fionka888
(Fionka888)
23 August 2011 20:32
#1
Hello!
A fake antivirus called Personal Shield Pro appeared on the computer. After reading a few guides on what to do in such a situation, the computer was scanned and all those trojans were removed, but… I don't know what to do with the logs. Please help.
Here are the logs:
OTL
Log: http://wklej.to/xmbup
Extract: http://wklej.to/wHw9j
Thanks in advance
Leon1
(Leon$)
23 August 2011 20:44
#2
In OTL, in the Custom Scans/Fixes window (custom scan options/script), paste the following script:
:OTL
IE - HKCU…\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - HKLM\Software\MozillaPlugins@real.com/nsJSRealPlayerPlugin;version=: File not found
O2 - BHO: (no name) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (Reg Error: Key error.)
O33 - MountPoints2\{05d461ac-3b04-11de-8a3e-00164198a577}\Shell\PRM\command - "" = I:\Thumbs.exe -start
O33 - MountPoints2\{1e30aeed-061a-11dd-86fc-001302c4c8cd}\Shell - "" = AutoRun
O33 - MountPoints2\{1e30aeed-061a-11dd-86fc-001302c4c8cd}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\{1e30aeee-061a-11dd-86fc-001302c4c8cd}\Shell - "" = AutoRun
O33 - MountPoints2\{1e30aeee-061a-11dd-86fc-001302c4c8cd}\Shell\AutoRun\command - "" = %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
O33 - MountPoints2\{23c89916-a230-11e0-9070-001302c4c8cd}\Shell\AutoRun\command - "" = I:\setup.exe
O33 - MountPoints2\{2c6e6d3e-32a2-11de-8a1a-001302c4c8cd}\Shell\PRM\command - "" = Thumbs.exe -start
O33 - MountPoints2\{4355d8aa-8b75-11dc-8591-001302c4c8cd}\Shell\AutoRun\command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{4355d8aa-8b75-11dc-8591-001302c4c8cd}\Shell\explore\Command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{4355d8aa-8b75-11dc-8591-001302c4c8cd}\Shell\open\Command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{521a4080-f646-11df-8ebb-001302c4c8cd}\Shell - "" = AutoRun
O33 - MountPoints2\{521a4080-f646-11df-8ebb-001302c4c8cd}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\{5c6e5e12-fb98-11de-8c4d-001302c4c8cd}\Shell - "" = AutoRun
O33 - MountPoints2\{5c6e5e12-fb98-11de-8c4d-001302c4c8cd}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\{76504b54-fa37-11de-8c49-001302c4c8cd}\Shell\AutoRun\command - "" = I:\i00dvoym.exe
O33 - MountPoints2\{76504b54-fa37-11de-8c49-001302c4c8cd}\Shell\open\Command - "" = I:\i00dvoym.exe
O33 - MountPoints2\{ad3a4f8c-8280-11dd-8819-001302c4c8cd}\Shell\Auto\command - "" = fun.xls.exe
O33 - MountPoints2\{ad3a4f8c-8280-11dd-8819-001302c4c8cd}\Shell\AutoRun\command - "" = %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
O33 - MountPoints2\{ad3a4f8d-8280-11dd-8819-001302c4c8cd}\Shell\Auto\command - "" = fun.xls.exe
O33 - MountPoints2\{ad3a4f8d-8280-11dd-8819-001302c4c8cd}\Shell\AutoRun\command - "" = %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
O33 - MountPoints2\{d324a594-b7ce-11dc-8625-001302c4c8cd}\Shell\AutoRun\command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d324a594-b7ce-11dc-8625-001302c4c8cd}\Shell\explore\Command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d324a594-b7ce-11dc-8625-001302c4c8cd}\Shell\open\Command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d324a595-b7ce-11dc-8625-001302c4c8cd}\Shell\Auto\command - "" = activexdebugger32.exe f
O33 - MountPoints2\{d324a595-b7ce-11dc-8625-001302c4c8cd}\Shell\AutoRun\command - "" = %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
O33 - MountPoints2\{d324a595-b7ce-11dc-8625-001302c4c8cd}\Shell\explore\Command - "" = activexdebugger32.exe f
O33 - MountPoints2\{d324a595-b7ce-11dc-8625-001302c4c8cd}\Shell\open\Command - "" = activexdebugger32.exe f
O33 - MountPoints2\{d8f442e8-07cb-11dd-8703-001302c4c8cd}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
O33 - MountPoints2\{d8f442e8-07cb-11dd-8703-001302c4c8cd}\Shell\open\command - "" = I:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
O33 - MountPoints2\{dfd1be45-94a5-11dd-8858-001302c4c8cd}\Shell - "" = AutoRun
O33 - MountPoints2\{dfd1be45-94a5-11dd-8858-001302c4c8cd}\Shell\Auto\command - "" = C:\WINDOWS\System32\wupdmgr.exe -- [2004-08-04 10:00:00 | 000,032,256 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{dfd1be45-94a5-11dd-8858-001302c4c8cd}\Shell\AutoRun\command - "" = %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wupdmgr.exe
O33 - MountPoints2\{e2b2cc78-3fce-11de-8a58-00164198a577}\Shell\AutoRun\command - "" = I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{e2b2cc78-3fce-11de-8a58-00164198a577}\Shell\open\command - "" = I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{e67386c0-c1ca-11e0-9772-00164198a577}\Shell - "" = AutoRun
O33 - MountPoints2\{e67386c0-c1ca-11e0-9772-00164198a577}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\{e949e778-93e0-11dd-8855-001302c4c8cd}\Shell\AutoRun\command - "" = RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
O33 - MountPoints2\{e949e778-93e0-11dd-8855-001302c4c8cd}\Shell\open\command - "" = RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
O33 - MountPoints2\{f4b2c3a6-3fb0-11de-8a56-001302c4c8cd}\Shell - "" = Autorun
O33 - MountPoints2\{f4b2c3a6-3fb0-11de-8a56-001302c4c8cd}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\setup.exe -- [2008-04-14 19:21:39 | 000,023,040 | ---- | M] (Microsoft Corporation)
[2011-08-23 13:47:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\oO13602OkJkJ13602
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[CLEARALLRESTOREPOINTS]
[RESETHOSTS]
[emptytemp]
Click Run Fix (Run script). Confirm the computer restart.
Show the log from the removal.
Then a new OTL log made with the Run Scan option.
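An added example, not from the thread or from OTL's author: a small Python parser for OTL's O33 MountPoints2 lines that flags the autorun patterns the script above removes (RunDLL32 ShellExec_RunDLL launchers, double extensions, payloads under RECYCLER/RESTORE, bare executable names) and emits the same :Reg removal. The sample lines are constructed and the heuristics are my assumptions, not OTL's own logic.

```python
import re
from typing import NamedTuple

# Constructed sample in OTL's O33 MountPoints2 line format (not the poster's log).
SAMPLE_O33 = r'''
O33 - MountPoints2\{1e30aeee-061a-11dd-86fc-001302c4c8cd}\Shell - "" = AutoRun
O33 - MountPoints2\{1e30aeee-061a-11dd-86fc-001302c4c8cd}\Shell\AutoRun\command - "" = %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
O33 - MountPoints2\{ad3a4f8c-8280-11dd-8819-001302c4c8cd}\Shell\Auto\command - "" = fun.xls.exe
O33 - MountPoints2\{d8f442e8-07cb-11dd-8703-001302c4c8cd}\Shell\open\command - "" = I:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
O33 - MountPoints2\{4355d8aa-8b75-11dc-8591-001302c4c8cd}\Shell\AutoRun\command - "" = C:\WINDOWS\explorer.exe -- [2008-04-14 19:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation)
'''

# Key path, optional verb (AutoRun/open/explore/...), optional "\command", then the value.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\?\{(?P<guid>[0-9a-f-]{36})\}\\Shell'
    r'(?:\\(?P<verb>[^\\\s]+))?(?:\\command)?\s*-\s*""\s*=\s*(?P<value>.*)$', re.I)
# OTL appends " -- [date | size | attrs | M] (company)" when the target exists on disk.
META_RE = re.compile(r'\s+(?:--|–)\s+\[.*$')

# Heuristics (my assumptions) for the kind of entries the thread's script was removing.
SUSPICIOUS = [
    (re.compile(r'shellexec_rundll', re.I), 'RunDLL32/ShellExec_RunDLL used as a launcher'),
    (re.compile(r'\.(?:xls|doc|jpg|sys|txt|pdf)\.(?:exe|vbs|scr|com|bat)\b', re.I), 'double extension'),
    (re.compile(r'\\(?:recycler|restore)\\s-\d', re.I), 'payload hidden under RECYCLER/RESTORE'),
    (re.compile(r'^[\w.-]+\.exe(?:\s|$)', re.I), 'bare executable name, resolved on the mounted volume'),
]

class Finding(NamedTuple):
    guid: str
    verb: str
    command: str
    reasons: tuple

def triage(text: str) -> list:
    """Return the O33 autorun commands that match at least one heuristic."""
    findings = []
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if not m or m['verb'] is None:   # '\Shell - "" = AutoRun' only names the default verb
            continue
        cmd = META_RE.sub('', m['value']).strip()
        reasons = tuple(why for rx, why in SUSPICIOUS if rx.search(cmd))
        if reasons:
            findings.append(Finding(m['guid'].lower(), m['verb'], cmd, reasons))
    return findings

def otl_fix(findings) -> str:
    """The :Reg section from the thread: drop the whole HKCU MountPoints2 cache key (Windows rebuilds it) if anything fired."""
    if not findings:
        return ''
    return ':Reg\n[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2]'

if __name__ == '__main__':
    for f in triage(SAMPLE_O33):
        print(f'{f.guid} {f.verb}: {f.command}\n    -> {"; ".join(f.reasons)}')
```

The explorer.exe entry is left unflagged on purpose: OTL's trailing file metadata shows it resolves to the real system binary, which is why only the other entries are worth attention.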
fionka888
(Fionka888)
23 August 2011 21:22
#3
Leon1
(Leon$)
23 August 2011 21:33
#4
Download and run the tool The Avenger. Select the text given for removal on the forum,
copy >> click Paste Script from Clipboard >> Execute >> confirm and agree to the restart by clicking OK.
Delete the file C:\Avenger\backup.zip from the disk manually and paste the report C:\avenger.txt on the forum.
fionka888
(Fionka888)
23 August 2011 21:37
#5
I can't run this Avenger program, some Windows messages pop up.
– Added 23.08.2011 (Tue) 23:39 –
These are the messages. This is avenger.txt:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack 3)
Tue Aug 23 23:35:46 2011
23:35:42: Warning: %systemroot% (C:\WINDOWS) is not the same as %windir% (%SystemRoot%).
Use caution: unexpected results may arise!
23:35:43: Error: Fatal error: %systemdrive% (C:) is not a prefix of %windir% (%SystemRoot%).
23:35:45: Error: Fatal error: %windir% (%SystemRoot%) is not a prefix of %system% (C:\WINDOWS\system32).
//////////////////////////////////////////
Leon1
(Leon$)
23 August 2011 22:10
#6
Avenger must be started on an account with administrator rights!
fionka888
(Fionka888)
24 August 2011 14:46
#7
But I am logged in on an account with administrator rights.