Brontok.a 10


(Gadomski Michau) #1

Hi, I have the virus named in the subject.

http://wklej.to/m0SRi otl

http://wklej.to/ZxBMl extras

Please analyze this and fix it. I hope I did everything as it should be done.

Thanks in advance, and I'd appreciate a quick reply. Because of the worm I can't really work on my thesis (download the files I need, etc.).

Regards. :slight_smile:


(Atis) #2

http://forum.dobreprogramy.pl/farbar-recovery-scan-tool-raport-obowi%C4%85zkowy-t478727/


(KAZDAN63) #3

Try:

WIN+R

MRT.exe


(Gadomski Michau) #4

http://www.wklej.org/id/1695630/ FRST

http://www.wklej.org/id/1695631/ Addition

http://www.wklej.org/id/1695632/ Shortcut

Thank you, I will follow the further instructions :slight_smile:

Unfortunately, after running MRT.exe the system restarts.


(Atis) #5

Paste the following into the system Notepad and save it as a text file named fixlist:

CloseProcesses:
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM-x32\...\Run: [Lakn-Maheswara] => C:\Windows\INF\nkaLats.exe [54784 2010-09-03] (666)
HKU\S-1-5-21-4066269966-2894228195-717434399-1000\...\Run: [Ats-Hermawati] => C:\Users\Kotek\AppData\Local\smss.exe [54784 2010-09-03] (666)
HKU\S-1-5-21-4066269966-2894228195-717434399-1000\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-21-4066269966-2894228195-717434399-1000\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-4066269966-2894228195-717434399-1000\...\Policies\Explorer: [NoFolderOptions] 1
Startup: C:\Users\Kotek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Indra.pif [2010-07-09] (666)
ShellIconOverlayIdentifiers: [GGDriveOverlay1] -> {E68D0A50-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
ShellIconOverlayIdentifiers: [GGDriveOverlay2] -> {E68D0A51-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
ShellIconOverlayIdentifiers: [GGDriveOverlay3] -> {E68D0A52-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
ShellIconOverlayIdentifiers: [GGDriveOverlay4] -> {E68D0A53-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4066269966-2894228195-717434399-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4066269966-2894228195-717434399-1000 -> {24588FA4-10F1-41D7-B19D-6E22361E47FA} URL = http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8
SearchScopes: HKU\S-1-5-21-4066269966-2894228195-717434399-1000 -> {68547BC6-0F3F-41B2-B96C-B83F6B39E946} URL = http://www.mysearchresults.com/search?c=3524&t=01&q={searchTerms}
S2 AxAutoMntSrv; C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [X]
S3 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [X]
U3 ajvcvvdm; No ImagePath
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 dump_wmimmc; \??\D:\Gry\Lineage2\NCsoft\Lineage II\system\GameGuard\dump_wmimmc.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-04-24 00:57 - 2015-04-24 00:57 - 00087612 _____ () C:\Users\Kotek\AppData\Local\Update.3.Lakn.Ats.bin
2015-04-24 00:42 - 2015-04-24 00:42 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-24
2015-04-22 23:26 - 2015-04-22 23:26 - 00087612 _____ () C:\Users\Kotek\AppData\Local\Lakn.ats.C3.em.bin
2015-03-31 00:00 - 2015-03-31 00:00 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-31
2015-03-30 09:10 - 2015-03-30 09:10 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-30
2015-03-28 01:00 - 2015-03-28 01:00 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-28
2015-03-27 18:20 - 2015-03-27 18:20 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-27
2015-03-26 02:35 - 2015-03-26 02:35 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-26
2015-03-25 08:34 - 2015-03-25 08:34 - 00000000 ____ D () C:\Users\Kotek\AppData\Local\Lakn.ats-3-25
2015-03-30 12:45 - 2015-03-11 13:54 - 00000000 ____ D () C:\ProgramData\conntiniUetoosyavee
2015-03-30 12:45 - 2015-03-11 13:54 - 00000000 ____ D () C:\ProgramData\AVG Secure Search
2015-03-30 12:45 - 2015-03-11 13:54 - 00000000 ____ D () C:\ProgramData\~Browser Manager
2015-03-30 12:45 - 2015-03-11 13:54 - 00000000 ____ D () C:\Program Files (x86)\MyPC Backup
2015-03-30 12:45 - 2015-03-11 13:54 - 00000000 ____ D () C:\Program Files (x86)\Conduit
2015-03-30 12:45 - 2015-03-11 13:54 - 00000000 ____ D () C:\Program Files (x86)\AVG Secure Search
C:\Users\Kotek\AppData\Local\*.exe
C:\Windows\INF\nkaLats.exe
2015-03-02 19:42 - 2015-03-02 19:42 - 0000052 _____ () C:\Users\Kotek\AppData\Local\Kosong.Lakn.Ats.txt
2015-04-22 23:26 - 2015-04-22 23:26 - 0087612 _____ () C:\Users\Kotek\AppData\Local\Lakn.ats.C3.em.bin
2015-04-24 00:57 - 2015-04-24 00:57 - 0087612 _____ () C:\Users\Kotek\AppData\Local\Update.3.Lakn.Ats.bin
2013-09-06 11:12 - 2013-09-06 11:13 - 0000000 _____ () C:\Users\Kotek\AppData\Local\{6C67A94B-53A5-428D-8D72-D7B746196FE4}
2013-09-05 11:21 - 2013-09-05 11:21 - 0000000 _____ () C:\Users\Kotek\AppData\Local\{28C900DA-FBB3-4CB9-8C72-0851F4D3B6D5}
2013-09-01 04:36 - 2013-09-01 04:37 - 0000000 _____ () C:\Users\Kotek\AppData\Local\{142BBCC3-401F-434D-911F-39BFAE9CEEAC}
CustomCLSID: HKU\S-1-5-21-4066269966-2894228195-717434399-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Kotek\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4066269966-2894228195-717434399-1000_Classes\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534}\InprocServer32 -> C:\Users\Kotek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll No File
CustomCLSID: HKU\S-1-5-21-4066269966-2894228195-717434399-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Kotek\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
Task: {09C8FF6B-99B6-488E-AE45-41FBE372D3F7} - System32\Tasks\{90EE12F6-0573-49E5-88A2-B8CBB3D3D808} => pcalua.exe -a C:\Users\Kotek\Downloads\AA3DeployInstaller.exe -d C:\Users\Kotek\Downloads
Task: {11BC9FF2-02DB-491A-BCEB-4314E8402B82} - System32\Tasks\{43514C02-B005-4C27-A490-B7AE1D787044} => pcalua.exe -a C:\Users\Kotek\Desktop\spolszczenie_ts3.exe -d C:\Users\Kotek\Desktop
Task: {1CC44791-285E-4AFC-A986-C9EF928A2395} - System32\Tasks\{5DA78F7C-FF26-46A8-A6BB-F6A2A18353DA} => Chrome.exe http://ui.skype.com/ui/0/6.7.0.102/pl/abandoninstall?page=tsMain
Task: {3016732D-BA85-41C6-8A4E-4286AFC9335F} - System32\Tasks\{F58717E6-9249-427B-A2FB-F82F0ECCA94F} => pcalua.exe -a "D:\Gry\The Elder Scrolls V Skyrim\Uninstall.exe" -d "D:\Gry\The Elder Scrolls V Skyrim"
Task: {751E6F8D-0D4F-404C-96F2-BF513056C643} - System32\Tasks\{AAF9355D-2480-42AC-973B-442B3EBCEAE2} => pcalua.exe -a C:\Users\Kotek\Desktop\gtasa_pl_0.91.exe -d C:\Users\Kotek\Desktop
Task: {88F23F70-EE9B-49F3-B807-6EADB7FF2779} - System32\Tasks\{E852FBCD-9904-4622-A8B1-FD914EE9E94A} => pcalua.exe -a "D:\ja /cenzura/\FarCry Install\setup.exe" -d "D:\ja /cenzura/\FarCry Install"
Task: {8D190B49-0714-4488-94FF-D14A3068A4FF} - System32\Tasks\{F50132E8-5AB8-4D60-9052-81BCDC576D0E} => pcalua.exe -a "C:\Program Files\AVAST Software\Avast\aswRunDll.exe" -c "C:\Program Files\AVAST Software\Avast\Setup\setiface.dll" RunSetup
Task: {B7DA0826-12AD-4E0D-9AA3-EBBF1A573227} - System32\Tasks\{FDE155F2-B403-4FBA-A770-14ED0E025A18} => pcalua.exe -a "D:\TeamSpeak 3 Client\package_inst.exe" -d "D:\TeamSpeak 3 Client"
Task: {C0C0168C-61CC-4E58-AF28-05C0DA76B85E} - System32\Tasks\{DF446990-BABB-4A90-9ABB-6F3B622B4E6C} => D:\Gry\Wiedźmin\System\witcher.exe
Task: {C5E46671-F13E-4202-A255-CBE8FE3B8A2F} - System32\Tasks\{B0D55569-BC1E-4407-955F-A71E4F2D7F68} => D:\Gry\Wiedźmin\System\witcher.exe
Task: {D6A14605-449A-43FF-B82B-1FFEBE8E68D2} - System32\Tasks\{D9045858-2C79-4C0E-B273-CB911E484170} => pcalua.exe -a "C:\Program Files (x86)\LivePIM\JustInst\JustInst.exe" -d C:\Users\Kotek\Desktop
Task: {DF179C0A-ECD5-4692-A0A5-97B67666BE25} - System32\Tasks\{B77C5357-3A63-46C5-B7B1-90DAB2F975BC} => pcalua.exe -a C:\Users\Kotek\AppData\Local\Temp\ivona_installer.exe -d C:\Windows\system32 -c 4457664
Task: {E4B93E25-A6FF-41B1-B883-BE5E23F649BC} - System32\Tasks\{1D5A2E22-89DE-4700-B946-10F744E2B4D8} => D:\Downloads\formularz__3515_i1205738082_il2216882.exe
Task: {FFB30D37-E61E-47DD-9678-A32FC7F0F05B} - System32\Tasks\{ADF0F70B-F96D-47A0-AAEB-9DFBBF87E260} => pcalua.exe -a C:\Users\Kotek\AppData\Local\Temp\Shortcut_SimDSetup.exe -d C:\Users\Kotek\Desktop -c -Shortcut
AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Windows\Temp:temp
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Kotek:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\ProgramData\Dane aplikacji:gs5sys
AlternateDataStreams: C:\ProgramData\Szablony:gs5sys
AlternateDataStreams: C:\ProgramData\Templates:gs5sys
AlternateDataStreams: C:\Users\Kotek\Cookies:gs5sys
AlternateDataStreams: C:\Users\Kotek\Dane aplikacji:gs5sys
AlternateDataStreams: C:\Users\Kotek\Szablony:gs5sys
AlternateDataStreams: C:\Users\Kotek\Ustawienia lokalne:gs5sys
AlternateDataStreams: C:\Users\Kotek\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Kotek\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Kotek\AppData\Local\Dane aplikacji:gs5sys
AlternateDataStreams: C:\Users\Kotek\AppData\Local\Historia:gs5sys
AlternateDataStreams: C:\Users\Kotek\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Kotek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Indra.pif" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Kotek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Torpedo.lnk" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ats-Hermawati" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lakn-Maheswara" /f
C:\Windows\pss\Indra.pif.Startup
C:\Windows\pss\Torpedo.lnk.Startup
EmptyTemp:

Run FRST and click Fix. Post the removal report, Fixlog.

Click Scan and post a new FRST report, without Addition and Shortcut.
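The fixlist above tells FRST which Run entries, policy restrictions, files and alternate data streams to remove. As an added example (not part of this thread and not FRST's own code), the PowerShell script below re-checks those same items after the Fix so the user can confirm nothing survived. It assumes it is run from the affected account (the profile under C:\Users\Kotek) on 64-bit Windows; the full registry paths are my expansion of FRST's abbreviated `...` notation, and the `Test-RegValue` helper is mine.

```powershell
# Added post-cleanup check; not from the thread or from FRST.
# Assumption: run as the infected user on 64-bit Windows. Registry paths are
# expanded from the fixlist's "HKLM\...\" and "HKU\<SID>\...\" shorthand.
$findings = @()

function Test-RegValue($Path, $Name, $Expected) {
    # Records a value that still exists and, when $Expected is given, differs from it.
    if (-not (Test-Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $Name)) { return }
    $value = $item.$Name
    if ($null -eq $Expected -or $value -ne $Expected) {
        $script:findings += "Registry value still present: $Path\$Name = $value"
    }
}

# Autostart entries the fixlist removes (HKLM-x32\...\Run and the user's Run key)
Test-RegValue 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' 'Lakn-Maheswara'
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Ats-Hermawati'

# Policy restrictions the worm set: Regedit, Folder Options and the Action Center icon
# (DisableCMD was already 0 in the log; it is checked for completeness)
$pol = 'Microsoft\Windows\CurrentVersion\Policies'
Test-RegValue "HKCU:\Software\$pol\System"   'DisableRegistryTools' 0
Test-RegValue "HKCU:\Software\$pol\System"   'DisableCMD'           0
Test-RegValue "HKCU:\Software\$pol\Explorer" 'NoFolderOptions'      0
Test-RegValue "HKLM:\SOFTWARE\$pol\Explorer" 'HideSCAHealth'        0

# Files and startup items named in the fixlist
$paths = @(
    'C:\Windows\INF\nkaLats.exe',
    "$env:LOCALAPPDATA\smss.exe",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Indra.pif",
    "$env:LOCALAPPDATA\Kosong.Lakn.Ats.txt"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File still present: $p" }
}

# The gs5sys alternate data stream the fixlist strips from several directories
foreach ($dir in 'C:\ProgramData', $env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA) {
    $ads = Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -eq 'gs5sys' }
    if ($ads) { $findings += "Alternate data stream still present: ${dir}:gs5sys" }
}

if ($findings.Count -eq 0) { 'No leftovers from the fixlist found.' } else { $findings }
```

Run it from an elevated PowerShell after FRST has rebooted the machine; any line it prints is something the fixlist targeted that is still on disk or in the registry, and belongs in the next report to the helper.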


(Gadomski Michau) #6

http://www.wklej.org/id/1695721/ Fixlog

http://www.wklej.org/id/1695726/ FRST


(Atis) #7

Delete the folder C:\FRST

Remove the old restore points: To delete all restore points

Scan the disk with ESET Online Scanner

Uninstall:

Adobe Flash Player 16 ActiveX

Adobe Flash Player 16 NPAPI

Adobe Reader XI (11.0.02)

Java 7 Update 10

Java 7 Update 65

Java 6 Update 23

Java 6 Update 38

JavaFX 2.1.1

Install:

Flash Player 17.0.0.169 NPAPI

Flash Player 17.0.0.169 ActiveX

Adobe Reader XI 11.0.10

Java 8 Update 45