Hi, I ran a scan with Malwarebytes Anti-Malware and it detected PUP.BitCoinMiner in 4 files.
MBAM-log - http://www.wklej.org/id/1039881/
OTL - http://www.wklej.org/id/1039890/
Extras - http://www.wklej.org/id/1039898/
Please help me get rid of it.
Acorus
15 May 2013 14:40
#2
Did you have them removed? Run OTL and paste the following into the (Custom Scans/Fixes) box:
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
IE - HKLM…\URLSearchHook: {14f6a182-4c6f-45ae-9f5a-aa3ccbb1cfa3} - No CLSID value found
IE - HKLM…\URLSearchHook: {c86eb8a9-ccc2-4b6c-b75d-73576ed591bf} - No CLSID value found
IE - HKLM…\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2832599
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\URLSearchHook: {14f6a182-4c6f-45ae-9f5a-aa3ccbb1cfa3} - No CLSID value found
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\URLSearchHook: {c86eb8a9-ccc2-4b6c-b75d-73576ed591bf} - No CLSID value found
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100888&mntrId=decdd81500000000000000241d536dda
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\SearchScopes\{29C4A1D8-AAF1-44F1-809F-A2EBA2898E73}: "URL" = http://websearch.ask.com/redirect?clien … &src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=AEBAFB21-350C-4782-B930-5B2248C04525&apn_sauid=D48FB543-0FA9-43B1-9132-5C068FCB7964
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\SearchScopes\{5B291E6C-9A74-4034-971B-A4B007A0B315}: "URL" = http://radiobar.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB9}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}4
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\URLSearchHook: {14f6a182-4c6f-45ae-9f5a-aa3ccbb1cfa3} - No CLSID value found
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\URLSearchHook: {c86eb8a9-ccc2-4b6c-b75d-73576ed591bf} - No CLSID value found
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100888&mntrId=decdd81500000000000000241d536dda
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\SearchScopes\{29C4A1D8-AAF1-44F1-809F-A2EBA2898E73}: "URL" = http://websearch.ask.com/redirect?clien … &src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=AEBAFB21-350C-4782-B930-5B2248C04525&apn_sauid=D48FB543-0FA9-43B1-9132-5C068FCB7964
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\SearchScopes\{5B291E6C-9A74-4034-971B-A4B007A0B315}: "URL" = http://radiobar.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB9}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}4
IE - HKU\S-1-5-21-588857682-310516586-3518797823-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;
[2012-08-23 14:07:42 | 000,000,000 | ---D | M] (uTorrentControl_v2) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (no name) - {c86eb8a9-ccc2-4b6c-b75d-73576ed591bf} - No CLSID value found.
O3 - HKLM…\Toolbar: (no name) - {14f6a182-4c6f-45ae-9f5a-aa3ccbb1cfa3} - No CLSID value found.
O3 - HKLM…\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM…\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
O3 - HKLM…\Toolbar: (no name) - {c86eb8a9-ccc2-4b6c-b75d-73576ed591bf} - No CLSID value found.
O3 - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\Toolbar\WebBrowser: (no name) - {14F6A182-4C6F-45AE-9F5A-AA3CCBB1CFA3} - No CLSID value found.
O3 - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\Toolbar\WebBrowser: (no name) - {14F6A182-4C6F-45AE-9F5A-AA3CCBB1CFA3} - No CLSID value found.
O3 - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\Run: [Windows Service Manager] C:\ProgramData\Windows Service Manager0\bzsbkotiu.exe ()
O4 - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - HKU\S-1-5-21-588857682-310516586-3518797823-1000…\RunOnce: [Windows Service Manager] C:\ProgramData\Windows Service Manager0\bzsbkotiu.exe ()
O4 - HKU\S-1-5-21-588857682-310516586-3518797823-1002…\RunOnce: [CTPostBootSequencer] "C:\Users\User\AppData\Local\Temp\CTPBSeq.exe" /reglaunch /self_destruct File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
:Commands
[emptytemp]
Click Run Fix. Confirm the computer restart. Save the report that appears after the restart. Then run OTL again, this time clicking (Scan).
Post the new OTL.txt log and the removal report.
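As an added check, not part of this thread or of OTL: a read-only PowerShell script that re-reads the locations the script above fixes (Run/RunOnce, IE URLSearchHooks, SearchScopes, ProxyOverride) in HKLM and every loaded user hive, and flags the patterns visible in the log: binaries under ProgramData/AppData, autostart entries whose file is gone, hooks with no CLSID registration, non-standard search providers, and a proxy override to 127.0.0.1. It assumes an elevated PowerShell 3 or later on the cleaned machine.

```powershell
# Added example (not from the thread). Read-only: it lists and flags, it does not delete.
$rows = @()
$hives = @('HKLM:\SOFTWARE') + (Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # real user hives, not *_Classes
    ForEach-Object { "Registry::$($_.Name)\Software" })

function Get-NamedValues($path) {
    # Named values of a key, minus the PS* metadata properties Get-ItemProperty adds
    if (-not (Test-Path -LiteralPath $path)) { return }
    (Get-ItemProperty -LiteralPath $path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

foreach ($hive in $hives) {
    $cv = "$hive\Microsoft\Windows\CurrentVersion"
    $ie = "$hive\Microsoft\Internet Explorer"
    # O4: Run/RunOnce. Flag binaries under ProgramData/AppData (where the "Windows Service
    # Manager" entry pointed) or whose file no longer exists ("File not found" in OTL).
    foreach ($key in 'Run', 'RunOnce') {
        foreach ($v in Get-NamedValues "$cv\$key") {
            # strip quotes and trailing "/switches" to get the executable path
            $exe = ([string]$v.Value -replace '^"([^"]+)".*$', '$1') -replace '\s+/.*$', ''
            $rows += [pscustomobject]@{ Type = "O4 $key"; Name = $v.Name; Value = $v.Value
                Flag = (($exe -match '\\(ProgramData|AppData)\\') -or [string]::IsNullOrWhiteSpace($exe) -or
                        -not (Test-Path -LiteralPath $exe)) }
        }
    }
    # URLSearchHook entries whose CLSID has no class registration (OTL: "No CLSID value found")
    foreach ($v in Get-NamedValues "$ie\URLSearchHooks") {
        $rows += [pscustomobject]@{ Type = 'URLSearchHook'; Name = $v.Name; Value = $v.Value
            Flag = -not (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$($v.Name)") }
    }
    # SearchScopes: flag every provider URL that is not one of the usual engines
    foreach ($sk in (Get-ChildItem -LiteralPath "$ie\SearchScopes" -ErrorAction SilentlyContinue)) {
        $url = (Get-ItemProperty -LiteralPath $sk.PSPath).URL
        $rows += [pscustomobject]@{ Type = 'SearchScope'; Name = $sk.PSChildName; Value = $url
            Flag = ($url -notmatch '^https?://(www\.)?(bing|google)\.') }
    }
    # ProxyOverride pointing at a local port (127.0.0.1:9421 in the log above)
    foreach ($v in Get-NamedValues "$cv\Internet Settings" | Where-Object { $_.Name -eq 'ProxyOverride' }) {
        $rows += [pscustomobject]@{ Type = 'ProxyOverride'; Name = $hive; Value = $v.Value
            Flag = ([string]$v.Value -match '127\.0\.0\.1:\d+') }
    }
}
$rows | Sort-Object Flag -Descending | Format-Table Flag, Type, Name, Value -AutoSize -Wrap
```

Flagged rows are candidates for a second look against the post-fix OTL log, not an automatic verdict: a legitimate updater in AppData or an intentional proxy setting will also show up.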
Removed now - MBAM log from the removal: http://wklej.org/id/1040177/ .
Additionally cleaned with Dr.Web CureIt.
Current reports:
OTL - http://wklej.org/id/1040183/
MBAM-log - http://wklej.org/id/1040179/
By the way, I noticed that "svchost.exe (netsvcs)" uses quite a lot of physical memory. Any advice on improving that in my case?