
Logs - Infected computer


  • Closed (topic is closed)
8 replies in this topic

#1 kurdebele

    Observer

  • 5 posts

Posted 18 01 2013 - 21:51

Some nasty "UnslassifiedMalware@1" infected my laptop. The antivirus supposedly got rid of it, but I'm still not sure.
On top of that I have the feeling the laptop has started to slow down.
Could someone check the logs? I did everything according to the instructions. Here is OTL:
http://wklej.org/id/929596/
http://wklej.org/id/929592/
And here is GMER:
http://wklej.org/id/929708/
Just please explain to me step by step what I should do, because I'm really clueless about these things..

  • 0

#2 pawel315

    Forum addict

  • 1,553 posts

Posted 18 01 2013 - 22:06

Hi
In the GMER log I don't like these numerous hooks of the ntdll.dll library
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                             000000007763f9c0 5 bytes JMP 000000011001d080
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                  000000007763fc90 5 bytes JMP 000000011002fac0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                          000000007763fd44 5 bytes JMP 000000011002dfa0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                       000000007763fda8 5 bytes JMP 000000011002ec30
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                             000000007763fea0 5 bytes JMP 000000011002c270
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                     000000007763ff84 5 bytes JMP 000000011002e640
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                      000000007763ffe4 5 bytes JMP 000000011002ff20
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                   0000000077640064 5 bytes JMP 000000011002fce0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                        0000000077640094 5 bytes JMP 000000011002e2a0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                   0000000077640398 5 bytes JMP 000000011002cc90
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                           0000000077640530 5 bytes JMP 000000011002b520
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                       0000000077640674 5 bytes JMP 000000011002f750
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                          000000007764086c 5 bytes JMP 000000011002be90
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                    0000000077640884 5 bytes JMP 000000011002c8f0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                        0000000077640dd4 5 bytes JMP 000000011002f540
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                               0000000077640eb8 5 bytes JMP 000000011002f0c0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                              0000000077641bc4 5 bytes JMP 000000011002f300
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                    0000000077641c94 5 bytes JMP 000000011002c520
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                0000000077641d6c 5 bytes JMP 000000011002eec0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                          000000007765c45a 5 bytes JMP 0000000110027df0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                                 000000007763f9c0 5 bytes JMP 000000011001d080
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                                      000000007763fc90 5 bytes JMP 000000011002fac0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                              000000007763fd44 5 bytes JMP 000000011002dfa0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                                                           000000007763fda8 5 bytes JMP 000000011002ec30
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                                                                 000000007763fea0 5 bytes JMP 000000011002c270
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                                                         000000007763ff84 5 bytes JMP 000000011002e640
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                                          000000007763ffe4 5 bytes JMP 000000011002ff20
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                                       0000000077640064 5 bytes JMP 000000011002fce0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                            0000000077640094 5 bytes JMP 000000011002e2a0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                                                       0000000077640398 5 bytes JMP 000000011002cc90
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                               0000000077640530 5 bytes JMP 000000011002b520
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                                                           0000000077640674 5 bytes JMP 000000011002f750
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                                              000000007764086c 5 bytes JMP 000000011002be90
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                                        0000000077640884 5 bytes JMP 000000011002c8f0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                            0000000077640dd4 5 bytes JMP 000000011002f540
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                                                   0000000077640eb8 5 bytes JMP 000000011002f0c0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                                  0000000077641bc4 5 bytes JMP 000000011002f300
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem   

And unfortunately there is more of it
I'm 99% sure there is some infection of executable files here.
Go into the Comodo quarantine and give me a screenshot of that window.
Scan the file Comodo reports as infected here -> http://virustotal.com
Now let's take care of removing the junk

Uninstall:
Wincore MediaBar
ESET Online Scanner v3
Search-Results Toolbar
mks_vir 9
Spybot - Search & Destroy 2

Run OTL and in the Custom Scans/Fixes (Własne opcje skanowania/skrypt) box paste:
:OTL
SRV:64bit: - [2010-05-06 16:13:46 | 000,452,392 | ---- | M] () [Auto | Running] -- C:\Program Files\mks_vir_9\bin\mks_services.exe -- (mks_services)
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1Qzu0FtD0D0E0FtCzy0C0FyDyB0B0DyEzy0FtN0D0Tzu0CtByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=596668387
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=0&systemid=2&apn_dtid=IME002&apn_ptnrs=AG2&o=APN10641&apn_uid=5203086322404224&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com/?utm_source=b&utm_medium=idg&from=idg&uid=HITACHI_HTS547550A9E384_J2160051HD8ZVDHD8ZVDX&ts=1352642123
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.v9.com/web/?q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.v9.com/web/?q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
IE - HKLM\..\SearchScopes\{7277F4B5-E072-3BF0-2E3D-515565DB6428}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=592&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=592&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q={searchTerms}
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = https://isearch.avg.com/?cid={AC585E11-78D3-4E25-9D74-FC2F3D691FED}&mid=b21d8f422ca147d09c1eb1915f06912c-240b2f810d944bcb46dfb7ff3c3a5869a1cd81b8&lang=pl&ds=xn011&pr=sa&d=2012-09-09 19:27:56&v=12.2.0.5&sap=hp
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com/?utm_source=b&utm_medium=idg&from=idg&uid=HITACHI_HTS547550A9E384_J2160051HD8ZVDHD8ZVDX&ts=1352642123
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page Before = http://search.certified-toolbar.com?si=41460&tid=592&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Before = https://isearch.avg.com/?cid={AC585E11-78D3-4E25-9D74-FC2F3D691FED}&mid=b21d8f422ca147d09c1eb1915f06912c-240b2f810d944bcb46dfb7ff3c3a5869a1cd81b8&lang=pl&ds=xn011&pr=sa&d=2012-09-09 19:27:56&v=12.2.0.5&sap=hp
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q=
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
IE - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2938
FF - prefs.js..browser.search.defaultengine: "Web Search"
FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..keyword.URL: "http://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q="
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4:64bit: - HKLM..\Run: [mks_9] C:\Program Files\mks_vir_9\bin\mks_9.exe (Mks Sp. z o.o.)
O4 - HKLM..\Run: [DATAMNGR] C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE File not found
O4 - HKLM..\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 File not found
O4 - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000..\Run: [ChomikBox] C:\Program Files (x86)\ChomikBox\chomikbox.exe File not found
O4 - HKU\S-1-5-21-1071849303-3358288552-2711997244-1000..\Run: [Spybot-S&D Cleaning] C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

:Commands
[emptytemp]


Click Run Fix (Wykonaj skrypt) and post the removal log.
Then:


  • 1
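The reply above reads the GMER hook list by eye. As an added example (not pawel315's code or anything from the thread), the parser below takes GMER ".text" inline-hook lines, skips truncated ones like the two cut off in the quote, counts hooks per process and checks, for each hooked export, whether every process is redirected to the same target address. The same target everywhere points at one hook module mapped at the same base in every process (the pattern a security product's user-mode hooking produces, which is also how this thread ends), while targets that differ per process deserve a closer look. The sample log mixes lines quoted from the post with constructed ones (the RunDll32 LdrLoadDll line and the notepad.exe line), and the watchlist of exports is this example's own choice.

```python
"""Summarize GMER user-mode hook lines per process and per hooked export."""
import re
from collections import defaultdict

# One GMER ".text" hook line:
# .text  <process path>[<pid>] <module path>!<export>  <addr> <n> bytes JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<export>\w+)"
    r"\s+(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes\s+JMP\s+"
    r"(?P<target>[0-9a-fA-F]{8,16})\s*$"
)

# Exports whose hooking is worth reporting regardless of who placed the hook
# (this example's own watchlist, not a GMER setting).
WATCHLIST = {"LdrLoadDll", "NtCreateThreadEx", "NtLoadDriver", "NtSystemDebugControl"}

# Constructed sample: four lines quoted from the post, one truncated line as in
# the post, plus two constructed lines (RunDll32 LdrLoadDll, notepad.exe NtClose).
SAMPLE_LOG = r"""
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtClose  000000007763f9c0 5 bytes JMP 000000011001d080
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll  000000007765c45a 5 bytes JMP 0000000110027df0
.text    C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[5436] C:\Windows\SysWOW64\ntdll.dll!
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtClose  000000007763f9c0 5 bytes JMP 000000011001d080
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx  0000000077640884 5 bytes JMP 000000011002c8f0
.text    C:\Windows\SysWOW64\RunDll32.exe[5268] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll  000000007765c45a 5 bytes JMP 0000000110027df0
.text    C:\Windows\System32\notepad.exe[4100] C:\Windows\SysWOW64\ntdll.dll!NtClose  000000007763f9c0 5 bytes JMP 0000000010003000
"""


def parse_hooks(log_text):
    """Return one dict per well-formed hook line; lines without a JMP target are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # truncated or non-hook line
        h = m.groupdict()
        h["pid"], h["size"] = int(h["pid"]), int(h["size"])
        h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Group hooks by process and classify each export by the consistency of its target."""
    per_process = defaultdict(int)
    procs_by_export = defaultdict(set)
    targets_by_export = defaultdict(set)
    for h in hooks:
        per_process[(h["proc"], h["pid"])] += 1
        procs_by_export[h["export"]].add(h["pid"])
        targets_by_export[h["export"]].add(h["target"])
    # Same target in every hooked process: one module at a fixed base (typical of a
    # security product). Different targets per process: the less usual pattern.
    shared = sorted(e for e in procs_by_export
                    if len(procs_by_export[e]) > 1 and len(targets_by_export[e]) == 1)
    divergent = sorted(e for e in targets_by_export if len(targets_by_export[e]) > 1)
    watch = sorted(e for e in targets_by_export if e in WATCHLIST)
    return {"per_process": dict(per_process), "shared_target": shared,
            "divergent_target": divergent, "watchlist_hit": watch}


if __name__ == "__main__":
    for key, value in summarize(parse_hooks(SAMPLE_LOG)).items():
        print(key, value)
```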

#3 kurdebele

    Observer

  • 5 posts

Posted 19 01 2013 - 14:10

OK, I did everything as you said.
In the Comodo quarantine I only have this thing..
http://screenshooter.../vm/yb/wtwj.jpg
I scanned it and nothing.
Antivirus scan for 5b89846bcda8b3bb8080d8c3c70e5b96 at 2013-01-19 11:50:56 UTC - VirusTotal

As for the junk, here is the removal log:
Wklejka #930233 – Wklej.org

Is it really a lot of work? I hope it won't come to formatting. :(

Edit:
I also scanned this one, and there you go, a trojan...
https://www.virustotal.com/file/c590d921cb884a36cb71893b181dab45f0faf7b73fe1d91101e971c237508d81/analysis/1358597496/

User kurdebele edited this post 19 01 2013 - 14:12

  • 0

#4 pawel315

    Forum addict

  • 1,553 posts

Posted 19 01 2013 - 14:23

Eh, my suspicions didn't pan out ;) we're already heading towards the end
Do a full Mbam scan now and remove whatever it finds ->http://download.cnet...art=dl-10804572

User pawel315 edited this post 19 01 2013 - 14:24

  • 0

#5 kurdebele

    Observer

  • 5 posts

Posted 19 01 2013 - 15:50

Done, but that trojan in EjectODD is still sitting there.
  • 0

#6 pawel315

    Forum addict

  • 1,553 posts

Posted 19 01 2013 - 17:11

Delete that file by pressing Shift + Del

User pawel315 edited this post 19 01 2013 - 17:11

  • 0

#7 kurdebele

    Observer

  • 5 posts

Posted 19 01 2013 - 17:14

And that's everything?
  • 0

#8 pawel315

    Forum addict

  • 1,553 posts

Posted 19 01 2013 - 17:16

In OTL click "Cleanup" (Sprzątanie) and that's it ;)
Don't you have any more problems?
  • 0

#9 kurdebele

    Observer

  • 5 posts

Posted 19 01 2013 - 17:37

No, everything is fine now. Thank you very much for the help :)

  • 0
