COMODO ISP znajduje cały czas robala Suspicioons itp

masgre · 6 Maj 2013 21:12

Witam

Jak w temacie, antywirus wykrywa wirusa Suspicioons@#9nt3846astrv i Backdoor.Win32., po usunięciu uaktywnia się ponownie. Na początku ataku zablokował przeglądarki , instalacyjne programów i wiele innych funkcji systemu win7.

Po odłączeniu netu i wyłączeniu lapka (5 sekund przycisk zasilania) system uruchomił się normalnie, włączyłem odrazu pełne skanowanie COMODO ISP.

Odinstalowałem tabulatory które sie zainstalowały bez mojej wiedzy

Proszę o pomoc, nie mogę sie pozbyć tego gadostwa i oczywiście logi

OTL- http://www.wklejto.pl/159558

Extras- http://www.wklejto.pl/159560

Atis · 6 Maj 2013 21:29

Do okna Własne opcje skanowania / skrypt wklej:

:OTL SRV - [2013-02-19 20:22:14 | 000,968,880 | ---- | M] () [Auto | Running] – C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe – (vToolbarUpdater14.2.0) DRV - [2013-02-19 20:22:15 | 000,033,112 | ---- | M] (AVG Technologies) [Kernel | System | Running] – C:\Windows\System32\drivers\avgtpx86.sys – (avgtp) DRV - File not found [Kernel | On_Demand | Stopped] – System32\drivers\rdvgkmd.sys – (VGPU) DRV - File not found [Kernel | On_Demand | Stopped] – system32\drivers\tsusbhub.sys – (tsusbhub) DRV - File not found [Kernel | On_Demand | Stopped] – System32\drivers\synth3dvsc.sys – (Synth3dVsc) DRV - File not found [Kernel | On_Demand | Stopped] – E:\PROGRAMY\WCPUID\NRKCTL32.SYS – (NRKCTL32) DRV - File not found [Kernel | On_Demand | Stopped] – system32\DRIVERS\mcdbus.sys – (mcdbus) DRV - File not found [File_System | Boot | Stopped] – system32\DRIVERS\Lbd.sys – (Lbd) DRV - File not found [Kernel | On_Demand | Stopped] – C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys – (esgiguard) DRV - File not found [Kernel | On_Demand | Stopped] – C:\Windows\system32\drivers\EagleXNt.sys – (EagleXNt) DRV - File not found [Kernel | On_Demand | Stopped] – C:\Windows\system32\drivers\EagleNT.sys – (EagleNT) DRV - File not found [Kernel | On_Demand | Unknown] – C:\Users\PAAP\AppData\Local\Temp\awlcyaoc.sys – (awlcyaoc) O4 - HKU\S-1-5-21-559355895-4025309670-3908966105-1001…\Run: [] File not found [2013-04-26 16:57:55 | 000,000,000 | —D | C] – C:\Users\PAAP\Doctor Web [2013-04-26 13:57:51 | 000,000,000 | —D | C] – C:\Users\PAAP\AppData\Roaming\ArcaVirMicroScan [2013-04-26 12:23:22 | 000,000,000 | —D | C] – C:\Program Files\Enigma Software Group @Alternate Data Stream - 24 bytes -> C:\Windows:A7D4876C1374441B :Files C:\Program Files\Common Files\AVG Secure Search :Commands [emptytemp]

Kliknij Wykonaj skrypt i zatwierdź restart.

Pokaż raport z usuwania i nowy log Skanuj.

masgre · 6 Maj 2013 21:48

Raport

All processes killed

========== OTL ==========

Service vToolbarUpdater14.2.0 stopped successfully!

Service vToolbarUpdater14.2.0 deleted successfully!

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe moved successfully.

Service avgtp stopped successfully!

Service avgtp deleted successfully!

C:\Windows\System32\drivers\avgtpx86.sys moved successfully.

Service VGPU stopped successfully!

Service VGPU deleted successfully!

File System32\drivers\rdvgkmd.sys not found.

Service tsusbhub stopped successfully!

Service tsusbhub deleted successfully!

File system32\drivers\tsusbhub.sys not found.

Service Synth3dVsc stopped successfully!

Service Synth3dVsc deleted successfully!

File System32\drivers\synth3dvsc.sys not found.

Service NRKCTL32 stopped successfully!

Service NRKCTL32 deleted successfully!

File E:\PROGRAMY\WCPUID\NRKCTL32.SYS not found.

Service mcdbus stopped successfully!

Service mcdbus deleted successfully!

