Author Topic: Suspected virus  (Read 5843 times)


Offline GabrielGorta

  • Full Member
  • Posts: 151
Suspected virus
« on: June 22, 2013, 02:48:28 PM »
I suspect a keylogger or some other virus on my computer. There are running processes I don't recognize (they are not system ones), and strange things happen on the PC (e.g. the mouse pointer disappears, or the keyboard stops typing until the PC is restarted, ... or it turns itself on when it is switched off, ... and lately it quite often reports error #0 from some "Write Kannon"). The whole CPU and RAM are maxed out (CPU 96% and RAM 91%) [the CPU is 3.6 GHz and RAM is 2x4 = 8 GB].
Could someone help me?

LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:38:10, on 22.06.2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16611)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\spravca\Desktop\hijackthis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.delta-search.com/?affID=119816&tt=gc_&babsrc=HP_ss&mntrId=FC371C6F65B770B3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.134.1.17:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: avast! Ad Blocker - {FFCB3198-32F3-4E8B-9539-4324694ED663} - C:\Program Files\AVAST Software\avast! Ad Blocker IE\Adblocker32.dll
O3 - Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\Mobile Partner\Mobile Partner.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: taskmgr.lnk = C:\Windows\System32\taskmgr.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A3A6ADF-0F6C-4AAC-92F5-FE7F04BA39C6}: NameServer = 85.237.225.250 213.151.200.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A3A6ADF-0F6C-4AAC-92F5-FE7F04BA39C6}: NameServer = 85.237.225.250 213.151.200.30
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - (no file)
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: DCService.exe - Unknown owner - C:\ProgramData\DatacardService\DCService.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Služba Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe

--
End of file - 6470 bytes

« Last Edit: June 22, 2013, 03:16:48 PM by GabrielGorta »
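The HijackThis log above is the kind of thing a responder reads by hand: orphaned BHOs, a hijacked start page, a configured proxy, public DNS servers, and services with no publisher. As an added example (not part of the original post, and not a HijackThis feature), the Python script below parses the R0/R1, O2/O3, O4, O17 and O23 line formats shown in the log and ranks the entries a practitioner would look at first. The sample input is a constructed subset of the posted log; the hijacker-domain list and the "suspicious directory" list are assumptions to be tuned per environment, and a CHECK finding means "verify", not "malicious" (the proxy and DNS servers may well be the ISP's or the workplace's).

```python
"""Triage of a HijackThis v2.0.4 log (added example, not from the original thread)."""
import ipaddress
import re

# Constructed sample: a subset of the lines from the posted log, used as test input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.delta-search.com/?affID=119816&tt=gc_&babsrc=HP_ss&mntrId=FC371C6F65B770B3
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.134.1.17:3128
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - Startup: taskmgr.lnk = C:\Windows\System32\taskmgr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A3A6ADF-0F6C-4AAC-92F5-FE7F04BA39C6}: NameServer = 85.237.225.250 213.151.200.30
O23 - Service: DCService.exe - Unknown owner - C:\ProgramData\DatacardService\DCService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
"""

# Assumption: known homepage/search hijacker domains (delta-search appears in the posted log).
HIJACKER_DOMAINS = ("delta-search.com", "babylon.com", "conduit.com")

# Assumption: user-writable directories from which services/autoruns rarely belong.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "CHECK": 2, "LOW": 3}

# Every HijackThis entry line looks like "O23 - <body>" or "R1 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return a list of (kind, body) tuples for each entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def is_public_ip(addr):
    """True if addr parses as an IP address outside private/loopback/link-local ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)


def triage(text):
    """Return (severity, kind, reason, entry) findings, most severe first."""
    findings = []
    for kind, body in parse_entries(text):
        lower = body.lower()
        if kind in ("R0", "R1") and "start page" in lower and any(d in lower for d in HIJACKER_DOMAINS):
            findings.append(("HIGH", kind, "browser start page points at a known search hijacker", body))
        elif kind == "R1" and "proxyserver" in lower:
            findings.append(("CHECK", kind, "HTTP proxy configured: confirm it is expected, all web traffic passes through it", body))
        elif kind in ("O2", "O3") and "(no file)" in lower:
            findings.append(("LOW", kind, "orphaned BHO/toolbar registration (file missing), safe to remove", body))
        elif kind == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            if any(is_public_ip(s) for s in servers):
                findings.append(("CHECK", kind, "public DNS servers configured: verify they are the ISP's, not a DNS changer", body))
        elif kind == "O23" and "unknown owner" in lower:
            # No publisher at all is already worth a look; from a user-writable path it is worse.
            sev = "HIGH" if any(d in lower for d in SUSPICIOUS_DIRS) else "MEDIUM"
            findings.append((sev, kind, "service with no publisher information", body))
        elif kind == "O4" and any(d in lower for d in SUSPICIOUS_DIRS):
            findings.append(("MEDIUM", kind, "autorun launched from a user-writable directory", body))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def main(path=None):
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    for sev, kind, why, body in triage(text):
        print(f"[{sev:6}] {kind}: {why}\n         {body}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python triage_hjt.py hijackthis.log` against a real log, or with no argument to see the constructed sample. Against the sample it ranks the `delta-search` start page and the unsigned `DCService.exe` in `C:\ProgramData` at the top, which matches where an experienced forum helper would start; everything else it emits is a "go and verify" item, not a verdict.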

Offline GabrielGorta

  • Full Member
  • Posts: 151
Re: Suspected virus
« Reply #1 on: June 30, 2013, 05:50:20 PM »
It's solved now, I found 4 viruses:
1 was a virus generator
2 trojan agent
3 trojan
4 keylogger

Offline I_AM_budo

  • Newbie
  • Posts: 4
Re: Suspected virus
« Reply #2 on: November 05, 2013, 09:19:27 AM »
Hi,
I also suspect a virus.
1) The notebook is lying on the desk, nobody touches it; KMPlayer, Opera, Skype and OpenOffice Writer are running. Suddenly an Avast message pops up saying that malicious code was blocked.

2) At other times the notebook (again while nobody is working on it) makes the "click" sound by itself, the one that plays when you browse the computer's contents in Explorer. That doesn't seem right to me either.

System: https://www.dropbox.com/s/o1zk7uj068cj4by/Screenshot%202013-11-05%2009.15.15.png
Avast: https://www.dropbox.com/s/jpq1kvqhtrsskrk/Screenshot%202013-11-05%2009.16.32.png

Re 1) This happened 20 minutes ago. Please advise where I can find the Avast log of the event and what we can read from it.

Please recommend a link with instructions for creating a HijackThis log; I have no experience with it.

Thank you.


Offline I_AM_budo

  • Newbie
  • Posts: 4
Re: Suspected virus
« Reply #3 on: November 05, 2013, 11:43:41 AM »
Bump!

Offline GabrielGorta

  • Full Member
  • Posts: 151
Re: Suspected virus
« Reply #4 on: November 05, 2013, 03:00:51 PM »
Avast log:
C:\ProgramData\AVAST Software\Avast\ (you'll find it there)
and more information would help.

Offline I_AM_budo

  • Newbie
  • Posts: 4
Re: Suspected virus
« Reply #5 on: November 05, 2013, 06:32:18 PM »
What information do I need to add here?
There is a lot of data in that directory, but I don't know what to do with it... I expected that I would simply open some log from the Avast UI and read there which process Avast blocked...
Or that you would write here which file I should provide, and that you more experienced people would recognize something from it...

OK, I'll also try to read the guide on viry.cz.
I think there was some guide for creating a HijackThis log there...

Perhaps a bit naive, but I expected that on the Avast forum I would either read how to do it or someone would advise me here. If another adviser turns up, thanks in advance.

Offline GabrielGorta

  • Full Member
  • Posts: 151
Re: Suspected virus
« Reply #6 on: November 06, 2013, 02:15:37 PM »
Try posting a log from HijackThis v2.0.4 here (it's a program you download and run; it automatically generates all the information about the processes for you).

Offline I_AM_budo

  • Newbie
  • Posts: 4
Re: Suspected virus
« Reply #7 on: November 06, 2013, 03:01:09 PM »
That essentially duplicates the instructions here:
http://forum.viry.cz/viewtopic.php?f=13&t=133866&p=1267623#p1267623