
Czewiczejs

Users
  • Posts

    10
  • Joined

  • Last visit

  1. Hello. A message appeared on my screen saying that the computer had been blocked by the police; I already knew from the internet that this is not the police but a virus. I booted into safe mode, restored the system to a few days earlier, and the message disappeared. However, it seems to me that not everything is in order: it probably damaged my antivirus, because when I try to run a scan the computer slows to a crawl and after a while McAfee reports that an unexpected error occurred. I would really appreciate some help. Extras.Txt08.11.txt OTL.Txt-08.11.txt
  2. Thank you for the quick and efficient help; so far everything is working as it should. Thanks once again and best regards.
  3. Malwarebytes Anti-Malware (Okres testowy) 1.61.0.1400
     www.malwarebytes.org

     Wersja bazy: v2012.06.11.04

     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Marcin :: MARCIN-KOMPUTER [administrator]

     Ochrona: Włączona

     2012-06-11 16:20:26
     mbam-log-2012-06-11 (16-20-26).txt

     Typ skanowania: Pełne skanowanie
     Zaznaczone opcje skanowania: Pamięć | Rozruch | Rejestr | System plików | Heurystyka/Dodatkowe | Heuristyka/Shuriken | PUP | PUM
     Odznaczone opcje skanowania: P2P
     Przeskanowano obiektów: 370090
     Upłynęło: 1 godzin(y), 31 minut(y), 35 sekund(y)

     Wykrytych procesów w pamięci: 0
     (Nie znaleziono zagrożeń)

     Wykrytych modułów w pamięci: 0
     (Nie znaleziono zagrożeń)

     Wykrytych kluczy rejestru: 0
     (Nie znaleziono zagrożeń)

     Wykrytych wartości rejestru: 0
     (Nie znaleziono zagrożeń)

     Wykryte wpisy rejestru systemowego: 0
     (Nie znaleziono zagrożeń)

     wykrytych folderów: 0
     (Nie znaleziono zagrożeń)

     Wykrytych plików: 1
     C:\Users\Marcin\Downloads\DAEMON_Tools_Lite_Downloader.exe (Trojan.StartPage) -> Dodanie do kwarantanny i usunięcie pliku zakończyły się powodzeniem.

     (zakończone)
  4. Farbar Service Scanner Version: 09-06-2012
     Ran by Marcin (administrator) on 11-06-2012 at 15:42:33
     Running from "C:\Users\Marcin\Downloads"
     Microsoft Windows 7 Home Premium Service Pack 1 (X64)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo IP is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Action Center:
     ============
     wscsvc Service is not running. Checking service configuration:
     The start type of wscsvc service is OK.
     The ImagePath of wscsvc service is OK.
     The ServiceDll of wscsvc service is OK.

     Windows Update:
     ============

     Windows Autoupdate Disabled Policy:
     ============================

     Windows Defender:
     ==============
     WinDefend Service is not running. Checking service configuration:
     The start type of WinDefend service is OK.
     The ImagePath of WinDefend service is OK.
     The ServiceDll of WinDefend service is OK.

     Windows Defender Disabled Policy:
     ==========================
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware"=DWORD:1

     File Check:
     ========
     C:\Windows\System32\nsisvc.dll => MD5 is legit
     C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
     C:\Windows\System32\dhcpcore.dll => MD5 is legit
     C:\Windows\System32\drivers\afd.sys => MD5 is legit
     C:\Windows\System32\drivers\tdx.sys => MD5 is legit
     C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
     C:\Windows\System32\dnsrslvr.dll => MD5 is legit
     C:\Windows\System32\mpssvc.dll => MD5 is legit
     C:\Windows\System32\bfe.dll => MD5 is legit
     C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
     C:\Windows\System32\SDRSVC.dll => MD5 is legit
     C:\Windows\System32\vssvc.exe => MD5 is legit
     C:\Windows\System32\wscsvc.dll => MD5 is legit
     C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
     C:\Windows\System32\wuaueng.dll => MD5 is legit
     C:\Windows\System32\qmgr.dll => MD5 is legit
     C:\Windows\System32\es.dll => MD5 is legit
     C:\Windows\System32\cryptsvc.dll => MD5 is legit
     C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\rpcss.dll => MD5 is legit

     **** End of log ****
  5. # AdwCleaner v1.609 - Logfile created 06/11/2012 at 13:50:16
     # Updated 10/06/2012 by Xplode
     # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
     # User : Marcin - MARCIN-KOMPUTER
     # Running from : C:\Users\Marcin\Downloads\adwcleaner.exe
     # Option [Delete]

     ***** [services] *****

     ***** [Files / Folders] *****

     Folder Deleted : C:\Users\Marcin\AppData\LocalLow\Softonic

     ***** [Registry] *****

     ***** [Registre - GUID] *****

     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7ABBFE1C-E485-44AA-8F36-353751B4124D}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5018CFD2-804D-4C99-9F81-25EAEA2769DE}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E87806B5-E908-45FD-AF5E-957D83E58E68}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5018CFD2-804D-4C99-9F81-25EAEA2769DE}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E87806B5-E908-45FD-AF5E-957D83E58E68}
     [x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

     ***** [internet Browsers] *****

     -\\ Internet Explorer v9.0.8112.16421

     [OK] Registry is clean.

     -\\ Mozilla Firefox v13.0 (pl)

     Profile name : default
     File : C:\Users\Marcin\AppData\Roaming\Mozilla\Firefox\Profiles\qo2p8pqm.default\prefs.js

     C:\Users\Marcin\AppData\Roaming\Mozilla\Firefox\Profiles\qo2p8pqm.default\user.js ... Deleted !

     Deleted : user_pref("extensions.Softonic.admin", false);
     Deleted : user_pref("extensions.Softonic.aflt", "SD");
     Deleted : user_pref("extensions.Softonic.autoRvrt", "false");
     Deleted : user_pref("extensions.Softonic.cntry", "PL");
     Deleted : user_pref("extensions.Softonic.dfltLng", "pl");
     Deleted : user_pref("extensions.Softonic.dfltSrch", false);
     Deleted : user_pref("extensions.Softonic.envrmnt", "production");
     Deleted : user_pref("extensions.Softonic.excTlbr", false);
     Deleted : user_pref("extensions.Softonic.hdrMd5", "55C4217329786973CE55CC01CBA0EC6E");
     Deleted : user_pref("extensions.Softonic.hmpg", false);
     Deleted : user_pref("extensions.Softonic.id", "7c5079070000000000004ceb426a32eb");
     Deleted : user_pref("extensions.Softonic.instlDay", "15451");
     Deleted : user_pref("extensions.Softonic.instlRef", "MON00084");
     Deleted : user_pref("extensions.Softonic.isdcmntcmplt", false);
     Deleted : user_pref("extensions.Softonic.lastVrsnTs", "1.5.21.011:03:44");
     Deleted : user_pref("extensions.Softonic.logicsmngrdailyreporttime", "02-06-2012");
     Deleted : user_pref("extensions.Softonic.mntrvrsn", "1.3.0");
     Deleted : user_pref("extensions.Softonic.newTab", false);
     Deleted : user_pref("extensions.Softonic.prdct", "Softonic");
     Deleted : user_pref("extensions.Softonic.prtnrId", "softonic");
     Deleted : user_pref("extensions.Softonic.rvrtMsg", "Click Yes to keep current home page and default search set[...]
     Deleted : user_pref("extensions.Softonic.sg", "cz");
     Deleted : user_pref("extensions.Softonic.similarsitesstorage-pid2", "57930a6e-68ae-a86e-6b46-9b79b3d5cd07");
     Deleted : user_pref("extensions.Softonic.smplGrp", "none");
     Deleted : user_pref("extensions.Softonic.tlbrId", "base");
     Deleted : user_pref("extensions.Softonic.tlbrSrchUrl", "hxxp://search.softonic.com/MON00084/tb_v1?SearchSource[...]
     Deleted : user_pref("extensions.Softonic.vrsn", "1.5.21.0");
     Deleted : user_pref("extensions.Softonic.vrsnTs", "1.5.21.011:03:44");
     Deleted : user_pref("extensions.Softonic.vrsni", "1.5.21.0");
     Deleted : user_pref("extensions.Softonic.xpestat\\xpereportdata", "24-4-2012");
     Deleted : user_pref("extensions.Softonic_i.newTab", false);
     Deleted : user_pref("extensions.Softonic_i.smplGrp", "none");
     Deleted : user_pref("extensions.Softonic_i.vrsnTs", "1.5.21.011:03:44");

