Keylogger on the machine

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by kaurio, Nov 12, 2009.

Thread Status:
Not open for further replies.
  1. kaurio (Member)
    So I need your knowledge for my problem.
    I suspect there is a KL (keylogger) on the machine.
    My WoW account has been hacked 3 times; the first time was my own stupidity.
    I got KL-Detector onto the machine, and it found this kind of text:

    C:\Windows\System32\config\SOFTWARE.LOG1
    was modified.

    C:\Windows\System32\config\SOFTWARE
    was modified.

    C:\Windows\System32\config\SOFTWARE
    was modified.

    C:\Users\kaurio\ntuser.dat.LOG1
    was modified.

    C:\Users\kaurio\NTUSER.DAT
    was modified.

    C:\Users\kaurio\NTUSER.DAT
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was created.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default
    was modified.

    C:\Users\kaurio\AppData\Local\Temp\flaC8DA.tmp
    was removed.

    C:\Users\kaurio\AppData\Local\Temp\plugtmp-52\plugin-read2
    was removed.

    C:\Users\kaurio\AppData\Local\Temp\plugtmp-52\plugin-crossdomain-2.xml
    was removed.

    C:\Users\kaurio\AppData\Local\Temp\plugtmp-52\plugin-crossdomain.xml
    was removed.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was created.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default\urlclassifier3.sqlite-journal
    was created.

    C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default
    was modified.

    C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default\urlclassifier3.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Local\Mozilla\Firefox\Profiles\t7rv1asp.default
    was modified.

    C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    was modified.

    C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    was modified.

    C:\Windows\System32\config\SOFTWARE.LOG1
    was modified.

    C:\Windows\System32\config\SOFTWARE
    was modified.

    C:\Windows\System32\config\SOFTWARE
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\places.sqlite-journal
    was modified.

    C:\Windows\System32\wbem\Repository\OBJECTS.DATA
    was modified.

    C:\Windows\System32\wbem\Repository\INDEX.BTR
    was modified.

    C:\Windows\System32\wbem\Repository\MAPPING1.MAP
    was modified.

    C:\Windows\System32\config\SOFTWARE.LOG1
    was modified.

    C:\Windows\System32\config\SOFTWARE
    was modified.

    C:\Windows\System32\config\SOFTWARE
    was modified.

    Some months ago I tried to delete some of those files, in case it would help; I tried to delete from the Firefox folders the files it was complaining about, but the machine wouldn't let me delete them.

    The antivirus hasn't found anything; it does a full scan twice a week.
    Malwarebytes, or whatever it was called, found a couple of things, which I removed, but apparently they weren't loggers.
    Ad-Aware found something once, but not anymore.
    And I've run many other programs and nothing was found.
    HijackThis, I'm running it now, and I'll post it here in case it's of any use.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:28:00, on 12.11.2009
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16890)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\USERS\KAURIO\PROCEXP.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\explorer.exe
    D:\keylogger\KL-Detector.exe
    C:\Windows\regedit.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "d:\Program Files\CyberLink\PowerDVD8\PowerDVD8\Language\Language.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [spywarefighterguard] D:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [CurseClient] d:\Program Files\Curse\CurseClient.exe -silent
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\partypoker\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\partypoker\PartyPoker\RunApp.exe (file missing)
    O13 - Gopher Prefix:
    O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1c9380ba0392caa) (gupdate1c9380ba0392caa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: MySQL41 - Unknown owner - D:\MySQL.exe (file missing)
    O23 - Service: MySQL5 - Unknown owner - D:\Program.exe (file missing)
    O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: PTK License-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\licenseservice.exe
    O23 - Service: PTK Live Update-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\updateservice.exe
    O23 - Service: PTK Scanner-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\ScannerService.exe
    O23 - Service: PTK SharedAccess-FIGHTERS-268451683 - SPAMfighter - D:\Program Files\Fighters\configservice.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

    --
    End of file - 7015 bytes

    Would it be possible to get a little help with this?
    Formatting is possible, but not appealing; I've already had to format my friends' machines many times, but I can't be bothered with this Vista crap. If I have to format, I'll install XP on it and there will be a driver mess, which I'm trying to avoid; this crappy prebuilt machine, a Fujitsu, has no XP drivers as such, but the chipset manufacturers do have some, though there's no telling whether they work.
    If you can help, email kaurio at luukku.com,
    or reply directly here; I just remember email better, since I have to check it every now and then.
    I've been doing fine here suffering without WoW =D, but it does me good. Anyway, that's all for now.
    But I noticed that PartyPoker in the HijackThis log; how the heck do you get that out, or pop-up stuff in general? Regards, kaurio, and now off for a smoke -->
    drinking coffee, waiting for messages.
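Added example (not part of the original post, and not code from KL-Detector or HijackThis): a small triage script for the two logs above. KL-Detector reports file-system activity, and every entry in the report above is a registry hive, a Firefox profile file, the WMI repository, a scheduled-task file or a Temp file, which is what Vista and Firefox write on their own; the script sorts such a report into categories and only flags entries that fall outside them or that create a binary. For the HijackThis log it picks out the entries a forum helper would ask about: lines whose target is `(file missing)`, O23 services with no publisher recorded, and O16 ActiveX downloads. The path categories, the extension rule and the HijackThis heuristics are this example's own assumptions, and the samples are excerpts of the posted logs plus one constructed entry (`svchost.exe` created in Temp) that exists only to show what a flagged line looks like.

```python
"""Sort a KL-Detector report and a HijackThis log into routine vs. review.

Added example; the categories and heuristics below are assumptions made
for illustration, not definitions from either tool.
"""
import re
from collections import Counter

# Locations a running Vista box with Firefox rewrites on its own (assumed).
BENIGN_PATTERNS = [
    (r"\\System32\\config\\", "registry hive"),
    (r"\\ntuser\.dat", "registry hive"),
    (r"\\Mozilla\\Firefox\\Profiles\\", "browser profile"),
    (r"\\wbem\\Repository\\", "WMI repository"),
    (r"\\Windows\\Tasks\\.*\.job$", "scheduled task"),
    (r"\\AppData\\Local\\Temp\\", "temp file"),
]
# Binary extensions only: Firefox writes .js data files into its profile,
# so script extensions would false-positive on sessionstore-4.js.
EXEC_EXT = re.compile(r"\.(exe|dll|sys|scr|cpl)$", re.I)


def parse_kl_detector(text):
    """Yield (path, action) from KL-Detector's 'path' / 'was <action>.' pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for path, verdict in zip(lines[0::2], lines[1::2]):
        m = re.match(r"was (created|modified|removed)\.?$", verdict)
        if m:
            yield path, m.group(1)


def triage_kl_detector(text):
    """Return (Counter of category -> hits, list of (path, action) to review)."""
    counts, suspicious = Counter(), []
    for path, action in parse_kl_detector(text):
        category = next(
            (name for pat, name in BENIGN_PATTERNS if re.search(pat, path, re.I)),
            "unclassified",
        )
        counts[category] += 1
        # A freshly created binary is interesting wherever it lands; data
        # files modified or removed in known locations are not.
        if (action == "created" and EXEC_EXT.search(path)) or category == "unclassified":
            suspicious.append((path, action))
    return counts, suspicious


HJT_LINE = re.compile(r"^(O\d+|R[01]) - (.*)$")


def triage_hijackthis(text):
    """Return [(section, reason, line)] for HijackThis entries worth asking about."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(file missing)" in body:
            # Typically an uninstalled program, or a service whose unquoted
            # ImagePath HijackThis cut at the first space ("C:\Program.exe").
            findings.append((section, "target missing", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "no publisher recorded", line))
        elif section == "O16":
            findings.append((section, "ActiveX download (DPF)", line))
    return findings


# Excerpt of the posted KL-Detector report; the last entry is constructed.
KL_SAMPLE = r"""
C:\Windows\System32\config\SOFTWARE.LOG1
was modified.
C:\Users\kaurio\NTUSER.DAT
was modified.
C:\Users\kaurio\AppData\Roaming\Mozilla\Firefox\Profiles\t7rv1asp.default\sessionstore-4.js
was created.
C:\Users\kaurio\AppData\Local\Temp\flaC8DA.tmp
was removed.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
was modified.
C:\Windows\System32\wbem\Repository\OBJECTS.DATA
was modified.
C:\Users\kaurio\AppData\Local\Temp\svchost.exe
was created.
"""

# Excerpt of the posted HijackThis log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\partypoker\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    counts, suspicious = triage_kl_detector(KL_SAMPLE)
    print("KL-Detector churn by category:", dict(counts))
    print("KL-Detector entries to review:", suspicious)
    for section, reason, line in triage_hijackthis(HJT_SAMPLE):
        print(f"HJT {section} [{reason}]: {line}")
```

Run against the full report in the post, the KL-Detector half returns an empty review list: nothing there is a created binary or an unknown location. The HijackThis half does not decide what is malicious; it only shortens the log to the lines that need a human answer (the dead PartyPoker button, the four MySQL services with truncated paths, the casino ActiveX control, and the unattributed PnkBstrA service).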
     