Jak w temacie… Wirusy wszelakie wyczyszczone Malwarebytes, natomiast
przeglądarki nie wpuszczają na stronę Facebooka.
Powyzej link do raportu skanowania przez OTL z następującymi własnymi opcjami:
%systemdrive%*.*
/md5start
agp440.sys
atapi.sys
beep.sys
cdrom.sys
ndis.sys
winlogon.exe
userinit.exe
/md5stop
Proszę o poradę - co dalej z tym fantem. W okolicy 180 linii raportu
jest coś o hostach i facebooku, niestety nie znajduję na komputerze
Folderu Sysnative w Windows. HELP.
Malwarebytes chyba nawet nie dotknął twojego “głównego” wirusa, a jest nim rootkit zeroaccess. Facebookiem zajmiemy się później zresztą Combofix i tak usunie znaczną cześć i tej infekcji.
Proszę pobrać na pulpit Combofixa instrukcja http://www.fixitpc.pl/topic/7-dezynfekc … -combofix/ kopiujesz plik na pulpit Klikasz na ikonce prawym przyciskiem myszy Z menu wybierasz Uruchom jako administrator Jak się uda i narzędzie skończy pracę pokaż raport na forum
Facebook już działa, pliki usunięte, więc chyba już nie muszę wklejać raportu ? 
klaudiaz7 To że działa Facebook o niczym nie świadczy Wystarczy zresetować hosts i będzie działał a reszta infekcji zostanie. Skoro wiesz że Combofix usunął wszystko zrekonstruował naruszony przez rootkita łańcuch winsock to Ok Skoro wiesz że należy pozmieniać hasła itp to nie musisz podawać żadnych raportów.
ComboFix 11-11-04.04 - user 2011-11-04 21:46:41.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.48.1045.18.2815.1830 [GMT 1:00]
Uruchomiony z: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\av_ico
c:\windows\av_ico\ico_avast_desktop.ico
c:\windows\av_ico\ico_avast_start.ico
c:\windows\btc_client_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\geoiplist
c:\windows\iecheck_iplist.txt
c:\windows\info1
c:\windows\iplist.txt
c:\windows\IsUn0415.exe
c:\windows\loader2.exe_ok
c:\windows\phoenix
c:\windows\phoenix\kernels\phatk__init__.py
c:\windows\phoenix\kernels\phatk__init__.pyc
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\BFIPatcher.pyc
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm__init__.py
c:\windows\phoenix\kernels\poclbm__init__.pyc
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\BFIPatcher.pyc
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\proc_list1.log
c:\windows\system32\consrv.dll
c:\windows\system32\drivers\etc\HSTS~1
c:\windows\update.1
c:\windows\update.2
c:\windows\update.5.0
c:\windows\winlog-dirs.txt
c:\windows\winlog-ids.txt
c:\windows\winsetupapi.log
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-10-04 do 2011-11-04 )))))))))))))))))))))))))))))))
.
.
