Problem with the LYRMIX trojan

Please help me remove this trojan.

 

Here are the logs from OTL:

 

OTL: http://wklej.org/id/1653688/

 

Extras: http://wklej.org/id/1653692/

Download Farbar Recovery Scan Tool http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ matching your system version, 32-bit or 64-bit.

Run FRST and click Scan. Post the FRST and Addition reports.

First of all, thank you very much for the reply.

 

Here is FRST: http://wklej.org/id/1653793/

 

Addition: http://wklej.org/id/1653796/

Uninstall YAC (Yet Another Cleaner!). Open the system Notepad and paste:

Task: {16785934-B873-4456-90B9-A3E3C4594F6D} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3127778819-4152052668-2074035438-1006UA = C:\Users\Jakub Pozorski\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-05-11] (Facebook Inc.)
Task: {658FED84-5609-41C8-B688-9ABC3C252688} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3127778819-4152052668-2074035438-1006Core = C:\Users\Jakub Pozorski\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-05-11] (Facebook Inc.)
Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3127778819-4152052668-2074035438-1006Core.job = C:\Users\Jakub Pozorski\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3127778819-4152052668-2074035438-1006UA.job = C:\Users\Jakub Pozorski\AppData\Local\Facebook\Update\FacebookUpdate.exe
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\Run: [Facebook Update] = C:\Users\Jakub Pozorski\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2014-05-11] (Facebook Inc.)
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\Run: [SwvUpdtr] = C:\Users\Jakub Pozorski\AppData\Local\11647\Updater.exe [876544 2015-01-21] ()
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {322c728d-1472-11e3-be82-20689d2d774b} - "H:\AutoRun.exe"
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {322c7597-1472-11e3-be82-20689d2d774b} - "H:\AutoRun.exe"
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {36474163-4178-11e4-bf7f-20689d2d774b} - "H:\AutoRun.exe"
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {523a8a56-3e8b-11e4-bf79-20689d2d774b} - "H:\AutoRun.exe"
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {65a98a82-d1d0-11e3-befa-20689d2d774b} - "H:\AutoRun.exe"
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {76e3e57d-8bf3-11e3-beb0-20689d2d774b} - "H:\AutoRun.exe"
HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\MountPoints2: {d16fbd1f-fd49-11e3-bf2d-20689d2d774b} - "H:\AutoRun.exe"
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
ProxyEnable: [S-1-5-21-3127778819-4152052668-2074035438-1006] = Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-3127778819-4152052668-2074035438-1006] = http=127.0.0.1:14174;https=127.0.0.1:14174
SearchScopes: HKU\.DEFAULT - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: OffersWizard - {4359A48A-62E5-9696-71B3-1C273503AA37} - C:\Program Files (x86)\ver2OffersWizard\190.dll ()
FF HKU\S-1-5-21-3127778819-4152052668-2074035438-1006\...\Firefox\Extensions: [{85A9DD51-C7AB-8CCB-1BF6-9AF83F578FE1}] - C:\Program Files (x86)\ver2OffersWizard\190.xpi
FF Extension: OffersWizard - C:\Program Files (x86)\ver2OffersWizard\190.xpi [2015-03-03]
CHR RestoreOnStartup: Default - "hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com"
R2 iSafeService; C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe [118048 2015-03-03] (Elex do Brasil Participações Ltda)
R1 iSafeKrnl; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnl.sys [249000 2015-03-03] (Elex do Brasil Participações Ltda)
S3 iSafeKrnlBoot; C:\Windows\System32\DRIVERS\iSafeKrnlBoot.sys [45224 2015-03-03] (Elex do Brasil Participações Ltda)
R1 iSafeKrnlKit; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlKit.sys [99496 2015-03-03] (Elex do Brasil Participações Ltda)
R1 iSafeKrnlMon; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlMon.sys [42152 2015-03-03] (Elex do Brasil Participações Ltda)
R1 iSafeKrnlR3; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlR3.sys [93352 2015-03-03] (Elex do Brasil Participações Ltda)
R1 iSafeNetFilter; C:\Windows\System32\DRIVERS\iSafeNetFilter.sys [52392 2015-02-15] (Elex do Brasil Participações Ltda)
S2 AODDriver4.2.0; \\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S3 AthBTPort; \SystemRoot\system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; \SystemRoot\system32\drivers\btath_a2dp.sys [X]
S3 btath_avdt; \SystemRoot\system32\drivers\btath_avdt.sys [X]
S3 BTATH_BUS; \SystemRoot\System32\drivers\btath_bus.sys [X]
S3 BTATH_HCRP; \SystemRoot\System32\drivers\btath_hcrp.sys [X]
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; \SystemRoot\System32\drivers\btath_rcp.sys [X]
2015-03-03 16:05 - 2015-03-03 11:41 - 00045224 _____ (Elex do Brasil Participações Ltda) C:\WINDOWS\system32\Drivers\iSafeKrnlBoot.sys
2015-03-03 16:05 - 2015-02-15 09:37 - 00052392 _____ (Elex do Brasil Participações Ltda) C:\WINDOWS\system32\Drivers\iSafeNetFilter.sys
2015-03-03 16:04 - 2015-03-03 16:05 - 00000000 ____ D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC
2015-03-03 16:04 - 2015-03-03 16:04 - 00001930 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\YAC.lnk
2015-03-03 16:04 - 2015-03-03 16:04 - 00000000 ____ D () C:\Users\Jakub Pozorski\AppData\Roaming\Elex-tech
2015-03-03 16:04 - 2015-03-03 16:04 - 00000000 ____ D () C:\Program Files (x86)\Elex-tech
2015-03-03 16:02 - 2015-03-03 16:02 - 00000000 ____ D () C:\Users\Jakub Pozorski\AppData\Roaming\eCyber
2015-03-03 16:01 - 2015-03-03 16:02 - 01022584 _____ (Elex do Brasil Participações Ltda) C:\Users\Jakub Pozorski\Downloads\yet_another_cleaner_sk_2373647.exe
2015-03-03 13:47 - 2015-03-03 15:35 - 00000000 ____ D () C:\AdwCleaner
2015-03-03 12:29 - 2015-03-03 15:45 - 00000452 _____ () C:\WINDOWS\Tasks\OffersWizard Update.job
2015-03-03 12:29 - 2015-03-03 12:29 - 00003110 _____ () C:\WINDOWS\System32\Tasks\OffersWizard Update
2015-03-03 12:29 - 2015-03-03 12:29 - 00000000 ____ D () C:\Program Files (x86)\ver2OffersWizard
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.

I did everything as you said and it works great.

Thanks a lot for the help and the time you spent.

 

Regards

Delete the C:\FRST folder.