Cannot get onto the FB page after removing the virus

As in the subject… Viruses of all kinds cleaned with Malwarebytes, but the browsers won't let me onto the Facebook page.

http://wklej.org/id/620417/

Above is the link to the OTL scan report, run with the following custom options:

%systemdrive%\*.*

/md5start

agp440.sys

atapi.sys

beep.sys

cdrom.sys

ndis.sys

winlogon.exe

userinit.exe

/md5stop

Please advise: what to do next with this. Around line 180 of the report there is something about hosts and Facebook, but unfortunately I cannot find a Sysnative folder in Windows on the computer. HELP.

Malwarebytes probably didn't even touch your "main" virus, which is the ZeroAccess rootkit. We'll deal with Facebook later; besides, Combofix will remove a significant part of this infection anyway.

Please download Combofix to the desktop (instructions: http://www.fixitpc.pl/topic/7-dezynfekc … -combofix/). Copy the file to the desktop. Right-click the icon and choose Run as administrator from the menu. If it succeeds and the tool finishes its work, post the report on the forum.

Facebook already works and the files are deleted, so I guess I don't need to paste the report? :slight_smile:

klaudiaz7, the fact that Facebook works proves nothing. It's enough to reset the hosts file and it will work, while the rest of the infection remains. If you know that Combofix removed everything and rebuilt the winsock chain the rootkit tampered with, then OK. If you know that passwords etc. need to be changed, then you don't have to post any reports.
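The point above is that a hosts-file entry alone is enough to keep a browser off Facebook, and clearing it says nothing about the rest of the infection. As an added example (not from this thread or from any of the tools it mentions), the Python below audits a hosts file the way one would check the file at %SystemRoot%\System32\drivers\etc\hosts: it lists every active mapping that a stock Windows file would not carry and says whether the name is blackholed (loopback or 0.0.0.0) or redirected to some other address. The sample file, the three mapped names and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread): the comment header
# of a stock Windows hosts file, followed by mappings of the kind a hijacked
# file contains. Windows keeps the real file at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1   www.facebook.com facebook.com   # blackholed: the browser gets a connection error
0.0.0.0     login.facebook.com
192.0.2.10  www.google.com                  # redirected to a third-party address
127.0.0.1   localhost
"""

# Names a stock file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every active mapping in a hosts file.

    Comments (everything after '#') and blank lines are ignored; one line may map
    several hostnames to the same address, and each is yielded separately.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is not a usable mapping
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: the resolver ignores it, so do we
        for name in fields[1:]:
            yield addr, name.lower(), line_no


def audit_hosts(text):
    """Return every mapping that a clean Windows hosts file would not contain.

    A stock file carries only comments (localhost is resolved by the stack itself),
    so any active entry for a public site is worth a look: loopback or 0.0.0.0
    blackholes the site, any other address silently redirects it.
    """
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES and addr.is_loopback:
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blackholed (resolves to %s)" % addr
        else:
            reason = "redirected to %s" % addr
        findings.append({"line": line_no, "host": name, "ip": str(addr), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s -> %(reason)s" % f)
```

Run it against the real file by reading that path instead of SAMPLE_HOSTS; an empty result is what a freshly reset hosts file should give, and a non-empty one is the finding to report back, not a reason to stop looking for the rest of the infection.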

ComboFix 11-11-04.04 - user 2011-11-04 21:46:41.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1250.48.1045.18.2815.1830 [GMT 1:00]

Uruchomiony z: c:\users\user\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\windows\assembly\tmp\U

c:\windows\assembly\tmp\U\000000c0.@

c:\windows\assembly\tmp\U\000000cb.@

c:\windows\assembly\tmp\U\000000cf.@

c:\windows\assembly\tmp\U\80000000.@

c:\windows\assembly\tmp\U\800000c0.@

c:\windows\assembly\tmp\U\800000cb.@

c:\windows\assembly\tmp\U\800000cf.@

c:\windows\av_ico

c:\windows\av_ico\ico_avast_desktop.ico

c:\windows\av_ico\ico_avast_start.ico

c:\windows\btc_client_iplist.txt

c:\windows\front_ip_list.txt

c:\windows\geoiplist

c:\windows\iecheck_iplist.txt

c:\windows\info1

c:\windows\iplist.txt

c:\windows\IsUn0415.exe

c:\windows\loader2.exe_ok

c:\windows\phoenix

c:\windows\phoenix\kernels\phatk\__init__.py

c:\windows\phoenix\kernels\phatk\__init__.pyc

c:\windows\phoenix\kernels\phatk\BFIPatcher.py

c:\windows\phoenix\kernels\phatk\BFIPatcher.pyc

c:\windows\phoenix\kernels\phatk\kernel.cl

c:\windows\phoenix\kernels\poclbm\__init__.py

c:\windows\phoenix\kernels\poclbm\__init__.pyc

c:\windows\phoenix\kernels\poclbm\BFIPatcher.py

c:\windows\phoenix\kernels\poclbm\BFIPatcher.pyc

c:\windows\phoenix\kernels\poclbm\kernel.cl

c:\windows\phoenix\phoenix.exe

c:\windows\pkunzip.pif

c:\windows\pkzip.pif

c:\windows\proc_list1.log

c:\windows\system32\consrv.dll

c:\windows\system32\drivers\etc\HSTS~1

c:\windows\update.1

c:\windows\update.2

c:\windows\update.5.0

c:\windows\winlog-dirs.txt

c:\windows\winlog-ids.txt

c:\windows\winsetupapi.log

.

.

((((((((((((((((((((((((( Pliki utworzone od 2011-10-04 do 2011-11-04 )))))))))))))))))))))))))))))))

.

.

2011-11-04 20:57 . 2011-11-04 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-03 18:36 . 2011-11-03 18:36 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes

2011-11-03 18:36 . 2011-11-03 18:36 -------- d-----w- c:\programdata\Malwarebytes

2011-11-03 18:36 . 2011-11-03 18:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-11-03 18:36 . 2011-08-31 16:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-03 17:03 . 2011-11-03 17:03 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-03 15:37 . 2011-11-03 15:37 -------- d-----w- c:\users\Default\AppData\Local\Power2Go

2011-11-03 15:30 . 2011-11-03 15:30 -------- d-----w- c:\users\user\AppData\Roaming\U3

2011-11-03 15:21 . 2011-11-03 15:21 -------- d-----w- c:\program files\CCleaner

2011-11-03 15:18 . 2011-11-03 15:18 -------- d-----w- c:\windows\Sun

2011-11-03 15:02 . 2011-11-03 18:44 -------- d--h--w- c:\windows\update.tray-7-0

2011-11-03 15:02 . 2011-11-03 15:02 -------- d--h--w- c:\windows\update.tray-7-0-lnk

2011-11-03 15:00 . 2011-09-06 21:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-11-03 15:00 . 2011-09-06 21:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-11-03 15:00 . 2011-09-06 21:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-11-03 15:00 . 2011-09-06 21:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-11-03 15:00 . 2011-09-06 21:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-11-03 15:00 . 2011-09-06 21:45 254400 ----a-w- c:\windows\system32\aswBoot.exe

2011-11-03 15:00 . 2011-09-06 21:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-11-03 14:58 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr

2011-11-03 14:58 . 2011-09-06 21:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe

2011-11-03 14:58 . 2011-11-03 14:58 -------- d-----w- c:\program files\AVAST Software

2011-11-01 18:49 . 2011-11-01 18:49 -------- d-----w- c:\users\user\AppData\Local\AMD

2011-11-01 18:28 . 2011-11-03 16:32 -------- d-----w- c:\programdata\AMD

2011-11-01 18:28 . 2010-02-18 08:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys

2011-11-01 18:26 . 2011-11-01 18:26 -------- d-----w- c:\users\Default\AppData\Roaming\ATI

2011-11-01 18:26 . 2011-11-01 18:26 -------- d-----w- c:\users\Default\AppData\Local\ATI

2011-11-01 18:16 . 2011-11-01 18:16 -------- d-----w- C:\ATI

2011-11-01 18:05 . 2011-11-01 18:05 -------- d-----w- c:\windows\ufa

2011-11-01 18:01 . 2011-11-01 18:01 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-11-01 18:00 . 2011-11-01 18:00 -------- d-----w- c:\windows\system32\Macromed

2011-10-24 16:22 . 2011-10-24 16:22 -------- d--h--r- c:\users\user\AppData\Roaming\SecuROM

2011-10-24 16:08 . 2011-10-24 16:08 -------- d-----w- c:\program files (x86)\Electronic Arts

2011-10-24 16:05 . 2011-10-24 16:05 270912 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-10-24 16:05 . 2011-10-24 16:05 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite

2011-10-24 16:05 . 2011-10-24 16:07 -------- d-----w- c:\users\user\AppData\Roaming\DAEMON Tools Lite

2011-10-24 16:04 . 2011-10-24 16:07 -------- d-----w- c:\programdata\DAEMON Tools Lite

2011-10-24 16:02 . 2011-10-24 16:02 -------- d-----w- c:\users\user\AppData\Roaming\CyberLink

2011-10-24 16:02 . 2011-10-24 16:02 -------- d-----w- c:\users\Public\CyberLink

2011-10-23 17:11 . 2011-10-23 17:12 -------- d-----w- c:\users\user\AppData\Local\Microsoft Games

2011-10-22 16:38 . 2011-10-22 16:38 -------- d-----w- c:\users\user\AppData\Roaming\Microsoft Games

2011-10-22 16:38 . 2011-10-22 16:38 -------- d-----w- c:\programdata\Microsoft Games

2011-10-20 16:31 . 2011-10-20 16:31 -------- d-----w- c:\program files (x86)\Gimnazjum klasa 1 - Gra muzyka!

2011-10-14 19:48 . 2011-10-14 19:48 -------- d-----w- c:\users\user\AppData\Local\Conduit

2011-10-14 19:48 . 2011-10-14 19:48 -------- d-----w- c:\program files (x86)\uTorrent

2011-10-14 19:35 . 2011-10-29 16:27 -------- d-----w- c:\users\user\AppData\Roaming\uTorrent

2011-10-14 19:35 . 2011-10-14 19:35 -------- d-----w- c:\users\user\AppData\Local\uTorrent

2011-10-12 15:50 . 2011-11-04 14:31 -------- d-----w- c:\users\user\AppData\Local\Adobe

2011-10-12 13:24 . 2011-09-06 03:03 3138048 ----a-w- c:\windows\system32\win32k.sys

2011-10-12 13:24 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll

2011-10-12 13:24 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax

2011-10-12 13:24 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll

2011-10-12 13:24 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax

2011-10-12 13:24 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll

2011-10-12 13:24 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll

2011-10-12 13:24 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-10-12 13:24 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll

2011-10-11 18:29 . 2011-10-11 18:29 -------- d-----w- c:\program files (x86)\Conduit

2011-10-11 18:29 . 2011-11-03 16:32 -------- d-----w- c:\program files (x86)\BS_Player

2011-10-11 18:29 . 2011-10-11 18:47 -------- d-----w- c:\users\user\AppData\Roaming\BSplayer

2011-10-11 18:29 . 2011-10-11 18:29 -------- d-----w- c:\users\user\AppData\Roaming\BSplayer Pro

2011-10-11 18:29 . 2011-10-11 18:29 -------- d-----w- c:\program files (x86)\Webteh

2011-10-07 18:12 . 2011-10-07 18:17 -------- d-----w- c:\users\user\AppData\Local\WMTools Downloaded Files

2011-10-07 18:03 . 2011-10-07 18:03 -------- d-----w- c:\program files (x86)\Movie Maker 2.6

2011-10-07 18:00 . 2011-10-07 18:00 -------- d-----w- c:\users\user\AppData\Local\Mozilla

2011-10-07 17:56 . 2011-10-07 17:56 -------- d-----w- c:\program files (x86)\YouTube Downloader

2011-10-07 17:50 . 2011-10-07 17:50 -------- d-----w- c:\users\user\AppData\Roaming\AnvSoft

2011-10-07 17:50 . 2011-10-07 17:50 -------- d-----w- c:\program files (x86)\AnvSoft

2011-10-07 17:40 . 2011-10-07 17:40 -------- d-----w- c:\program files\Any Video Converter

2011-10-07 16:13 . 2011-10-07 16:15 -------- d-----w- c:\users\user\AppData\Local\Google

2011-10-07 14:55 . 2011-10-07 14:55 -------- d-----w- c:\users\user\AppData\Local\Diagnostics

2011-10-07 12:25 . 2011-10-07 12:25 -------- d-----w- c:\program files (x86)\Microsoft Works

2011-10-07 12:23 . 2011-10-07 12:23 -------- d-----w- c:\windows\PCHEALTH

2011-10-07 12:23 . 2011-10-07 12:23 -------- d-----w- c:\program files (x86)\Microsoft.NET

2011-10-07 12:20 . 2011-10-07 12:20 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8

2011-10-07 12:19 . 2011-10-07 12:19 -------- d-----w- c:\users\user\AppData\Local\Microsoft Help

2011-10-07 12:18 . 2011-10-07 12:18 -------- d-----r- C:\MSOCache

2011-10-06 15:41 . 2011-10-06 15:41 -------- d-----w- c:\users\user\AppData\Local\Seven Zip

2011-10-06 15:05 . 2011-10-07 18:23 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared

2011-10-06 14:54 . 2011-10-06 14:54 -------- d-----w- c:\program files (x86)\Common Files\Java

2011-10-06 13:12 . 2011-10-06 13:12 -------- d-----w- c:\users\user\AppData\Local\GHISLER

2011-10-06 13:05 . 2011-10-07 18:25 -------- d-----w- c:\programdata\Norton

2011-10-06 13:04 . 2011-10-06 13:04 -------- d-----w- c:\users\user\AppData\Roaming\OpenOffice.org

2011-10-06 13:03 . 2011-10-06 13:03 -------- d-----w- c:\program files (x86)\JRE

2011-10-06 13:03 . 2011-10-06 13:03 -------- d-----w- c:\program files (x86)\OpenOffice.org 3

2011-10-06 12:59 . 2011-05-04 02:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-10-06 12:59 . 2011-10-06 14:50 -------- d-----w- c:\program files (x86)\Java

2011-10-06 12:57 . 2011-10-06 13:11 -------- d-----w- C:\totalcmd

2011-10-06 12:57 . 2011-10-06 12:57 -------- d-----w- c:\users\user\AppData\Roaming\GHISLER

2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\UC.PIF

2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\RAR.PIF

2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\NOCLOSE.PIF

2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\LHA.PIF

2011-10-06 12:57 . 2006-07-26 04:55 545 ----a-w- c:\windows\ARJ.PIF

2011-10-06 12:55 . 2011-10-06 12:55 -------- d-----w- c:\program files (x86)\DivX

2011-10-06 12:55 . 2011-10-06 12:55 -------- d-----w- c:\program files (x86)\Common Files\DivX Shared

2011-10-06 12:53 . 2008-06-30 14:47 421888 ----a-w- c:\windows\system32\ac3filter.acm

2011-10-06 12:53 . 2011-10-06 12:53 -------- d-----w- c:\program files (x86)\AC3Filter

2011-10-06 12:48 . 2011-10-06 12:48 -------- d-----w- c:\programdata\ASUS

2011-10-06 12:48 . 2011-10-06 12:48 -------- d-----w- c:\users\user\AppData\Local\ASUS

2011-10-06 11:13 . 2011-10-06 11:13 -------- d-----w- c:\windows\SysWow64\Wat

2011-10-06 11:13 . 2011-10-06 11:13 -------- d-----w- c:\windows\system32\Wat

2011-10-06 09:59 . 2011-10-06 09:59 66048 ----a-w- c:\program files\Internet Explorer\JSProfilerCore.dll

2011-10-06 09:59 . 2011-10-06 09:59 603648 ----a-w- c:\windows\system32\vbscript.dll

2011-10-06 09:59 . 2011-10-06 09:59 165888 ----a-w- c:\windows\system32\iexpress.exe

2011-10-06 09:59 . 2011-10-06 09:59 160256 ----a-w- c:\windows\system32\wextract.exe

2011-10-06 09:36 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll

2011-10-06 09:36 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2011-10-06 09:34 . 2011-07-16 05:21 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-10-06 09:31 . 2010-12-23 10:42 961024 ----a-w- c:\windows\system32\CPFilters.dll

2011-10-06 09:31 . 2010-12-23 10:42 723968 ----a-w- c:\windows\system32\EncDec.dll

2011-10-06 09:31 . 2010-12-23 10:42 1118720 ----a-w- c:\windows\system32\sbe.dll

2011-10-06 09:31 . 2010-12-23 10:36 259072 ----a-w- c:\windows\system32\mpg2splt.ax

2011-10-06 09:31 . 2010-12-23 05:54 850944 ----a-w- c:\windows\SysWow64\sbe.dll

2011-10-06 09:31 . 2010-12-23 05:54 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll

2011-10-06 09:31 . 2010-12-23 05:54 534528 ----a-w- c:\windows\SysWow64\EncDec.dll

2011-10-06 09:31 . 2010-12-23 05:50 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax

2011-10-06 09:29 . 2011-04-25 02:34 499200 ----a-w- c:\windows\system32\drivers\afd.sys

2011-10-06 09:29 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe

2011-10-06 09:29 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe

2011-10-06 09:27 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll

2011-10-06 09:22 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-10-06 09:21 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2011-10-06 09:21 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-06 09:21 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

.

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-05 14:24 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2011-10-05 14:24 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2011-10-05 09:07 . 2011-10-05 09:07 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin

2011-08-24 19:19 . 2011-08-24 19:19 56320 ----a-w- c:\windows\SysWow64\OpenVideo.dll

2011-08-24 19:18 . 2011-08-24 19:18 13601280 ----a-w- c:\windows\SysWow64\amdocl.dll

2011-08-24 19:17 . 2011-08-24 19:17 43520 ----a-w- c:\windows\SysWow64\OpenCL.dll

.

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files (x86)\BS_Player\tbBS_P.dll" [2010-11-29 3908192]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-11-29 13:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\Wow6432Node~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll

.

[HKEY_LOCAL_MACHINE\Wow6432Node~\Browser Helper Objects\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

2010-11-29 13:26 3908192 ----a-w- c:\program files (x86)\BS_Player\tbBS_P.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files (x86)\BS_Player\tbBS_P.dll" [2010-11-29 3908192]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-08-20 170624]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableSecureUIAPaths"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:1045 /KBD:2 /wow /dir:C:\Program

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

"DisableThumbnailCache"=dword:00000001

.

R3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]

R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]

S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]

.

.

Zawartość folderu 'Zaplanowane zadania'

.

2011-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1766158696-135371575-3506765333-1001Core.job

- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-07 16:13]

.

2011-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1766158696-135371575-3506765333-1001UA.job

- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-07 16:13]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-07-30 617856]

"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-04-09 320000]

"combofix"="c:\combofix\CF25908.3XE" [2010-11-20 345088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

“LoadAppInit_DLLs”=0x0

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://search.conduit.com?SearchSource= … =CT1750559

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&ksportuj do programu Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 212.76.34.49 192.168.0.1

FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\931mrjc0.default\

.

- - - - USUNIĘTO PUSTE WPISY - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-tray_ico - (no file)

Wow6432Node-HKLM-Run-tray_ico1 - (no file)

Wow6432Node-HKLM-Run-tray_ico2 - (no file)

Wow6432Node-HKLM-Run-tray_ico3 - (no file)

Wow6432Node-HKLM-Run-tray_ico4 - (no file)

Wow6432Node-HKLM-Run-avast - c:\program files\AVAST Software\Avast\avastUI.exe

Toolbar-Locked - (no file)

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

WebBrowser-{FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5} - (no file)

ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - c:\program files\AVAST Software\Avast\ashShA64.dll

AddRemove-ASUS_Screensaver - c:\windows\system32\ASUS_Screensaver.scr

AddRemove-Gimnazjum klasa 1 - Gra muzyka! - c:\windows\IsUn0415.exe

.

.

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

.

[HKEY_USERS\S-1-5-21-1766158696-135371575-3506765333-1001\Software\SecuROM\License information*]

"datasecu"=hex:de,47,3e,64,52,42,48,6a,b0,b9,82,69,27,5f,96,3a,42,74,15,52,f7,

62,03,7a,58,ae,54,42,14,53,d6,09,73,20,34,71,93,84,37,ce,3c,c7,63,1e,35,f7,\

"rkeysecu"=hex:7d,f2,b8,21,27,07,80,f5,69,48,e4,91,79,a4,69,78

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\Windows\SysWOW64\Macromed\Flash\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe

c:\program files\ATKGFNEX\GFNEXSrv.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe

c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe

c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe

c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe

c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe

c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe

c:\program files (x86)\Common Files\Java\Java Update\jucheck.exe

.

**************************************************************************

.

Czas ukończenia: 2011-11-04 22:18:04 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2011-11-04 21:17

.

Przed: 47 965 868 032 bajtów wolnych

Po: 47 442 145 280 bajtów wolnych

.

- - End Of File - - 583898D0CB0256CCBBADECC7D2A8092D

Download OTL again otl-gmer-rsit-dss-inne-instrukcje-t370405.html and run it.

In the Custom Scans/Fixes box in OTL paste:

Click Run Fix. Agree to restart the computer. Post the removal log on the forum.

Then run OTL again, click Scan once more and post the new log on the forum. That is, two logs: one from the removal, the other from the new scan after the removal.

Why download OTL again if I already have it?

The rootkit blocks tools of this kind and there's no telling whether they will work correctly. If OTL starts without problems, you don't need to download it.

All processes killed

========== OTL ==========

========== FILES ==========

c:\windows\update.tray-7-0 folder moved successfully.

c:\windows\update.tray-7-0-lnk folder moved successfully.

c:\windows\ufa folder moved successfully.

File\Folder c:\windows\system32\%APPDATA% not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

User: user

->Temp folder emptied: 13782 bytes

->Temporary Internet Files folder emptied: 11276397 bytes

->Java cache emptied: 6345 bytes

->FireFox cache emptied: 69225671 bytes

->Google Chrome cache emptied: 381908644 bytes

->Flash cache emptied: 16567 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 3514 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 23390410 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 463.00 mb

OTL by OldTimer - Version 3.2.31.0 log created on 11052011_120912

Files\Folders moved on Reboot…

C:\Users\user\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot…

Then run OTL again, click Scan once more and post the new log on the forum. If everything is OK we'll move on to the final steps.

Paste the log at www.wklej.org and put the link to the paste in your post. It will be easier to analyze the report.

http://wklej.org/id/620822/

Uninstall Combofix: Start, then in the Search programs and files box type or paste

"c:\users\user\Desktop\ComboFix.exe" /uninstall and press Enter.

That's not all. We need to rebuild winsock.

In the Custom Scans/Fixes box in OTL paste:

Click Run Fix. Agree to restart the computer. Post the removal log on the forum.

Then run OTL again, click Scan once more and post the new log on the forum. That is, two logs: one from the removal, the other from the new scan after the removal.

http://wklej.org/id/620881/

http://wklej.org/id/620884/

First we'll clean up what's left of Combofix. I understand you attempted to uninstall it.

Manually delete, with Shift+Del, the following files and directories:

Winsock still needs to be repaired.

Download SystemLook (SystemLook64) http://jpshortstuff.247fixes.com/SystemLook.html and paste into it:

Click Look and post the log on the forum. I'll give any further instructions tomorrow.

How do I repair winsock?

Added 05.11.2011 (Sat) 16:33

http://wklej.org/id/620957/

The report is correct.

Start, then in the Search programs and files box type regedit.exe, right-click the program and choose Run as administrator from the menu.

Go to the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

Right-click Catalog_Entries, choose Export from the menu and export it to a .reg file. Save the file, upload it to a hosting site, e.g. http://www.hostuje.net, and post the link to the file here.

Do the same: go to the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

Right-click Catalog_Entries64, choose Export from the menu and export it to a .reg file. Save the file, upload it to a hosting site, e.g. http://www.hostuje.net, and post the link to the file here.

Please keep copies of these files.
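The two exports requested above are what one reads to see whether every Winsock provider still loads its DLL from the Windows system directory. As an added example (not from this thread, from ComboFix, OTL or SystemLook), the Python below builds a constructed .reg export of the kind regedit produces for both keys, parses it (including the wrapped hex lines regedit emits), pulls the provider DLL out of the REG_EXPAND_SZ LibraryPath value of each namespace entry and out of the PackedCatalogItem blob of each protocol entry, and flags any path outside System32 or SysWOW64. Assumptions: %SystemRoot% is C:\Windows, PackedCatalogItem begins with a 260-byte ANSI path, and the two flagged paths (nsp.dll under c:\windows\assembly\tmp\U, lsp.dll under C:\ProgramData) are made up for the sample. The two key paths are the ones named in the thread.

```python
import re

# Registry keys the thread asks to export (both paths come from the thread).
NS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries"
PROTO_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64"

# Where a provider DLL is expected to live. %SystemRoot% is assumed to be C:\Windows
# because this runs offline on an exported file, not on the affected machine.
SYSTEM_ROOT = r"C:\Windows"
TRUSTED_DIRS = (SYSTEM_ROOT.lower() + "\\system32\\", SYSTEM_ROOT.lower() + "\\syswow64\\")


def _hex_value(name, prefix, data):
    """Render bytes the way regedit exports them: comma-separated hex, wrapped
    onto continuation lines that end in a backslash."""
    pairs = ["%02x" % b for b in data]
    chunks = [pairs[i:i + 25] for i in range(0, len(pairs), 25)]
    out = []
    for i, chunk in enumerate(chunks):
        head = '"%s"=%s' % (name, prefix) if i == 0 else "  "
        tail = ",\\" if i < len(chunks) - 1 else ""
        out.append(head + ",".join(chunk) + tail)
    return "\n".join(out)


def _expand_sz(name, value):
    # REG_EXPAND_SZ is exported as hex(2): UTF-16LE text with a terminating NUL.
    return _hex_value(name, "hex(2):", (value + "\0").encode("utf-16-le"))


def _packed_item(path):
    # Assumed layout of PackedCatalogItem: a MAX_PATH (260-byte) ANSI path, then
    # the binary protocol info, abbreviated here to four placeholder bytes.
    blob = path.encode("latin-1").ljust(260, b"\0") + b"\x02\x00\x00\x00"
    return _hex_value("PackedCatalogItem", "hex:", blob)


def build_sample_export():
    """Constructed .reg export: one stock entry and one suspicious (made-up) entry per catalog."""
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        "[%s\\000000000001]" % NS_KEY,
        _expand_sz("LibraryPath", r"%SystemRoot%\system32\mswsock.dll"),
        '"DisplayString"="Tcpip"', "",
        "[%s\\000000000002]" % NS_KEY,
        _expand_sz("LibraryPath", r"C:\Windows\assembly\tmp\U\nsp.dll"),
        '"DisplayString"="Tcpip"', "",
        "[%s\\000000000001]" % PROTO_KEY,
        _packed_item(r"%SystemRoot%\system32\mswsock.dll"), "",
        "[%s\\000000000002]" % PROTO_KEY,
        _packed_item(r"C:\ProgramData\unknown\lsp.dll"),
        '"ProtocolId"=dword:00000006', "",
    ])


def _decode_value(val):
    """Turn the right-hand side of a .reg line into (type, payload)."""
    if val.startswith('"') and val.endswith('"'):
        return "sz", val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if val.startswith("dword:"):
        return "dword", int(val[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", val)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":
            return "expand_sz", data.decode("utf-16-le").split("\0", 1)[0]
        return "binary", data
    return "unknown", val


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: (type, payload)}}, joining wrapped hex lines first."""
    joined, buf = [], ""
    for line in text.splitlines():
        line = line.strip() if buf else line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    keys, current = {}, None
    for line in joined:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(val.strip())
    return keys


def audit_winsock_export(text):
    """Return (entry_id, dll_path) for every catalog entry whose provider DLL
    lives outside the Windows system directories."""
    findings = []
    for key, values in parse_reg(text).items():
        if "LibraryPath" in values:                  # namespace provider
            path = values["LibraryPath"][1]
        elif "PackedCatalogItem" in values:          # protocol / LSP provider
            path = values["PackedCatalogItem"][1][:260].split(b"\0", 1)[0].decode("latin-1")
        else:
            continue
        full = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, path, flags=re.IGNORECASE)
        if not full.lower().startswith(TRUSTED_DIRS):
            findings.append((key.rsplit("\\", 1)[-1], full))
    return findings


if __name__ == "__main__":
    for entry, dll in audit_winsock_export(build_sample_export()):
        print("catalog entry %s loads %s" % (entry, dll))
```

On a real export produced through regedit, or with `reg export "<key>" catalog.reg` from an elevated prompt, feed the file's text to audit_winsock_export and compare the flagged entries with what the helper asked you to keep copies of; an entry that loads a provider from a path that ComboFix has just removed is the kind of breakage the winsock rebuild is meant to fix.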