2011-11-04 20:57 . 2011-11-04 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-03 18:36 . 2011-11-03 18:36 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2011-11-03 18:36 . 2011-11-03 18:36 -------- d-----w- c:\programdata\Malwarebytes
2011-11-03 18:36 . 2011-11-03 18:36 -------- d-----w- c:\program files (x86)\Malwarebytes’ Anti-Malware
2011-11-03 18:36 . 2011-08-31 16:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-03 17:03 . 2011-11-03 17:03 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-03 15:37 . 2011-11-03 15:37 -------- d-----w- c:\users\Default\AppData\Local\Power2Go
2011-11-03 15:30 . 2011-11-03 15:30 -------- d-----w- c:\users\user\AppData\Roaming\U3
2011-11-03 15:21 . 2011-11-03 15:21 -------- d-----w- c:\program files\CCleaner
2011-11-03 15:18 . 2011-11-03 15:18 -------- d-----w- c:\windows\Sun
2011-11-03 15:02 . 2011-11-03 18:44 -------- d–h--w- c:\windows\update.tray-7-0
2011-11-03 15:02 . 2011-11-03 15:02 -------- d–h--w- c:\windows\update.tray-7-0-lnk
2011-11-03 15:00 . 2011-09-06 21:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-03 15:00 . 2011-09-06 21:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-03 15:00 . 2011-09-06 21:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-03 15:00 . 2011-09-06 21:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-03 15:00 . 2011-09-06 21:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-03 15:00 . 2011-09-06 21:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-03 15:00 . 2011-09-06 21:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-03 14:58 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-03 14:58 . 2011-09-06 21:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-11-03 14:58 . 2011-11-03 14:58 -------- d-----w- c:\program files\AVAST Software
2011-11-01 18:49 . 2011-11-01 18:49 -------- d-----w- c:\users\user\AppData\Local\AMD
2011-11-01 18:28 . 2011-11-03 16:32 -------- d-----w- c:\programdata\AMD
2011-11-01 18:28 . 2010-02-18 08:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
2011-11-01 18:26 . 2011-11-01 18:26 -------- d-----w- c:\users\Default\AppData\Roaming\ATI
2011-11-01 18:26 . 2011-11-01 18:26 -------- d-----w- c:\users\Default\AppData\Local\ATI
2011-11-01 18:16 . 2011-11-01 18:16 -------- d-----w- C:\ATI
2011-11-01 18:05 . 2011-11-01 18:05 -------- d-----w- c:\windows\ufa
2011-11-01 18:01 . 2011-11-01 18:01 -------- d-sh–w- c:\windows\system32%APPDATA%
2011-11-01 18:00 . 2011-11-01 18:00 -------- d-----w- c:\windows\system32\Macromed
2011-10-24 16:22 . 2011-10-24 16:22 -------- d–h--r- c:\users\user\AppData\Roaming\SecuROM
2011-10-24 16:08 . 2011-10-24 16:08 -------- d-----w- c:\program files (x86)\Electronic Arts
2011-10-24 16:05 . 2011-10-24 16:05 270912 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-10-24 16:05 . 2011-10-24 16:05 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2011-10-24 16:05 . 2011-10-24 16:07 -------- d-----w- c:\users\user\AppData\Roaming\DAEMON Tools Lite
2011-10-24 16:04 . 2011-10-24 16:07 -------- d-----w- c:\programdata\DAEMON Tools Lite
2011-10-24 16:02 . 2011-10-24 16:02 -------- d-----w- c:\users\user\AppData\Roaming\CyberLink
2011-10-24 16:02 . 2011-10-24 16:02 -------- d-----w- c:\users\Public\CyberLink
2011-10-23 17:11 . 2011-10-23 17:12 -------- d-----w- c:\users\user\AppData\Local\Microsoft Games
2011-10-22 16:38 . 2011-10-22 16:38 -------- d-----w- c:\users\user\AppData\Roaming\Microsoft Games
2011-10-22 16:38 . 2011-10-22 16:38 -------- d-----w- c:\programdata\Microsoft Games
2011-10-20 16:31 . 2011-10-20 16:31 -------- d-----w- c:\program files (x86)\Gimnazjum klasa 1 - Gra muzyka!
