bengrush Opublikowano 14 Marca 2014 Zgłoś Udostępnij Opublikowano 14 Marca 2014 Witam! Chciałbym prosić o pomoc w usunięciu tego wirusa. Podczas skanowania Avastem przy rozruchu systemu pojawia się kilkukrotnie komunikat o znlezieniu BProtect-D w plikach archiwum w katalogu \...\Internet Temporary Files\content.ie5\9GNK1U8P\pack[1].7z i avast nic nie może z tym zrobić. Dodatkowo log z Gmer-a nie chce zostać przesłany, pojawia się komunikat "Nie masz uprawnień do przesyłania tego typu plików". Załączam go tutaj: GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-13 21:25:35 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2320BH_G2 rev.00000009 298,09GB Running: pjpxvb74.exe; Driver: C:\Users\bengrush\AppData\Local\Temp\kxlcqpod.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAddBootEntry [0x90A4FACC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x90A505AA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEvent [0x90A5C692] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEventPair [0x90A5C6DE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x90A5C878] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateMutant [0x90A5C600] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwCreateSection [0x90B06426] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x90A5C648] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThread [0x90A50AE0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x90A50CFC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateTimer [0x90A5C832] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x90A51398] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x90A4FB32] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDuplicateObject [0x90A54BE4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwLoadDriver [0x90A4F71E] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwMapViewOfSection [0x90B06506] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x90A4FB98] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x90A54FDA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x90A51EDE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEvent [0x90A5C6BC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEventPair [0x90A5C700] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x90A5C89C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenMutant [0x90A5C626] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenProcess [0x90A544DE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSection [0x90A5C7B0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x90A5C670] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenThread [0x90A548C6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenTimer [0x90A5C856] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x90B062AA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueryObject [0x90A51CF4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x90A51A02] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x90A4FBFE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootOptions [0x90A4FC64] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwSetContextThread [0x90B06602] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x90A4F7B8] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x90A4F98A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwShutdownSystem [0x90A4F918] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendProcess [0x90A51562] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendThread [0x90A516C4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x90A4FA12] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwTerminateProcess [0x90B06378] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwTerminateThread [0x90A511F2] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwVdmControl [0x90A4FCCA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x90A50606] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C80A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBA212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CC1460 4 Bytes [CC, FA, A4, 90] {INT 3 ; CLI ; MOVSB ; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CC14E8 4 Bytes [AA, 05, A5, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CC153C 8 Bytes [92, C6, A5, 90, DE, C6, A5, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CC1548 4 Bytes [78, C8, A5, 90] {JS 0xffffffca; MOVSD ; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CC1564 4 Bytes [00, C6, A5, 90] {ADD DH, AL; MOVSD ; NOP } .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E7C4DF 4 Bytes CALL 90A525C5 \??\C:\Windows\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E96347 4 Bytes CALL 90A525DB \??\C:\Windows\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9180B000, 0x2D5378, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskhost.exe[112] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Windows\system32\csrss.exe[464] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Program Files\blueconnect Z\UIExec.exe[528] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Windows\system32\csrss.exe[532] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Windows\system32\wininit.exe[540] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!LdrUnloadDll 7772C8DE 5 Bytes JMP 001E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!LdrLoadDll 777322AE 5 Bytes JMP 6E6E1FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 7657941E 7 Bytes JMP 57C1049D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!QueryPerformanceCounter + 13 7657C425 7 Bytes JMP 57C10455 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!LoadAppInitDlls + 355 7657F4E6 7 Bytes JMP 57825A06 