Email account break-in, or a keylogger on Win 8.1

Hello. I have a problem.

Someone got into my girlfriend's email and Facebook, reset the passwords, and deleted the emails except for one about the password change. I have the guy's IP and everything, but that doesn't matter. I scanned the computer with Anvi Smart Defender and I don't know whether it did anything, so I decided to post here on the forum to ask how to remove this keylogger. I'm pasting the logs from the programs. P.S. Thanks for the help.

 

OTL:

OTL.txt: http://wklej.org/id/1706887/

 

RSIT

log.txt: http://wklej.org/id/1706848/

 

Silent Runners:

log: http://wklej.org/id/1706854/

 

FRST:

Addition.txt: http://www.wklej.org/id/1706882/

FRST.txt: http://www.wklej.org/id/1706884/

 

AdwCleaner did not detect any irregularities.

Also check with this program: http://www.gmer.net/

Report this to the police.

Uninstall McAfee Security Scan Plus and Spybot - Search & Destroy. Open Notepad and paste:

Task: {1E6D29C5-D14D-469D-9AAD-ED3C9C920DBB} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system = C:\Program Files (x86)\Spybot - Search Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {86B228F0-BFF4-4C6E-8980-77753AD3430E} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates = C:\Program Files (x86)\Spybot - Search Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {9614E06E-17B8-4672-AEFF-940091C4B8E6} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization = C:\Program Files (x86)\Spybot - Search Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [] = [X]
HKLM-x32\...\Run: [HP Software Update] = C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-31] (Hewlett-Packard)
HKLM-x32\...\Run: [] = [X]
HKLM-x32\...\Run: [GrooveMonitor] = C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SDTray] = C:\Program Files (x86)\Spybot - Search Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-02-26]
ShortcutTarget: McAfee Security Scan Plus.lnk - C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1329531316-4023825329-2725924630-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1329531316-4023825329-2725924630-1001 - DefaultScope {DA625E20-FDD3-4B3F-B2ED-BEA853334090} URL =
SearchScopes: HKU\S-1-5-21-1329531316-4023825329-2725924630-1001 - {DA625E20-FDD3-4B3F-B2ED-BEA853334090} URL =
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
FF HKU\S-1-5-21-1329531316-4023825329-2725924630-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: No Name - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - http://clients2.google.com/service/update2/crx
R3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 Tosrfcom; No ImagePath
2015-05-08 17:51 - 2015-05-08 17:51 - 00000000 ____ D () C:\Windows\System32\Tasks\Safer-Networking
2015-05-08 17:50 - 2015-05-08 17:50 - 00001418 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-SD Start Center.lnk
2015-05-08 17:50 - 2015-05-08 17:50 - 00001406 _____ () C:\Users\Public\Desktop\Spybot-SD Start Center.lnk
2015-05-08 17:50 - 2015-05-08 17:50 - 00000000 ____ D () C:\ProgramData\Spybot - Search Destroy
2015-05-08 17:50 - 2015-05-08 17:50 - 00000000 ____ D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search Destroy 2
2015-05-08 17:50 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-05-08 17:49 - 2015-05-08 17:51 - 00000000 ____ D () C:\Program Files (x86)\Spybot - Search Destroy 2
2015-05-08 17:49 - 2015-05-08 17:49 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Weronika\Downloads\spybot-2.4.exe
2015-05-08 17:48 - 2015-05-08 17:48 - 00741672 _____ (Web software ) C:\Users\Weronika\Downloads\Spybot-Search-Destroy(12546)-dp.exe
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.

Scan with Malwarebytes Anti-Malware: http://www.malwarebytes.org/8/

Thank you very much for the help, I did all of that, we'll see how it goes :)