Prosze o pomoc w usunięciu wirusa Ukash

Dla specjalistów Bezpieczeństwo
#1

Witam.

Prosze o pomoc bo mój komputer niestety tez został zaatakowany przez ukash. konto administratora jest przez wirusa zablokowane ale siostra miala jeszcze jedno konto tak zwany “gośc” wiec zrobilem skan (czy cos takiego) przez otl i podaje Logi:

http://wklej.to/hVKxp z pliku OTL.txt

http://wklej.to/zD9UJ z pliku Extras.txt

Bardzo jeszcze raz prosze o pomoc:)

#2
  1. Do okna Własne opcje skanowania / skrypt wklej:

Kliknij Wykonaj skrypt i zatwierdź restart.

Pokaż raport z usuwania.

  1. W panelu sterowania odinstaluj:

Contextual Tool Extrafind

Browsers Protector

Babylon toolbar on IE

Free Lunch Design TB Toolbar

HyperCam Toolbar

McAfee Security Scan Plus

Searchqu Toolbar

toolplugin

uTorrentBar Toolbar

Winamp Toolbar

Yahoo! Companion

DealPly

  1. Pobierz AdwCleaner

Zamknij przeglądarkę internetową.

Uruchom AdwCleaner i kliknij Delete

  1. Pokaż nowy log Skanuj.
#3

Moge to wykonac na tym drugim koncie czy musze w trybie awaryjnym???

Dodane 24.07.2012 (Wt) 0:14

To jest chyba ten raport skanowania(sory za niepewnosc )

All processes killed

========== OTL ==========

Error: No service named atidgllk was found to stop!

No service named atidgllk was found to delete!

File C:\DOCUME~1\xp\USTAWI~1\Temp~Af13653\Upgrade\atidgllk.sys not found.

Error: No service named NMSAccessU was found to stop!

No service named NMSAccessU was found to delete!

File C:\Documents and Settings\xp\Ustawienia lokalne\Temp{963D9E3F-A139-4AF4-8CA8-0B28485C07C0}\NMSAccessU.exe not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions{57cc715d-37ca-44e4-9ec2-8c2cbddb25ec}\ not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}\ not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\ not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions\DTToolbar@toolbarnet.com\ not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions\engine@conduit.com\ not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions\welcome@toolmin.com\ not found.

File C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\searchplugins\aol-web-search.xml not found.

Folder C:\Documents and Settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\ite8xs48.default\extensions{0b38152b-1b20-484d-a11f-5e04a9b0661f}\ not found.

File move failed. C:\Program Files\Mozilla Firefox\searchplugins\Search the web.src scheduled to be moved on reboot.

File move failed. C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml scheduled to be moved on reboot.

File move failed. C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml scheduled to be moved on reboot.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\7F9405 deleted successfully.

File move failed. C:\WINDOWS\system32\140CC8\7F9405.EXE scheduled to be moved on reboot.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\avast deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DATAMNGR deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DriverCD deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tray_ico deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tray_ico1 deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tray_ico2 deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tray_ico3 deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tray_ico4 deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UserFaultCheck deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wincredprovider deleted successfully.

File C:\Documents and Settings\xp\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\129\wincredprovider.exe not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logon deleted successfully.

Registry key HKEY_USERS\S-1-5-21-1957994488-73586283-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Run not found.

Registry key HKEY_USERS\S-1-5-21-1957994488-73586283-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Run not found.

Registry key HKEY_USERS\S-1-5-21-1957994488-73586283-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Run not found.

File C:\Documents and Settings\xp\Ustawienia lokalne\Dane aplikacji\gpyidw.exe not found.

Registry key HKEY_USERS\S-1-5-21-1957994488-73586283-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Run not found.

File C:\Documents and Settings\xp\P-7-78-8964-9648-3874\windll.exe not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Logon deleted successfully.

File move failed. C:\Documents and Settings\xp\Menu Start\Programy\Autostart\7F9405.lnk scheduled to be moved on reboot.

File move failed. C:\WINDOWS\system32\140CC8\7F9405.EXE scheduled to be moved on reboot.

File C:\Documents and Settings\xp\Menu Start\Programy\Autostart\edobq.exe not found.

File move failed. C:\Documents and Settings\xp\Menu Start\Programy\Autostart\Ubisoft register.lnk scheduled to be moved on reboot.

Folder C:\Documents and Settings\xp\Dane aplikacji\hellomoto\ not found.

File C:\Documents and Settings\xp\mine.exe not found.

========== FILES ==========

C:\Documents and Settings\All Users\Dane aplikacji\F4D562C8000010984581790B0CDF10C2 folder moved successfully.

