Preventivka, podezreni nahavet, log z DDS (win7)

[Lobin]

Ahoj,

chtel bych poprosit o kontrolu logu z DDS (Win7). Mam podezreni na nejakou havet, protoze se mi obcas zobrazuji nechtenne stranky ve web prohlizeci (yahoo toolbary pocinaje a nejakymi mywebbrowser.com/net/neco konce).

Predem dekuji

--- LOG z DDS nasleduje ... ---

DDS (Ver_09-12-01.01) - NTFSx86
Run by locadmin at 14:51:00,61 on Łt 29.12.2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_16
Microsoft Windows 7 Professional 6.1.7600.0.1250.420.1033.18.2038.789 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\alg.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\miranda\miranda32.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\KeePass\KeePass.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Cisco Systems\VPN Client\ipseclog.exe
C:\Windows\system32\StikyNot.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\UTILS\viry&havet\analyze\dds.pif
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\pdfforge toolbar\SearchSettings.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\1.1.2\pdfforgeToolbarIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\pdfforge toolbar\SearchSettings.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\1.1.2\pdfforgeToolbarIE.dll
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SearchSettings] c:\program files\pdfforge toolbar\SearchSettings.exe
mRunOnce: [ehssetup] c:\windows\system32\rundll32.exe "c:\windows\ehome\ehssetup.dll",LaunchProcessInputFiles
mRunOnce: [wmssetup] c:\windows\system32\rundll32.exe "c:\program files\windows media player\wmssetup.dll",LaunchProcessInputFiles
mRunOnce: [iessetup] c:\windows\system32\rundll32.exe "c:\program files\internet explorer\iessetup.dll",LaunchProcessInputFiles
mRunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
uPolicies-explorer: QuickLaunchEnabled = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 300 (0x12c)
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} - hxxp://192.168.9.11/Web/MediaMasCSY.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {1B348EF7-27B0-479B-8247-CE1367B1937D} = 194.228.41.65,194.228.41.113
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\locadmin\appdata\roaming\mozilla\firefox\profiles\dxhsxwt4.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.jit.chrome", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");

============= SERVICES / DRIVERS ===============

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2009-12-16 375296]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2009-3-11 35692]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 vmserverdWin32;VMware Registration Service;"c:\program files\vmware\vmware server\vmserverdwin32.exe" --> c:\program files\vmware\vmware server\vmserverdWin32.exe [?]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2008-7-10 15872]
S3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\drivers\BthFilt.sys [2009-9-14 13824]
S3 DCIOZ;DCIOZ;c:\users\locadmin\appdata\local\temp\DCIOZ.exe [2009-12-26 539520]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 ZKSZMISZ;ZKSZMISZ;c:\users\locadmin\appdata\local\temp\ZKSZMISZ.exe [2009-12-26 531328]

=============== Created Last 30 ================

2009-12-29 11:38:21 0 d-----w- c:\program files\trend micro
2009-12-26 17:41:42 0 d-----w- c:\users\locadmin\appdata\roaming\Wireshark
2009-12-26 17:35:22 0 d-----w- c:\program files\Wireshark
2009-12-25 16:16:08 0 d-----w- c:\program files\Application Updater
2009-12-25 16:16:06 0 d-----w- c:\program files\pdfforge Toolbar
2009-12-25 16:15:19 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2009-12-25 16:15:18 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2009-12-25 16:15:16 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2009-12-25 16:15:15 0 d-----w- c:\program files\PDFCreator
2009-12-21 17:59:05 208836347 ----a-w- c:\windows\MEMORY.DMP
2009-12-18 20:36:28 0 d-----w- C:\!
2009-12-16 21:54:13 0 d-----w- c:\windows\system32\Profiles
2009-12-16 21:52:12 239 ----a-w- c:\windows\system32\AnotherWorld.ini
2009-12-16 21:44:56 0 d-----w- c:\programdata\Trymedia
2009-12-15 23:19:22 4 ----a-w- c:\windows\system32\zserv.ok
2009-12-15 23:18:37 35 ----a-w- c:\windows\system32\zserv32.ini
2009-12-14 17:15:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-12-07 02:33:37 0 d-----w- c:\program files\wfavvid
2009-12-02 23:46:50 0 d-----w- c:\program files\WinPcap
2009-11-29 15:04:48 200704 ----a-w- c:\windows\system32\ssleay32.dll
2009-11-29 15:04:48 200704 ----a-w- c:\windows\system32\libssl32.dll
2009-11-29 15:04:48 1017344 ----a-w- c:\windows\system32\libeay32.dll
2009-11-29 15:04:46 0 d-----w- c:\program files\OpenSSL

==================== Find3M ====================

2009-11-18 23:37:29 223432 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-11-02 19:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-16 19:12:02 435200 ----a-w- c:\windows\system32\ipcoin.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-09-13 14:38:56 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-09-13 14:38:56 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-09-13 14:38:56 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-09-13 14:38:56 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:51:22,32 ===============

[Rudy]

Pro jistotu dejte log z MBAM: http://www.malwarebytes.org/mbam.php . Předem nic nemažte.

[Lobin]

MBAM vypada v poradku. Pocitac bude asi take, zjistil jsem ze vetsinu problemu s prohlizecem delala nedobrovolne nainstalovana lista od pdfforge v ramci pdf-creatoru
ALe i tak dik za pripadne rady co nevypada dobre a chtelo by odstranit...

LOG z MBAM:

Malwarebytes' Anti-Malware 1.43
Database version: 3478
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2.1.2010 17:07:53
mbam-log-2010-01-02 (17-07-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 243688
Time elapsed: 46 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Rudy]

Pdforge je šmejd a MBAM ho neodstranil. Dejte log z ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware