Problem z usunięciem fałszywego PCAntivirus 2010

Dla specjalistów Bezpieczeństwo
#1

W podobnym wątku znalazłem zagadnienie w związku z wirusem fraudo, u mnie niestety Malwarebytes Anti-Malware pomaga tylko na chwilę przy ponownym uruchomieniu komputera fraudo pojawia się ponownie, a z nim wraz fałszywy PCAntivirus 2010. Może ktoś pomoże?

Podaje loga Malwarebytes Anti-Malware

Typ skanowania: Szybkie skanowanie

Przeskanowane obiekty: 92887

Upłynęło: 5 minute(s), 55 second(s)

Zainfekowane procesy w pamięci: 0

Zainfekowane moduły pamięci: 0

Zainfekowane klucze rejestru: 1

Zainfekowane wartości rejestru: 0

Zainfekowane pliki rejestru: 6

Zainfekowane foldery: 1

Zainfekowane pliki: 16

Zainfekowane procesy w pamięci:

(Nie wykryto groźnych plików)

Zainfekowane moduły pamięci:

(Nie wykryto groźnych plików)

Zainfekowane klucze rejestru:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Zainfekowane wartości rejestru:

(Nie wykryto groźnych plików)

Zainfekowane pliki rejestru:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Zainfekowane foldery:

C:\Documents and Settings\Daniel \Menu Start\Programy\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Zainfekowane pliki:

C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32_scui.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Daniel \Menu Start\Programy\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Daniel \Menu Start\Programy\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\Common Files\sevim.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Daniel \Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Dodane 08.08.2009 (So) 21:52

dodaję jeszcze loga z Avastu

2009-08-05 20:49:25 Daniel 3188 Sign of “Win32:Trojan-gen {Other}” has been found in “c:\windows\system32\cru629.dat” file.

2009-08-05 20:56:29 Daniel 920 Sign of “Win32:Trojan-gen {Other}” has been found in “c:\windows\system32\cru629.dat” file.

2009-08-05 21:04:28 Daniel 1108 Sign of “Win32:Cutwail [Trj]” has been found in “C:\Documents and Settings\Daniel \Ustawienia lokalne\Temp\BN10.tmp[Embedded_I#3ee0][Embedded_Ix#14e8]” file.

2009-08-05 21:05:40 Daniel 1108 Sign of “Win32:Cutwail [Trj]” has been found in “C:\Documents and Settings\Daniel \Ustawienia lokalne\Temp\BN12.tmp[Embedded_I#3ee0][Embedded_Ix#14e8]” file.

2009-08-05 21:05:40 Daniel 1108 Sign of “Win32:Cutwail [Trj]” has been found in “C:\Documents and Settings\Daniel \Ustawienia lokalne\Temp\BN14.tmp[Embedded_I#3ee0][Embedded_Ix#14e8]” file.

2009-08-05 21:05:40 Daniel 1108 Sign of “Win32:Cutwail [Trj]” has been found in “C:\Documents and Settings\Daniel \Ustawienia lokalne\Temp\BN16.tmp[Embedded_I#3ee0][Embedded_Ix#14e8]” file.

2009-08-05 22:04:32 Daniel 1108 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\cru629.dat” file.

2009-08-07 15:33:54 SYSTEM 1620 Sign of “Win32:FakeAlert-CA [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-07 15:54:16 SYSTEM 1620 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Program Files\HomeAntivirus2010\HomeAntivirus2010.exe” file.

2009-08-07 15:54:31 SYSTEM 1620 Sign of “Win32:Cutwail [Trj]” has been found in “C:\DOCUME~1\DANIEL~1\USTAWI~1\Temp\BN6.tmp[Embedded_I#3ee0][Embedded_Ix#14e8]” file.

2009-08-07 15:55:15 SYSTEM 1620 Sign of “Win32:Cutwail [Trj]” has been found in “C:\DOCUME~1\DANIEL~1\USTAWI~1\Temp\BN8.tmp[Embedded_I#3ee0][Embedded_Ix#14e8]” file.

2009-08-07 15:59:39 SYSTEM 1620 Sign of “Win32:FakeAlert-CA [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-07 16:38:42 3256 Sign of “Win32:Fraudo [Trj]” has been found in “c:\program files\homeantivirus2010\avengn.dll” file.

2009-08-07 16:39:44 3256 Sign of “Win32:Fraudo [Trj]” has been found in “c:\program files\homeantivirus2010\homeantivirus2010.exe” file.

2009-08-07 16:39:58 3256 Sign of “Win32:Trojan-gen {Other}” has been found in “c:\windows\system32\cru629.dat” file.

2009-08-07 19:05:10 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IMZ6AERS\Install[1].exe” file.

2009-08-07 19:13:50 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-07 19:13:55 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-07 20:08:39 SYSTEM 1628 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IMZ6AERS\Install[1].exe” file.

2009-08-07 20:23:20 SYSTEM 1628 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-07 20:23:28 SYSTEM 1628 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 13:40:07 SYSTEM 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FMMGVSEU\Install[1].exe” file.

2009-08-08 13:40:18 SYSTEM 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 13:40:22 SYSTEM 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:11:22 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FMMGVSEU\Install[2].exe” file.