File\Folder C:\Documents and Settings\xp\P-7-78-8964-9648-3874 not found.

File\Folder C:\Documents and Settings\xp\Menu Start\Programy\Autostart\7F9405.lnk not found.

File\Folder C:\Documents and Settings\xp\live.vbs not found.

File move failed. C:\WINDOWS\loader2.exe_ok scheduled to be moved on reboot.

File move failed. C:\WINDOWS\unrar.exe scheduled to be moved on reboot.

File\Folder C:\Documents and Settings\xp\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\129 not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Gość

User: LocalService

User: NetworkService

User: xp

User: xp2

->Temp folder emptied: 154984326 bytes

->Temporary Internet Files folder emptied: 1042209 bytes

->Java cache emptied: 612733 bytes

->FireFox cache emptied: 255324212 bytes

->Google Chrome cache emptied: 7244711 bytes

->Opera cache emptied: 3621085 bytes

->Flash cache emptied: 94590720 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2352022 bytes

%systemroot%\System32 .tmp files removed: 3810340 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

RecycleBin emptied: 54271422 bytes

Total Files Cleaned = 551,00 mb

OTL by OldTimer - Version 3.2.54.0 log created on 07242012_000854

Files\Folders moved on Reboot…

File move failed. C:\Program Files\Mozilla Firefox\searchplugins\Search the web.src scheduled to be moved on reboot.

File move failed. C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml scheduled to be moved on reboot.

File move failed. C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml scheduled to be moved on reboot.

File move failed. C:\WINDOWS\system32\140CC8\7F9405.EXE scheduled to be moved on reboot.

File\Folder C:\Documents and Settings\xp\Menu Start\Programy\Autostart\7F9405.lnk not found!

File\Folder C:\Documents and Settings\xp\Menu Start\Programy\Autostart\Ubisoft register.lnk not found!

File move failed. C:\WINDOWS\loader2.exe_ok scheduled to be moved on reboot.

File move failed. C:\WINDOWS\unrar.exe scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\UHGPC3KF\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\SZ2TW5SP\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\MX8BUXK7\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\EZSJ6BO5\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.

File move failed. C:\WINDOWS\SET3.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\SET4.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\SET8.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\CONFIG.TMP scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SET36B.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SET3DC.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SET3F7.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SET3F9.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SET407.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SET428.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SETA4.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SETA8.tmp scheduled to be moved on reboot.

File move failed. C:\WINDOWS\System32\SETB0.tmp scheduled to be moved on reboot.

PendingFileRenameOperations files…

[2011-10-25 21:11:24 | 000,000,158 | ---- | M] () C:\Program Files\Mozilla Firefox\searchplugins\Search the web.src : MD5=38E360316F107C4C7607770C303AE745

[2012-04-24 21:05:02 | 000,002,519 | ---- | M] () C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml : MD5=BFC93E2E26B2D63BA0DB7FBDDACA0B7E

[2012-04-21 19:53:52 | 000,002,313 | ---- | M] () C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml : MD5=208625CF2DB01FB9F26F592AD6D24E31

[2012-05-23 22:29:23 | 001,414,106 | RHS- | M] () C:\WINDOWS\system32\140CC8\7F9405.EXE : MD5=FE65E55A566FD7E2E963CFDB8C1C4F21

File C:\Documents and Settings\xp\Menu Start\Programy\Autostart\7F9405.lnk not found!

File C:\Documents and Settings\xp\Menu Start\Programy\Autostart\Ubisoft register.lnk not found!

[2011-07-25 14:23:22 | 000,000,000 | ---- | M] () C:\WINDOWS\loader2.exe_ok : MD5=D41D8CD98F00B204E9800998ECF8427E

[2011-07-25 14:28:36 | 000,246,272 | ---- | M] () C:\WINDOWS\unrar.exe : MD5=49710E363E4C247716508672F909D5BA

[2011-04-19 11:41:43 | 000,000,067 | -HS- | M] () C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\UHGPC3KF\desktop.ini : MD5=4A3DEB274BB5F0212C2419D3D8D08612

[2011-04-19 11:41:43 | 000,000,067 | -HS- | M] () C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\SZ2TW5SP\desktop.ini : MD5=4A3DEB274BB5F0212C2419D3D8D08612

[2011-04-19 11:41:43 | 000,000,067 | -HS- | M] () C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\MX8BUXK7\desktop.ini : MD5=4A3DEB274BB5F0212C2419D3D8D08612