     *************************

     AdwCleaner[s1].txt - [3788 octets] - [11/06/2012 13:50:16]

     ########## EOF - C:\AdwCleaner[s1].txt - [3916 octets] ##########

     Sorry for the confusion, I found it.
  6. All processes killed
     ========== FILES ==========
     C:\Windows\Installer\{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b}\U folder moved successfully.
     C:\Windows\Installer\{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b}\L folder moved successfully.
     C:\Windows\Installer\{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b} folder moved successfully.
     File move failed. C:\Windows\Assembly\GAC_32\Desktop.ini scheduled to be moved on reboot.
     File move failed. C:\Windows\Assembly\GAC_64\Desktop.ini scheduled to be moved on reboot.
     C:\Program Files (x86)\v9Soft folder moved successfully.
     ========== OTL ==========
     Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
     ========== COMMANDS ==========

     [EMPTYTEMP]

     User: All Users

     User: Default
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Flash cache emptied: 56466 bytes

     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Flash cache emptied: 0 bytes

     User: Marcin
     ->Temp folder emptied: 1433618774 bytes
     ->Temporary Internet Files folder emptied: 281968512 bytes
     ->Java cache emptied: 0 bytes
     ->FireFox cache emptied: 100199444 bytes
     ->Flash cache emptied: 68336 bytes

     User: Public

     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 123242097 bytes
     %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50534 bytes
     RecycleBin emptied: 456 bytes

     Total Files Cleaned = 1 849,00 mb

     OTL by OldTimer - Version 3.2.48.0 log created on 06112012_133619

     Files\Folders moved on Reboot...
     File\Folder C:\Windows\Assembly\GAC_32\Desktop.ini not found!
     File\Folder C:\Windows\Assembly\GAC_64\Desktop.ini not found!
     C:\Users\Marcin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

     Registry entries deleted on Reboot...

     Unfortunately I don't know where the log from step 3 was saved.
  7. Farbar Service Scanner Version: 09-06-2012
     Ran by Marcin (administrator) on 11-06-2012 at 14:14:15
     Running from "C:\Users\Marcin\Downloads"
     Microsoft Windows 7 Home Premium Service Pack 1 (X64)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo IP is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============
     mpsdrv Service is not running. Checking service configuration:
     The start type of mpsdrv service is OK.
     The ImagePath of mpsdrv service is OK.

     MpsSvc Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

     bfe Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Action Center:
     ============
     wscsvc Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

     Windows Update:
     ============

     Windows Autoupdate Disabled Policy:
     ============================

     Windows Defender:
     ==============
     WinDefend Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

     Windows Defender Disabled Policy:
     ==========================
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware"=DWORD:1

