ania92bis
Posts: 12
Replies posted by ania92bis
Summary:
- In the folder C:\Documents and Settings\All Users\Dokumenty\Server there was nothing left; I deleted it entirely.
- I uninstalled Kaspersky Virus Removal Tool
- I carried out all the recommendations, although I'm not sure whether I cleaned the System Restore folders correctly
- there is a problem removing the Gra Toolbar; a message pops up saying the file cannot be opened
Currently there are no problems with the computer; I don't think it has ever run this well :), there isn't even the graphics problem that previously showed up as a flickering black screen and pixels on the mouse cursor.
I wanted to thank you very, very warmly for your help and for the time you spent!!! I'm impressed by your enormous knowledge!
-
It took a little while, but I have the report:
Automatic scan: error (events: 2, objects: 0, time: Unknown)
2011-05-31 05:18:16 Threat: Trojan-Dropper.Win32.Drooptroop.kko C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat
2011-05-31 05:16:43 Task started
Automatic scan: finished 2 min ago (events: 4, objects: 167052, time: 01:09:42)
2011-05-31 06:36:40 Task finished
2011-05-31 05:31:26 Deleted: Trojan-Dropper.Win32.Drooptroop.kko C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat
2011-05-31 05:28:33 Threat: Trojan-Dropper.Win32.Drooptroop.kko C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat
2011-05-31 05:26:58 Task started
-
Log from AD-Remover:
======= REPORT FROM AD-REMOVER 2.0.0.2,G | ONLY XP/VISTA/7 =======
Updated by TeamXscript on 12/04/11
Contact: AdRemover[DOT]contact[AT]gmail[DOT]com
website: http://www.teamxscript.org
C:\Program Files\Ad-Remover\main.exe (CLEAN [1]) -> Launched at 03:21:22 on 31/05/2011, Safeboot mode
Microsoft Windows XP Professional Dodatek Service Pack 2 (X86)
Ania@53CCD542F731494 ( )
============== ACTION(S) ==============
Folder deleted: C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\FireFox\Profiles\ttr74es4.default\conduit
Folder deleted: C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\Conduit
Folder deleted: C:\Program Files\Conduit
Folder deleted: C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\OpenCandy
(!) -- Temporary files deleted.
-- File opened: C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\FireFox\Profiles\ttr74es4.default\Prefs.js --
Line deleted: user_pref("CT1561552.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER...
Line deleted: user_pref("CT1561552.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT156...
Line deleted: user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.pr...
Line deleted: user_pref("CommunityToolbar.ToolbarsList", "CT1561552");
Line deleted: user_pref("CommunityToolbar.ToolbarsList2", "CT1561552");
Line deleted: user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT1561552");
-- File closed --
Key deleted: HKLM\Software\Classes\Toolbar.CT1561552
Key deleted: HKLM\Software\Classes\Toolbar.CT2417076
Key deleted: HKLM\Software\Conduit
Key deleted: HKCU\Software\Conduit
============== ADDITIONNAL SCAN ==============
**** Mozilla Firefox Version [3.6.17 (pl)] ****
Plugins\npdnu.dll (AOL LLC)
Plugins\npdnupdater2.dll (AOL LLC)
Plugins\npwachk.dll (Nullsoft, Inc.)
Searchplugins\allegro-pl.xml (hxxp://www.allegro.pl/search.php?string={searchTerms}&sourceid=Mozilla-search)
Searchplugins\fbc-pl.xml (hxxp://fbc.pionier.net.pl/owoc/results)
Searchplugins\merlin-pl.xml (hxxp://www.merlin.com.pl/frontend/search?sourceid=Mozilla-search&fraza={searchTerms}&skad=crhhxmkohb)
Searchplugins\pwn-pl.xml (hxxp://encyklopedia.pwn.pl/szukaj.php?co={searchTerms})
Searchplugins\wikipedia-pl.xml (hxxp://pl.wikipedia.org/wiki/Specjalna:Szukaj)
Searchplugins\wp-pl.xml (hxxp://szukaj.wp.pl/szukaj.html?z=T&r=T&szukaj={searchTerms})
-- C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\FireFox\Profiles\ttr74es4.default --
Extensions\IplextoALL@ALLPlayer.org (Iplex to ALLPlayer)
Prefs.js - browser.download.lastDir, C:\\Documents and Settings\\Ania\\Pulpit
Prefs.js - browser.search.defaultenginename,
Prefs.js - browser.search.defaulturl,
Prefs.js - browser.search.selectedEngine, Google
Prefs.js - browser.startup.homepage, hxxp://pl.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pl:official
Prefs.js - browser.startup.homepage_override.mstone, rv:1.9.2.17
Prefs.js - privacy.popups.showBrowserMessage, false
-- C:\Documents and Settings\anna lompa\Dane aplikacji\Mozilla\FireFox\Profiles\x71v7lrk.default --
Prefs.js - browser.download.lastDir, C:\\Documents and Settings\\anna lompa\\Pulpit
Prefs.js - browser.startup.homepage_override.mstone, rv:1.9.2.17
========================================
**** Google Chrome Version [11.0.696.71] ****
Extension\icmlaeflemplmjndnaapfdbbnpncnbda (C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx) (?)
-- C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default --
Preferences - default_search_provider: "Google" (Enabled: true) (?)
Plugin - "Picasa" (Enabled: true)
Plugin - "Winamp Application Detector" (Enabled: true)
========================================
**** Internet Explorer Version [7.0.5730.13] ****
HKCU_Main|Default_Page_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU_Main|Search bar - hxxp://go.microsoft.com/fwlink/?linkid=54896
HKCU_Main|Start Page - hxxp://fr.msn.com/
HKLM_Main|Default_Page_URL - hxxp://go.microsoft.com/fwlink/?LinkId=54896
HKLM_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM_Main|Search bar - hxxp://search.msn.com/spbasic.htm
HKLM_Main|Search Page - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM_Main|Start Page - hxxp://fr.msn.com/
HKLM_Toolbar|{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} (C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll)
HKLM_Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583} - "?" (?)
BHO\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - "avast! WebRep" (C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll)
BHO\{DF925EF3-7A87-44E4-9CAF-8D7B280BF616} - "IplexToALLPlayer" (C:\PROGRA~1\ALLPLA~1\Iplex\IPLEXT~1.DLL)
========================================
C:\Program Files\Ad-Remover\Quarantine: 16 File(s)
C:\Program Files\Ad-Remover\Backup: 16 File(s)
C:\Ad-Report-CLEAN[1].txt - 31/05/2011 03:22:07 (1544 Byte(s))
C:\Ad-Report-SCAN[1].txt - 31/05/2011 02:39:28 (7023 Byte(s))
C:\Ad-Report-SCAN[2].txt - 31/05/2011 02:42:46 (7088 Byte(s))
End at: 03:22:37, 31/05/2011
============== E.O.F ==============
-
I removed the Winamp Toolbar, but I had trouble finding the Hotspot Shield Toolbar.
And here is a new batch of logs:
Log produced by the OTL removal run:
All processes killed
========== OTL ==========
HKU\S-1-5-21-1844237615-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "AOL Web Search" removed from browser.search.defaultenginename
Prefs.js: "Hotspot Shield Customized Web Search" removed from browser.search.defaultthis.engineName
Prefs.js: "http://search.winamp.com/search/search?query={searchTerms}&invocationType=tb50-ff-winamp-chromesbox-en-us&tb_uuid=20110224194650156&tb_oid=24-02-2011&tb_mrud=24-02-2011&query=" removed from browser.search.defaulturl
Prefs.js: "http://search.conduit.com/?ctid=CT1561552&SearchSource=13" removed from browser.startup.homepage
Prefs.js: "http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&invocationType=tb50-ff-winamp-ab-en-us&tb_uuid=20110224194650156&tb_oid=24-02-2011&tb_mrud=24-02-2011&query=" removed from keyword.URL
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{37B85A29-692B-4205-9CAD-2626E4993404} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1844237615-1177238915-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{37B85A29-692B-4205-9CAD-2626E4993404} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\Firefox\Profiles\ttr74es4.default\searchplugins\aol-web-search.xml moved successfully.
C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\Firefox\Profiles\ttr74es4.default\searchplugins\conduit.xml moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\308eb\SMESys folder moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\308eb\Quarantine Items folder moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\308eb\BackUp folder moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\308eb folder moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\308ebc folder moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\SMKSJWE folder moved successfully.
C:\Documents and Settings\Ania\Dane aplikacji\OpenCandy\OpenCandy_EF097B2A9E9146C2BC0504A8538F7192 folder moved successfully.
C:\Documents and Settings\Ania\Dane aplikacji\OpenCandy folder moved successfully.
========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!
[EMPTYFLASH]
User: Administrator
User: Administrator.53CCD542F731494
User: All Users
User: Ania
->Flash cache emptied: 4318 bytes
User: anna lompa
->Flash cache emptied: 904 bytes
User: Default User
User: Gość
User: LocalService
User: NetworkService
User: UpdatusUser
Total Flash Files Cleaned = 0,00 mb
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111759 bytes
User: Administrator.53CCD542F731494
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 3465364 bytes
User: All Users
User: Ania
->Temp folder emptied: 1225 bytes
->Temporary Internet Files folder emptied: 81902 bytes
->FireFox cache emptied: 111915663 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: anna lompa
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 99421761 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Gość
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2114584 bytes
%systemroot%\System32 .tmp files removed: 2596 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 207,00 mb
OTL by OldTimer - Version 3.2.23.0 log created on 05312011_020047
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
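As an added example (my own code, not from the post and not from Ad-Remover, OTL or any other tool used here), the audit below reproduces the checks behind the prefs.js lines that the Ad-Remover and OTL logs above removed: it parses user_pref() entries, flags start-page and search preferences whose URL host is outside an allow-list, flags search-engine names outside an expected set, and flags the Conduit-style "CT<digits>." and "CommunityToolbar." preference names. The sample prefs.js is constructed from the values quoted in those logs (the truncated ones are not reproduced) plus two benign entries; the allow-lists and the engine names in them are assumptions to adjust for the machine being audited.

```python
import re
from urllib.parse import urlsplit

# Constructed sample prefs.js, modelled on the entries the Ad-Remover and OTL logs above removed,
# plus two benign entries from the "additional scan" section. Truncated values are not reproduced.
PREFS_JS = r"""
# Mozilla User Preferences
user_pref("browser.download.lastDir", "C:\\Documents and Settings\\Ania\\Pulpit");
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT1561552&SearchSource=13");
user_pref("browser.search.defaulturl", "http://search.winamp.com/search/search?query={searchTerms}&invocationType=tb50-ff-winamp-chromesbox-en-us&tb_uuid=20110224194650156&tb_oid=24-02-2011&tb_mrud=24-02-2011&query=");
user_pref("keyword.URL", "http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&invocationType=tb50-ff-winamp-ab-en-us&tb_uuid=20110224194650156&tb_oid=24-02-2011&tb_mrud=24-02-2011&query=");
user_pref("browser.search.defaultenginename", "AOL Web Search");
user_pref("browser.search.defaultthis.engineName", "Hotspot Shield Customized Web Search");
user_pref("CommunityToolbar.ToolbarsList", "CT1561552");
user_pref("CT1561552.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT1561552");
user_pref("privacy.popups.showBrowserMessage", false);
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preferences that decide where typed text and the start page go (Firefox 3.x names).
URL_PREFS = {"browser.startup.homepage", "browser.search.defaulturl", "keyword.URL"}
ENGINE_NAME_PREFS = {"browser.search.defaultenginename", "browser.search.defaultthis.engineName",
                     "browser.search.selectedEngine"}
# Assumed allow-lists; tune per machine.
ALLOWED_DOMAINS = {"google.com", "google.pl", "mozilla.com", "mozilla.org"}
ALLOWED_ENGINES = {"Google", "Bing", "Yahoo", "Wikipedia (pl)"}
# Conduit community toolbars key their prefs as CT<digits>.* and CommunityToolbar.*
TOOLBAR_PREF_RE = re.compile(r"^(CT\d+|CommunityToolbar)\.")


def parse_prefs(text):
    """Return {name: value}; string values are unquoted, others kept as their literal text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            prefs[name] = raw
    return prefs


def host_allowed(url):
    """True when the URL's host is one of the allow-listed domains or a subdomain of one."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def audit_prefs(prefs):
    """Return [(pref, reason)] for entries that look like a search or start-page hijack."""
    findings = []
    for name, value in sorted(prefs.items()):
        if TOOLBAR_PREF_RE.match(name):
            findings.append((name, "toolbar-owned preference"))
        elif name in URL_PREFS and not host_allowed(value):
            findings.append((name, "points off the allow-list: %s" % (urlsplit(value).hostname or value)))
        elif name in ENGINE_NAME_PREFS and value not in ALLOWED_ENGINES:
            findings.append((name, "unexpected search engine: %s" % value))
    return findings


if __name__ == "__main__":
    for pref, reason in audit_prefs(parse_prefs(PREFS_JS)):
        print("%-45s %s" % (pref, reason))
```

On the sample input the audit reports seven entries: the two Conduit-named preferences, the three URL preferences pointing at conduit.com, winamp.com and aol.com, and the two engine names that the OTL run removed; the benign lastDir, selectedEngine and popup entries pass. Run it against a profile's prefs.js (Firefox keeps it under the profile directory shown in the logs) before and after cleanup to confirm nothing re-added the entries.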
-
New ComboFix log:
-
At the moment I'm stuck, because I can't manually replace the files below with the ones from C:\Pliki:
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
I'd be very grateful for help on how to do this
-
Avast still detects an infection in the form of Win32:Bamital-AE, and I still get redirected to google when I go to a website.
Here is the current ComboFix log
-
Additional ComboFix log
-
1. Problem:
- Avast detects Win32:Bamital-AE every few dozen minutes; its location is c:\windows\system32\winlogon.exe.
- often, when I want to open a specific website, the browser redirects itself to google.pl
- for a few days I've had a display problem: a black screen appears and black pixels are visible on the mouse cursor; the graphics card has probably died, although I suspect it's a result of this infection
- I used various programs to remove the infection, among others ComboFix
2. Logs:
1. Gmer:
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-29 01:31:15
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3160811AS rev.3.AAE
Running: x7cj8jwm.exe; Driver: C:\DOCUME~1\Ania\USTAWI~1\Temp\ffpdiaoc.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!send 71A5428A 5 Bytes JMP 00165ACB
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 00165CC8
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 00166224
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!recv 71A5615A 5 Bytes JMP 00165B3E
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 00165C19
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 00165F43
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1432] USER32.dll!TrackPopupMenu 7E3B526E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!CreateProcessInternalW 7C819724 5 Bytes JMP 00B78369
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----
2. OTL attached
3. OTL Extras attached
4. Checkup:
Results of screen317's Security Check version 0.99.12
Windows XP Service Pack 2
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
CCleaner
Driver Cleaner 3
Flash Player Out of Date!
Adobe Flash Player 10.2.153.1
Adobe Reader 9.4.0 - Polish
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.17) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````
Thank you in advance for looking into my problem.
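For triaging the "User code sections" part of the GMER log in the post above, here is an added example (my own code, not GMER's and not part of the original post). When GMER can map a JMP target to a file on disk it prints the owning module and vendor after the target address; the lines where nothing follows the target are the ones to look at first, because the hook lands in memory that no loaded module accounts for. The script parses that block, separates module-backed from unbacked hooks, groups the unbacked ones per process and labels the hooked API family. The family names are my own grouping, and the sample text is the set of GMER lines copied from the post.

```python
import re
from collections import defaultdict

# Sample input: the "User code sections" block copied from the GMER log in the post above.
GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!send 71A5428A 5 Bytes JMP 00165ACB
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 00165CC8
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 00166224
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!recv 71A5615A 5 Bytes JMP 00165B3E
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 00165C19
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 00165F43
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1432] USER32.dll!TrackPopupMenu 7E3B526E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!CreateProcessInternalW 7C819724 5 Bytes JMP 00B78369
---- Devices - GMER 1.0.15 ----
"""

# One inline-hook line: ".text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner> (<vendor>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<length>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Assumed API families used only for labelling (my grouping, not something GMER reports).
NETWORK_APIS = {"send", "recv", "WSASend", "WSARecv", "gethostbyname", "closesocket", "connect", "WSAConnect"}
PROCESS_APIS = {"CreateProcessInternalW", "CreateProcessW", "CreateProcessA"}
LOADER_APIS = {"LdrLoadDll", "LdrGetProcedureAddress", "LoadLibraryExW"}


def classify(function):
    """Map a hooked export to a coarse API family."""
    if function in NETWORK_APIS:
        return "network"
    if function in PROCESS_APIS:
        return "process-creation"
    if function in LOADER_APIS:
        return "loader"
    return "other"


def parse_hooks(text):
    """Return one dict per '.text ... JMP' line; 'backed' is True when GMER named an owning module."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["length"] = int(h["length"])
        h["address"] = int(h["address"], 16)
        h["target"] = int(h["target"], 16)
        h["backed"] = h["owner"] is not None
        h["category"] = classify(h["function"])
        hooks.append(h)
    return hooks


def triage(hooks):
    """Group the unbacked hooks by process so each process's patched API surface is visible at once."""
    findings = defaultdict(list)
    for h in hooks:
        if h["backed"]:
            continue  # owner module known: still worth a look, but often a product hooking itself
        findings["%s[%d]" % (h["process"], h["pid"])].append(h)
    return dict(findings)


def report(text):
    """Human-readable summary, returned as lines so it can be checked as well as printed."""
    hooks = parse_hooks(text)
    lines = ["%d inline hooks parsed, %d without an owning module" %
             (len(hooks), sum(1 for h in hooks if not h["backed"]))]
    for proc, hs in sorted(triage(hooks).items()):
        families = sorted({h["category"] for h in hs})
        lines.append("%s: %d unbacked hook(s), families: %s" % (proc, len(hs), ", ".join(families)))
        for h in sorted(hs, key=lambda h: h["address"]):
            lines.append("    %s!%s at %08X -> %08X" % (h["module"], h["function"], h["address"], h["target"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(GMER_LOG)))
```

On this log the two hooks GMER attributes to firefox.exe and xul.dll drop out as product-owned, leaving six unbacked hooks on the Winsock send/receive/name-resolution path inside firefox.exe and one on CreateProcessInternalW inside Explorer.EXE, which is the picture to bring to whoever is reading the log: browser traffic passes through injected code, and so does every process Explorer starts. The script does not say which malware is responsible; it only separates the lines that need an explanation from those that already have one.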
Thread: Win32:Bamital-AE in winlogon.exe (Emergency help section)
So I did clean the System Restore folders correctly; I had some doubts about it because it seemed too simple to me :D
Gra Toolbar removed!