BProtect D

bengrush · 14 Marca 2014

Witam! Chciałbym prosić o pomoc w usunięciu tego wirusa. Podczas skanowania Avastem przy rozruchu systemu pojawia się kilkukrotnie komunikat o znlezieniu BProtect-D w plikach archiwum w katalogu \...\Internet Temporary Files\content.ie5\9GNK1U8P\pack[1].7z i avast nic nie może z tym zrobić. Dodatkowo log z Gmer-a nie chce zostać przesłany, pojawia się komunikat "Nie masz uprawnień do przesyłania tego typu plików". Załączam go tutaj:

GMER 2.1.19357 - http://www.gmer.net

Rootkit scan 2014-03-13 21:25:35

Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2320BH_G2 rev.00000009 298,09GB

Running: pjpxvb74.exe; Driver: C:\Users\bengrush\AppData\Local\Temp\kxlcqpod.sys

---- System - GMER 2.1 ----

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAddBootEntry [0x90A4FACC]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x90A505AA]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEvent [0x90A5C692]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEventPair [0x90A5C6DE]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x90A5C878]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateMutant [0x90A5C600]

SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwCreateSection [0x90B06426]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x90A5C648]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThread [0x90A50AE0]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x90A50CFC]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateTimer [0x90A5C832]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x90A51398]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x90A4FB32]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDuplicateObject [0x90A54BE4]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwLoadDriver [0x90A4F71E]

SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwMapViewOfSection [0x90B06506]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x90A4FB98]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x90A54FDA]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x90A51EDE]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEvent [0x90A5C6BC]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEventPair [0x90A5C700]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x90A5C89C]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenMutant [0x90A5C626]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenProcess [0x90A544DE]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSection [0x90A5C7B0]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x90A5C670]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenThread [0x90A548C6]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenTimer [0x90A5C856]

SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x90B062AA]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueryObject [0x90A51CF4]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x90A51A02]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x90A4FBFE]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootOptions [0x90A4FC64]

SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwSetContextThread [0x90B06602]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x90A4F7B8]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x90A4F98A]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwShutdownSystem [0x90A4F918]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendProcess [0x90A51562]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendThread [0x90A516C4]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x90A4FA12]

SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwTerminateProcess [0x90B06378]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwTerminateThread [0x90A511F2]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwVdmControl [0x90A4FCCA]

SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x90A50606]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C80A15 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBA212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CC1460 4 Bytes [CC, FA, A4, 90] {INT 3 ; CLI ; MOVSB ; NOP }

.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CC14E8 4 Bytes [AA, 05, A5, 90]

.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CC153C 8 Bytes [92, C6, A5, 90, DE, C6, A5, ...]

.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CC1548 4 Bytes [78, C8, A5, 90] {JS 0xffffffca; MOVSD ; NOP }

.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CC1564 4 Bytes [00, C6, A5, 90] {ADD DH, AL; MOVSD ; NOP }

.text ...

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E7C4DF 4 Bytes CALL 90A525C5 \??\C:\Windows\system32\drivers\aswSnx.sys

PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E96347 4 Bytes CALL 90A525DB \??\C:\Windows\system32\drivers\aswSnx.sys

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9180B000, 0x2D5378, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\taskhost.exe[112] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Windows\system32\csrss.exe[464] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Program Files\blueconnect Z\UIExec.exe[528] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Windows\system32\csrss.exe[532] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Windows\system32\wininit.exe[540] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text ...

