Live Security Platinum problem

[ktm666]

Witam,

 

po surfowaniu w sieci wyskoczyl mi w pewnym momencie monit, ze moj komputer jest zainfekowany i live Security zaczoł skanowanie i nie mogę wyłaczyć tego programu - mimo ze nie mialem zadnego antywirusa zalaczonego. Od tej chwili nie moge:

- wejsc do task menagera

- przegladac stron bez komunikatu o infekcji przy kazdym odswiezeniu strony

- odpalac plikow exe

 

szukajac informacji w internecie doszedlem do wniosku, ze jest to wirus live security platinum. prosze o pomoc w usunieciu tego wirusa.

 

zalaczam wymagane pliki:

Extras.Txt

OTL.Txt

[Landuss]

Uruchom SystemLook, w oknie wklej:

 

:reg
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
 
:filefind
services.exe

 

Klik w Look. Przedstaw wynikowy raport.

[ktm666]

SystemLook 30.07.11 by jpshortstuff

Log created at 11:38 on 09/08/2012 by Dom

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="C:\Users\Dom\AppData\Local\{0e8e998b-6af5-ead1-fb49-58ff48b7baac}\n."

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="%systemroot%\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shell32.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\Windows\System32\services.exe --a---- 259072 bytes [23:11 13/07/2009] [01:14 14/07/2009] A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe --a---- 259072 bytes [23:11 13/07/2009] [01:14 14/07/2009] 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

 

-= EOF =-

[Landuss]

1. Start > w polu szukania wpisz cmd > z prawokliku Uruchom jako Administrator > wklej komendę:

 

sfc /scanfile=C:\Windows\System32\services.exe

 

Zresetuj system.

 

2. Start > w polu szukania wpisz cmd > z prawokliku Uruchom jako Administrator > wklej komendę

 

reg delete HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /f

 

3. Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej następujący tekst:

 

:OTL
O4 - HKU\S-1-5-21-3369969887-839536815-1759217782-1000..\RunOnce: [036DFF850000E8987743B01CF875EF7E] C:\ProgramData\036DFF850000E8987743B01CF875EF7E\036DFF850000E8987743B01CF875EF7E.exe ()
 
:Files
C:\ProgramData\036DFF850000E8987743B01CF875EF7E
C:\Windows\Installer\{0e8e998b-6af5-ead1-fb49-58ff48b7baac}
C:\Users\Dom\AppData\Local\{0e8e998b-6af5-ead1-fb49-58ff48b7baac}
 
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
 
:Commands
[emptytemp]

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Kliknij w Wykonaj skrypt. Zatwierdź restart komputera.

 

4. Przez Panel sterowania odinstaluj:

 

Bcool / SweetPacks Toolbar for Internet Explorer 4.4 / Softonic Toolbar / Yontoo 1.10.02 / SweetIM for Messenger 3.6 / Akamai NetSession Interface Service / Babylon toolbar on IE / BFlix / BitTorrentBar Toolbar / Complitly / DealBulldog Toolbar Toolbar / SearchYa! Web Search / Softonic toolbar on IE and Chrome / SProtector 1.46 / uTorrentControl2 Toolbar / Deinstalator Strony V9 / Winamp Toolbar / Softonic Toolbar Updater / Live Security Platinum

 

Otwórz Firefox i w Dodatkach odmontuj: uTorrentControl2 Community Toolbar / DealBulldog Toolbar Toolbar / BitTorrentBar Community Toolbar / Bcool / Funmoods.com / Incredibar Toolbar / Bflix / Softonic Toolbar / Winamp Toolbar / Complitly / SweetIM Toolbar for Firefox / searchya.com / Yontoo

 

5. Uruchom AdwCleaner z opcji Delete

 

6. Uruchamiasz OTL ponownie, tym razem wywołujesz opcję Skanuj. Pokazujesz nowy log z OTL (bez extras), nowy z SystemLook oraz z Farbar Service Scanner (zaznacz wszystko do skanowania)

[ktm666]

dzięki Wielkie.

