Archived

This topic is archived and cannot accept new replies.

kelo71

When I try to open a partition, a message pops up: "Which program should be used to open this?"

Hello and greetings to the forum members,

I have the problem described in the topic title. I've caught some kind of malware and can't get rid of it. I can't open any partition by double-clicking it, etc.

I would really appreciate some help, because I can't handle this on my own; I'm a complete novice in this area.

The system is freshly installed.

I'm attaching the logs from OTL and Malwarebytes'.

Regards and thank you.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Wersja bazy: 4978

Windows 5.1.2600 Dodatek Service Pack 3

Internet Explorer 6.0.2900.5512

2010-10-28 22:30:42

mbam-log-2010-10-28 (22-30-42).txt

Typ skanowania: Pełne skanowanie (C:\|D:\|E:\|F:\|)

Przeskanowano obiektów: 220194

Upłynęło: 50 minut(y), 5 sekund(y)

Zainfekowanych procesów w pamięci: 0

Zainfekowanych modułów w pamięci: 0

Zainfekowanych kluczy rejestru: 0

Zainfekowanych wartości rejestru: 0

Zainfekowane informacje rejestru systemowego: 1

Zainfekowanych folderów: 0

Zainfekowanych plików: 1

Zainfekowanych procesów w pamięci:

(Nie znaleziono zagrożeń)

Zainfekowanych modułów w pamięci:

(Nie znaleziono zagrożeń)

Zainfekowanych kluczy rejestru:

(Nie znaleziono zagrożeń)

Zainfekowanych wartości rejestru:

(Nie znaleziono zagrożeń)

Zainfekowane informacje rejestru systemowego:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Zainfekowanych folderów:

(Nie znaleziono zagrożeń)

Zainfekowanych plików:

C:\Parche.exe (Trojan.Bancos) -> No action taken.

OTL.Txt


Don't hijack other people's threads.

Let Malwarebytes' remove what it found, then:

1. Run OTL and paste the following into the Custom Scans/Fixes box (Własne opcje skanowania / skrypt):

:Files
RECYCLER /alldrives
autorun.inf /alldrives
Parche.exe /alldrives

:OTL
DRV - File not found [Kernel | Boot | Running] -- F:\WINDOWS\System32\drivers\pxscan.sys -- (pxscan)
DRV - File not found [File_System | System | Running] -- F:\WINDOWS\System32\drivers\pxrts.sys -- (pxrts)
DRV - File not found [Kernel | On_Demand | Running] -- F:\WINDOWS\System32\drivers\pxkbf.sys -- (pxkbf)
O33 - MountPoints2\{39bae8d1-e2a4-11df-80ac-806d6172696f}\Shell\AutoRun\command - "" = lpl.exe
O33 - MountPoints2\{39bae8d1-e2a4-11df-80ac-806d6172696f}\Shell\open\Command - "" = lpl.exe
O33 - MountPoints2\{39bae8d2-e2a4-11df-80ac-806d6172696f}\Shell\AutoRun\command - "" = lpl.exe
O33 - MountPoints2\{39bae8d2-e2a4-11df-80ac-806d6172696f}\Shell\open\Command - "" = lpl.exe
O33 - MountPoints2\{39bae8d3-e2a4-11df-80ac-806d6172696f}\Shell\AutoRun\command - "" = lpl.exe
O33 - MountPoints2\{39bae8d3-e2a4-11df-80ac-806d6172696f}\Shell\open\Command - "" = lpl.exe
O33 - MountPoints2\{39bae8d5-e2a4-11df-80ac-806d6172696f}\Shell\AutoRun\command - "" = lpl.exe
O33 - MountPoints2\{39bae8d5-e2a4-11df-80ac-806d6172696f}\Shell\open\Command - "" = lpl.exe

:Commands
[emptyflash]
[emptytemp]

and click Run Fix (Uruchom skrypt). After the restart you will get a log.

2. Generate a new log in OTL.

3. Download GMER and use it to generate a log, as described in this post.

Once you've done everything, post the logs produced in steps 1, 2 and 3.

If you have used bank accounts on this computer, it would be sensible to change the account access password.

This is an infection from removable media, so later we will remove the malware from those as well, so that reinfection doesn't occur. For now, don't use media of this type.

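As an added example (not part of the original thread and not OTL's own code), here is a small Python triage over the O33 MountPoints2 lines from the fix script above. It groups the cached shell verbs by volume GUID and ranks the volumes; the severity labels, the bare-file-name heuristic and the last sample line are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The first three lines are copied from the OTL fix script in the thread;
# the last one is constructed for contrast (hypothetical GUID and path).
SAMPLE_LOG = r'''
O33 - MountPoints2\{39bae8d1-e2a4-11df-80ac-806d6172696f}\Shell\AutoRun\command - "" = lpl.exe
O33 - MountPoints2\{39bae8d1-e2a4-11df-80ac-806d6172696f}\Shell\open\Command - "" = lpl.exe
O33 - MountPoints2\{39bae8d2-e2a4-11df-80ac-806d6172696f}\Shell\AutoRun\command - "" = lpl.exe
O33 - MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command - "" = E:\setup.exe
'''

O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "[^"]*" = (?P<target>.+)$',
    re.IGNORECASE,  # OTL prints both "command" and "Command"
)

def parse_o33(log_text):
    """Return {volume: {verb_lowercase: target}} for every O33 line in an OTL log."""
    volumes = defaultdict(dict)
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            volumes[m['volume']][m['verb'].lower()] = m['target'].strip()
    return dict(volumes)

def triage(log_text):
    """Rank volumes; the high/medium/low scale is this example's own assumption."""
    findings = []
    for volume, verbs in sorted(parse_o33(log_text).items()):
        reasons = []
        if 'open' in verbs:
            # The 'open' verb is what Explorer invokes when the drive is double-clicked.
            reasons.append('open verb redirected to ' + verbs['open'])
        for verb, target in verbs.items():
            # Heuristic: a bare file name (no drive or directory) is treated as a
            # file sitting in the volume root, next to autorun.inf.
            if '\\' not in target and '/' not in target:
                reasons.append(f'{verb} runs bare file name {target}')
        severity = 'high' if 'open' in verbs else ('medium' if reasons else 'low')
        findings.append((volume, severity, reasons))
    return findings

if __name__ == '__main__':
    for volume, severity, reasons in triage(SAMPLE_LOG):
        print(severity.upper(), volume, '; '.join(reasons) or 'AutoRun entry only')
```
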

Malwarebytes fixed what it could. I ran the given script in OTL and I'm attaching the log below.

Regarding point 3, is it necessary? I have logged in to many places, including 2 bank accounts, and changing the passwords etc. would be a great nuisance. The medium I got "infected" from isn't mine and I've already said goodbye to it...

Many thanks for the help!!

All processes killed

========== FILES ==========

C:\RECYCLER\S-1-5-21-854245398-1972579041-839522115-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-842925246-879983540-682003330-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-746137067-117609710-839522115-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-507921405-963894560-725345543-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-1715567821-1563985344-839522115-1004 folder moved successfully.

C:\RECYCLER\S-1-5-21-1482476501-838170752-725345543-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-1343024091-113007714-725345543-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-1292428093-1972579041-839522115-500\Dg14\MANIAC folder moved successfully.

C:\RECYCLER\S-1-5-21-1292428093-1972579041-839522115-500\Dg14 folder moved successfully.

C:\RECYCLER\S-1-5-21-1292428093-1972579041-839522115-500 folder moved successfully.

C:\RECYCLER\S-1-5-21-117609710-746137067-839522115-1004 folder moved successfully.

C:\RECYCLER folder moved successfully.

D:\RECYCLER\S-1-5-21-854245398-1972579041-839522115-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-842925246-879983540-682003330-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-1715567821-1563985344-839522115-1004 folder moved successfully.

D:\RECYCLER\S-1-5-21-117609710-746137067-839522115-1004 folder moved successfully.

D:\RECYCLER folder moved successfully.

E:\RECYCLER\S-1-5-21-854245398-1972579041-839522115-1003 folder moved successfully.

E:\RECYCLER\S-1-5-21-842925246-879983540-682003330-1003 folder moved successfully.

E:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003\Df9.XVID-IMAGiNE folder moved successfully.

E:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003\Df5.XVID-IMAGiNE folder moved successfully.

E:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003\Df4.XVID-IMAGiNE folder moved successfully.

E:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003\Df13.XVID-IMAGiNE folder moved successfully.

E:\RECYCLER\S-1-5-21-796845957-1214440339-725345543-1003 folder moved successfully.

E:\RECYCLER\S-1-5-21-746137067-117609710-839522115-1003 folder moved successfully.

E:\RECYCLER\S-1-5-21-1715567821-1563985344-839522115-1004 folder moved successfully.

E:\RECYCLER\S-1-5-21-1482476501-838170752-725345543-1003 folder moved successfully.

E:\RECYCLER\S-1-5-21-1343024091-113007714-725345543-1003 folder moved successfully.

E:\RECYCLER\S-1-5-21-117609710-746137067-839522115-1004\Df1 folder moved successfully.

E:\RECYCLER\S-1-5-21-117609710-746137067-839522115-1004 folder moved successfully.

E:\RECYCLER folder moved successfully.

F:\RECYCLER\S-1-5-21-1715567821-1563985344-839522115-1004 folder moved successfully.

F:\RECYCLER folder moved successfully.

RECYCLER not found in G:\

C:\autorun.inf moved successfully.

D:\autorun.inf moved successfully.

E:\autorun.inf moved successfully.

F:\autorun.inf moved successfully.

File move failed. G:\autorun.inf scheduled to be moved on reboot.

Parche.exe not found in C:\

Parche.exe not found in D:\

Parche.exe not found in E:\

Parche.exe not found in F:\

Parche.exe not found in G:\

========== OTL ==========

Error: No service named pxscan was found to stop!

Service\Driver key pxscan not found.

File F:\WINDOWS\System32\drivers\pxscan.sys not found.

Error: No service named pxrts was found to stop!

Service\Driver key pxrts not found.

File F:\WINDOWS\System32\drivers\pxrts.sys not found.

Error: No service named pxkbf was found to stop!

Service\Driver key pxkbf not found.

File F:\WINDOWS\System32\drivers\pxkbf.sys not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d1-e2a4-11df-80ac-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d1-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d1-e2a4-11df-80ac-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d1-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d2-e2a4-11df-80ac-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d2-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d2-e2a4-11df-80ac-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d2-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d3-e2a4-11df-80ac-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d3-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d3-e2a4-11df-80ac-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d3-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d5-e2a4-11df-80ac-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d5-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39bae8d5-e2a4-11df-80ac-806d6172696f}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39bae8d5-e2a4-11df-80ac-806d6172696f}\ not found.

File lpl.exe not found.

========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: olunieczek

Total Flash Files Cleaned = 0,00 mb

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

User: olunieczek

->Temp folder emptied: 28376217 bytes

->Temporary Internet Files folder emptied: 43757836 bytes

->FireFox cache emptied: 28809538 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2250358 bytes

%systemroot%\System32 .tmp files removed: 2596 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 91240 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 99,00 mb

OTL by OldTimer - Version 3.2.17.1 log created on 10292010_160356

Files\Folders moved on Reboot...

File move failed. G:\autorun.inf scheduled to be moved on reboot.

File\Folder F:\WINDOWS\temp\kls2CB5.tmp not found!

Registry entries deleted on Reboot...