[2011-04-19 11:41:43 | 000,000,067 | -HS- | M] () C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\EZSJ6BO5\desktop.ini : MD5=4A3DEB274BB5F0212C2419D3D8D08612

[2011-04-19 11:41:43 | 000,000,067 | -HS- | M] () C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\desktop.ini : MD5=4A3DEB274BB5F0212C2419D3D8D08612

[2011-04-19 11:41:43 | 000,000,067 | -HS- | M] () C:\Documents and Settings\Default User\Ustawienia lokalne\Temporary Internet Files\desktop.ini : MD5=4A3DEB274BB5F0212C2419D3D8D08612

[2008-04-15 14:00:00 | 001,246,357 | R— | M] () C:\WINDOWS\SET3.tmp : MD5=02A561AD9B8C52D01F02B4E1ADE90B8F

[2008-04-15 14:00:00 | 001,088,840 | R— | M] () C:\WINDOWS\SET4.tmp : MD5=853B029825EFD37D02ADD78D010E1113

[2008-04-15 14:00:00 | 000,016,825 | R— | M] () C:\WINDOWS\SET8.tmp : MD5=43F430B049D7A8ACB929DD3069AEFBCA

[2008-04-15 14:00:00 | 000,002,596 | ---- | M] () C:\WINDOWS\System32\CONFIG.TMP : MD5=012B7C65B95DA39C3BB7DEF297AB74C7

[2009-02-04 18:42:48 | 000,099,840 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SET36B.tmp : MD5=3A69CA26BAC32FB35F708AC0F3929EF5

[2009-01-30 20:34:06 | 000,222,208 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SET3DC.tmp : MD5=C77A18954C448DD9F87585247851501A

[2009-01-30 20:34:02 | 000,254,976 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SET3F7.tmp : MD5=E132AD94798E72ACB650E985984C7F58

[2009-01-30 20:34:02 | 000,166,912 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SET3F9.tmp : MD5=A687C458B80C7D55CBE39649D952ED2A

[2009-01-30 20:35:54 | 000,133,632 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SET407.tmp : MD5=D7D69F304A604387B86BE991CBF07663

[2009-02-04 18:42:48 | 000,099,840 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SET428.tmp : MD5=3A69CA26BAC32FB35F708AC0F3929EF5

[2006-10-18 21:47:18 | 000,222,208 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SETA4.tmp : MD5=808058051C6848FA80622903C12AC950

[2006-10-18 21:47:20 | 000,157,184 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SETA8.tmp : MD5=C4C2BE99F6CCA8022CF0126381FE5390

[2006-10-18 21:47:22 | 002,450,944 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\SETB0.tmp : MD5=711CE861C22E64AB180BA9887EF8DDA9

Registry entries deleted on Reboot…

#4

Nie zaśmiecaj forum i wszystkie logi umieszczaj na wklej.org.

Teraz normalnie zaloguj się i wykonaj pozostałe punkty.

#5

sory juz sie poprawiam

prosze:

http://wklej.to/ARzxG

niestety tych niektorych programow nieda sie usunąc:/

#6

Poprawić miałeś w poprzednim poście klikając w przycisk edytuj

Wykonaj kolejne kroki.

#7

http://wklej.to/WXjjT nowy log z punktu 4

niestety większosci tamtych programów nie dało sie usunac z punktu 2

#8

Uruchom system w trybie awaryjnym i wtedy użyj skryptu.

Do okna Własne opcje skanowania / skrypt wklej:

Kliknij Wykonaj skrypt i zatwierdź restart.

Pokaż raport z usuwania i nowy log Skanuj.

#9

noi niestety jest problem bo jesli bym chcial uruchomic system w trybie awaryjnym to mi wyskoczzy takie niebieskie i szybko zniknie restartujac kompa:(:confused:

#10

Pobierz i rozpakuj archiwum:

http://support.kaspersky.com/downloads/ … egkeys.zip

Uruchom plik SafeBootWin XP

Jeżeli nadal nie będzie działać to wykonaj w normalnym trybie.

#11

Jak pobrac to archiwum i gdzie jest ten plik SafeBootWinXP?

Dodane 24.07.2012 (Wt) 2:12

Niestety gdy juz klikam wykonaj skrypt w normalnym trybie to OTL sie ścina:/

#12

Przecież podałem link do archiwum ZIP.

Żeby pobrać wystarczy kliknąć w link.

http://sendfile.pl/191620/SafeBootWinXP.zip

Pobierz i uruchom The Avenger

Do okna programu wklej:

Kliknij w Execute i zatwierdź restart.

Pokaż raport z usuwania i nowy log z OTL.