Wirus z facebook + logi OTL

ds4 · 28 Maj 2014 20:14

WItam, kolega wysłał mi na facebook pewien plik opatrzony opisem “hahaha” więc bez namysłu go otworzyłem. Był to plik o rozszerzeniu .jar, nazwa Pictr870.jar czy jakoś tak. Później okazało się, że wiadomość wysyłał automatycznie - jakieś ustrojstwo. Przez moją nieopatrzność zainfekowałem i swój komputer. Prosiłbym o pomoc w spojrzeniu na logi i na syf który mam na kompie:

http://www.wklej.org/id/1375805/ - otl

http://www.wklej.org/id/1375821/ - extras

Atis · 28 Maj 2014 20:41

W panelu sterowania odinstaluj Akamai NetSession Interface.

Pobierz i uruchom AdwCleaner Kliknij Szukaj i później Usuń.

Pobierz Farbar Recovery Scan Tool 64-Bit Version

Uruchom FRST i kliknij Scan. Pokaż raport FRST i Addition.

Acorus · 28 Maj 2014 20:44

Odinstaluj Spybot - Search & Destroy,Akamai NetSession Interface.Uruchom OTL i w okno (Własne opcje skanowania/Script)wklej:

:OTL
IE - HKU\S-1-5-21-1960066877-66308576-3240677627-1000\..\SearchScopes\{05B303AC-5458-49FC-94A6-792832B290D1}: "URL" = http://websearch.ask.com/redirect?client=ietb=ORJo=src=crmq={searchTerms}locale=apn_ptnrs=apn_dtid=OSJ000apn_uid=3752AA60-E456-4524-8D73-4B6F41C59119apn_sauid=527BFCAB-BB83-4161-B379-6EE451FF3B12
FF - prefs.js..browser.search.order.1: "Ask.com"
[2012-06-26 22:21:35 | 000,000,000 | ---D | M] (QuickStores-Toolbar) -- C:\Program Files (x86)\Mozilla Firefox\extensions\quickstores@quickstores.de
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O3 - HKU\S-1-5-21-1960066877-66308576-3240677627-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll File not found
O4:64bit: - HKLM..\Run: [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] 1 File not found
O4:64bit: - HKLM..\Run: [itype] c:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1960066877-66308576-3240677627-1000..\Run: [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] 1 File not found
O4 - HKU\S-1-5-21-1960066877-66308576-3240677627-1000..\Run: [Akamai NetSession Interface] C:\Users\Horadric\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found

:Commands
[emptytemp]

Kliknij Wykonaj skrypt.Po restarcie uruchom OTL i użyj opcji Sprzątanie.

Pobierz Farbar Recovery Scan Tool http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ zgodny z wersją systemu 32-bit lub 64-bit.

ds4 · 28 Maj 2014 21:14

Dziękuję za szybką reakcję,

oto logi z FRST po wykonaniu reszty w.w. zaleceń:

http://www.wklej.org/id/1375938/ FRST

http://www.wklej.org/id/1375936/ Add

dopiero zauważyłem tą linijkę

O4:64bit: - HKLM…\Run: [itype] c:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)

wg mnie mogło zostać, bo to sterowniki od mojej klawiatury

Atis · 28 Maj 2014 21:41

Wklej do systemowego notatnika i zapisz jako plik tekstowy o nazwie fixlist :

StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
Handler: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrchostpl.xml
S3 ALSysIO; \??\C:\Users\Horadric\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 usj; \??\D:\Eden Eternal\EdenEternal\avital\ussjcs64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\AdwCleaner
Task: {010FF33E-45E9-4FE9-A2BC-296DCE4D00A0} - System32\Tasks\{13256ED5-127B-4D6E-96AD-149955373BF8} => C:\Users\Horadric\Desktop\lide20lide30n670un676un1240uvst7031a_xpen\SetupSG.exe
Task: {0FF73AA4-C1BB-4812-930F-035D499A042A} - System32\Tasks\{C9269FB5-ADA7-4373-8500-61D478D47A06} => C:\Users\Horadric\Desktop\lide20lide30n670un676un1240uvst7031a_xpen\SetupSG.exe
Task: {45CA475B-EEC9-4D44-82DE-1ED602A106C4} - System32\Tasks\{E86E5FD9-9B70-4419-A145-194A2E6435B5} => C:\Users\Horadric\Desktop\CanoScan_Toolbox_v4131.exe
Task: {4F2A2D67-8BBD-4F56-9E14-F492E37610D9} - System32\Tasks\{E81F1BE6-897F-4A93-89A0-98845A7E9499} => C:\Users\Horadric\Desktop\bios update\Afudos238\Afudos.exe
Task: {A9555FA0-D074-436F-AAA2-FC707B636D42} - \Funmoods No Task File <==== ATTENTION
Task: {BC5C541F-7A4A-44E2-B61F-A1AFF3A31780} - System32\Tasks\{F86182CD-1EE4-4EA8-A8B1-ACA46B2DA1CE} =>C:\Users\Horadric\Desktop\bios update\Afudos238\Afudos.exe
AlternateDataStreams: C:\Temp:0228B8BE.dat
AlternateDataStreams: C:\Temp:pid1
AlternateDataStreams: C:\Temp:pid2
AlternateDataStreams: C:\Temp:rnd.dat
AlternateDataStreams: C:\ProgramData\TEMP:9FA1200D
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\facemoods" /f

Uruchom FRST i kliknij Fix. Pokaż raport z usuwania Fixlog.

Kliknij Scan i pokaż nowy raport z FRST bez Addition.