2011-10-14 19:48 . 2011-10-14 19:48 -------- d-----w- c:\users\user\AppData\Local\Conduit
2011-10-14 19:48 . 2011-10-14 19:48 -------- d-----w- c:\program files (x86)\uTorrent
2011-10-14 19:35 . 2011-10-29 16:27 -------- d-----w- c:\users\user\AppData\Roaming\uTorrent
2011-10-14 19:35 . 2011-10-14 19:35 -------- d-----w- c:\users\user\AppData\Local\uTorrent
2011-10-12 15:50 . 2011-11-04 14:31 -------- d-----w- c:\users\user\AppData\Local\Adobe
2011-10-12 13:24 . 2011-09-06 03:03 3138048 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 13:24 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 13:24 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 13:24 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-10-12 13:24 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-10-12 13:24 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 13:24 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 13:24 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-10-12 13:24 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-10-11 18:29 . 2011-10-11 18:29 -------- d-----w- c:\program files (x86)\Conduit
2011-10-11 18:29 . 2011-11-03 16:32 -------- d-----w- c:\program files (x86)\BS_Player
2011-10-11 18:29 . 2011-10-11 18:47 -------- d-----w- c:\users\user\AppData\Roaming\BSplayer
2011-10-11 18:29 . 2011-10-11 18:29 -------- d-----w- c:\users\user\AppData\Roaming\BSplayer Pro
2011-10-11 18:29 . 2011-10-11 18:29 -------- d-----w- c:\program files (x86)\Webteh
2011-10-07 18:12 . 2011-10-07 18:17 -------- d-----w- c:\users\user\AppData\Local\WMTools Downloaded Files
2011-10-07 18:03 . 2011-10-07 18:03 -------- d-----w- c:\program files (x86)\Movie Maker 2.6
2011-10-07 18:00 . 2011-10-07 18:00 -------- d-----w- c:\users\user\AppData\Local\Mozilla
2011-10-07 17:56 . 2011-10-07 17:56 -------- d-----w- c:\program files (x86)\YouTube Downloader
2011-10-07 17:50 . 2011-10-07 17:50 -------- d-----w- c:\users\user\AppData\Roaming\AnvSoft
2011-10-07 17:50 . 2011-10-07 17:50 -------- d-----w- c:\program files (x86)\AnvSoft
2011-10-07 17:40 . 2011-10-07 17:40 -------- d-----w- c:\program files\Any Video Converter
2011-10-07 16:13 . 2011-10-07 16:15 -------- d-----w- c:\users\user\AppData\Local\Google
2011-10-07 14:55 . 2011-10-07 14:55 -------- d-----w- c:\users\user\AppData\Local\Diagnostics
2011-10-07 12:25 . 2011-10-07 12:25 -------- d-----w- c:\program files (x86)\Microsoft Works
2011-10-07 12:23 . 2011-10-07 12:23 -------- d-----w- c:\windows\PCHEALTH
2011-10-07 12:23 . 2011-10-07 12:23 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-10-07 12:20 . 2011-10-07 12:20 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2011-10-07 12:19 . 2011-10-07 12:19 -------- d-----w- c:\users\user\AppData\Local\Microsoft Help
2011-10-07 12:18 . 2011-10-07 12:18 -------- d-----r- C:\MSOCache
2011-10-06 15:41 . 2011-10-06 15:41 -------- d-----w- c:\users\user\AppData\Local\Seven Zip
2011-10-06 15:05 . 2011-10-07 18:23 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-10-06 14:54 . 2011-10-06 14:54 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-10-06 13:12 . 2011-10-06 13:12 -------- d-----w- c:\users\user\AppData\Local\GHISLER
2011-10-06 13:05 . 2011-10-07 18:25 -------- d-----w- c:\programdata\Norton
2011-10-06 13:04 . 2011-10-06 13:04 -------- d-----w- c:\users\user\AppData\Roaming\OpenOffice.org
2011-10-06 13:03 . 2011-10-06 13:03 -------- d-----w- c:\program files (x86)\JRE
2011-10-06 13:03 . 2011-10-06 13:03 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2011-10-06 12:59 . 2011-05-04 02:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-06 12:59 . 2011-10-06 14:50 -------- d-----w- c:\program files (x86)\Java
2011-10-06 12:57 . 2011-10-06 13:11 -------- d-----w- C:\totalcmd
2011-10-06 12:57 . 2011-10-06 12:57 -------- d-----w- c:\users\user\AppData\Roaming\GHISLER
2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\UC.PIF
2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\RAR.PIF
2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\NOCLOSE.PIF
2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\LHA.PIF
2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\ARJ.PIF
