panbulwa
(Fajnekonto)
21 April 2011 18:27
#1
I've got what seems to be a common problem lately with this junk. XP Security is showing these supposed viruses and blocking the browsers. I know nothing about this, but I read something about logs.
OTL:
http://wklej.org/id/516845/
http://wklej.org/id/516847/
GMER
http://wklej.org/id/516848/
If anything else is needed, let me know. Thanks in advance
Paste into OTL and press Run Fix:
:OTL
IE - HKU\S-1-5-21-527237240-436374069-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df
FF - prefs.js…extensions.enabledItems: vshare@toolbar:1.0.0
[2010-10-03 16:00:48 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\karik\Application Data\mozilla\Firefox\Profiles\lquxuqyp.default\extensions\vshare@toolbar
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKLM…\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKU\S-1-5-21-527237240-436374069-725345543-1003…\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll ()
O33 - MountPoints2\{9aecd256-4f0a-11e0-9224-7e9f0a911954}\Shell\AutoRun\command - "" = H:\EXPLORER.EXE
O33 - MountPoints2\{9aecd256-4f0a-11e0-9224-7e9f0a911954}\Shell\explore\Command - "" = H:\EXPLORER.EXE
O33 - MountPoints2\{9aecd256-4f0a-11e0-9224-7e9f0a911954}\Shell\open\Command - "" = H:\EXPLORER.EXE
O33 - MountPoints2\{9f3d237c-52aa-11df-9024-66856845f34b}\Shell - "" = AutoRun
O33 - MountPoints2\{9f3d237c-52aa-11df-9024-66856845f34b}\Shell\AutoRun\command - "" = F:\Startme.exe
O33 - MountPoints2\{d228e790-2d8e-11df-8fb8-baec6049c5e0}\Shell\AutoRun\command - "" = G:\Install.exe
O33 - MountPoints2\{d8c23691-0930-11e0-91a4-d6af0e71a1a4}\Shell\AutoRun\command - "" = H:\setupSNK.exe
O33 - MountPoints2\{f59342cb-6e54-11df-9067-aa9831b1b457}\Shell\AutoRun\command - "" = hm1bfpuj.exe
O33 - MountPoints2\{f59342cb-6e54-11df-9067-aa9831b1b457}\Shell\open\Command - "" = hm1bfpuj.exe
O35 - HKU\S-1-5-21-527237240-436374069-725345543-1003…exefile [open] -- "C:\Documents and Settings\karik\Local Settings\Application Data\wpc.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKU\S-1-5-21-527237240-436374069-725345543-1003…exe [@ = exefile] -- "C:\Documents and Settings\karik\Local Settings\Application Data\wpc.exe" -a "%1" %* (Microsoft Corporation)
[2011-04-20 22:38:36 | 000,339,968 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\karik\Local Settings\Application Data\wpc.exe
[2011-04-21 17:40:38 | 000,016,298 | -HS- | M] () -- C:\Documents and Settings\karik\Local Settings\Application Data\787s705df802d73826t8d
[2011-04-21 17:40:38 | 000,016,298 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\787s705df802d73826t8d
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:302A9871
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[emptytemp]
Then post the removal log and new OTL logs
panbulwa
(Fajnekonto)
21 April 2011 19:31
#3
After restarting the computer there was this log (I think that's what you meant?)
http://wklej.org/id/516879/
And here is the new OTL:
http://wklej.org/id/516887/
Is that all now? Because everything is OK now. I have no idea how you even worked that out, but huge, really huge thanks
PS. Will I be able to download vshare again?
gera
(Hofsner)
25 April 2011 14:11
#4
Similar problem: this time Vista Home Security blocked my browsers. I managed to get around it, but that's no good in the long run…
This is what came out of the OTL scan:
http://wklej.org/id/518681/
I have no idea what to do with it next. Help!
Leon1
(Leon$)
25 April 2011 16:05
#5
In OTL, in the Custom Scans/Fixes box (własne opcje skanowania/skrypt), paste the following script:
:OTL
FF - prefs.js…extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.2.0185
FF - prefs.js…extensions.enabledItems: vshare@toolbar:1.0.0
[2011-04-21 21:08:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\karik\Application Data\mozilla\Firefox\Profiles\lquxuqyp.default\extensions\DTToolbar@toolbarnet.com
[2011-04-21 21:08:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\karik\Application Data\mozilla\Firefox\Profiles\lquxuqyp.default\extensions\vshare@toolbar
O3 - HKU\S-1-5-21-527237240-436374069-725345543-1003…\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4 - HKLM…\Run: [WinampAgent] File not found
O4 - HKU\S-1-5-21-527237240-436374069-725345543-1003…\Run: [GameTracker] File not found
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[CLEARALLRESTOREPOINTS]
[emptytemp]
Click Run Fix. Confirm the computer restart.
Then a new OTL log made with the Run Scan option.
– Added 25.04.2011 (Mon) 18:15 –
In OTL, in the Custom Scans/Fixes box (własne opcje skanowania/skrypt), paste the following script:
:OTL
PRC - [2011-04-25 09:51:48 | 000,352,256 | -HS- | M] (Microsoft Corporation) -- C:\Users\Ania\AppData\Local\twb.exe
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKLM…\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU…\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM…\Run: [bearShare] File not found
O4 - HKLM…\Run: [DivX Download Manager] File not found
O4 - HKLM…\Run: [Lexmark X1100 Series] File not found
O4 - HKLM…\Run: [NDSTray.exe] File not found
O4 - HKCU…\Run: [TOSCDSPD] File not found
O33 - MountPoints2\{3c324adf-49eb-11de-8606-e2edd7331b23}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
O33 - MountPoints2\{3c324adf-49eb-11de-8606-e2edd7331b23}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
O33 - MountPoints2\{3d23e84f-02b0-11de-8dcb-000000000000}\Shell - "" = AutoRun
O33 - MountPoints2\{3d23e84f-02b0-11de-8dcb-000000000000}\Shell\AutoRun\command - "" = G:\autorun.exe
O33 - MountPoints2\{484d24f3-7992-11dd-80ff-001644ca67c4}\Shell\AutoRun\command - "" = fppg1.exe
O33 - MountPoints2\{484d24f3-7992-11dd-80ff-001644ca67c4}\Shell\explore\Command - "" = fppg1.exe
O33 - MountPoints2\{484d24f3-7992-11dd-80ff-001644ca67c4}\Shell\open\Command - "" = fppg1.exe
O33 - MountPoints2\{8930b407-ac31-11dd-91f9-001644ca67c4}\Shell\AutoRun\command - "" = rdsfk.com
O33 - MountPoints2\{8930b407-ac31-11dd-91f9-001644ca67c4}\Shell\explore\Command - "" = rdsfk.com
O33 - MountPoints2\{8930b407-ac31-11dd-91f9-001644ca67c4}\Shell\open\Command - "" = rdsfk.com
O33 - MountPoints2\{8ac03fb3-bee2-11dd-b72d-001644ca67c4}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
O33 - MountPoints2\{8ac03fb3-bee2-11dd-b72d-001644ca67c4}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
O35 - HKCU…exefile [open] -- "C:\Users\Ania\AppData\Local\twb.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKCU…exe [@ = exefile] -- "C:\Users\Ania\AppData\Local\twb.exe" -a "%1" %* (Microsoft Corporation)
[2011-04-25 09:51:48 | 000,352,256 | -HS- | C] (Microsoft Corporation) -- C:\Users\Ania\AppData\Local\twb.exe
[2011-04-25 15:55:00 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7E2F12AA-541A-4F34-9E47-6B99A66E1EE2}.job
[2011-04-25 15:23:13 | 000,010,286 | -HS- | M] () -- C:\Users\Ania\AppData\Local\o5k2p0o7o0878
[2011-04-25 15:23:13 | 000,010,286 | -HS- | M] () -- C:\ProgramData\o5k2p0o7o0878
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:044C945E
:Files
C:\Users\Ania\AppData\Local\Temp\*.html
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[CLEARALLRESTOREPOINTS]
[emptytemp]
Click Run Fix. Confirm the computer restart.
Then a new OTL log made with the Run Scan option.
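Added example, not part of the thread and not OTL's own code: a small Python triage pass over OTL log lines that flags the four kinds of entry the helpers removed by hand in reply #2 and reply #5 (the O35/O37 exefile handler hijack through wpc.exe / twb.exe, the O33 MountPoints2 autorun commands, hidden+system files dropped under Application Data / AppData / ProgramData, and the alternate data stream) and drafts the matching fix script. The regular expressions, severity labels, directory list and the sample lines are this example's own assumptions; the sample lines are adapted from the logs quoted above, with the straight quotes, `--` and `\{` that OTL prints.

```python
"""Triage OTL log lines for the persistence used by 'XP Security' /
'Vista Home Security' and draft the matching OTL fix script.
Added example: not from the forum thread and not OTL's own logic; regexes,
severities and sample lines are this example's assumptions."""
import re

# O35/O37: the per-user .exe / exefile "open" handler. The only clean value is
# "%1" %* (OTL prints it followed by 'File not found'); a program in front of
# it is launched every time the user starts any .exe.
HANDLER_RE = re.compile(
    r'^O3[57] - (?P<key>.+?)(?:exefile \[open\]|exe \[@ = exefile\]) -- (?P<cmd>.+)$')
# O33: per-volume MountPoints2 Shell\<verb>\command values written by
# autorun.inf on removable drives. Nothing legitimate needs them.
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]+)\}\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "" = (?P<target>.+)$', re.IGNORECASE)
# File listing: [date time | size | attrs | C-or-M] (company) -- path
FILE_RE = re.compile(
    r'^\[(?P<ts>[^|]+)\| *(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+)$')
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$')

DEFAULT_HANDLER = '"%1" %*'
# Hidden+system files in user-writable places are how the dropper and its
# random-named companion (787s705df802d73826t8d, o5k2p0o7o0878) hide.
USER_DIRS = ('\\application data\\', '\\appdata\\', '\\programdata\\')
BENIGN_HS = ('desktop.ini', 'thumbs.db')


def _strip_annotation(cmd):
    """Drop OTL's trailing '(Company)' or 'File not found' from a command."""
    cmd = re.sub(r' \([^()]*\)$', '', cmd)
    return re.sub(r' File not found$', '', cmd).strip()


def triage(lines):
    """Return (kind, severity, original line, note) for each suspicious entry."""
    findings = []
    for line in (l.strip() for l in lines):
        m = HANDLER_RE.match(line)
        if m:
            cmd = _strip_annotation(m.group('cmd'))
            if cmd != DEFAULT_HANDLER:
                exe = re.match(r'"([^"]+)"', cmd)
                findings.append(('exefile-hijack', 'high', line,
                                 'exefile hijack via ' + (exe.group(1) if exe else cmd)))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            target = m.group('target')
            # Bare file name or RECYCLER\S-1-5-... path: classic USB-worm
            # pattern. A drive-rooted installer is leftover debris; still remove.
            wormy = '\\' not in target or '\\recycler\\' in target.lower()
            findings.append(('mountpoints2-autorun', 'high' if wormy else 'medium',
                             line, m.group('verb') + ' -> ' + target))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, low = m.group('attrs'), m.group('path').lower()
            if ('H' in attrs and 'S' in attrs and any(d in low for d in USER_DIRS)
                    and not low.endswith(BENIGN_HS)):
                findings.append(('hidden-system-file', 'high', line,
                                 '%s bytes, claims "%s"' % (m.group('size'), m.group('company'))))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(('alternate-data-stream', 'medium', line,
                             '%s bytes in %s' % (m.group('size'), m.group('path'))))
    return findings


def build_fix_script(findings):
    """Draft what the helpers wrote by hand: flagged lines under :OTL (OTL resets
    the handler and deletes the files/streams), MountPoints2 wiped if any O33
    entry was seen, then temp emptied."""
    out = [':OTL'] + [f[2] for f in findings]
    if any(f[0] == 'mountpoints2-autorun' for f in findings):
        out += [':Reg', '[-HKEY_CURRENT_USER\\software\\microsoft\\windows'
                        '\\currentversion\\explorer\\mountpoints2]']
    out += [':Commands', '[emptytemp]']
    return '\n'.join(out)


# Constructed sample: lines adapted from the thread's second log, plus a
# benign default HKLM handler line that must not be flagged.
SAMPLE_LOG = [
    r'O35 - HKLM..exefile [open] -- "%1" %* File not found',
    r'O35 - HKCU..exefile [open] -- "C:\Users\Ania\AppData\Local\twb.exe" -a "%1" %* (Microsoft Corporation)',
    r'O37 - HKCU..exe [@ = exefile] -- "C:\Users\Ania\AppData\Local\twb.exe" -a "%1" %* (Microsoft Corporation)',
    r'O33 - MountPoints2\{3c324adf-49eb-11de-8606-e2edd7331b23}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe',
    r'O33 - MountPoints2\{484d24f3-7992-11dd-80ff-001644ca67c4}\Shell\open\Command - "" = fppg1.exe',
    r'O33 - MountPoints2\{3d23e84f-02b0-11de-8dcb-000000000000}\Shell\AutoRun\command - "" = G:\autorun.exe',
    r'[2011-04-25 09:51:48 | 000,352,256 | -HS- | C] (Microsoft Corporation) -- C:\Users\Ania\AppData\Local\twb.exe',
    r'[2011-04-25 15:23:13 | 000,010,286 | -HS- | M] () -- C:\ProgramData\o5k2p0o7o0878',
    r'@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:044C945E',
]

if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for kind, severity, _, note in hits:
        print('%-6s %-21s %s' % (severity, kind, note))
    print(build_fix_script(hits))
```

The handler check is the one that matters most for the "browser blocked" symptom: with `"C:\...\twb.exe" -a "%1" %*` as the exefile command, every program the user starts, including the browser, is run through the rogue AV first, which is why it could block them. The drafted script only echoes lines the log already contains; like the helpers in the thread, you still review every flagged line before running the fix, and the `[emptytemp]` step is there because the fake scanner keeps its pages in the temp folder.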