Fake Win 7 Security oraz pytanie skąd się to wzięło...

[Sanch0]

Dzisiaj dostałem komputer w którym aplikacja ta zaczęła się pojawiać. Na czas skanu OTL zabiłem proces o nazwie pit.exe dzięki czemu na chwilę był spokój. Niczego więcej nie ruszałem ponieważ nie maiłem pewności czy coś jeszcze siedzi oraz nie chciałem zacierać śladów.

 

Użytkownik twierdzi, że nic podejrzanego nie instalował... Ja chwilowo też nie moge dojść skąd się ta aplikacja u niego wzięła.

 

Results of screen317's Security Check version 0.99.30

Windows 7 x64 (UAC is enabled)

Internet Explorer 9

``````````````````````````````

Antivirus/Firewall Check:

Avira Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Java™ 6 Update 24

Java version out of date!

Adobe Flash Player 9 Flash Player out of date!

Adobe Flash Player 10.1.82.76 Flash Player out of Date!

Adobe Reader 9 Adobe Reader out of date!

Mozilla Firefox (9.0.1)

Mozilla Thunderbird (x86 pl..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

OTL.Txt

Extras.Txt

[Landuss]

1. Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej następujący tekst:

 

:OTL
FF - prefs.js..browser.search.defaultenginename: "Web Search..."
FF - prefs.js..extensions.enabledItems: radiobar@toolbar:1.0.0
FF - prefs.js..keyword.URL: "http://radiobar.toolbarhome.com/search.aspx?srch=ku&q="
[2010-03-14 20:05:22 | 000,000,000 | ---D | M] (RadioBar Toolbar) -- C:\Users\Konrad\AppData\Roaming\mozilla\Firefox\Profiles\mm1z4ahd.default\extensions\radiobar@toolbar
[2010-02-09 12:33:22 | 000,002,055 | ---- | M] () -- C:\Users\Konrad\AppData\Roaming\Mozilla\Firefox\Profiles\mm1z4ahd.default\searchplugins\daemon-search.xml
[2010-03-14 20:05:29 | 000,001,589 | ---- | M] () -- C:\Users\Konrad\AppData\Roaming\Mozilla\Firefox\Profiles\mm1z4ahd.default\searchplugins\web-search.xml
O4 - HKLM..\Run: []  File not found
O4 - HKU\S-1-5-21-3829192350-1106481819-3590728672-1000..\Run: []  File not found
O4 - HKU\S-1-5-21-3829192350-1106481819-3590728672-1000..\Run: [Power2GoExpress]  File not found
O37 - HKU\S-1-5-21-3829192350-1106481819-3590728672-1000\...exe [@ = dc] -- "C:\Users\Konrad\AppData\Local\pit.exe" -a "%1" %* (Microsoft Corporation)
[2011-12-27 17:24:49 | 000,007,306 | -HS- | C] () -- C:\Users\Konrad\AppData\Local\06ewu38qj7mc806pf85h12
[2011-12-27 17:24:49 | 000,007,306 | -HS- | C] () -- C:\ProgramData\06ewu38qj7mc806pf85h12
[2011-12-27 17:23:28 | 000,331,264 | ---- | C] () -- C:\Users\Konrad\AppData\Local\rumoxbosr.exe
 
:Commands
[emptytemp]

 

Kliknij w Wykonaj skrypt. Zatwierdź restart komputera.

 

2. Przejdź do panelu usuwania programów i odinstaluj zbędne paski sponsoringowe - Ask Toolbar oraz DAEMON Tools Toolbar

 

3. Następnie uruchamiasz OTL ponownie, tym razem wywołujesz opcję Skanuj. Pokazujesz nowe logi z OTL oraz AD-Remover z opcji Scan.

[Sanch0]

Załączam nowe logi:

 

All processes killed

========== OTL ==========

Prefs.js: "Web Search..." removed from browser.search.defaultenginename

Prefs.js: radiobar@toolbar:1.0.0 removed from extensions.enabledItems

Prefs.js: "http://radiobar.toolbarhome.com/search.aspx?srch=ku&q=" removed from keyword.URL

C:\Users\Konrad\AppData\Roaming\mozilla\Firefox\Profiles\mm1z4ahd.default\extensions\radiobar@toolbar\META-INF folder moved successfully.

C:\Users\Konrad\AppData\Roaming\mozilla\Firefox\Profiles\mm1z4ahd.default\extensions\radiobar@toolbar\components folder moved successfully.