 

 

SystemLook 30.07.11 by jpshortstuff

Log created at 14:08 on 12/08/2012 by Dom

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(Unable to open key - key not found)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="%systemroot%\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shell32.dll"

"ThreadingModel"="Apartment"

 

 

========== filefind ==========

 

Searching for "services.exe"

C:\Windows\System32\services.exe --a---- 259072 bytes [23:11 13/07/2009] [01:14 14/07/2009] 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe --a---- 259072 bytes [23:11 13/07/2009] [01:14 14/07/2009] 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

 

-= EOF =-

OTL.Txt

FSS.txt

[Landuss]

Wykonuj dalsze czynności:

 

1. Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej następujący tekst:

 

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva388.sys -- (XDva388)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleNT.sys -- (EagleNT)
IE - HKLM\..\URLSearchHook:  - No CLSID value found
IE - HKLM\..\SearchScopes\{30F5AB16-9F1E-4E99-93F2-ECB9ABB0EC12}: "URL" = "http://www.searchya.com/?q={searchTerms}&s=1&a=foxtab&chnl=ft-100&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyD0ByBtC0BtC0A0F0DyCtBtN0D0Tzu0CtBtCyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=420614754"
IE - HKLM\..\SearchScopes\{4D066206-27C6-036F-A866-36302F641511}: "URL" = "http://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9848&q={searchTerms}"
IE - HKLM\..\SearchScopes\{AA74FE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = "http://search.gboxapp.com/?q={searchTerms}"
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = "http://search.gboxapp.com/?q={searchTerms}"
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = "http://search.sweetim.com/search.asp?src=6&q={searchTerms}&barid={B958B9F4-BE90-11E0-A4BF-00FF01000001}"
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = "http://search.conduit.com?SearchSource=10&ctid=CT2790392"
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = "http://www.searchalgo.com?ch=10&cid=273"
IE - HKCU\..\URLSearchHook:  - No CLSID value found
IE - HKCU\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
IE - HKCU\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
IE - HKCU\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - SOFTWARE\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 File not found
IE - HKCU\..\SearchScopes\{024C138C-1A58-44F9-8B48-60BA3EEA9461}: "URL" = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3072253"
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = "http://search.babylon.com/?q={searchTerms}&AF=108603&babsrc=SP_ss&mntrId=e662fd6200000000000000ff01000001"
IE - HKCU\..\SearchScopes\{131283AF-4133-4890-8406-A4388D1BAE54}: "URL" = "http://websearch.ask.com/redirect?client=ie&tb=STC-PO&o=1738&src=kw&q={searchTerms}&locale=&apn_ptnrs=^AAU&apn_dtid=^YYYYYY^YY^PL&apn_uid=F347D0C6-C7D0-4BB7-ADC8-5C69EA7E7BBE&apn_sauid=99F47476-7FEA-48F4-97A1-066B6A553DEB"
IE - HKCU\..\SearchScopes\{30F5AB16-9F1E-4E99-93F2-ECB9ABB0EC12}: "URL" = "http://www.searchya.com/?q={searchTerms}&s=1&a=foxtab&chnl=ft-100&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyD0ByBtC0BtC0A0F0DyCtBtN0D0Tzu0CtBtCyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=420614754"
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = "http://www.searchalgo.com/search.html?ch=10&cid=273&q={searchTerms}"
IE - HKCU\..\SearchScopes\{4D066206-27C6-036F-A866-36302F641511}: "URL" = "http://search.sweetim.com/search.asp?src=6&q={searchTerms}&barid={B958B9F4-BE90-11E0-A4BF-00FF01000001}"
IE - HKCU\..\SearchScopes\{5E71BDD4-4013-48AD-89D0-E7B0C44ECBA2}: "URL" = "http://search.softonic.com/MON00084/tb_v1?q={searchTerms}&SearchSource=4&cc="
