Wirus skrót na pendrive

Dla specjalistów Bezpieczeństwo
#1

Witam,

 

Mam problem z wirusem tworzącym skrót do pendrive’a na pendrive.

 

FRST http://www.wklej.org/id/1734837/

 

Addition http://www.wklej.org/id/1734843/

 

Shortcut http://www.wklej.org/id/1734846/

 

OTL http://www.wklej.org/id/1734839/

 

Extras http://www.wklej.org/id/1734842/

 

USB Fix http://www.wklej.org/id/1734850/

 

Bardzo proszę o pomoc.

#2

Użyj USBFix z funkcji Usuń(Clean).Pokaż z niego log.

Pokaż nowe logi z FRST.

#3

USBFix http://wklej.org/id/1735342/

 

FRST http://wklej.org/id/1735344/

 

Addition http://wklej.org/id/1735345/

 

Shortcut http://wklej.org/id/1735346/

#4

Otwórz notatnik systemowy i wklej:

HKLM-x32\...\Run: [GrooveMonitor] = C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] = C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] = C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] = C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\RunOnce: [] = [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction ======= ATTENTION
HKU\S-1-5-21-4134693007-1300664000-2011552887-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction ======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4134693007-1300664000-2011552887-1000 - {576A940B-DBC4-4A5E-9C25-9BF62C005C2A} URL = http://search.yahoo.com/search?fr=chr-greentree_ieei=utf-8type=937811p={searchTerms}
FF Extension: No Name - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn [not found]
FF Extension: No Name - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn [not found]
FF Extension: No Name - C:\ProgramData\AVG Secure Search\10.0.0.7\ [not found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
S2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
S2 Update FindRight; "C:\Program Files (x86)\FindRight\updateFindRight.exe" [X]
S2 Util FindRight; "C:\Program Files (x86)\FindRight\bin\utilFindRight.exe" [X]
S3 catchme; \\C:\ComboFix\catchme.sys [X]
U4 eabfiltr; No ImagePath
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST w tym samym folderze.

#5

Fixlog http://wklej.org/id/1735522/

 

 

Nowy FRST po wykonaniu Fix

 

http://wklej.org/id/1735521/

#6

Jak wszystko gra to skasuj folder C:\FRST.W USBFix użyj opcji Uninstall.

#7

Wszystko gra, wielkie dzięki.