Hello, I fell victim to the recently well-known "cybercrime" virus. I managed to get the system working again, but I still have leftovers from this virus. I scanned the system with OTL; the logs are below. Please help if you can.
http://www.wklej.org/id/891528/ - OTL
http://www.wklej.org/id/891531/ - Extras
Leon1
(Leon$)
8 December 2012 20:17
#2
Remove the ComboFix remnants with this: http://oldtimer.geekstogo.com/OTC.exe
In OTL, paste the following script into the Custom Scans/Fixes box (Polish UI: własne opcje skanowania/skrypt):
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000.10011&barid={BB5DC17D-E6DE-11E1-AAA6-00134648D00E}
IE - HKLM…\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM…\SearchScopes{3476EC0F-C0C6-4D0A-B8D8-D1AE857C15BA}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=d2 … 648d00e&q={searchTerms}
IE - HKLM…\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?sr … t=1&barid={BB5DC17D-E6DE-11E1-AAA6-00134648D00E}&q={searchTerms}&barid={BB5DC17D-E6DE-11E1-AAA6-00134648D00E}
IE - HKLM…\SearchScopes{F4F4E361-C446-4E1E-852D-9B0DBBD36CD2}: "URL" = http://startsear.ch/?aff=1&q={searchTerms}
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - No CLSID value found
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\SearchScopes{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = http://vshare.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\SearchScopes{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?clien … src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=PV&apn_dtid=YYYYYYYYPL&apn_uid=31BED4E2-D4FC-43CB-946A-7836A047379D&apn_sauid=A5100C94-1157-482C-AD44-6BCA555959BF
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\SearchScopes{3476EC0F-C0C6-4D0A-B8D8-D1AE857C15BA}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=d2 … 648d00e&q={searchTerms}
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\SearchScopes{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?sr … t=1&barid={BB5DC17D-E6DE-11E1-AAA6-00134648D00E}&q={searchTerms}&barid={BB5DC17D-E6DE-11E1-AAA6-00134648D00E}
IE - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\SearchScopes{F4F4E361-C446-4E1E-852D-9B0DBBD36CD2}: "URL" = http://startsear.ch/?aff=1&q={searchTerms}
FF - prefs.js…browser.search.defaultengine: "Web Search"
FF - prefs.js…browser.search.defaultthis.engineName: "Freecorder Customized Web Search"
FF - prefs.js…browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms} "
FF - prefs.js…browser.search.order.1: "Ask.com "
FF - prefs.js…extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js…keyword.URL: "http://search.sweetim.com/search.asp?src=2&crg=3.1010000.10011&q= "
[2011-04-30 19:54:41 | 000,002,568 | ---- | M] () -- C:\Documents and Settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\niftxmgx.default\searchplugins\askcom.xml
[2012-04-17 17:21:32 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\niftxmgx.default\searchplugins\conduit.xml
[2011-07-11 19:04:02 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\niftxmgx.default\searchplugins\startsear.xml
[2012-08-15 19:13:14 | 000,004,030 | ---- | M] () -- C:\Documents and Settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\niftxmgx.default\searchplugins\sweetim.xml
[2011-02-15 20:52:25 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\niftxmgx.default\searchplugins\web-search.xml
O3 - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-823518204-1614895754-682003330-1003…\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O4 - HKU.DEFAULT…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
O4 - HKU\S-1-5-18…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 File not found
[2012-12-06 21:00:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012-12-06 21:00:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012-12-06 21:00:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012-12-06 21:00:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012-12-06 20:32:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012-12-06 20:26:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012-12-08 20:26:20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\xxx\Pulpit\OTL.exe
[2012-12-08 20:24:00 | 000,001,030 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012-12-08 15:27:30 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-823518204-1614895754-682003330-1003.job
[2012-12-08 15:27:30 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-823518204-1614895754-682003330-1003.job
[2012-12-08 14:48:10 | 000,001,026 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012-12-05 22:19:25 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\xxx\Menu Start\Programy\Autostart\runctf.lnk
[2012-12-06 21:00:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012-12-06 21:00:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012-12-06 21:00:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012-12-06 21:00:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012-12-06 21:00:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012-08-15 19:12:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\SweetIM
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[emptytemp]
Click Run Fix (Wykonaj skrypt). Confirm the computer restart.
Post the log from the removal.
Then a new OTL log made with the Run Scan (Skanuj) option.
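An added example, not part of the thread above and not OTL's own code: a small Python triage script that does by hand what the helper did by eye when assembling that fix. It parses OTL-style "IE - ...SearchScopes" and "FF - prefs.js.." lines, flags every search URL whose domain belongs to one of the toolbar/search bundlers seen in the log (sweetim.com, conduit.com, startsear.ch, ask.com, toolbarhome.com), and assembles the matching :OTL fix lines followed by :Commands [emptytemp]. The sample log lines, the two domain lists and the "last two labels" domain collapsing are assumptions made for the example; the sample uses OTL's `..` shorthand for the omitted registry path where the post above shows `…`.

```python
"""Triage OTL log lines for browser search hijackers and build an OTL fix script.

Added example. The sample log, the domain lists and the domain collapsing
rule below are assumptions for illustration, not data from the original post.
"""
import re
from urllib.parse import urlparse

# Search bundler domains seen in the thread's log (assumption: treat as hijackers).
HIJACKER_DOMAINS = {"sweetim.com", "conduit.com", "startsear.ch", "ask.com",
                    "toolbarhome.com"}
# Engines a user would normally expect (assumption for the example).
ALLOWED_DOMAINS = {"google.com", "bing.com", "duckduckgo.com"}

# IE - HKLM\..\SearchScopes\{GUID}: "URL" = http://...
SEARCH_SCOPE_RE = re.compile(r'^(IE - .*?SearchScopes.*?): "URL" = (\S+)')
# FF - prefs.js..browser.search.defaulturl: "http://..."
FF_PREF_RE = re.compile(r'^(FF - prefs\.js\.\.[\w.]+): "([^"]*)"')
URL_RE = re.compile(r'https?://\S+')

# Constructed sample in OTL log style (not a real log).
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?q={searchTerms}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&ctid=CT1060933
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&q={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.sweetim.com/search.asp?src=2&q="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Google"
O4 - HKLM..\Run: [Foo] C:\Program Files\Foo\foo.exe (Foo Corp)
"""


def domain_of(url):
    """Collapse a URL's host to its last two labels (assumption: no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(line):
    """Return (category, key, url) for a search-URL-bearing line, else None.

    category is "hijacker", "known-good" or "unknown". Name-only prefs such as
    browser.search.order.1 carry no URL and are deliberately not classified.
    """
    m = SEARCH_SCOPE_RE.match(line)
    if m:
        key, url = m.group(1), m.group(2)
    else:
        m = FF_PREF_RE.match(line)
        if not m:
            return None
        key = m.group(1)
        u = URL_RE.search(m.group(2))
        if not u:
            return None
        url = u.group(0)
    dom = domain_of(url)
    if dom in HIJACKER_DOMAINS:
        return ("hijacker", key, url)
    if dom in ALLOWED_DOMAINS:
        return ("known-good", key, url)
    return ("unknown", key, url)


def triage(log_text):
    """Classify every URL-bearing search line in an OTL log."""
    results = []
    for raw in log_text.splitlines():
        c = classify(raw.strip())
        if c:
            results.append(c)
    return results


def build_fix(log_text):
    """Build an OTL fix script (list of lines) for the hijacker lines only.

    OTL removes the registry value or pref when the log line is pasted verbatim
    under the :OTL header, so the fix reuses the original lines unchanged.
    """
    fix = [":OTL"]
    for raw in log_text.splitlines():
        c = classify(raw.strip())
        if c and c[0] == "hijacker":
            fix.append(raw.strip())
    fix += [":Commands", "[emptytemp]"]
    return fix


if __name__ == "__main__":
    for cat, key, url in triage(SAMPLE_LOG):
        print(f"{cat:10s} {domain_of(url):18s} {key}")
    print("\n".join(build_fix(SAMPLE_LOG)))
```

Lines that only name an engine ("Ask.com", "Web Search", the searchplugins\*.xml files, the O3 toolbar CLSIDs) carry no URL, so the script leaves them for the analyst; in the thread above the helper removed those by hand, which is why the real fix is longer than what this generates. Anything classified "unknown" is a prompt to look up the domain, not a verdict.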
Leon1
(Leon$)
9 December 2012 15:36
#4
The log looks clean.
Download CCleaner http://www.filehippo.com/download_ccleaner/
scan with it and clean the registry.
In OTL click CleanUp (Sprzątanie).
Scan with Dr.WEB CureIt! http://www.dobreprogramy.pl/DrWEB-CureI … 12976.html