SafeGroup

Full version: OTL check after infection!
Symptoms of infection:
Recently I had quite a lot of trouble with the computer; it was lagging and I'm sure something is still there

Actions taken:
MBAM, ComboFix, RKill, Hitman Pro, JRT, CureIt!, AVG 2014

Logs:
OTL: [link visible to registered users only]

Extras: [link visible to registered users only]

Next time don't use ComboFix on your own.
Also produce FRST logs.
FRST: [link visible to registered users only]

Addition: [link visible to registered users only]

And what was ComboFix used for?


Paste into Notepad and save as fixlist.txt

Code:
HKLM-x32\...\Winlogon: [Shell] explorer.exe [ ] ()
HKU\.DEFAULT\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\.DEFAULT\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\.DEFAULT\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\.DEFAULT\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoFile] 0
HKU\.DEFAULT\...\Policies\Explorer: [HideClock] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoSetFolders] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoDFSTab] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoLogoff] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoResolveSearch] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoSaveSettings] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoHardwareTab] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-19\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-19\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-19\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-19\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-19\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-20\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-20\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-20\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-20\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-20\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_search_url = http://home.microsoft.com/search/search.asp
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = aboutblank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =http://home.microsoft.com/search/search.asp
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = aboutblank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search bar = http://home.microsoft.com/search/lobby/search.asp
SearchScopes: HKCU - ${searchCLSID} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
Toolbar: HKLM-x32 - No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U0 SR;
U2 srservice;
C:\Windows\ERUNT
C:\Windows\erdnt
C:\Users\GrzegorzPL\Doctor Web
C:\ProgramData\Doctor Web
C:\Qoobox
C:\Windows\system32\Drivers\etc\hosts_SREBACK_20140203113450
C:\Users\GrzegorzPL\AppData\Roaming\TuneUp Software
C:\Users\GrzegorzPL\AppData\Roaming\Wise Care 365
C:\Users\GrzegorzPL\AppData\Local\{93F12E73-5AED-46C1-AE84-4E311A4255D1}
C:\ProgramData\5df72cd5fbdb4180
C:\Users\GrzegorzPL\AppData\Local\Privatefirewall
C:\ProgramData\InstallMate
C:\Users\GrzegorzPL\AppData\Roaming\PhrozenSoft
C:\ProgramData\FileSplitUpLoad.dll
C:\ProgramData\Privacyware
Task: {2B5E2FC8-C141-43FD-A855-0756120FFE92} - System32\Tasks\JetCleanLoginCheckUpdate => C:\Program Files (x86)\BlueSprig\JetClean\AutoUpdate.exe [2013-05-14] (BlueSprig)
Task: {4BCD88FC-7A2A-409D-8DC8-403E9EB319F3} - System32\Tasks\SlimCleaner Run => C:\Program Files (x86)\SlimCleaner\SlimCleaner.exe [2013-07-10] (SlimWare Utilities, Inc.)
Task: {B5243002-900B-43D0-B42A-41D5CFA15598} - System32\Tasks\ASC7_SkipUac_GrzegorzPL => C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASC.exe [2013-12-10] (IObit)
AlternateDataStreams: C:\bootmgr:{A2D8EDF8-5645-4215-BA47-8B9F6CBDB86B}
AlternateDataStreams: C:\System Volume Information:{46604D88-21D1-4477-95B7-751DACD76A5B}
AlternateDataStreams: C:\ProgramData\TEMP:905844AA
AlternateDataStreams: C:\Users\GrzegorzPL\Downloads:Shareaza.GUID
AlternateDataStreams: C:\Users\GrzegorzPL\Downloads\HostsXpert:Shareaza.GUID
AlternateDataStreams: C:\Users\GrzegorzPL\Downloads\Kaspersky Internet Security 2014 14.0.0.5448d Final+Trail Reset:Shareaza.GUID
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"


Place the saved script next to the downloaded FRST program.
Then click Fix in the program; when it finishes, show the report from that run.

FRST notes:
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION

In the Google Chrome address bar type chrome://settings/, then at the bottom click Show advanced settings, scroll down to the very bottom again and click Reset browser settings.
We'll see whether it helps.

Uninstall:

NoVirusThanks Malware Remover Free - if you don't need it
GeekBuddy
HiJackThis
Surfing Protection
XP TCP/IP Repair 2.2
Revo Uninstaller 1.95 I would also do without

Download the program

[link visible to registered users only]

Run it, click Change parameters, tick everything, click OK and then Start Scan.
When it finishes, present the scan report, but don't add anything to quarantine and don't delete anything.

Paste the SecurityCheck report onto the page

[link visible to registered users only]

Run it, press any key, and wait until the program finishes.
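A large part of the fixlist above does nothing but set Explorer and system policy restrictions (NoFolderOptions, DisableCMD, NoControlPanel and so on) back to 0 in the .DEFAULT, S-1-5-19 and S-1-5-20 hives, where such restrictions have no legitimate reason to be set. The script below is an added example, not part of this thread and not FRST's own code: it audits those same value names across HKLM and every loaded HKEY_USERS hive and lists the ones that are currently non-zero, so you can see what is locked down before running a fix. The value names are taken from the fixlist; DisableTaskMgr and DisableRegistryTools are two extra, commonly abused companions added here. It assumes Windows PowerShell 5.1 or later in an elevated session, and it changes nothing unless you explicitly pipe findings into Reset-PolicyRestriction.

```powershell
# Added example, not from the SafeGroup thread and not FRST's own code.
# Audits the Explorer/system policy restrictions that the fixlist resets to 0,
# across HKLM and every loaded HKEY_USERS hive (.DEFAULT, S-1-5-19, S-1-5-20
# and the logged-on users), and lists those that are currently non-zero.
# Assumes Windows PowerShell 5.1+ in an elevated session. Read-only unless
# findings are explicitly piped into Reset-PolicyRestriction.

$ExplorerNames = @(                      # names taken from the fixlist
    'DisableLocalMachineRun', 'DisableLocalMachineRunOnce',
    'DisableCurrentUserRun', 'DisableCurrentUserRunOnce',
    'NoFolderOptions', 'NoViewOnDrive', 'NoControlPanel', 'NoViewContextMenu',
    'NoShellSearchButton', 'NoFind', 'NoFile', 'HideClock', 'NoTrayContextMenu',
    'NoTrayItemsDisplay', 'NoSetFolders', 'NoDevMgrUpdate', 'NoSetTaskbar',
    'NoDeletePrinter', 'NoDFSTab', 'NoChangeStartMenu', 'NoLogoff',
    'NoWindowsUpdate', 'NoEncryptOnMove', 'NoRunasInstallPrompt',
    'NoResolveSearch', 'NoSaveSettings', 'NoHardwareTab', 'NoStartMenuSubFolders'
)
$SystemNames = @(                        # first four from the fixlist, last two added
    'DisableCMD', 'NoDispAppearancePage', 'NoDispBackgroundPage',
    'NoDispSettingsPage', 'DisableTaskMgr', 'DisableRegistryTools'
)
$PolicyBase = 'Software\Microsoft\Windows\CurrentVersion\Policies'

function Get-PolicyHiveRoots {
    # HKLM plus every hive currently loaded under HKEY_USERS (skip *_Classes).
    $roots = @('HKLM:')
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" }
    return $roots
}

function Get-PolicyRestriction {
    # Emits one object per restriction value that is present and non-zero.
    [CmdletBinding()]
    param([string[]] $Roots = (Get-PolicyHiveRoots))

    $checks = @(
        @{ SubKey = "$PolicyBase\Explorer"; Names = $ExplorerNames },
        @{ SubKey = "$PolicyBase\System";   Names = $SystemNames }
    )
    foreach ($root in $Roots) {
        foreach ($check in $checks) {
            $key = Join-Path -Path $root -ChildPath $check.SubKey
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            foreach ($name in $check.Names) {
                $value = $props.$name        # $null when the value is absent
                if ($null -ne $value -and $value -ne 0) {
                    [PSCustomObject]@{ Key = $key; Name = $name; Value = $value }
                }
            }
        }
    }
}

function Reset-PolicyRestriction {
    # Sets a reported value back to 0, as the fixlist does; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] [PSCustomObject] $Finding)
    process {
        if ($PSCmdlet.ShouldProcess("$($Finding.Key)\$($Finding.Name)", 'Set to 0')) {
            Set-ItemProperty -Path $Finding.Key -Name $Finding.Name -Value 0 -Type DWord
        }
    }
}

# Usage: audit first, decide, then dry-run the reset with -WhatIf before doing it.
$findings = @(Get-PolicyRestriction)
if ($findings.Count -eq 0) {
    'No non-zero Explorer/system policy restrictions found.'
} else {
    $findings | Format-Table -AutoSize
    # $findings | Reset-PolicyRestriction -WhatIf
}
```

The audit deliberately reports rather than fixes: a non-zero value under a logged-on user's hive may be a deliberate domain or parental policy, whereas anything set under .DEFAULT, S-1-5-19 or S-1-5-20 is worth treating as suspicious, which is exactly why the fixlist zeroes those hives wholesale.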