Podejerzenie keyloggera/spyware

[Przemasz]

Witam!
Prawdopodobnie mam na kompie złośliwe oprogramowanie. Proszę kogoś o sprawdzenie logów. Oto logi z OTL:

[defacto19]

Uruchom OTL i w sekcji (Własne opcje skanowania/Skrypt) wklej:

:OTL
IE - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\InprocServer32 File not found
IE - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\URLSearchHook: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - No CLSID value found
IE - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\SearchScopes\{3D768D0F-8A1C-4c56-A1A9-16AF9D44095A}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=STDVM
IE - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
IE - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/mb68/?search={searchTerms}&loc=search_box&u=92260311791967831
FF - prefs.js..browser.search.defaultenginename: "v9"
FF - prefs.js..browser.search.order.1: "v9"
FF - prefs.js..browser.search.selectedEngine: "v9"
FF - prefs.js..browser.search.useDBForOrder: true
[2011-05-23 21:40:41 | 000,002,055 | ---- | M] () -- C:\Users\pl\AppData\Roaming\Mozilla\Firefox\Profiles\4wrl3ayd.default\searchplugins\daemon-search.xml
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Hyperionics DB Toolbar\tbcore3.dll File not found
O3:64bit: - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll File not found
O3 - HKLM\..\Toolbar: (Hyperionics DB Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files (x86)\Hyperionics DB Toolbar\tbcore3.dll File not found
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O3:64bit: - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll File not found
O3 - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O4 - HKU\S-1-5-21-448562795-4172729588-1198038377-1000..\Run: [Wisdom-soft AutoScreenRecorder 3.1 Free] 0 File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\pl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8:64bit: - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
[2012-08-13 02:15:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v9Soft
[2011-11-02 23:36:58 | 000,000,000 | ---D | M] -- C:\Users\Tomek\AppData\Roaming\Babylon
[2012-08-09 22:03:22 | 000,000,000 | ---D | C] -- C:\Ibot1.0.8
[2012-07-28 13:32:16 | 000,000,000 | ---D | C] -- C:\ibot1.0.7

:Commands
[emptyflash]
[emptytemp]

Kliknij wykonaj skrypt. Zatwierdź restart komputera. Zapisz raport, który pokaże się po restarcie. Następnie uruchom OTL ponownie, i kliknij skanuj.
Pokaż nowy log OTL.txt oraz raport z usuwania.

[Przemasz]

Dzięki za pomoc
Oto nowe logi:

[defacto19]

Zastosuj Adwcleaner z opcji Delete.
Pokaż raport z niego C:\AdwCleaner[S1].txt

Uruchom OTL i w sekcji (Własne opcje skanowania/Skrypt) wklej:

:OTL
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: "Google"
O3 - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\Toolbar\WebBrowser: (no name) - {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - No CLSID value found.
O3 - HKU\S-1-5-21-448562795-4172729588-1198038377-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:905844AA

:Files
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

:Commands
[emptytemp]

Kliknij wykonaj skrypt. Zatwierdź restart komputera. Zapisz raport, który pokaże się po restarcie, i przedstaw go na forum.

[Przemasz]

Proszę bardzo:D

[defacto19]

Wszystko pomyślnie się wykonało. Możesz przejść do finalizacji tematu:

Uruchom OTL i użyj opcji sprzątanie. Natomiast w Adwcleaner kliknij na przycisk Uninstall.

Zainstaluj aktualizacje do programów wskazanych przez Security Check jako out of date.

Autor postu otrzymał pochwałę