Podejrzenie keyloggera, log z OTL

lexus1991 (Lexus1996) 2012-03-22 14:42:10 UTC #1

http://www.wklej.org/id/715144/

Podejrzewam Keyloggera, proszę o sprawdzenie.

Acorus (Acorus) 2012-03-22 14:58:34 UTC #2

Odinstaluj StartSearchToolBar,Babylon Toolbar,Funmoods Toolbar,facemoods Toolbar,SweetPacks Toolbar for Internet Explorer.Uruchom OTL i w okno (Własne opcje skanowania/Script)wklej:

:OTL SRV - [2011-10-12 00:34:05 | 000,111,632 | ---- | M] (TMRG, Inc.) [Auto | Running] -- C:\Program Files (x86)\RelevantKnowledge\rlservice.exe -- (RelevantKnowledge) IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?barid={9B5600AB-6507-11E1-A6A2-0026180F4AC1} IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4 IE - HKLM..\SearchScopes{463A06A0-7B0F-4184-89E4-A6D59FA7D7F0}: "URL" = http://startsear.ch/?aff=2&src=sp&cf=28 ... 80f4ac1&q={searchTerms} IE - HKLM..\SearchScopes{9742A791-C00A-4998-BFBA-DF0BF07E7386}: "URL" = http://startsear.ch/?aff=2&src=sp&cf=28 ... 80f4ac1&q={searchTerms} IE - HKLM..\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&barid={9B5600AB-6507-11E1-A6A2-0026180F4AC1} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=w7th IE - HKCU..\SearchScopes{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.funmoods.com/results.php?f=4&a=w7th&q={searchTerms} IE - HKCU..\SearchScopes{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=28 ... 80f4ac1&q={searchTerms} IE - HKCU..\SearchScopes{463A06A0-7B0F-4184-89E4-A6D59FA7D7F0}: "URL" = http://startsear.ch/?aff=2&src=sp&cf=28 ... 80f4ac1&q={searchTerms} IE - HKCU..\SearchScopes{86F14831-D88C-4BC8-B871-C8FB24D95D9B}: "URL" = http://www.questbasic.com/?prt=QstbscWD4&keywords={searchTerms} IE - HKCU..\SearchScopes{B2865641-D171-4ECB-8F2C-A932CB3A5515}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP\_ss&affID=1101316&mntrId=a2f66a850000000000000026180f4ac1 IE - HKCU..\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&barid={9B5600AB-6507-11E1-A6A2-0026180F4AC1} FF - prefs.js..browser.search.defaultengine: "Web Search" FF - prefs.js..browser.search.defaultenginename: "Search" FF - prefs.js..browser.search.order.1: "Web Search" FF - prefs.js..browser.search.selectedEngine: "Search" FF - prefs.js..browser.startup.homepage: "http://start.funmoods.com/?f=1&a=w7th" FF - prefs.js..keyword.URL: "http://www.questbasic.com/?tmp=nemo_results_removelink&prt=QstbscWD4&keywords=" FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "Web Search" FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "Web Search" FF - prefs.js..browser.startup.homepage: "http://startsear.ch/?aff=2&cf=2809cdbd-1ddd-11e1-8d02-0026180f4ac1" 2012-01-07 14:44:30 | 000,000,000 | ---D | M -- C:\Users\Wiesiek\AppData\Roaming\mozilla\Firefox\Profiles\jm2wfwao.default\extensions\ffxtlbr@Facemoods.com 2012-03-16 14:55:12 | 000,000,000 | ---D | M -- C:\Users\Wiesiek\AppData\Roaming\mozilla\Firefox\Profiles\jm2wfwao.default\extensions\ffxtlbr@funmoods.com 2012-03-16 14:55:11 | 000,001,798 | ---- | M -- C:\Users\Wiesiek\AppData\Roaming\Mozilla\Firefox\Profiles\jm2wfwao.default\searchplugins\funmoods.xml 2012-02-25 20:31:46 | 000,000,792 | ---- | M -- C:\Users\Wiesiek\AppData\Roaming\Mozilla\Firefox\Profiles\jm2wfwao.default\searchplugins\startsear.xml 2012-03-03 09:05:29 | 000,003,974 | ---- | M -- C:\Users\Wiesiek\AppData\Roaming\Mozilla\Firefox\Profiles\jm2wfwao.default\searchplugins\sweetim.xml 2012-01-02 10:48:42 | 000,083,456 | ---- | M -- C:\Program Files (x86)\mozilla firefox\plugins\npvsharetvplg.dll 2012-01-05 16:50:47 | 000,002,051 | ---- | M -- C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrch.xml 2010-12-13 13:36:54 | 000,002,035 | ---- | M -- C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrchddr.xml O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.3\bh\facemoods.dll (facemoods.com BHO) O2 - BHO: (Funmoods Helper Object) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll (Funmoods BHO) O2 - BHO: (IE5BarLauncherBHO Class) - {78F3A323-798E-4AEA-9A57-88F4B05FD5DD} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll (StartSearch Inc.) O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKLM..\Toolbar: (StartSearchToolBar) - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll (StartSearch Inc.) O3 - HKLM..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.) O3 - HKLM..\Toolbar: (Funmoods Toolbar) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll (Funmoods) O3 - HKLM..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.3\facemoodsTlbr.dll (facemoods.com) O3 - HKLM..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKCU..\Toolbar\WebBrowser: (StartSearchToolBar) - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll (StartSearch Inc.) O3 - HKCU..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O4 - HKLM..\Run: [facemoods] C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.3\facemoodssrv.exe (facemoods.com) [2012-03-22 14:59:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge [2012-03-16 14:55:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\RelevantKnowledge :Commands [emptytemp]

Kliknij Wykonaj skrypt.Zatwierdź restart komputera. Zapisz raport, który pokaże się po restarcie. Następnie uruchom OTL ponownie, tym razem kliknij (Skanuj).

Pokaż nowy log OTL.txt oraz raport z usuwania.

Użyj AdwCleaner http://general-changelog-team.fr/outils/289-adwcleaner z funkcji Delete.

lexus1991 (Lexus1996) 2012-03-22 15:37:06 UTC #3

http://www.wklej.org/id/715186/

http://www.wklej.org/id/715193/

z adw http://www.wklej.org/id/715198/

Acorus (Acorus) 2012-03-22 15:45:47 UTC #4

W OTL użyj opcji Sprzątanie.Wyłącz i włącz przywracanie systemu.

http://www.searchengines.pl/Czyszczenie ... 41981.html

Przeskanuj progr.Malwarebytes Anti-Malware

http://www.dobreprogramy.pl/Malwarebyte ... 13117.html

Przed skanowaniem wykonaj RĘCZNĄ AKTUALIZACJĘ BAZY SYGNATUR WIRUSÓW

Zainstaluj aktualizacje do programow wskazanych przez: http://screen317.spywareinfoforum.org/SecurityCheck.exe jako out of date.

Oparte na Discourse, najlepiej oglądać z włączonym JavaScriptem