|
|
|
Keskustelualueet
Keskustelualueet
|
|
|
keylogger koneella
|
|
|
kaurio
Junior Member
|
12. marraskuuta 2009 @ 08:35 |
Linkki tähän viestiin
|
Eli tarvitsen tiedän tietämystä minun ongelmaani.
Epäilen että on KL (keylogger) koneella.
Wowi accountti haxattu 3 kertaa, eka kerta oli omaa tyhmyyttäni.
Hommasin KL-Detectorin koneelle, ja se löysi tämmöistä tekstiä,
C:\Windows\System32\config\SOFTWARE.LOG1
was modified.
C:\Windows\System32\config\SOFTWARE
was modified.
C:\Windows\System32\config\SOFTWARE
was modified.
C:\Users\kaurio\ntuser.dat.LOG1
was modified.
C:\Users\kaurio\NTUSER.DAT
was modified.
C:\Users\kaurio\NTUSER.DAT
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was created.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default
was modified.
C:\Users\kaurio\AppData\Local\Temp\flaC8DA.tmp
was removed.
C:\Users\kaurio\AppData\Local\Temp\plugtmp-52\plugin-read2
was removed.
C:\Users\kaurio\AppData\Local\Temp\plugtmp-52\plugin-crossdomain-2.xml
was removed.
C:\Users\kaurio\AppData\Local\Temp\plugtmp-52\plugin-crossdomain.xml
was removed.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was created.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default\urlclassifier3.sqlite-journal
was created.
C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default
was modified.
C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default\urlclassifier3.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default
was modified.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
was modified.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
was modified.
C:\Windows\System32\config\SOFTWARE.LOG1
was modified.
C:\Windows\System32\config\SOFTWARE
was modified.
C:\Windows\System32\config\SOFTWARE
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
was modified.
C:\Windows\System32\wbem\Repository\OBJECTS.DATA
was modified.
C:\Windows\System32\wbem\Repository\INDEX.BTR
was modified.
C:\Windows\System32\wbem\Repository\MAPPING1.MAP
was modified.
C:\Windows\System32\config\SOFTWARE.LOG1
was modified.
C:\Windows\System32\config\SOFTWARE
was modified.
C:\Windows\System32\config\SOFTWARE
was modified.
Joskus muutama kk takaperin yritin jotain noista tiedostoista poistaa, että jos ois auttanut, koitin firefoxin kansioista poistaa kyseisiä tiedostoja mistä on tullut valituksia, mutta kone ei antanut niitä poistaa.
antivirus ei ole löytänyt mitään, 2 kertaa viikos on full scan.
Maelware, tai mikä nyt olikaan, se löysy pari jotain juttua, jotka poistin, mut ei näemmä ollut loggereita.
ad-aware löytänyt joskus jotain, mutta ei enään.
ja monta muuta ohjelmaa ajanut eikä mitään löytynyt.
Hickjackthis, ajan sillä nyt, ja postaan sen tänne jos siitä olisi jotain hyötyä.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:00, on 12.11.2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\USERS\KAURIO\PROCEXP.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
D:\keylogger\KL-Detector.exe
C:\Windows\regedit.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "d:\Program Files\CyberLink\PowerDVD8\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [spywarefighterguard] D:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CurseClient] d:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\partypoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\partypoker\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9380ba0392caa) (gupdate1c9380ba0392caa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: MySQL41 - Unknown owner - D:\MySQL.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - D:\Program.exe (file missing)
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PTK License-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\configservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 7015 bytes
Olisiko mahdollista saada pientä apua tähän hommaan.
Forkkaus mahdollinen, mutta ei huvittava, joutunut jo moneen kertaan formatoimaan kavereitten koneen, mutta tätä vista paskaa jaksa, ajuri hässäkkä tulee, kun asennan xp:n tähän jos joudun formatoimaan, pyrin etten joutuisi, tälle paketin paskakoneelle, ei ole suoranaisia ajureita xp:lle siis fujitsulla, mutta piirisarjan valmistajilla on, mutta niistä mitään tietoa että toimivatko ne.
Jos pystytte auttamaan, niin s-postia kaurio at luukku.com.
tai sitten suoraan tänne, s-postin vain muistan paremmin, kun joutuu katselemaan vähän väliä sinne.
Ihan hyvin tässä ollut kärsimässä ilman wowia=D mut hyväähän se tekee, mutta eipä tässä muuta.
mutta, huomasin ton hickjackin logeista tuon partypokerin, että miten hemmetissä sen saa pois, tai siis yleensäkkin pop-up hommeleista? terveisin kaurio, ja nyt tupakalle-->
kahvia juodessa, vistieä odotellessa.
|
|