C:\Users\Konrad\AppData\Roaming\mozilla\Firefox\Profiles\mm1z4ahd.default\extensions\radiobar@toolbar\chrome folder moved successfully.

C:\Users\Konrad\AppData\Roaming\mozilla\Firefox\Profiles\mm1z4ahd.default\extensions\radiobar@toolbar folder moved successfully.

C:\Users\Konrad\AppData\Roaming\Mozilla\Firefox\Profiles\mm1z4ahd.default\searchplugins\daemon-search.xml moved successfully.

C:\Users\Konrad\AppData\Roaming\Mozilla\Firefox\Profiles\mm1z4ahd.default\searchplugins\web-search.xml moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Registry value HKEY_USERS\S-1-5-21-3829192350-1106481819-3590728672-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Registry value HKEY_USERS\S-1-5-21-3829192350-1106481819-3590728672-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.

Registry key HKEY_USERS\S-1-5-21-3829192350-1106481819-3590728672-1000_Classes\.exe\ deleted successfully.

Registry key HKEY_USERS\S-1-5-21-3829192350-1106481819-3590728672-1000_Classes\dc\ deleted successfully.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

C:\Users\Konrad\AppData\Local\06ewu38qj7mc806pf85h12 moved successfully.

C:\ProgramData\06ewu38qj7mc806pf85h12 moved successfully.

C:\Users\Konrad\AppData\Local\rumoxbosr.exe moved successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: All Users

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 80055 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Konrad

->Temp folder emptied: 1516460593 bytes

->Temporary Internet Files folder emptied: 13306086 bytes

->Java cache emptied: 1822442 bytes

->FireFox cache emptied: 66556182 bytes

->Flash cache emptied: 23164 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 4409474 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50534 bytes

RecycleBin emptied: 62386391 bytes

 

Total Files Cleaned = 1 588,00 mb

 

 

OTL by OldTimer - Version 3.2.31.0 log created on 12272011_221351

 

Files\Folders moved on Reboot...

C:\Users\Konrad\AppData\Local\Temp\radE889D.tmp\bin\Gadget.Interop.dll moved successfully.

C:\Users\Konrad\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

 

Registry entries deleted on Reboot...

Ad-Report-SCAN1.txt

OTL.Txt

Extras.Txt

[Landuss]

Jest lepiej, ale to jeszcze nie koniec usuwania. Kolejny skrypt do wprowadzenia:

 

:Files
C:\Users\Konrad\AppData\Local\pit.exe
 
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
""="C:\Program Files (x86)\Internet Explorer\iexplore.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
""="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
[-HKEY_LOCAL_MACHINE\Software\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}]
[-HKEY_USERS\.DEFAULT\Software\Ask.com]
[-HKEY_USERS\.DEFAULT\Software\AskToolbar]
[-HKEY_USERS\S-1-5-18\Software\Ask.com]
[-HKEY_USERS\S-1-5-18\Software\AskToolbar]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]

 

Do wglądu nowy log z AD-Remover.

[Sanch0]

Nowe logi do wglądu.

Ad-Report-SCAN2.txt

12282011_190933.txt

OTL.Txt

Extras.Txt

[Landuss]

Tym razem wszystko załatwione co do joty i to by było na tyle z usuwania, a problemy powinny minąć. Standardy na koniec:

 

1. Użyj opcji Sprzątanie z OTL.

 

2. Zaktualizuj wymienione oprogramowanie:

 

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 24

"{AC76BA86-7AD7-1045-7B44-A94000000001}" = Adobe Reader 9.4.7 - Polish

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

 

Szczegóły aktualizacyjne: KLIK

 

3. Opróżnij folder przywracania systemu: KLIK