2011-10-06 12:55 . 2011-10-06 12:55 -------- d-----w- c:\program files (x86)\DivX
2011-10-06 12:55 . 2011-10-06 12:55 -------- d-----w- c:\program files (x86)\Common Files\DivX Shared
2011-10-06 12:53 . 2008-06-30 14:47 421888 ----a-w- c:\windows\system32\ac3filter.acm
2011-10-06 12:53 . 2011-10-06 12:53 -------- d-----w- c:\program files (x86)\AC3Filter
2011-10-06 12:48 . 2011-10-06 12:48 -------- d-----w- c:\programdata\ASUS
2011-10-06 12:48 . 2011-10-06 12:48 -------- d-----w- c:\users\user\AppData\Local\ASUS
2011-10-06 11:13 . 2011-10-06 11:13 -------- d-----w- c:\windows\SysWow64\Wat
2011-10-06 11:13 . 2011-10-06 11:13 -------- d-----w- c:\windows\system32\Wat
2011-10-06 09:59 . 2011-10-06 09:59 66048 ----a-w- c:\program files\Internet Explorer\JSProfilerCore.dll
2011-10-06 09:59 . 2011-10-06 09:59 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-10-06 09:59 . 2011-10-06 09:59 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-10-06 09:59 . 2011-10-06 09:59 160256 ----a-w- c:\windows\system32\wextract.exe
2011-10-06 09:36 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-10-06 09:36 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-10-06 09:34 . 2011-07-16 05:21 6144 —ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-10-06 09:31 . 2010-12-23 10:42 961024 ----a-w- c:\windows\system32\CPFilters.dll
2011-10-06 09:31 . 2010-12-23 10:42 723968 ----a-w- c:\windows\system32\EncDec.dll
2011-10-06 09:31 . 2010-12-23 10:42 1118720 ----a-w- c:\windows\system32\sbe.dll
2011-10-06 09:31 . 2010-12-23 10:36 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2011-10-06 09:31 . 2010-12-23 05:54 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2011-10-06 09:31 . 2010-12-23 05:54 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2011-10-06 09:31 . 2010-12-23 05:54 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-10-06 09:31 . 2010-12-23 05:50 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2011-10-06 09:29 . 2011-04-25 02:34 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-06 09:29 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-10-06 09:29 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-10-06 09:27 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2011-10-06 09:22 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-10-06 09:21 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-10-06 09:21 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-06 09:21 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 14:24 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-10-05 14:24 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-10-05 09:07 . 2011-10-05 09:07 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-08-24 19:19 . 2011-08-24 19:19 56320 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2011-08-24 19:18 . 2011-08-24 19:18 13601280 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-08-24 19:17 . 2011-08-24 19:17 43520 ----a-w- c:\windows\SysWow64\OpenCL.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}”= “c:\program files (x86)\BS_Player\tbBS_P.dll” [2010-11-29 3908192]
“{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}”= “c:\program files (x86)\uTorrentBar\prxtbuTor.dll” [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
.
[HKEY_CLASSES_ROOT\clsid{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node~\Browser Helper Objects{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 13:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node~\Browser Helper Objects{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node~\Browser Helper Objects{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
2010-11-29 13:26 3908192 ----a-w- c:\program files (x86)\BS_Player\tbBS_P.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
“{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}”= “c:\program files (x86)\BS_Player\tbBS_P.dll” [2010-11-29 3908192]
“{30F9B915-B755-4826-820B-08FBA6BD249D}”= “c:\program files (x86)\ConduitEngine\ConduitEngine.dll” [2010-11-29 3908192]
“{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}”= “c:\program files (x86)\uTorrentBar\prxtbuTor.dll” [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
.
