I did the second step without the desktop, but I had to do it manually in regedit: for some reason the key to be deleted was not found, and for the one to be added I got access denied. I deleted the first one, and instead of creating the second one I changed (Default) to the path "C:WINDOWS\system32\wbem\fastprox.dll". (Default) was REG_SZ rather than REG_EXPAND_SZ, but that could not be changed. After the reboot the desktop started and this log appeared:
All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell deleted successfully.
========== FILES ==========
D:\userdata\WRO01692\Application Data\skype.dat moved successfully.
D:\userdata\WRO01692\Application Data\skype.ini moved successfully.
C:\Program Files\Enigma Software Group\SpyHunter\Log folder moved successfully.
C:\Program Files\Enigma Software Group\SpyHunter folder moved successfully.
C:\Program Files\Enigma Software Group folder moved successfully.
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1593251271-2640304127-1825641215-96630\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HideSCAHealth deleted successfully.
Service esgiguard stopped successfully!
Service esgiguard deleted successfully!
File C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: CLEARC_SVC003_PL
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: wro01692
->Temp folder emptied: 139178345 bytes
->Temporary Internet Files folder emptied: 85421175 bytes
->Java cache emptied: 1525607 bytes
->Opera cache emptied: 89076221 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2309332 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 104389 bytes
RecycleBin emptied: 9914 bytes
Total Files Cleaned = 303,00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 04252013_095351
Files\Folders moved on Reboot...
File\Folder C:\Users\wro01692\AppData\Local\Temp\hsperfdata_wro01692\11188 not found!
C:\Users\wro01692\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RU9D2YW6\17213-ransomware-po-fińsku[1].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RU9D2YW6\fastbutton[1].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1DAEVOE\search[2].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L72XDCL3\xd_arbiter[1].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L72XDCL3\xd_arbiter[2].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K73K9L1T\fastbutton[3].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K73K9L1T\like[2].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K73K9L1T\xd_arbiter[3].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BK1T5EIE\calendar[1].htm moved successfully.
C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\36U91LL5\blank[4].htm moved successfully.
File move failed. C:\WINDOWS\temp\tm_icrcL_A606D985_38CA_41ab_BCD9_60F771CF800D scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
But at the same time the Adobe Flash Player update, which is what started all of this, appeared again, and I don't know whether it is Adobe's own or a fake updater:
How can I check that and, if it is fake, get rid of it?
Apart from that, Cisco AnyConnect no longer starts, which never happened before:
I'm continuing with the steps in the meantime.
The log from the second OTL run is attached.
Log from Farbar Service Scanner:
Farbar Service Scanner Version: 14-04-2013
Ran by wro01692 (administrator) on 25-04-2013 at 11:30:05
Running from "C:\Users\wro01692\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GNOMFQLM"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Attempt to access Google.com returned error: Google.com is offline
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Attempt to access Yahoo.com returned error: Yahoo.com is offline
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted".
The ServiceDll of wscsvc service is OK.
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=DWORD:1
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
Interesting, because according to it network access is impossible, yet the internet works, so maybe the point is that it cannot get through the proxy.
Log from SystemLook:
SystemLook 30.07.11 by jpshortstuff
Log created at 11:33 on 25/04/2013 by wro01692
(Limited User)
========== dir ==========
C:\$Recycle.Bin - Parameters: "/s"
---Files---
None found.
C:\$Recycle.Bin\S-1-5-21-1593251271-2640304127-1825641215-96630 d--hs-- [09:03 25/04/2013]
desktop.ini --ahs-- 129 bytes [09:03 25/04/2013] [09:03 25/04/2013]
========== reg ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects]
(No values found)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{003e0278-eca8-4bb8-a256-3689ca1c2600}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{3BF043EF-A974-49B3-8322-B853CF1E5EC5}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{566296fe-e0e8-475f-ba9c-a31ad31620b1}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{68ddbb56-9d1d-4fd9-89c5-c0da2a625392}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{7007ACCF-3202-11D1-AAD2-00805FC1270E}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{7849596a-48ea-486e-8937-a2a3009f31a9}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{900c0763-5cad-4a34-bc1f-40cd513679d5}]
(No values found)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{A1607060-5D4C-467a-B711-2B59A6F25957}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{AAA288BA-9A4C-45B0-95D7-94D524869DB5}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C51F0A6B-2A63-4cf4-8938-24404EAEF422}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{DA67B8AD-E81B-4c70-9B91-B417B5E33527}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{EF4D1E1A-1C87-4AA8-8934-E68E4367468D}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F08C5AC2-E722-4116-ADB7-CE41B527994B}]
@="Bluetooth Authentication Agent SSO"
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F20487CC-FC04-4B1E-863F-D9801796130B}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
"AutoStart"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{ff363bfe-4941-4179-a81c-f3f1ca72d820}]
@="HomeGroup SSO"
"AutoStart"=""
-= EOF =-
I would also like advice on how to guard against this police virus coming back (apart from not opening attachments, not visiting suspicious sites, etc.). Some patch? Blocking software? Trend Micro Office unfortunately protects against nothing.
OTL.Txt
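One way to re-check, from the defender's side, the items the Farbar Service Scanner log above flags (the service keys it reports as missing, the two disabling policy values, and the Winlogon Shell value that OTL removed) is the following added PowerShell script; it is not part of the original post nor of FSS or OTL. The service and value names come from the logs; that a service's ServiceDll lives under its Parameters subkey is assumed.

```powershell
# Added example (not from the post, FSS or OTL): re-check the service keys and
# policy values the FSS log flagged. Run in an elevated PowerShell on the machine.
$Services     = @('MpsSvc', 'BFE', 'WinDefend', 'SharedAccess', 'iphlpsvc', 'wscsvc')
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-ServiceKey {
    param([string]$Name)
    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path $key)) {
        # This is the condition FSS reports as "The service key does not exist."
        return [pscustomobject]@{ Service = $Name; Status = 'KEY MISSING'; Start = $null; ImagePath = $null; ServiceDll = $null }
    }
    $p   = Get-ItemProperty -Path $key
    $dll = $null
    if (Test-Path "$key\Parameters") {   # assumption: ServiceDll sits under Parameters
        $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    }
    [pscustomobject]@{ Service = $Name; Status = 'present'; Start = $p.Start; ImagePath = $p.ImagePath; ServiceDll = $dll }
}

$Services | ForEach-Object { Test-ServiceKey $_ } | Format-Table -AutoSize

# The two policy values shown in the log; EnableFirewall=0 and NoAutoUpdate=1 are the
# "disabled" settings. Unless a domain policy sets them on purpose, they should be absent.
$Policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate';   Bad = 1 }
)
foreach ($pol in $Policies) {
    $v = (Get-ItemProperty -Path $pol.Path -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
    if ($null -eq $v)          { "$($pol.Name): not set (OK)" }
    elseif ($v -eq $pol.Bad)   { "$($pol.Name)=$v : ATTENTION, same disabling value as in the log" }
    else                       { "$($pol.Name)=$v" }
}

# Winlogon Shell: OTL deleted the per-user value. The machine-wide value is normally
# explorer.exe; a per-user override is the setting that replaced the desktop earlier.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
"HKLM Winlogon Shell = $shell"
$userShell = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
if ($userShell) { "HKCU Winlogon Shell = $userShell (ATTENTION: per-user override present)" }
else            { "HKCU Winlogon Shell: not set (OK)" }
```

A service whose key is reported missing has to be restored from a known-good copy of the registry hive (or a backup), since the script only reports; it changes nothing.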