2009-08-08 17:11:34 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:11:46 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\KQ0A5L4E\Install[1].exe” file.

2009-08-08 17:11:55 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:12:13 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IMZ6AERS\Install[2].exe” file.

2009-08-08 17:12:24 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:12:40 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\N3S50PNF\Install[1].exe” file.

2009-08-08 17:12:47 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:13:03 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FMMGVSEU\Install[3].exe” file.

2009-08-08 17:13:13 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:13:32 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\KQ0A5L4E\Install[2].exe” file.

2009-08-08 17:13:44 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:16:15 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:16:38 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:16:43 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:16:50 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:16:55 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 17:17:02 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:39:24 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe” file.

2009-08-08 20:41:08 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Program Files\PC_Antispyware2010\Uninstall.exe” file.

2009-08-08 20:41:49 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IMZ6AERS\Install[1].exe” file.

2009-08-08 20:41:59 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:42:20 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\N3S50PNF\Install[1].exe” file.

2009-08-08 20:42:28 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:42:47 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FMMGVSEU\Install[1].exe” file.

2009-08-08 20:42:55 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:43:09 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\KQ0A5L4E\Install[1].exe” file.

2009-08-08 20:43:16 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:43:40 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IMZ6AERS\Install[2].exe” file.

2009-08-08 20:43:48 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:44:06 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\N3S50PNF\Install[2].exe” file.

2009-08-08 20:44:13 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:46:41 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:46:53 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:47:00 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:47:05 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:47:08 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 20:47:12 Daniel 1632 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 21:37:19 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FMMGVSEU\Install[1].exe” file.

2009-08-08 21:37:55 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 21:38:08 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\KQ0A5L4E\Install[1].exe” file.

2009-08-08 21:38:15 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 21:38:27 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IMZ6AERS\Install[1].exe” file.

2009-08-08 21:38:33 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 21:38:48 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\N3S50PNF\Install[1].exe” file.

2009-08-08 21:38:54 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 21:39:07 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\FMMGVSEU\Install[2].exe” file.

2009-08-08 21:39:13 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

2009-08-08 21:39:25 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\KQ0A5L4E\Install[2].exe” file.

2009-08-08 21:39:32 SYSTEM 1636 Sign of “Win32:Fraudo [Trj]” has been found in “C:\WINDOWS\system32\wisdstr.exe” file.

#2

zastosuj

WWDC http://cybertrash.pl/images/tata/WWDC.html

ATF Cleaner http://cybertrash.pl/images/tata/ATF/ATF.html

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 uruchom dwuklikiem

pokaż log

Podczas pobierania i skanu Combofixem proszę wyłączyć wszelkie zapory i antywirusy

:slight_smile:

#3

Mam problem z pobraniem WWDC coś pisze, że nie można pobrać, coś po angielsku i nie za bardzo rozumiem:

Welcome,

http://www.firewallleaktester.com will not be available for a few months from now primarily due to the money it costs me each month (more than 40Euro).

Also, one of the first purposes of firewallleaktester was to make people aware that software firewalls could be bypassed by many ways, point well taken nowadays by both the end users and the vendors themselves. Current security suites are more secure than before, and are able to detect and block the stealthiest malware out there.

I am keeping the domain name though, as firewallleaktester may come back later, probably about security globally and not just about software firewalls.

Time will tell.

Best Regards,

Guillaume Kaddouch.

#4

http://www.instalki.pl/programy/download/sieciowe/Windows_Worms_Doors_Cleaner.php

:slight_smile:

#5

znowu problem :frowning:

klikam 2 razy Combofix pojawia się uruchom klikam i nic się nie pojawia…

#6

spróbuj w trybie awaryjnym

:slight_smile:

#7

w trybie awaryjnym też nie działa ale po tym WWDC i ATF Cleaner chyba nic nie pomogło bo dalej wywala mi ikonkę infekcji czerwone kółko z białym krzyżykiem i próbuje automatycznie pobrać Pc Antispyware 2010

#8

Pobierz OTListIt2: http://www.searchengines.pl/index.php?s … =392369 przeskanuj daj log OTListIT.txt oraz Extras.txt.

:slight_smile:

#9

Czy mogę jakoś dodać w załączniku ten log o nie mogę wkleić całości (jak wklejam podzielony na 2 to zamiennie mi usuwa poprzedni)?

#10

Logi wklejasz na wklej.org lub wklej.to, a w poście dajesz link.

#11

podaje loga z OTL

http://wklej.org/id/134561/

#12

Zastosuj Malwarebytes’ Anti-Malware http://cybertrash.pl/Tata/MBAM/Malwarebytes_%20Anti-Malware.html pełny skan - jak coś znajdzie to usuń zaznaczone - pokaż log

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj

Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2& … It!+4.44.5

potem nowy log OTL

:slight_smile:

#13

podaję log z OTL

http://wklej.org/id/135016/

#14

To jest log z Malwarebytes Anti-Malware

#15

Masz zrobić pełny skan a nie szybkie skanowanie

zresztą wszystko masz napisane w poprzednim moim poście

:slight_smile: