Infected system files in the winsxs folder


(Szlachcic936) #1

Hello, I recently tried to install graphics card drivers, but the operation failed and as a result the card got thrown out of the system and the computer no longer sees it. I scanned the computer looking for the cause and it found 9 viruses in the winsxs folder. I have no idea what to do with them, because the antivirus (Avast) does nothing with those files (it shows "access denied (5)" or "the request is not supported (50)"); the threat level is high and the status is: Rootkit threat: hidden file. Please advise. [attached screenshot thumbnail]


(Acorus) #2

Download Farbar Recovery Scan Tool http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ matching your system version, 32-bit or 64-bit.


(Szlachcic936) #3

FRST Addition


(Acorus) #4

Put the reports on http://wklej.org/ and post the link.


(Szlachcic936) #5

http://wklej.org/id/1380124/


(Acorus) #6

Uninstall Alcohol 120% Packages, AVG PC TuneUp 2014, AVG Security Toolbar, awesomehp Browser Protecter, Browser Tab Search by Ask for Google Chrome, IePluginService12.27.0.3326, PDF Writer Packages, SweetIM for Messenger 3.6, SweetPacks Toolbar for Internet Explorer 4.5, Update for PDF Writer, UpdateChecker, WinZipper. Use AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/ with the Scan (Search) function and then Clean (Remove) (on Vista/Windows 7 run it from the right-click menu as Administrator).

Show new FRST logs.


(Szlachcic936) #7

Here you go, I did as you instructed http://wklej.org/id/1380202/


(Acorus) #8

You were supposed to uninstall AVG PC TuneUp 2014. Open Notepad and paste:

HKU\S-1-5-21-426357400-2998906205-1478579731-1000\...\Run: [Facebook Update] = C:\Users\Robert\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2013-12-11] (Facebook Inc.)
IFEO\backitup.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\cdspeed.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\coverdes.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\DATABASECOMPARE.EXE: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\drivespeed.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\excel.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\groove.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\hamachi-2-ui.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\infopath.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\infotool.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lolrecorder.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lolreplay.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lync.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\msaccess.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\msoev.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\msotd.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\msoxmled.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\mspub.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\nero.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\neroburnrights.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\nerohome.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\neromediahome.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\neroscoutoptions.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\nerostartsmart.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\neroupgrade.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\nerovision.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\OcPubMgr.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\onenote.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\outlook.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\photosnap.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\photosnapviewer.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\powerpnt.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\recode.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\sbase.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\scalc.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\sdraw.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\setupx.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\showtime.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\simpress.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\smath.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\soffice.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\SPREADSHEETCOMPARE.EXE: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\swriter.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\Winword.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2488} URL = http://dts.search.ask.com/sr?src=iebgct=dsappid=210systemid=488v=a12834-346apn_uid=5716424096014922apn_dtid=TCH001o=APN11459apn_ptnrs=AG1q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2488} URL = http://dts.search.ask.com/sr?src=iebgct=dsappid=210systemid=488v=a12834-346apn_uid=5716424096014922apn_dtid=TCH001o=APN11459apn_ptnrs=AG1q={searchTerms}
SearchScopes: HKCU - URL http://isearch.babylon.com/?q={searchTerms}babsrc=SP_ss_wls_Btisdt4mntrId=A8428C89A57EF741affID=119357tt=160713_91114tsp=4946
SearchScopes: HKCU - {8FF88915-86F2-4D48-94BA-EEA597148EAE} URL = http://websearch.ask.com/redirect?client=ietb=ORJo=src=kwq={searchTerms}locale=apn_ptnrs=U3apn_dtid=OSJ000YYPLapn_uid=A9215468-44B9-4F5E-8D7D-E949DE16087Fapn_sauid=087F4729-575C-4A12-9014-C418DA5D8D6E
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\\npsitesafety.dll No File
CHR HKLM\...\Chrome\Extension: [icanoneicgaahjbilcgdmnhoocddknbl] - C:\Users\Robert\AppData\Local\InfoBirdPro.crx [2013-08-18]
CHR HKLM\...\Chrome\Extension: [khongjfjjmklggionajlpjcpmnppdace] - C:\Users\Robert\AppData\Local\BargainJoy.crx [2013-09-06]
CHR HKCU\...\Chrome\Extension: [icanoneicgaahjbilcgdmnhoocddknbl] - C:\Users\Robert\AppData\Local\InfoBirdPro.crx [2013-08-18]
CHR HKCU\...\Chrome\Extension: [khongjfjjmklggionajlpjcpmnppdace] - C:\Users\Robert\AppData\Local\BargainJoy.crx [2013-09-06]
CHR HKLM-x32\...\Chrome\Extension: [icanoneicgaahjbilcgdmnhoocddknbl] - C:\Users\Robert\AppData\Local\InfoBirdPro.crx [2013-08-18]
CHR HKLM-x32\...\Chrome\Extension: [khongjfjjmklggionajlpjcpmnppdace] - C:\Users\Robert\AppData\Local\BargainJoy.crx [2013-09-06]
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2185528 2014-04-15] (AVG)
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [14112 2014-03-26] (TuneUp Software)
S3 EagleX64; \\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 NTIOLib_1_0_C; \\E:\NTIOLib_X64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2014-06-02 11:18 - 2014-06-02 11:20 - 00000000 ____ D () C:\AdwCleaner
2014-06-02 09:43 - 2014-06-02 09:43 - 00002762 _____ () C:\Windows\System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013
2014-06-02 08:31 - 2013-12-11 21:26 - 00000932 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-426357400-2998906205-1478579731-1000UA.job
2014-06-01 20:31 - 2013-12-11 21:26 - 00000910 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-426357400-2998906205-1478579731-1000Core.job
2014-06-01 12:49 - 2014-01-09 16:18 - 00002994 _____ () C:\Windows\System32\Tasks\{5C7C6400-E8B9-4006-A640-450AA8AAC0A2}
2014-06-01 12:49 - 2014-01-09 16:16 - 00002994 _____ () C:\Windows\System32\Tasks\{A48F4FC2-6CE3-47E4-B8DB-41626F56CB39}
2014-06-01 12:48 - 2013-02-24 11:42 - 00002960 _____ () C:\Windows\System32\Tasks\{D8EC59A8-96FC-4756-B6AC-5957597F71A7}
2014-06-01 12:48 - 2013-02-24 11:42 - 00002960 _____ () C:\Windows\System32\Tasks\{9F699D65-D6A8-4633-87BA-8C16F8C407C1}
2014-06-01 12:48 - 2013-02-24 11:25 - 00002940 _____ () C:\Windows\System32\Tasks\{4C014CB8-DDD2-4563-B8EE-AD3F6DB37830}
2014-06-01 12:47 - 2012-09-12 15:50 - 00002918 _____ () C:\Windows\System32\Tasks\{A6C1A2F0-7EFB-44D7-B903-2826240E2D2F}
2014-06-01 12:47 - 2012-09-12 15:49 - 00002918 _____ () C:\Windows\System32\Tasks\{4101F85D-8DD0-4992-9A15-BC83E408DF1E}

Save the file as fixlist.txt and put it next to FRST.
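The fixlist above removes four kinds of entries worth recognising in any FRST report: IFEO "Debugger" values (every launch of the named program is redirected to the listed executable), SearchScopes pointing at third-party search providers, Chrome extensions loaded from a .crx under the user's AppData rather than the Web Store, and services whose driver file is missing ([X]). The following Python script is an added example, not part of this thread or of FRST, that classifies such lines from a report pasted into it; the sample lines are constructed in FRST's format, and the list of trusted search domains is an assumption for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample lines in FRST report format (not copied from a real log).
SAMPLE_LOG = r"""
IFEO\excel.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
SearchScopes: HKCU - {8FF88915-86F2-4D48-94BA-EEA597148EAE} URL = http://websearch.ask.com/redirect?q={searchTerms}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
CHR HKCU\...\Chrome\Extension: [khongjfjjmklggionajlpjcpmnppdace] - C:\Users\Robert\AppData\Local\BargainJoy.crx [2013-09-06]
S3 EagleX64; \\C:\Windows\system32\drivers\EagleX64.sys [X]
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2185528 2014-04-15] (AVG)
"""

# IFEO\<target>: [Debugger] "<path>"  -> launching <target> actually starts <path>
IFEO_RE = re.compile(r'^IFEO\\(?P<target>[^:]+): \[Debugger\] "?(?P<debugger>[^"]+)"?\s*$')
# SearchScopes: <hive> - {guid} URL = <url>   (FRST sometimes omits the "=")
SEARCH_RE = re.compile(r'^SearchScopes: (?P<hive>\S+) - (?:\{[^}]+\} )?URL\s*=?\s*(?P<url>\S+)')
# CHR <hive>\...\Chrome\Extension: [<32-letter id>] - <path>.crx
CHR_RE = re.compile(r'^CHR .*\\Chrome\\Extension: \[(?P<ext_id>[a-z]{32})\] - (?P<path>.+?\.crx)')
# R<n>/S<n> <service>; <path> [X]   -> the referenced file no longer exists
SVC_RE = re.compile(r'^[RS]\d (?P<name>[^;]+); (?P<path>.*?) \[X\]\s*$')

# Assumed allowlist for this example; a real deployment would maintain its own.
TRUSTED_SEARCH_DOMAINS = ("bing.com", "google.com")


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def _untrusted_host(url: str) -> bool:
    host = urlparse(url).hostname or ""
    return not any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH_DOMAINS)


def classify_line(line: str):
    """Return a Finding for a line that matches one of the four categories, else None."""
    line = line.rstrip()
    m = IFEO_RE.match(line)
    if m:
        return Finding("ifeo_debugger", f"{m['target']} -> {m['debugger']}", line)
    m = SEARCH_RE.match(line)
    if m and _untrusted_host(m["url"]):
        return Finding("search_hijack", f"{m['hive']} -> {urlparse(m['url']).hostname}", line)
    m = CHR_RE.match(line)
    if m and "\\AppData\\" in m["path"]:
        return Finding("sideloaded_extension", f"{m['ext_id']} from {m['path']}", line)
    m = SVC_RE.match(line)
    if m:
        return Finding("orphaned_service", f"{m['name']} -> {m['path']}", line)
    return None


def analyze(report_text: str):
    """Classify every line of a report; lines that match nothing are skipped."""
    return [f for f in (classify_line(l) for l in report_text.splitlines()) if f]


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The IFEO rule flags every Debugger value regardless of the registered vendor: the TuneUp entries in the fixlist are placed by a commercial product, but the mechanism is the same one used for process hijacking, so each entry should be reviewed rather than trusted on the file's publisher alone.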


(Szlachcic936) #9

done :) http://wklej.org/id/1380408/


(Acorus) #10

Delete the C:\FRST folder. Use http://www.bleepingcomputer.com/download/tfc/ (run TFC and click Start).


(Szlachcic936) #11

Done