gmail alert

bună!

am primit o alertă pe contul gmail că a fost accesat de pe un alt IP (8.22.161.54) și mă sfătuia să-mi modific parola.
am căutat cu whois și am găsit că e nu-știu-ce companie de comunicații Level 3 din US.

mă puteți ajuta? ce-i chestia asta? nu mă prea pricep la IT - țineți cont că-s simplu biet nărod utilizator


mulțumesc pentru bunăvoință

Urmeaza sfaturile date de Gmail si schimba parola !

sigur că așa am făcut!!! aș fi dorit să aflu dacă au mai pățit-o și alții, dacă e nashpa etc.

p.s. nu vreau să devin "paranoică"

Dobybest, on 13th May 2010, 16:03, said:

Sper ca nu ai un keylogger in PC.

Sa vedem...

Descarca

Malwarebytes Anti-Malware 1.46

si salveaza-l pe Desktop.

Instaleaza-l si la sfarsit asigura-te ca ai bifat urmatoarele: Update Malwarebytes' Anti-Malware si Launch Malwarebytes' Anti-Malware. Apoi apasa Finish.



Dupa lansarea programului, click pe tab-ul Update si apasa butonul Check for Updates pentru a verifica daca definitiile descarcate sunt ultimele.

Database version: 4XXX



Click pe tab-ul Scanner, selecteaza Perform full scan si apoi apasa pe Scan.



La terminarea scanarii apasa OK si apoi Show Results.





Asigura-te ca e totul bifat si apoi apasa Remove Selected.





La final se va deschide un fisier in Notepad cu rezultatele scanarii. Posteaza continutul lui aici.



Daca ai dat restart pentru indepartare malware din PC, log-ul il gasesti in fereastra principala in cadrul tab-ului Logs. Verifica sa fie ultimul(dupa data din numele fisierului .txt.)

mulțumesc foarte mult - mă apuc de treabă

am să vă spun ce am găsit

Edited by Naoto, 13 May 2010 - 15:21.

p.s.: te conectezi la net prin proxy ?

am ajuns la scanare full (asta face acum în timp ce scriu)

mi-a dat însă Avira următorul mesaj, pe care mi-l afișase și mai devreme când am deschis PC-ul și n-am știut să-l interpretez - nici acum nu știu de fapt


Guard: Autorun blocked
Access to the file "E:Autorun.inf" was blocked for your security

el are de scanat și E: (HP_RECOVERY)


folosesc modem , dar recunosc plaja, variază rar și oricum gmail îmi spune ce IP am eu.


asta era aberant rău, pe al meu îl recunoaște că e de aici, nu din US

dacă nu răspund corect la întrebări, îmi cer scuze, de aia și povestesc ca să înțeleagă un specialist ce bălmăjesc eu

crysty2k5, on 13th May 2010, 16:27, said:

Edited by Naoto, 13 May 2010 - 16:07.

Aha. Lasa sa temine scanarea, pune log-ul aici si apoi fa sa:

Descarca :

Panda USB Vaccine1.0.1.4

Apesi dupa rularea programului: Vaccinate Computer si apoi Vaccinate USB.

Daca ai mai multe stickuri/carduri/MP3 Playere faci operatia de vaccinare pentru fiecare.

crysty2k5, on 13th May 2010, 17:23, said:

scanează de zor

am să postez log-ul când e gata, sigur că da

pe urmă-i trag și "vaccinul", dacă țipă de durere, raportez  

Avira e OK? s-o schimb?

Edited by Naoto, 13 May 2010 - 16:32.

Daca nu te lasa sa vaccinezi, deconectezi netul, opresti Avira, vaccinezi si apoi pornesti Avira. Conectezi net.

crysty2k5, on 13th May 2010, 17:36, said:

da, da, să ajung acolo
deocamdată e în scanare (de 1 h 14 min)

încă o dată, mulțumiri pentru ajutor

a terminat. n-a găsit nimic. pun log-ul:




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4096

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13.05.2010 18:31:12
mbam-log-2010-05-13 (18-31-12).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 209416
Time elapsed: 2 hour(s), 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Da, log-ul e curat. Vaccineaza PC-ul si apoi...

Posteaza un log HiJackThis 2.0.4 AICI !

Instructiuni: http://forum.softped...howtopic=350515

Edited by crysty2k5, 13 May 2010 - 17:39.

uite cum e consemnat în contul gmail:


Access Type [ ? ]                                                          
(Browser, mobile, POP3, etc.)        Unknown                                                                          
                                                                                  
Location (IP address) [ ? ]  8.22.161.50  

Date/Time  (Displayed in your time zone)    May 12 (1 day ago)      

și sunt 3 (toate de ieri): înseamnă că a intrat de 3 ori!!!!  sesiuni distincte


trec la vaccinare, pe urmă revin

Edited by Naoto, 13 May 2010 - 17:43.

Da. Pune log-ul sa vedem ce misca prin PC. Si pune o parola mai buna.

am vaccinat, Panda Cloud a reparat, iar acum îmi cere să restart

pregătesc log-ul acum

Întrebare: mai întâi dau restartul cerut de Panda și pe urmă pregătesc log-ul conform instrucțiunilor?

îmi răspund totuși că da, vaccinul nu devine efectiv decât după ce restartez

ok

Edited by Naoto, 13 May 2010 - 18:09.

Da. Dupa restart.

Logfile of Trend Micro HiJackThis v2.0.4
Scan saved at 19:25:22, on 13.05.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Wolters Kluwer\SintAct\SintactActualizare.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Wolters Kluwer\SintAct\SDV8m.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
F:\PhoneConnectorVMC.exe
F:\vmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcnsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sintact Administrare.lnk = C:\Program Files\Wolters Kluwer\SintAct\SDV8m.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com/?fr=fp-yie8
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1269896023765
O17 - HKLM\System\CCS\Services\Tcpip\..\{9355A1EB-C0E3-4FC9-8F2E-251A3D321F65}: NameServer = 81.12.128.206 81.12.132.206
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NanoServiceMain - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sintact - Serviciul de actualizare - [Wolters Kluwer] - Wolters Kluwer - C:\Program Files\Wolters Kluwer\SintAct\SintactActualizare.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11068 bytes

sper că am reușit