Live Security Platinum

[Gregor]

Witam, mam problem odnośnie złośliwego oprogramowania jak w temacie. Proszę o pomoc.

 

załączniki:

Extras.Txt

OTL.Txt

[Landuss]

Uruchom SystemLook i w oknie wklej:

 

:reg
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
 
:filefind
services.exe

 

Klik w Look. Przedstaw wynikowy skan.

[Gregor]

witam, oto wynikowy skan:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 07:58 on 31/07/2012 by Administrator

Administrator - Elevation successful

========== reg ==========

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="\\.\globalroot\systemroot\Installer\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

"ThreadingModel"="Both"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

========== filefind ==========

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

C:\WINDOWS\system32\dllcache\services.exe --a--c- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

-= EOF =-

[Landuss]

1. Start > Uruchom > cmd i wklep:

 

reg add HKLM\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 /ve /t REG_SZ /d C:\WINDOWS\system32\wbem\wbemess.dll /f

 

2. Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej następujący tekst:

 

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=ins&from=ins&uid=67266_16910336_4244381_3219782655_A8BC0C73&ts=1342119433"
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = "http://www.v9.com/?utm_source=b&utm_medium=ins&from=ins&uid=67266_16910336_4244381_3219782655_A8BC0C73&ts=1342119433"
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = "http://search.v9.com/web/?q={searchTerms}"
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = "http://search.v9.com/web/?q={searchTerms}"
 
:Files
C:\WINDOWS\Installer\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}
C:\Documents and Settings\Seba\Ustawienia lokalne\Dane aplikacji\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}
C:\Documents and Settings\All Users\Dane aplikacji\036DFF420009913BF3F0C95081CB3EF3
C:\Documents and Settings\All Users\Dane aplikacji\Babylon
C:\Documents and Settings\Seba\Dane aplikacji\Babylon
C:\Documents and Settings\Seba\Dane aplikacji\pdfforge
 
:Commands
[emptytemp]

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Kliknij w Wykonaj skrypt. Zatwierdź restart komputera.

 

3. Uruchamiasz OTL ponownie, tym razem wywołujesz opcję Skanuj. Pokazujesz nowy log z OTL (bez extras) oraz nowy z SystemLook.

[Gregor]

po uruchomieniu komputera LSP już nie widzę.

 

raport z OTL i SystemLook:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 11:33 on 31/07/2012 by Seba

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="C:\Documents and Settings\Seba\Ustawienia lokalne\Dane aplikacji\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="\\.\globalroot\systemroot\Installer\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

C:\WINDOWS\system32\dllcache\services.exe --a--c- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

 

-= EOF =-

OTL.Txt

[Landuss]

Punkt numer 1 nie wykonany. SystemLook nadal pokazuje wartość kierującą na folder infekcji. Zrób to raz jeszcze.

[Gregor]

Wykonałem ponownie podane kroki.

 

SystemLook 30.07.11 by jpshortstuff

Log created at 12:29 on 31/07/2012 by Seba

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="C:\Documents and Settings\Seba\Ustawienia lokalne\Dane aplikacji\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="\\.\globalroot\systemroot\Installer\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

C:\WINDOWS\system32\dllcache\services.exe --a--c- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

 

-= EOF =-

[Landuss]

Nadal jest źle. Przepisz to raz jeszcze. Coś musisz źle wpisywać.

[Gregor]

kolejny raz wpisalem w cmd to co prosiles

raport z SystemLook:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 14:08 on 31/07/2012 by Seba

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="C:\Documents and Settings\Seba\Ustawienia lokalne\Dane aplikacji\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="C:\WINDOWS\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

C:\WINDOWS\system32\dllcache\services.exe --a--c- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

 

-= EOF =-

[Landuss]

Log nadal pokazuje, ze nie wykonało się to poprawnie. Zmieniam metodę.

 

1. Wklej do Notatnika ten tekst:

 

reg add HKLM\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 /ve /t REG_SZ /d C:\WINDOWS\system32\wbem\wbemess.dll /f

 

Z menu Notatnika >>> Plik >>> Zapisz jako >>> Ustaw rozszerzenie na Wszystkie pliki >>> Zapisz jako FIX.BAT >>> uruchom ten plik

 

2. Do oceny nowy log z SystemLook.

[Gregor]

zrobione wedle instrukcji:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 07:05 on 01/08/2012 by Seba

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="C:\Documents and Settings\Seba\Ustawienia lokalne\Dane aplikacji\{a3f47521-3c1e-2fee-61c4-7bbb133f3dfd}\n."

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="C:\WINDOWS\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

C:\WINDOWS\system32\dllcache\services.exe --a--c- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

 

-= EOF =-

[Landuss]

Aha już wiem, na zły klucz popatrzyłem. Mój błąd.

 

Wklep w cmd to:

 

reg delete HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /f

 

Po tym juz ostatni log z SystemLook

[Gregor]

i jak?

 

SystemLook 30.07.11 by jpshortstuff

Log created at 08:49 on 01/08/2012 by Seba

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(Unable to open key - key not found)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="C:\WINDOWS\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shdocvw.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\WINDOWS\system32\services.exe --a---- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

C:\WINDOWS\system32\dllcache\services.exe --a--c- 109056 bytes [12:00 15/04/2008] [12:00 15/04/2008] 3E3AE424E27C4CEFE4CAB368C7B570EA

 

-= EOF =-

[Landuss]

W porządku. Możesz finalizować:

 

1. Użyj opcji Sprzątanie z OTL.

 

2. Opróżnij przywracanie systemu: KLIK

 

3. Zaktualizuj wymienione programy do najnowszych wersji:

 

"{AC76BA86-7AD7-1045-7B44-A92000000001}" = Adobe Reader 9.2 - Polish

"Mozilla Firefox 12.0 (x86 pl)" = Mozilla Firefox 12.0 (x86 pl)

 

Szczegóły aktualizacyjne: KLIK

 

4. Dla bezpieczeństwa zmień hasła logowania do serwisów w sieci.