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!LdrUnloadDll 7772C8DE 5 Bytes JMP 001E03FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!LdrLoadDll 777322AE 5 Bytes JMP 6E6E1FFD C:\Program Files\Mozilla Firefox\mozglue.dll

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 7657941E 7 Bytes JMP 57C1049D C:\Program Files\Mozilla Firefox\xul.dll

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!QueryPerformanceCounter + 13 7657C425 7 Bytes JMP 57C10455 C:\Program Files\Mozilla Firefox\xul.dll

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!LoadAppInitDlls + 355 7657F4E6 7 Bytes JMP 57825A06 C:\Program Files\Mozilla Firefox\xul.dll

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] GDI32.dll!GetViewportOrgEx + 26C 7628884B 7 Bytes JMP 57C104C4 C:\Program Files\Mozilla Firefox\xul.dll

.text C:\Windows\System32\svchost.exe[4836] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Users\bengrush\Downloads\pjpxvb74.exe[5580] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

.text C:\Windows\system32\AUDIODG.EXE[6020] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741024CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740E562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740E56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74102546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740F85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740F4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740F5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740F51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [740F6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740F8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740F8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740F90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740FE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740F4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e370e3438

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e370e3438@9471ac2ab711 0x27 0x93 0xAE 0x86 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e370e3438 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e370e3438@9471ac2ab711 0x27 0x93 0xAE 0x86 ...

---- EOF - GMER 2.1 ----

picasso · 15 Marca 2014

Raportu GMER nie możesz dołączyć, bo go zapisałeś bezpośrednio przyciskiem a nie przez opcję Kopiuj jak nakazuje instrukcja. Tak zapisany raport tworzy plik o rozszerzeniu *.LOG (niedopuszczalny w załącznikach). Na przyszłość: albo ręczna zmiana nazwy pliku na *.TXT, albo przycisk Kopiuj i zapis do pliku *.TXT.

W raportach brak oznak infekcji, tu na widoku tylko kosmetyka pustych wpisów. To co wykrywa Avast ma nikłe znaczenie, jest to bowiem śmieć na poziomie Tymczasowych plików internetowych. Akcja:

1. Uruchom TFC - Temp Cleaner. Po jego użyciu Avast powinien się uspokoić.

2. Otwórz Notatnik i wklej w nim:

URLSearchHook: HKCU - (No Name) - {d43723ae-1ae1-4a25-a6a4-bf0929273cab} - No File
SearchScopes: HKLM - DefaultScope value is missing.
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 WinPhlash; \??\C:\WINDOWS\TEMP\WINPHLASH\PHLASHNT.SYS [X]
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg add "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Fix. Powstanie plik fixlog.txt. Przedstaw go.

.

bengrush · 15 Marca 2014

Rzeczywiście Avast już nie wykrywa zagrożeń (zarówno spod Windowsa jak i rozruchu).

Jeszcze raz bardzo dziękuję.

Plik fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014 01
Ran by bengrush at 2014-03-15 21:35:43 Run:1
Running from C:\FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
URLSearchHook: HKCU - (No Name) - {d43723ae-1ae1-4a25-a6a4-bf0929273cab} - No File
SearchScopes: HKLM - DefaultScope value is missing.
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 WinPhlash; \??\C:\WINDOWS\TEMP\WINPHLASH\PHLASHNT.SYS [X]
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg add "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
*****************

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{d43723ae-1ae1-4a25-a6a4-bf0929273cab} => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
ew_hwusbdev => Service deleted successfully.
ew_usbenumfilter => Service deleted successfully.
huawei_cdcacm => Service deleted successfully.
huawei_enumerator => Service deleted successfully.
huawei_ext_ctrl => Service deleted successfully.
huawei_wwanecm => Service deleted successfully.
WinPhlash => Service deleted successfully.

========= reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f =========

Operacja ukoäczona pomylnie.

========= End of Reg: =========

========= reg add "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f =========

Operacja ukoäczona pomylnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukoäczona pomylnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukoäczona pomylnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukoäczona pomylnie.

========= End of Reg: =========

==== End of Fixlog ====

Zaloguj się

BProtect D

Rekomendowane odpowiedzi

bengrush

Odnośnik do komentarza

picasso

Odnośnik do komentarza

bengrush

Odnośnik do komentarza

Jeśli chcesz dodać odpowiedź, zaloguj się lub zarejestruj nowe konto

Zarejestruj nowe konto

Zaloguj się

Ostatnio przeglądający 0 użytkowników

Przeglądaj

Cała aktywność