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] KERNEL32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[4032] GDI32.dll!GetViewportOrgEx + 26C 7628884B 7 Bytes JMP 57C104C4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\System32\svchost.exe[4836] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Users\bengrush\Downloads\pjpxvb74.exe[5580] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[6020] kernel32.dll!GetBinaryTypeW + 70 765969E4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741024CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740E562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740E56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74102546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740F85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740F4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740F5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740F51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [740F6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740F8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740F8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740F90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740FE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740F4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e370e3438 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e370e3438@9471ac2ab711 0x27 0x93 0xAE 0x86 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e370e3438 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e370e3438@9471ac2ab711 0x27 0x93 0xAE 0x86 ... ---- EOF - GMER 2.1 ---- Addition.txt Extras.Txt FRST.txt OTL.Txt Shortcut.txt Odnośnik do komentarza
picasso Opublikowano 15 Marca 2014 Zgłoś Udostępnij Opublikowano 15 Marca 2014 Raportu GMER nie możesz dołączyć, bo go zapisałeś bezpośrednio przyciskiem a nie przez opcję Kopiuj jak nakazuje instrukcja. Tak zapisany raport tworzy plik o rozszerzeniu *.LOG (niedopuszczalny w załącznikach). Na przyszłość: albo ręczna zmiana nazwy pliku na *.TXT, albo przycisk Kopiuj i zapis do pliku *.TXT. W raportach brak oznak infekcji, tu na widoku tylko kosmetyka pustych wpisów. To co wykrywa Avast ma nikłe znaczenie, jest to bowiem śmieć na poziomie Tymczasowych plików internetowych. Akcja: 1. Uruchom TFC - Temp Cleaner. Po jego użyciu Avast powinien się uspokoić. 2. Otwórz Notatnik i wklej w nim: URLSearchHook: HKCU - (No Name) - {d43723ae-1ae1-4a25-a6a4-bf0929273cab} - No File SearchScopes: HKLM - DefaultScope value is missing. S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X] S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X] S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X] S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X] S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X] S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X] S3 WinPhlash; \??\C:\WINDOWS\TEMP\WINPHLASH\PHLASHNT.SYS [X] Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f Reg: reg add "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach. Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Fix. Powstanie plik fixlog.txt. Przedstaw go. . Odnośnik do komentarza
bengrush Opublikowano 15 Marca 2014 Autor Zgłoś Udostępnij Opublikowano 15 Marca 2014 Rzeczywiście Avast już nie wykrywa zagrożeń (zarówno spod Windowsa jak i rozruchu). Jeszcze raz bardzo dziękuję. Plik fixlog.txt: Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014 01Ran by bengrush at 2014-03-15 21:35:43 Run:1Running from C:\FRSTBoot Mode: Normal==============================================Content of fixlist:*****************URLSearchHook: HKCU - (No Name) - {d43723ae-1ae1-4a25-a6a4-bf0929273cab} - No FileSearchScopes: HKLM - DefaultScope value is missing.S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]S3 WinPhlash; \??\C:\WINDOWS\TEMP\WINPHLASH\PHLASHNT.SYS [X]Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /fReg: reg add "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /fReg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /fReg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /fReg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f*****************HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{d43723ae-1ae1-4a25-a6a4-bf0929273cab} => Value deleted successfully.HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.ew_hwusbdev => Service deleted successfully.ew_usbenumfilter => Service deleted successfully.huawei_cdcacm => Service deleted successfully.huawei_enumerator => Service deleted successfully.huawei_ext_ctrl => Service deleted successfully.huawei_wwanecm => Service deleted successfully.WinPhlash => Service deleted successfully.========= reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f =========Operacja ukoäczona pomylnie.========= End of Reg: ================== reg add "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f =========Operacja ukoäczona pomylnie.========= End of Reg: ================== reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f =========Operacja ukoäczona pomylnie.========= End of Reg: ================== reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f =========Operacja ukoäczona pomylnie.========= End of Reg: ================== reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f =========Operacja ukoäczona pomylnie.========= End of Reg: ============= End of Fixlog ==== Odnośnik do komentarza
Rekomendowane odpowiedzi
Jeśli chcesz dodać odpowiedź, zaloguj się lub zarejestruj nowe konto
Jedynie zarejestrowani użytkownicy mogą komentować zawartość tej strony.
Zarejestruj nowe konto
Załóż nowe konto. To bardzo proste!
Zarejestruj sięZaloguj się
Posiadasz już konto? Zaloguj się poniżej.
Zaloguj się