OK, done

Thanks

Regards
