Problem Worm/AutoRun

kuba567g · 12 Styczeń 2013 19:12

Witam wszystkich

Mam problem z tym wirusem Worm/AutoRun i nie mogę się go pozbyć prawdopodobnie któryś ze znajomych przyniósł go na pendrive ale nie mam pojęcia kiedy.

Czytałem różne poradniki itp ale nie daje sobie z tym rady. Uzywam anty wirusa AVG. Jestem naprawdę amatorskim użytkownikiem komputera i proszę o jak najdokładniejsze wytłumaczenie.

Z góry dziękuje.

http://imageshack.us/scaled/landing/46/beztytuuiyy.png

Atis · 12 Styczeń 2013 19:16

OTL - Raport obowiązkowy:

analiza-dezynfekcja-zestaw-nieingerencyjnych-narzedzi-t485632.html#p3059741

kuba567g · 12 Styczeń 2013 20:03

Raporty OTL:

Extras:

http://wklej.to/QOdS6

http://www.wklej.org/id/922870/

OTL:

http://www.wklej.org/id/922858/

Atis · 12 Styczeń 2013 20:20

Wyłącz AVG, bo będzie blokował usuwanie.

http://www.avg.com/pl-pl/faq.num-5238

Odinstaluj:

Internet Explorer Toolbar 4.6 by SweetPacks

Update Manager for SweetPacks 1.1

Yontoo 1.10.02

IB Updater 2.0.0.530

IB Updater Service

uTorrentControl_v2 Toolbar

Pobierz AdwCleaner

Zamknij przeglądarkę internetową.

Uruchom AdwCleaner i kliknij Usuń.

Do okna Własne opcje skanowania / skrypt wklej:

