Powracający wirus Win32:confi jak sie go pozbyć?

Dla specjalistów Bezpieczeństwo
#1

Ciągle avas wyłapuje mi win32:confi. Tu jest raport z otl OTL http://www.wklej.org/id/742397/

Proszę o pomoc .

Dodane 29.04.2012 (N) 16:24

Tu jeszcz jest drugi raport extras.txt http://www.wklej.org/id/742402/

Dodane 29.04.2012 (N) 16:45

prosze o pomoc!

#2

Przede wszystkim musisz aktualizować system.

Na początek zainstaluj poprawki MS08-067, MS08-068 oraz MS09-001 wymienione w tym artykule:

Klik

Odinstaluj SweetPacks Toolbar for Internet Explorer, SweetIM for Messenger,BS Player Toolbar

  1. Do okna Własne opcje skanowania / skrypt wklej:

    :OTL

    SRV - File not found [Auto | Stopped] – C:\WINDOWS\system32\jlrmcxu.dll – (nhtrfs)

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000&barid={6EBA4CA4-32C0-49FB-8E1D-EA49DF1DCAD4}

    IE - HKLM…\SearchScopes{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: “URL” = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}

    IE - HKLM…\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: “URL” = http://search.sweetim.com/search.asp?src=6&crg=3.1010000&q={searchTerms}&barid={6EBA4CA4-32C0-49FB-8E1D-EA49DF1DCAD4}

    IE - HKU.DEFAULT…\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found

    IE - HKU\S-1-5-18…\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found

    IE - HKU\S-1-5-21-1659004503-1757981266-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000&barid={6EBA4CA4-32C0-49FB-8E1D-EA49DF1DCAD4}

    IE - HKU\S-1-5-21-1659004503-1757981266-1801674531-1003…\URLSearchHook: {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files\BS_Player\prxtbBS_0.dll (Conduit Ltd.)

    IE - HKU\S-1-5-21-1659004503-1757981266-1801674531-1003…\SearchScopes{95B7759C-8C7F-4BF1-B163-73684A933233}: “URL” = http://isearch.avg.com/search?cid={146532C4-CC7E-4DC1-A2E7-0CF292E83E6F}&mid=5a2a0b1ecb5b5483e34ecbb2f2cc5338-01bc8995348a8c5a6820d36f964221f7d3c63b74〈=pl&ds=AVG&pr=fr&d=2011-12-05 18:24:44&v=8.0.0.40&sap=dsp&q={searchTerms}

    IE - HKU\S-1-5-21-1659004503-1757981266-1801674531-1003…\SearchScopes{afdbddaa-5d3f-42ee-b79c-185a7020515b}: “URL” = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1750559

    IE - HKU\S-1-5-21-1659004503-1757981266-1801674531-1003…\SearchScopes{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: “URL” = http://search.avg.com/route/?d=4bc6bfa7&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us

    IE - HKU\S-1-5-21-1659004503-1757981266-1801674531-1003…\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: “URL” = http://search.sweetim.com/search.asp?src=6&crg=3.1010000&q={searchTerms}&barid={6EBA4CA4-32C0-49FB-8E1D-EA49DF1DCAD4}

    FF - prefs.js…browser.search.defaultenginename: “SweetIM Search”

    FF - prefs.js…browser.search.defaultthis.engineName: “BS Player Customized Web Search”

    FF - prefs.js…browser.search.defaulturl: “”

    FF - prefs.js…browser.search.selectedEngine: “SweetIM Search”

    FF - prefs.js…browser.startup.homepage: “http://home.sweetim.com/?crg=3.1010000&barid={6EBA4CA4-32C0-49FB-8E1D-EA49DF1DCAD4}

    FF - prefs.js…keyword.URL: “http://search.avg.com/route/?d=4bc6bfa7&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=pl&q=

    FF - prefs.js…sweetim.toolbar.previous.browser.search.defaultenginename: “AVG Secure Search”

    FF - prefs.js…sweetim.toolbar.previous.browser.search.selectedEngine: “BS Player Customized Web Search”

    FF - prefs.js…sweetim.toolbar.previous.browser.search.defaulturl: “http://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}

    [2011-08-29 18:44:20 | 000,000,000 | —D | M] (BS Player Community Toolbar) – C:\Documents and Settings\OLA\Dane aplikacji\Mozilla\Firefox\Profiles\x5cke1l5.default\extensions{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}

    [2011-12-15 23:27:45 | 000,000,000 | —D | M] (Babylon) – C:\Documents and Settings\OLA\Dane aplikacji\Mozilla\Firefox\Profiles\x5cke1l5.default\extensions\ffxtlbr@babylon.com

    [2010-11-23 13:02:32 | 000,000,921 | ---- | M] () – C:\Documents and Settings\OLA\Dane aplikacji\Mozilla\Firefox\Profiles\x5cke1l5.default\searchplugins\conduit.xml

    [2012-04-29 12:50:45 | 000,003,987 | ---- | M] () – C:\Documents and Settings\OLA\Dane aplikacji\Mozilla\Firefox\Profiles\x5cke1l5.default\searchplugins\sweetim.xml

    O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found

    [2012-04-29 15:48:22 | 000,168,371 | ---- | M] () – C:\WINDOWS\System32\x

    :Reg

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    “4077:TCP”=-

    :Commands

    [emptytemp]

Kliknij Wykonaj skrypt i zatwierdź restart. Pokaż raport z usuwania. 2. Wklej do OTL i kliknij Skanuj

netsvcs

Pokaż ten log.

#3

raport z usuwania http://www.wklej.org/id/742457/

Dodane 29.04.2012 (N) 18:20

log http://www.wklej.org/id/742462/

Dodane 29.04.2012 (N) 18:35

i co cos jest lepiej?

#4

Uruchom OTL i kliknij Sprzątanie.

Wyłącz i ponownie włącz przywracanie systemu:

http://support.microsoft.com/kb/310405/pl

Dysk przeskanuj Dr.WEB CureIt

Aktualizuj programy:

Windows XP Service Pack 3

IE - Internet Explorer 8 (XP)

Adobe Reader

Adobe Shockwave Player

Flash Player zainstaluj dwukrotnie:

Dla IE -> Flash Player 11.2.202.233 (32 bit) Internet Explorer

Dla Firefox -> Flash Player 11.2.202.233 (32 bit) Plugin-based browsers