jessica
(jessica)
24 January 2010 14:36
#1
It has long been known that every Tibia player has a keylogger on their machine. Most players do not even know it, because most of these keyloggers are undetectable, even though they are very simple in construction. The simplest keylogger could be made by an 8-year-old child. The only problem is how to deliver it to the chosen player.
I am giving a different removal:
Run OTL and paste this into the Custom Scans/Fixes window:
:OTL
SRV - File not found [Auto | Stopped] -- -- (Sukoku Service)
SRV - File not found [Auto | Stopped] -- -- (QuestService Service)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.gamingharbor.com/
FF - HKLM\software\mozilla\Firefox\Extensions\{2224E955-00E9-4613-A844-CE69FCCAAE91}: C:\Program Files\Internet Saving Optimizer\3.7.0.4550\FF [2009-08-30 08:18:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\{0BA0192D-94A5-45e3-B2B8-3EC5A1A0B5EC}: C:\Program Files\Media Access Startup\1.5.6.910\FF [2009-08-30 08:39:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\{E63605FC-D583-4C81-867F-9457BDB3EA1B}: C:\Program Files\Web Search Operator\3.1.0.1840\FF [2009-12-02 16:14:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\{8141440E-08F0-4339-9959-5C31C6A69F23}: C:\Program Files\Automated Content Enhancer\4.1.0.5190\FF [2009-12-02 16:14:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\{E889F097-B0BE-471B-89AD-B86B6F04B506}: C:\Program Files\Customized Platform Advancer\3.1.0.1630\FF [2009-12-02 16:14:25 | 00,000,000 | ---D | M]
O2 - BHO: (Automated Content Enhancer) - {1D74E9DD-8987-448b-B2CB-67FFF2B8A932} - C:\Program Files\Automated Content Enhancer\4.1.0.5190\ACEIEAddOn.dll ()
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com )
O2 - BHO: (UrlHelper Class) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll ()
O2 - BHO: (Content Management Wizard) - {B72681C0-A222-4b21-A0E2-53A5A5CA3D41} - C:\Program Files\Content Management Wizard\1.1.0.1870\CMWIE.dll ()
O2 - BHO: (TCP) - {CAC89FF9-34A9-4431-8CFE-292A47F843BC} - C:\Program Files\Textual Content Provider\1.1.0.1610\TCPIE.dll ()
O2 - BHO: (Web Search Operator) - {EB4A577D-BCAD-4b1c-8AF2-9A74B8DD3431} - C:\Program Files\Web Search Operator\3.1.0.1840\WSO.dll ()
O2 - BHO: (XBTBPos00 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\BigSeekPro Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (BigSeekPro Toolbar) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\BigSeekPro Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com )
O3 - HKLM\..\Toolbar: (BearShare MediaBar) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll (BearShare)
O3 - HKLM\..\Toolbar: (Gameztar Toolbar) - {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - C:\Program Files\Gameztar Toolbar\2.1.1.5750\mvb0.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (BigSeekPro Toolbar) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\BigSeekPro Toolbar\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (BearShare MediaBar) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll (BearShare)
O3 - HKCU\..\Toolbar\WebBrowser: (Gameztar Toolbar) - {D45817B8-3EAD-4D1D-8FCA-EC63A8E35DE2} - C:\Program Files\Gameztar Toolbar\2.1.1.5750\mvb0.dll ()
O4 - HKLM..\Run: [internet Today Task] C:\Program Files\Internet Today\1.1.0.1190\InternetToday.exe ()
O4 - HKCU..\Run: [VideoBarApp] C:\Program Files\Gameztar Toolbar\2.1.1.5750\mvbapp.exe ()
O4 - Startup: C:\Documents and Settings\oem\Menu Start\Programy\Autostart\vmon.exe ()
O33 - MountPoints2\{1cd12274-b80b-11de-b7ac-001a4d9b554b}\Shell\AutoRun\command - "" = n0euybx.exe
O33 - MountPoints2\{1cd12274-b80b-11de-b7ac-001a4d9b554b}\Shell\open\Command - "" = n0euybx.exe
O33 - MountPoints2\{3279c709-b550-11dc-b3fe-001a4d9b554b}\Shell - "" = AutoRun
O33 - MountPoints2\{86ff1c2a-8530-11dc-b3ee-001a4d9b554b}\Shell\AutoRun\command - "" = F:\EXPLORER.EXE -- File not found
O33 - MountPoints2\{86ff1c2a-8530-11dc-b3ee-001a4d9b554b}\Shell\explore\Command - "" = F:\EXPLORER.EXE -- File not found
O33 - MountPoints2\{86ff1c2a-8530-11dc-b3ee-001a4d9b554b}\Shell\open\Command - "" = F:\EXPLORER.EXE -- File not found
O33 - MountPoints2\{87ae4d0c-7bbc-11dc-bbbc-001a4d4e1a9e}\Shell\Open(&0)\command - "" = Recycled\ctfmon.exe
O33 - MountPoints2\{c771d9c0-29aa-11de-b6ba-001a4d9b554b}\Shell - "" = AutoRun
O33 - MountPoints2\{ff40e08a-e57a-11de-b7e6-001a4d9b554b}\Shell\AutoRun\command - "" = G:\wdsync.exe -- File not found
[2010-01-24 14:37:20 | 00,000,209 | ---- | M] () -- C:\Program Files\Common Files\userInit.dll
[2010-01-19 09:52:15 | 00,566,047 | ---- | M] () -- C:\Documents and Settings\oem\Menu Start\Programy\Autostart\vmon.exe
[2009-12-07 14:41:41 | 00,027,958 | ---- | C] () -- C:\Program Files\Common Files\logonInit.dll
O20 - Winlogon\Notify\LogonInit: DllName - logonInit.dll - C:\Program Files\Common Files\logonInit.dll ()
:Files
C:\Documents and Settings\oem\Menu Start\Programy\Autostart\vmon.exe
C:\Program Files\Gameztar Toolbar
C:\Program Files\Internet Today
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EXPLORER.EXE"=-
:Commands
[emptytemp]
[resethosts]
[Reboot]
Click Run Fix. Confirm the computer restart.
Then run OTL again, this time click "Run Scan".
Post the new OTL.txt log and the removal log.
jessi
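An added triage helper, not part of this thread and not part of OTL: it runs a few rules over constructed OTL-style log lines modelled on the entries in the fix above and flags the persistence patterns that fix targets (orphaned service entries, a Winlogon Notify DLL loaded from outside system32, MountPoints2 autorun commands, an executable in the Startup folder, and BHOs with no publisher). SAMPLE_LOG, the rule labels and triage_otl are this example's own assumptions.

```python
import re

# Constructed sample of OTL log lines modelled on the entries in the fix above (not a real log).
SAMPLE_LOG = """\
SRV - File not found [Auto | Stopped] -- -- (Sukoku Service)
O2 - BHO: (Automated Content Enhancer) - {1D74E9DD-8987-448b-B2CB-67FFF2B8A932} - C:\\Program Files\\Automated Content Enhancer\\4.1.0.5190\\ACEIEAddOn.dll ()
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\\Program Files\\AskBarDis\\bar\\bin\\askBar.dll (Ask.com )
O4 - Startup: C:\\Documents and Settings\\oem\\Menu Start\\Programy\\Autostart\\vmon.exe ()
O20 - Winlogon\\Notify\\LogonInit: DllName - logonInit.dll - C:\\Program Files\\Common Files\\logonInit.dll ()
O33 - MountPoints2\\{1cd12274-b80b-11de-b7ac-001a4d9b554b}\\Shell\\AutoRun\\command - "" = n0euybx.exe
O33 - MountPoints2\\{87ae4d0c-7bbc-11dc-bbbc-001a4d4e1a9e}\\Shell\\Open(&0)\\command - "" = Recycled\\ctfmon.exe
"""

SYSTEM32 = "c:\\windows\\system32\\"


def _notify_dll_outside_system32(line):
    # O20 format: "... DllName - <name> - <full path> (<company>)"; a legitimate
    # Winlogon Notify package lives in system32, so anything else is worth a look.
    if not line.startswith("O20 - Winlogon\\Notify\\"):
        return False
    path = line.rsplit(" - ", 1)[1].split(" (")[0]
    return not path.lower().startswith(SYSTEM32)


# MountPoints2 entries that run a command on AutoRun/open/explore of a drive
_RX_MOUNTPOINT_CMD = re.compile(r"^O33 - MountPoints2\\\{[^}]+\}\\Shell\\[^\\]+\\command", re.I)
# An .exe dropped directly into the user's Startup folder
_RX_STARTUP_EXE = re.compile(r"^O4 - Startup: .*\.exe\b", re.I)
# BHO (O2) or toolbar (O3) whose company field at the end of the line is empty
_RX_NO_PUBLISHER = re.compile(r"^O[23] - .* \(\)\s*$")

RULES = [
    ("orphaned service entry (File not found)", lambda l: l.startswith("SRV - File not found")),
    ("Winlogon Notify DLL outside system32", _notify_dll_outside_system32),
    ("MountPoints2 autorun/open command (removable-media autorun)", _RX_MOUNTPOINT_CMD.search),
    ("executable in Startup folder", _RX_STARTUP_EXE.search),
    ("BHO/toolbar with no publisher", _RX_NO_PUBLISHER.search),
]


def triage_otl(text):
    """Return (line, label) pairs for every OTL line that matches a persistence rule."""
    findings = []
    for line in text.splitlines():
        for label, match in RULES:
            if match(line):
                findings.append((line, label))
                break  # one label per line is enough for triage
    return findings
```

Entries with a named publisher, such as the Ask.com BHO in the sample, are deliberately left unflagged so the output stays focused on what actually needs a second look.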
jessica
(jessica)
24 January 2010 17:29
#2
In the new log I no longer see anything harmful.
In OTL click the "CleanUp" button - this will remove it together with its quarantine.
Remove the copies of the malware from the "System Volume Information" folder by temporarily disabling "System Restore":
>START>Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK. (During this temporary shutdown those copies are deleted automatically, so there is no need to look inside the folder.) Afterwards you can return to the previous setting (i.e. clear the checkbox).
jessi