:OTL DRV - File not found [Kernel | On_Demand | Stopped] – C:\Windows\system32\XDva399.sys – (XDva399) DRV - File not found [Kernel | On_Demand | Stopped] – C:\Windows\system32\drivers\EagleXNt.sys – (EagleXNt) [2012-08-26 22:36:59 | 000,000,000 | —D | M] (uTorrentControl_v2) – C:\Users\Kuba\AppData\Roaming\mozilla\Firefox\extensions{7473b6bd-4691-4744-a82b-7854eb3d70b6} [2012-10-17 21:23:45 | 000,002,203 | ---- | M] () – C:\Users\Kuba\AppData\Roaming\mozilla\firefox\profiles\b8z2nm30.default\searchplugins\MyStart Search.xml [2012-11-24 21:03:56 | 000,003,998 | ---- | M] () – C:\Users\Kuba\AppData\Roaming\mozilla\firefox\profiles\b8z2nm30.default\searchplugins\sweetim.xml [2012-12-01 15:43:21 | 000,002,349 | ---- | M] () – C:\Program Files\mozilla firefox\searchplugins\babylon.xml O2 - BHO: (uTorrentControl_v2 Toolbar) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll File not found O2 - BHO: (smartdownloader Class) - {F1AF26F8-1828-4279-ABCE-074EF3235BD7} - C:\Program Files\PutLockerDownloader\smarterdownloader.dll File not found O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found O3 - HKLM…\Toolbar: (uTorrentControl_v2 Toolbar) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll File not found O4 - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\Run: [PlayNC Launcher] File not found O4 - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\Run: [uTorrent] “C:\Program Files\uTorrent\uTorrent.exe” /MINIMIZED File not found [2013-01-12 20:26:32 | 000,103,140 | RHS- | C] () – C:\njvqde.exe [2013-01-12 20:26:26 | 000,000,352 | RHS- | C] () – C:\autorun.inf [2013-01-12 20:26:05 | 000,103,140 | RHS- | C] () – C:\tbapso.pif [2013-01-12 20:25:38 | 000,103,140 | RHS- | C] () – C:\frap.exe [2013-01-12 20:25:10 | 000,103,140 | RHS- | C] () – C:\ihpak.pif [2013-01-12 20:24:43 | 000,103,140 | RHS- | C] () – C:\poetgo.pif [2013-01-12 20:24:16 | 000,103,140 | RHS- | C] () – C:\kuxecr.pif [2013-01-12 20:23:49 | 000,103,140 | RHS- | C] () – C:\jxbh.exe [2013-01-12 20:23:22 | 000,103,140 | RHS- | C] () – C:\qinyg.pif [2013-01-12 20:22:55 | 000,103,140 | RHS- | C] () – C:\hdki.exe [2013-01-12 20:22:27 | 000,103,140 | RHS- | C] () – C:\hhgqii.pif [2013-01-12 20:22:00 | 000,103,140 | RHS- | C] () – C:\fhrk.exe [2013-01-12 20:21:32 | 000,103,140 | RHS- | C] () – C:\tuovf.pif [2013-01-12 20:21:05 | 000,103,140 | RHS- | C] () – C:\guffy.pif [2013-01-12 20:20:38 | 000,103,140 | RHS- | C] () – C:\uydhmp.pif [2013-01-12 20:20:10 | 000,103,140 | RHS- | C] () – C:\clqpe.exe [2013-01-12 20:19:43 | 000,103,140 | RHS- | C] () – C:\ebjp.exe [2013-01-12 20:19:16 | 000,103,140 | RHS- | C] () – C:\godqe.exe [2013-01-12 20:18:49 | 000,103,140 | RHS- | C] () – C:\judlmh.exe [2013-01-12 20:18:21 | 000,103,140 | RHS- | C] () – C:\uwrtpo.exe [2013-01-12 20:17:54 | 000,103,140 | RHS- | C] () – C:\lvir.pif [2013-01-12 20:17:27 | 000,103,140 | RHS- | C] () – C:\ojtw.exe [2013-01-12 20:16:59 | 000,103,140 | RHS- | C] () – C:\eijgn.pif [2013-01-12 20:16:32 | 000,103,140 | RHS- | C] () – C:\efjdtp.exe [2013-01-12 20:16:05 | 000,103,140 | RHS- | C] () – C:\fnepgs.pif [2013-01-12 20:15:38 | 000,103,140 | RHS- | C] () – C:\cjsuew.exe [2013-01-12 20:15:10 | 000,103,140 | RHS- | C] () – C:\cedfy.pif [2013-01-12 20:14:42 | 000,103,140 | RHS- | C] () – C:\hkhnlv.pif [2013-01-12 20:14:15 | 000,103,140 | RHS- | C] () – C:\eynv.exe [2013-01-12 20:13:37 | 000,103,140 | RHS- | C] () – C:\jcdeq.pif [2013-01-12 20:13:09 | 000,103,140 | RHS- | C] () – C:\rqch.exe [2013-01-12 20:12:42 | 000,103,140 | RHS- | C] () – C:\ewvu.exe [2013-01-12 20:12:14 | 000,103,140 | RHS- | C] () – C:\lfauvf.exe [2013-01-12 20:11:47 | 000,103,140 | RHS- | C] () – C:\bugow.pif [2013-01-12 20:11:20 | 000,103,140 | RHS- | C] () – C:\tuehi.exe [2013-01-12 20:10:52 | 000,103,140 | RHS- | C] () – C:\hiro.exe [2013-01-12 20:10:25 | 000,103,140 | RHS- | C] () – C:\nlevfc.pif [2013-01-12 20:09:58 | 000,103,140 | RHS- | C] () – C:\umtsb.exe [2013-01-12 20:09:11 | 000,103,140 | RHS- | C] () – C:\ewei.exe [2013-01-12 20:08:43 | 000,103,140 | RHS- | C] () – C:\phmruq.pif [2013-01-12 20:08:16 | 000,103,140 | RHS- | C] () – C:\xuqh.exe [2013-01-12 20:07:49 | 000,103,140 | RHS- | C] () – C:\fgkr.exe [2013-01-12 20:07:22 | 000,103,140 | RHS- | C] () – C:\cikm.pif [2013-01-12 20:06:55 | 000,103,140 | RHS- | C] () – C:\efjtfb.exe [2013-01-12 20:06:27 | 000,103,140 | RHS- | C] () – C:\hybg.exe [2013-01-12 20:06:00 | 000,103,140 | RHS- | C] () – C:\wqvwxg.exe [2013-01-12 20:05:33 | 000,103,140 | RHS- | C] () – C:\ktisj.exe [2013-01-12 20:05:05 | 000,103,140 | RHS- | C] () – C:\ggkpk.pif [2013-01-12 20:04:38 | 000,103,140 | RHS- | C] () – C:\wuudy.pif [2013-01-12 20:04:11 | 000,103,140 | RHS- | C] () – C:\vsoaal.exe [2013-01-12 20:03:44 | 000,103,140 | RHS- | C] () – C:\tusv.exe [2013-01-12 20:03:17 | 000,103,140 | RHS- | C] () – C:\djgohq.exe [2013-01-12 20:02:49 | 000,103,140 | RHS- | C] () – C:\vxytq.pif [2013-01-12 20:02:20 | 000,103,140 | RHS- | C] () – C:\grski.exe [2013-01-12 20:01:53 | 000,103,140 | RHS- | C] () – C:\qkpbos.exe [2013-01-12 20:01:26 | 000,103,140 | RHS- | C] () – C:\gktcy.exe [2013-01-12 20:00:57 | 000,103,140 | RHS- | C] () – C:\alla.pif [2013-01-12 20:00:30 | 000,103,140 | RHS- | C] () – C:\jsssv.exe [2013-01-12 20:00:03 | 000,103,140 | RHS- | C] () – C:\jftpvv.pif [2013-01-12 19:59:36 | 000,103,140 | RHS- | C] () – C:\fqlfv.pif [2013-01-12 19:59:09 | 000,103,140 | RHS- | C] () – C:\ygioq.pif [2013-01-12 19:58:42 | 000,103,140 | RHS- | C] () – C:\ubfs.exe [2013-01-12 19:58:15 | 000,103,140 | RHS- | C] () – C:\fbfmup.exe [2013-01-12 19:57:47 | 000,103,140 | RHS- | C] () – C:\bkvnt.pif [2013-01-12 19:57:20 | 000,103,140 | RHS- | C] () – C:\beumqv.exe [2013-01-12 19:56:53 | 000,103,140 | RHS- | C] () – C:\dxhdv.pif [2013-01-12 19:56:26 | 000,103,140 | RHS- | C] () – C:\vvnaqd.exe [2013-01-12 19:55:59 | 000,103,140 | RHS- | C] () – C:\gjyf.exe [2013-01-12 19:55:32 | 000,103,140 | RHS- | C] () – C:\qidx.exe [2013-01-12 19:55:05 | 000,103,140 | RHS- | C] () – C:\qnqx.exe [2013-01-12 19:54:37 | 000,103,140 | RHS- | C] () – C:\auopx.exe [2013-01-12 19:54:10 | 000,103,140 | RHS- | C] () – C:\fivbn.exe [2013-01-12 19:53:43 | 000,103,140 | RHS- | C] () – C:\vyum.pif [2013-01-12 19:53:16 | 000,103,140 | RHS- | C] () – C:\togopq.exe [2013-01-12 19:52:49 | 000,103,140 | RHS- | C] () – C:\ydpr.exe [2013-01-12 19:52:22 | 000,103,140 | RHS- | C] () – C:\tveqlu.pif [2013-01-12 19:51:55 | 000,103,140 | RHS- | C] () – C:\skgb.exe [2013-01-12 19:51:28 | 000,103,140 | RHS- | C] () – C:\dynl.exe [2013-01-12 19:51:00 | 000,103,140 | RHS- | C] () – C:\khsko.exe [2013-01-12 19:50:33 | 000,103,140 | RHS- | C] () – C:\wpnnas.pif [2013-01-12 19:50:06 | 000,103,140 | RHS- | C] () – C:\oervt.pif [2013-01-12 19:49:39 | 000,103,140 | RHS- | C] () – C:\shqpa.pif [2013-01-12 19:49:12 | 000,103,140 | RHS- | C] () – C:\srsum.exe [2013-01-12 19:48:45 | 000,103,140 | RHS- | C] () – C:\tiuhr.pif [2013-01-12 19:48:18 | 000,103,140 | RHS- | C] () – C:\uwapb.pif [2013-01-12 19:47:50 | 000,103,140 | RHS- | C] () – C:\vuoh.exe [2013-01-12 19:47:23 | 000,103,140 | RHS- | C] () – C:\euhfkd.exe [2013-01-12 19:46:55 | 000,103,140 | RHS- | C] () – C:\bfdjlb.exe [2013-01-12 19:46:28 | 000,103,140 | RHS- | C] () – C:\ukuj.exe [2013-01-12 19:46:01 | 000,103,140 | RHS- | C] () – C:\favron.pif [2013-01-12 19:45:34 | 000,103,140 | RHS- | C] () – C:\jhhcfk.pif :Files autorun.inf /alldrives :Reg [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] :Commands [emptytemp]

