Pozostałości po wirusie z facebooka :(

natalkaaaa · 20 Sierpień 2011 21:22

jakies dwa dni temu weszlam w tego samego wirusa co wszyscy… usuwalam trojany i inne bledy wszystkimi programami jakimi sie tylko dalo, 1,5 dnia bylo wszystko elegancko. komputer dzialal tak jak powinien, jednakze dzis znow Avira znajduje mi jakies trojany… sama juz nie mam sily na instalowanie nowych antyvirusow i sprawdzanie ktory jest najlepszy i ktory poradzi sobie z tym “facebookowym syfem” . Dlatego tez prosze was o pomoc…

mam wielka nadzieje ze dobrze zrobilam te logi bo jestem zielona w tym temacie :

OTL : http://wklej.to/TJ6R

EXTRAS: http://wklej.to/yOEk

Leon1 · 20 Sierpień 2011 21:37

OTL w oknie Custom Scans-Fixes (własne opcje skanowania/skrypt)wklej następujący skrypt:

:OTL IE - HKU\S-1-5-21-1177238915-879983540-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101723&l=dis IE - HKU\S-1-5-21-1177238915-879983540-839522115-1003…\URLSearchHook: {ecdee021-0d17-467f-a1ff-c7a115230949} - Reg Error: Key error. File not found FF - prefs.js…browser.search.defaultengine: “Ask.com” FF - prefs.js…browser.search.defaultenginename: “Ask.com” FF - prefs.js…browser.search.defaulturl: “http://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q={searchTerms}” FF - prefs.js…browser.search.order.1: “Ask.com” FF - prefs.js…browser.search.selectedEngine: “Ask.com” FF - prefs.js…extensions.enabledItems: toolbar@ask.com:3.11.3.15590 FF - prefs.js…extensions.enabledItems: dealio@mybrowserbar.com:4.3 FF - prefs.js…extensions.enabledItems: wtxpcom@mybrowserbar.com:4.3 FF - HKLM\Software\MozillaPlugins@real.com/nsJSRealPlayerPlugin;version=: File not found [2011-07-17 15:51:41 | 000,002,388 | ---- | M] () – C:\Documents and Settings\bla\Dane aplikacji\Mozilla\Firefox\Profiles\arg2y933.default\searchplugins\askcom.xml [2010-01-20 13:16:28 | 000,000,939 | ---- | M] () – C:\Documents and Settings\bla\Dane aplikacji\Mozilla\Firefox\Profiles\arg2y933.default\searchplugins\conduit.xml O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.) O3 - HKLM…\Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - No CLSID value found. O3 - HKU.DEFAULT…\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O3 - HKU\S-1-5-18…\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O3 - HKU\S-1-5-21-1177238915-879983540-839522115-1003…\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O3 - HKU\S-1-5-21-1177238915-879983540-839522115-1003…\Toolbar\WebBrowser: (no name) - {ECDEE021-0D17-467F-A1FF-C7A115230949} - No CLSID value found. O4 - HKLM…\Run: [MMReminderService] File not found O4 - HKLM…\Run: [pdfSaver3] File not found O4 - HKLM…\Run: [tray_ico] File not found O4 - HKLM…\Run: [tray_ico1] File not found O4 - HKLM…\Run: [tray_ico2] File not found O4 - HKLM…\Run: [tray_ico3] File not found O4 - HKLM…\Run: [tray_ico4] File not found O4 - HKU\S-1-5-21-1177238915-879983540-839522115-1003…\Run: [Twoje TVN24] File not found O33 - MountPoints2{1c23d69e-6cc3-11df-93e2-001a4d982ef9}\Shell\AutoRun\command - “” = G:\cobn8w3.exe O33 - MountPoints2{1c23d69e-6cc3-11df-93e2-001a4d982ef9}\Shell\open\Command - “” = G:\cobn8w3.exe O33 - MountPoints2{2808fba8-4983-11df-936c-001a4d982ef9}\Shell\AutoRun\command - “” = p3vwxx.exe O33 - MountPoints2{2808fba8-4983-11df-936c-001a4d982ef9}\Shell\open\Command - “” = p3vwxx.exe O33 - MountPoints2{ce76f714-1fce-11df-92f2-001a4d982ef9}\Shell\AutoRun\command - “” = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\amp32.exe O33 - MountPoints2{ce76f714-1fce-11df-92f2-001a4d982ef9}\Shell\open\command - “” = H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\amp32.exe [2011-08-18 23:21:38 | 000,000,000 | -H-D | C] – C:\WINDOWS\update.2 [2011-08-18 23:21:37 | 000,000,000 | -H-D | C] – C:\WINDOWS\update.1 [2011-08-18 23:21:37 | 000,000,000 | —D | C] – C:\WINDOWS\av_ico [2011-08-18 23:19:51 | 000,000,000 | -H-D | C] – C:\WINDOWS\update.3 [2011-08-18 23:15:27 | 000,000,000 | -H-D | C] – C:\WINDOWS\update.tray-8-0-lnk [2011-08-18 23:15:27 | 000,000,000 | -H-D | C] – C:\WINDOWS\update.tray-8-0 [2011-08-01 08:41:25 | 000,000,000 | —D | C] – C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\AskToolbar [2011-07-22 19:18:07 | 000,000,000 | -HSD | C] – C:\found.000 [2011-08-18 23:20:03 | 000,000,734 | ---- | M] () – C:\WINDOWS\System32\drivers\etc\hîsts [2011-08-18 23:19:13 | 000,904,792 | ---- | M] () – C:\WINDOWS\geoiplist.rar [2011-08-18 23:19:13 | 000,246,272 | ---- | M] () – C:\WINDOWS\unrar.exe [2011-08-18 23:18:37 | 000,000,000 | ---- | M] () – C:\WINDOWS\loader2.exe_ok [2011-08-18 23:19:34 | 000,000,178 | ---- | C] () – C:\WINDOWS\info1 [2011-08-18 23:19:14 | 004,636,907 | ---- | C] () – C:\WINDOWS\geoiplist :Reg [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] “C:\WINDOWS\update.1\svchost.exe”=- “C:\WINDOWS\update.tray-8-0\svchost.exe”=- “C:\WINDOWS\update.2\svchost.exe”=- “C:\WINDOWS\update.3\svchost.exe”=- :Commands [CLEARALLRESTOREPOINTS] [RESETHOSTS] [emptytemp]

Kliknij w Run Fix (Wykonaj scrypt). Zatwierdź restart komputera.

Pokaż log z usuwania.

potem nowy log OTL robiony opcją Run Scan (Skanuj)