IE - HKCU\..\SearchScopes\{5F3BEBD5-F6C6-A4B8-EDD2-A6F5F61813A8}: "URL" = "http://www.buzqo.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-401-0-..."
IE - HKCU\..\SearchScopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}: "URL" = "http://www.bigseekpro.com/search/browser/extractnow/{191FFD4B-9663-4539-A0EB-9A8CCEC9158D}?q={searchTerms}"
IE - HKCU\..\SearchScopes\{AA74FE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = "http://search.gboxapp.com/?q={searchTerms}"
IE - HKCU\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = "http://search.gboxapp.com/?q={searchTerms}"
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = "http://mystart.incredibar.com/mb119/?search={searchTerms}&loc=IB_DS&a=6Oys4Aa7iO&i=26"
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = "http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyD0ByBtC0BtC0A0F0DyCtBtN0D0Tzu0CtCzzzytN1L2XzutBtFtCtFtDtFtAtDtC&cr=1362061721"
IE - HKCU\..\SearchScopes\{FC6AD3DE-E187-4FFF-BC95-E709381B38CE}: "URL" = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2790392"
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>
[2011-10-03 16:48:09 | 000,000,000 | ---D | M] ("Winamp Toolbar") -- C:\Users\Dom\AppData\Roaming\mozilla\Firefox\Profiles\emj9toh0.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2011-08-04 13:56:14 | 000,000,000 | ---D | M] (SweetIM Toolbar for Firefox) -- C:\Users\Dom\AppData\Roaming\mozilla\Firefox\Profiles\emj9toh0.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
[2012-08-02 14:12:59 | 000,000,000 | ---D | M] (searchya.com) -- C:\Users\Dom\AppData\Roaming\mozilla\Firefox\Profiles\emj9toh0.default\extensions\ffxtlbr@searchya.com
[2012-08-02 14:12:59 | 000,000,000 | ---D | M] (searchya.com) -- C:\Users\Dom\AppData\Roaming\mozilla\Firefox\Profiles\extensions\extensions\ffxtlbr@searchya.com
[2012-02-04 14:50:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\ffxtlbr@babylon.com
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - Reg Error: Value error. File not found
O2 - BHO: (no name) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - No CLSID value found.
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\DealBulldog Toolbar Toolbar\tbcore3.dll File not found
O3 - HKLM\..\Toolbar: (DealBulldog Toolbar Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files\DealBulldog Toolbar Toolbar\tbcore3.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {687578B9-7132-4A7A-80E4-30EE31099E03} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O8 - Extra context menu item: Search the Web - C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
[2012-08-02 14:08:23 | 000,000,000 | ---D | C] -- C:\Program Files\SearchYa!
 
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"Backup.Old.DefaultScope"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"Backup.Old.DefaultScope"=-
"bProtectorDefaultScope"=-
 
:Commands
[emptytemp]

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Kliknij w Wykonaj skrypt. Zatwierdź restart komputera.

 

2. Przez Panel sterowania odinstaluj: BFlix / Incredibar Toolbar / MyTools

 

3. Odbuduj skasowane usługi (w instrukcjach omiń sfc /scannow):

• Rekonstrukcja usług Zapory systemu Windows (MpSvc + Bfe + SharedAccess): KLIK.
  
• Rekonstrukcja usługi Centrum zabezpieczeń: KLIK.
  
• Rekonstrukcja usługi Windows Defender: KLIK.
  
• Rekonstrukcja usługi Aktualizacje automatyczne (wuauserv + BITS): Pobierz fixa i zaimportuj: KLIK
  

4. Po wykonaniu wszystkiego pokaż nowy log z FSS oraz z OTL

Edytowane 12 Września 2012 przez picasso
12.09.2012 - Temat zostaje zamknięty z powodu braku odpowiedzi. //picasso