Kliknij Wykonaj skrypt i zatwierdź restart.

Pokaż raport z usuwania.

Wklej do OTL i kliknij Skanuj:

Pokaż ten log.

kuba567g · 12 Styczeń 2013 20:23

Niech Bóg cie błogosławi, zaraz to zrobię i z edytuje post.

Log po resecie:

http://www.wklej.org/id/922903/

Log Skanu:

http://www.wklej.org/id/922919/

AVG teraz już nie wyszkuje worma ale za to Win32:

http://img20.imageshack.us/img20/9533/beztytuueir.png

Atis · 12 Styczeń 2013 20:51

Wirus Sality infekuje wszystkie pliki wykonywalne.

Tymczasowo wyłącz program AVG.

Usuń stare punkty przywracania:

Aby usunąć wszystkie punkty przywracania

Skanuj wszystkie partycje i lecz zainfekowane pliki.

SalityKiller lub Klik
Dr.Web CureIt i przeskanuj wszystkie dyski: Klik

Pokaż nowy log gdy skanery nie będą wykrywały żadnych zainfekowanych plików.

kuba567g · 12 Styczeń 2013 23:36

http://www.wklej.org/id/923142/

Atis · 13 Styczeń 2013 11:01

Wygląda na to, że w ogóle nie przeskanowałeś Dr.Web CureIt.

Do okna Własne opcje skanowania / skrypt wklej:

:OTL SRV - File not found [On_Demand | Stopped] – C:\Program Files\Common Files\Steam\SteamService.exe /RunAsService – (Steam Client Service) SRV - File not found [On_Demand | Stopped] – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe – (IDriverT) IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000.10011&barid={067217BD-3672-11E2-8324-1C6F65B8B618} IE - HKLM…\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000.10011&barid={067217BD-3672-11E2-8324-1C6F65B8B618} IE - HKLM…\SearchScopes{EEE6C360-6118-11DC-9C72-001320C79847}: “URL” = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10011&barid={067217BD-3672-11E2-8324-1C6F65B8B618} IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=110824 … 4f6a0210c9 IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\SearchScopes{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: “URL” = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\SearchScopes{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: “URL” = http://search.babylon.com/?q={searchTerms}&affID=110824&tt=4812_6&babsrc=SP_ss&mntrId=243bea53000000000000004f6a0210c9 IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\SearchScopes{51457BD0-EA3F-44DB-AC26-EED5450C321E}: “URL” = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10011&barid={067217BD-3672-11E2-8324-1C6F65B8B618} IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\SearchScopes{78B7434B-342D-45AE-A159-AEA356A8CAD9}: “URL” = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468 IE - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\SearchScopes{E5693442-5624-4537-8AA9-9608A4FAA50F}: “URL” = http://mystart.incredibar.com/mb128/?search={searchTerms}&loc=IB_DS&a=6OyRpF4AlS&i=26 FF - prefs.js…browser.search.defaultenginename: “Search the web (Babylon)” FF - prefs.js…browser.search.selectedEngine: “Search the web (Babylon)” FF - prefs.js…browser.startup.homepage: “http://search.babylon.com/?affID=110824&tt=4812_6&babsrc=HP_ss&mntrId=243bea53000000000000004f6a0210c9” FF - prefs.js…keyword.URL: “http://search.sweetim.com/search.asp?barid={067217BD-3672-11E2-8324-1C6F65B8B618}&src=2&crg=3.1010000.10011&q=” FF - prefs.js…sweetim.toolbar.previous.keyword.URL: “http://search.sweetim.com/search.asp?barid={067217BD-3672-11E2-8324-1C6F65B8B618}&src=2&crg=3.1010000.10011&q=” O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.8.3.8\bh\BabylonToolbar.dll File not found O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll File not found O3 - HKLM…\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll File not found O3 - HKLM…\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.8.3.8\BabylonToolbarTlbr.dll File not found O3 - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\Toolbar\WebBrowser: (no name) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No CLSID value found. O4 - HKLM…\Run: [ROC_roc_ssl_v12] “C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe” / /PROMPT /CMPID=roc_ssl_v12 File not found O4 - HKLM…\Run: [vProt] “C:\Program Files\AVG Secure Search\vprot.exe” File not found O4 - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\Run: [AQQ] C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe File not found O4 - HKU\S-1-5-21-1677851139-395640339-3247164469-1000…\Run: [Facebook Update] “C:\Users\Kuba\AppData\Local\Facebook\Update\FacebookUpdate.exe” /c /nocrashserver File not found [2012-08-26 09:47:10 | 000,000,000 | —D | M] – C:\Users\Kuba\AppData\Roaming\Babylon [2012-08-26 09:47:47 | 000,000,000 | —D | M] – C:\Users\Kuba\AppData\Roaming\BabylonToolbar :Files C:\AdwCleaner*.txt D:*.pif D:*.exe E:*.pif E:*.exe K:*.pif K:*.exe :Commands [emptytemp]