     File Check:
     ========
     C:\Windows\System32\nsisvc.dll => MD5 is legit
     C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
     C:\Windows\System32\dhcpcore.dll => MD5 is legit
     C:\Windows\System32\drivers\afd.sys => MD5 is legit
     C:\Windows\System32\drivers\tdx.sys => MD5 is legit
     C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
     C:\Windows\System32\dnsrslvr.dll => MD5 is legit
     C:\Windows\System32\mpssvc.dll => MD5 is legit
     C:\Windows\System32\bfe.dll => MD5 is legit
     C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
     C:\Windows\System32\SDRSVC.dll => MD5 is legit
     C:\Windows\System32\vssvc.exe => MD5 is legit
     C:\Windows\System32\wscsvc.dll => MD5 is legit
     C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
     C:\Windows\System32\wuaueng.dll => MD5 is legit
     C:\Windows\System32\qmgr.dll => MD5 is legit
     C:\Windows\System32\es.dll => MD5 is legit
     C:\Windows\System32\cryptsvc.dll => MD5 is legit
     C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\rpcss.dll => MD5 is legit

     **** End of log ****

     Unfortunately I don't know where the log from step 3 was saved. OTL.Txt
  8. 2012-06-11 13:05:54, Info CSI 00000009 [sR] Verifying 1 components
     2012-06-11 13:05:54, Info CSI 0000000a [sR] Beginning Verify and Repair transaction
     2012-06-11 13:05:54, Info CSI 0000000c [sR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"services.exe" from store
     2012-06-11 13:05:54, Info CSI 0000000e [sR] Verify complete
     2012-06-11 13:05:54, Info CSI 0000000f [sR] Repairing 1 components
     2012-06-11 13:05:54, Info CSI 00000010 [sR] Beginning Verify and Repair transaction
     2012-06-11 13:05:54, Info CSI 00000012 [sR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"services.exe" from store
     2012-06-11 13:05:54, Info CSI 00000014 [sR] Repair complete
     2012-06-11 13:05:54, Info CSI 00000015 [sR] Committing transaction
     2012-06-11 13:05:54, Info CSI 00000019 [sR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
     2012-06-11 13:05:54, Info CSI 0000001a [sR] Repairing 1 components
     2012-06-11 13:05:54, Info CSI 0000001b [sR] Beginning Verify and Repair transaction
     2012-06-11 13:05:54, Info CSI 0000001d [sR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"services.exe" from store
     2012-06-11 13:05:54, Info CSI 0000001f [sR] Repair complete
  9. SystemLook 30.07.11 by jpshortstuff
     Log created at 12:48 on 11/06/2012 by Marcin
     Administrator - Elevation successful

     ========== reg ==========

     [HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
     (Unable to open key - key not found)

     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]
     @="Microsoft WBEM New Event Subsystem"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
     @="%systemroot%\system32\wbem\wbemess.dll"
     "ThreadingModel"="Both"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
     @="MruPidlList"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
     @="%SystemRoot%\system32\shell32.dll"
     "ThreadingModel"="Apartment"

     ========== filefind ==========

     Searching for "services.exe"
     C:\Windows\System32\services.exe --a---- 329216 bytes [23:19 13/07/2009] [01:39 14/07/2009] 50BEA589F7D7958BDD2528A8F69D05CC
     C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB

     ========== regfind ==========

     Searching for "{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b}"
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
     "PendingFileRenameOperations"="\??\c:\windows\installer\{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b}\u\80000032.@"
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
     "PendingFileRenameOperations"="\??\c:\windows\installer\{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b}\u\80000032.@"

     ========== folderfind ==========

     Searching for "{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b}"
     C:\Windows\Installer\{c2efbd8a-4868-9ae9-a532-8f2ea8cd7a3b} d--hs-- [18:15 06/04/2012]

     -= EOF=-

     What next?
  10. Hello. I would really appreciate help, that is, detailed instructions on how to proceed. My McAfee detects two viruses/trojan horses: 1) ZeroAccess in C/windows/asseble/GAC_32/Desktop.ini 2) Generic.dx!b2ms in C/windows/asseble/GAC_64/Desktop.ini. It definitely blocks my firewall and is messing with something in the system, but I don't know exactly what; for example, the laptop loses its connection to the wireless printer. Please help urgently, and if possible tell me what these trojans do. Thanks in advance and best regards. PS. My system is Windows 7 Home Premium 64-bit; here are the logs Extras.Txt OTL.Txt