[HKEY_CLASSES_ROOT\clsid{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“DAEMON Tools Lite”=“c:\program files (x86)\DAEMON Tools Lite\DTLite.exe” [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
“UpdateLBPShortCut”=“c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe” [2009-05-20 222504]
“UpdateP2GoShortCut”=“c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe” [2008-12-04 218408]
“HControlUser”=“c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe” [2009-06-19 105016]
“ATKOSD2”=“c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe” [2009-08-17 6859392]
“ATKMEDIA”=“c:\program files (x86)\ASUS\ATK Media\DMedia.exe” [2009-08-20 170624]
“SunJavaUpdateSched”=“c:\program files (x86)\Common Files\Java\Java Update\jusched.exe” [2011-04-08 254696]
“Adobe ARM”=“c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe” [2009-09-04 935288]
“Adobe Reader Speed Launcher”=“c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2009-10-03 35696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“ConsentPromptBehaviorAdmin”= 5 (0x5)
“ConsentPromptBehaviorUser”= 3 (0x3)
“EnableLUA”= 0 (0x0)
“EnableSecureUIAPaths”= 0 (0x0)
“EnableUIADesktopToggle”= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:1045 /KBD:2 /wow /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“FirewallOverride”=dword:00000001
“DisableThumbnailCache”=dword:00000001
.
R3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
Zawartość folderu ‘Zaplanowane zadania’
.
2011-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1766158696-135371575-3506765333-1001Core.job
.
2011-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1766158696-135371575-3506765333-1001UA.job
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ETDWare”=“c:\program files\Elantech\ETDCtrl.exe” [2009-07-30 617856]
“AmIcoSinglun64”=“c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe” [2009-04-09 320000]
“combofix”=“c:\combofix\CF25908.3XE” [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“LoadAppInit_DLLs”=0x0
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.conduit.com?SearchSource= … =CT1750559
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.76.34.49 192.168.0.1
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\931mrjc0.default\
.
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-tray_ico - (no file)
Wow6432Node-HKLM-Run-tray_ico1 - (no file)
Wow6432Node-HKLM-Run-tray_ico2 - (no file)
Wow6432Node-HKLM-Run-tray_ico3 - (no file)
Wow6432Node-HKLM-Run-tray_ico4 - (no file)
Wow6432Node-HKLM-Run-avast - c:\program files\AVAST Software\Avast\avastUI.exe
Toolbar-Locked - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5} - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - c:\program files\AVAST Software\Avast\ashShA64.dll
AddRemove-ASUS_Screensaver - c:\windows\system32\ASUS_Screensaver.scr
AddRemove-Gimnazjum klasa 1 - Gra muzyka! - c:\windows\IsUn0415.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-1766158696-135371575-3506765333-1001\Software\SecuROM\License information*]
“datasecu”=hex:de,47,3e,64,52,42,48,6a,b0,b9,82,69,27,5f,96,3a,42,74,15,52,f7,
62,03,7a,58,ae,54,42,14,53,d6,09,73,20,34,71,93,84,37,ce,3c,c7,63,1e,35,f7,\
“rkeysecu”=hex:7d,f2,b8,21,27,07,80,f5,69,48,e4,91,79,a4,69,78
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@=“FlashBroker”
“LocalizedString”="@c:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
“Enabled”=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@=“c:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@=“Shockwave Flash Object”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@=“c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx”
“ThreadingModel”=“Apartment”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@=“0”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@=“ShockwaveFlash.ShockwaveFlash.10”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@=“c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx, 1”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@=“1.0”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@=“ShockwaveFlash.ShockwaveFlash”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@=“Macromedia Flash Factory Object”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@=“c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx”
“ThreadingModel”=“Apartment”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@=“FlashFactory.FlashFactory.1”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@=“c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx, 1”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@=“1.0”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@=“FlashFactory.FlashFactory”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@=“IFlashBroker4”
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
“Version”=“1.0”
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Czas ukończenia: 2011-11-04 22:18:04 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-11-04 21:17
.