File system32\DRIVERS\mcdbus.sys not found.

Service Lbd stopped successfully!

Service Lbd deleted successfully!

File system32\DRIVERS\Lbd.sys not found.

Service esgiguard stopped successfully!

Service esgiguard deleted successfully!

File C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys not found.

Service EagleXNt stopped successfully!

Service EagleXNt deleted successfully!

File C:\Windows\system32\drivers\EagleXNt.sys not found.

Service EagleNT stopped successfully!

Service EagleNT deleted successfully!

File C:\Windows\system32\drivers\EagleNT.sys not found.

Error: No service named awlcyaoc was found to stop!

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\awlcyaoc deleted successfully.

File C:\Users\PAAP\AppData\Local\Temp\awlcyaoc.sys not found.

Registry value HKEY_USERS\S-1-5-21-559355895-4025309670-3908966105-1001\Software\Microsoft\Windows\CurrentVersion\Run\ deleted successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\DC folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\C6 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\9D folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\6D folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\63 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\4F folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\44 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\3C folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\37 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\33 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\31 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\16 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine\13 folder moved successfully.

C:\Users\PAAP\Doctor Web\CureIt Quarantine folder moved successfully.

C:\Users\PAAP\Doctor Web folder moved successfully.

C:\Users\PAAP\AppData\Roaming\ArcaVirMicroScan folder moved successfully.

C:\Program Files\Enigma Software Group\SpyHunter\Log folder moved successfully.

C:\Program Files\Enigma Software Group\SpyHunter folder moved successfully.

C:\Program Files\Enigma Software Group folder moved successfully.

ADS C:\Windows:A7D4876C1374441B deleted successfully.

========== FILES ==========

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0 folder moved successfully.

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater folder moved successfully.

C:\Program Files\Common Files\AVG Secure Search folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: PAAP

->Temp folder emptied: 580259415 bytes

->Temporary Internet Files folder emptied: 9800820 bytes

->Java cache emptied: 245852 bytes

->Google Chrome cache emptied: 151982551 bytes

->Opera cache emptied: 28363942 bytes

->Flash cache emptied: 64460 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 1500405 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 234097007 bytes

%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 410497 bytes

RecycleBin emptied: 5073289577 bytes

Total Files Cleaned = 5 798,00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 05062013_233904

Files\Folders moved on Reboot…

PendingFileRenameOperations files…

Registry entries deleted on Reboot…

Atis · 6 Maj 2013 21:57

Naucz się czytać i przestań zaśmiecać forum.

masgre · 6 Maj 2013 22:09

Przepraszam za smietnik;/

Logi

OTL- http://www.wklejto.pl/159567

Extras- http://www.wklejto.pl/159568

Atis · 6 Maj 2013 22:32

Uruchom OTL i kliknij Sprzątanie.

Usuń stare punkty przywracania:

Aby usunąć wszystkie punkty przywracania

Uruchom SecurityCheck i aktualizuj programy oznaczone jako Out of date

masgre · 7 Maj 2013 15:21

Punkty przywracania usunięte, tylko SecurityCheck nie startuje.

Pierwsza linijka:W magazynie brak miejsca dla wykonania tego polecenia

Ostatnia:Nazwa DNS nie istnieje

Atis · 7 Maj 2013 15:26

Pewnie Comodo blokuje SecurityCheck .

Odinstaluj:

Java 6 Update 18

Java 6 Update 37

Java 6 Update 5

Adobe Reader X (10.1.0)

Zainstaluj:

Java 7 Update 21

Adobe Reader

masgre · 7 Maj 2013 15:53

Bardzo dziękuje za pomoc Atis

Pozdrawiam

– Dodane 07.05.2013 (Wt) 19:41 –

Nie wiem ale troche na wyrost sie ucieszyłem.

Zrobilem pełny skan COMODO ISP i czysto, ale potem pełny Ad-Aware i w trakcie skanu Ad-aware Comodo wywala robala i do kwarantanny - lokalizacja C:\Windows\TEMP\SBS_VE_AMBR_20130407185042.035_ 59638 nazwa zagrożenia: Suspicious@9nt3846astrv

I co dalej z tym robić?

Atis · 7 Maj 2013 20:08

Skoro masz COMODO Internet Security to w jakim celu zainstalowałeś drugi program ochronny?

SBS_VE_AMBR to są pliki tymczasowe tworzone przez Ad-Aware.

Odinstaluj Ad-Aware i wyczyść Temp.

Pobierz TFC - Temp File Cleaner Uruchom TFC i kliknij Start.