Przed: 47 965 868 032 bajtów wolnych
Po: 47 442 145 280 bajtów wolnych
.
Pobierz ponownie OTL otl-gmer-rsit-dss-inne-instrukcje-t370405.html Uruchom
W okno Własne opcje skanowania / skrypt w OTL wklej:
Klikasz na Wykonaj skrypt. Zgadzasz się na restart komputera. Log z usuwania na forum
Następnie ponownie uruchamiasz OTL klikasz raz jeszcze Skanuj i dajesz nowy log na forum Czyli dwa logi jeden z usuwania drugi z nowego skanowania po usuwaniu.
Po co ściągnąć jeszcze raz OTL, jak go mam ?
Rootkit blokuje tego typu narzędzia i nie wiadomo czy będą działać prawidłowo. Jeśli OTL się uruchomi bez problemu nie musisz ściągać.
All processes killed
========== OTL ==========
========== FILES ==========
c:\windows\update.tray-7-0 folder moved successfully.
c:\windows\update.tray-7-0-lnk folder moved successfully.
c:\windows\ufa folder moved successfully.
File\Folder c:\windows\system32%APPDATA% not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: user
->Temp folder emptied: 13782 bytes
->Temporary Internet Files folder emptied: 11276397 bytes
->Java cache emptied: 6345 bytes
->FireFox cache emptied: 69225671 bytes
->Google Chrome cache emptied: 381908644 bytes
->Flash cache emptied: 16567 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3514 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 23390410 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 463.00 mb
OTL by OldTimer - Version 3.2.31.0 log created on 11052011_120912
Files\Folders moved on Reboot…
C:\Users\user\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
Registry entries deleted on Reboot…
Następnie ponownie uruchamiasz OTL klikasz raz jeszcze Skanuj i dajesz nowy log na forum Jak wszystko będzie OK przejdziemy do kroków końcowych
Loga wklej na www.wklej.org a w poście daj linka do wklejki Będzie łatwiej analizować raport
Odinstaluj Combofixa Start - w pole Wyszukaj pliki i foldery wpisz lub skopiuj
"c:\users\user\Desktop\ComboFix.exe" /uninstall i Enter
To jeszcze nie wszystko Musimy zrekonstruować winsock
W okno Własne opcje skanowania / skrypt w OTL wklej:
Klikasz na Wykonaj skrypt. Zgadzasz się na restart komputera. Log z usuwania na forum
Następnie ponownie uruchamiasz OTL klikasz raz jeszcze Skanuj i dajesz nowy log na forum Czyli dwa logi jeden z usuwania drugi z nowego skanowania po usuwaniu.
Najpierw wyczyścimy co zostało po Combofixie Rozumie, że podjęłaś/eś próbę jego deinstalacji
Usuń ręcznie przez Shift+Del poniższe pliki i katalogi
Winsock nadal trzeba naprawić
Pobierz SystemLook (SystemLook64) http://jpshortstuff.247fixes.com/SystemLook.html Wklej do niego
Klikasz Look pokaż log na forum Dalsze ewentualne wskazówki podam jutro
Raport jest prawidłowy
Start w polu wyszukaj pliki i foldery wpisujesz regedit.exe klikasz prawym przyciskiem myszy na program i z menu wybierasz uruchom jako administrator
Idziesz do klucza
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
Klikasz prawym przyciskiem myszy na Catalog_Entrie z menu wybierasz Exportuj Exportujesz do pliku .reg Zapisujesz plik wrzucasz na hosting np http://www.hostuje.net i podajesz tutaj linka do pliku
Tak samo Idziesz do klucza
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
Klikasz prawym przyciskiem myszy na Catalog_Entries64 z menu wybierasz Exportuj Exportujesz do pliku .reg Zapisujesz plik wrzucasz na hosting np http://www.hostuje.net i podajesz tutaj linka do pliku
Kopie tych plików proszę sobie zachować