SafeGroup
help with logs - Printable version




help with logs - monco - 18.11.2012

I'd be grateful for some help :)

OTL: [link hidden]

Extras: [link hidden]

GMER: [link hidden]


Symptoms: files can't be copied, no printers or network connections show up in the list, and Windows windows aren't visible after being minimized to the taskbar.


Re: help with logs - Waves - 18.11.2012

Paste the following into OTL's Custom Scans/Fixes box:
Code:
:Processes
Killallprocesses

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\zfhsh5usr6i6u43t2q3awhrejaew81.exe -- (zfhsh5usr6i6u43t2q3awhrejaew80)
SRV - File not found [Auto | Stopped] -- C:\Program Files\sys\sys.dll -- (sys)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\sopidkc.exe -- (sopidkc)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\msncache.dll -- (msncache)
IE - HKCU\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm490YYPL&fl=0&ptb=rIrI.LBLdePeaomjOF1gYQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm490YYPL&fl=0&ptb=rIrI.LBLdePeaomjOF1gYQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}

O2 - BHO: (QXK Olive) - {83EB5BB1-B24D-41FB-8D66-7F570E5BFA80} - C:\WINDOWS\gfetqaxsmnw.dll File not found
O2 - BHO: (Reg Error: Value error.) - {8f6ced3a-721e-4b79-8c71-0fe68eec613c} - C:\WINDOWS\system32\bcevgo.dll File not found
O20 - AppInit_DLLs: (C c:\progra~1\Manson\liser.dll) -File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\bujokatu.dll) -File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe) -File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe) -File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1457\system.exe) -File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) -File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-4854517753-7932706285-670339032-6724\winmap32.exe) -File not found
O20 - Winlogon\Notify\ljJAQHyW: DllName - (ljJAQHyW.dll) -File not found
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\qoMeDWpP) -File not found
O33 - MountPoints2\{06b92adf-3367-11dc-864d-0019db76b349}\Shell\AutoRun\command - "" = 9.cmd
O33 - MountPoints2\{06b92adf-3367-11dc-864d-0019db76b349}\Shell\explore\Command - "" = 9.cmd
O33 - MountPoints2\{06b92adf-3367-11dc-864d-0019db76b349}\Shell\open\Command - "" = 9.cmd
O33 - MountPoints2\{0cfdea2a-cc91-11e0-8c7d-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{0cfdea2a-cc91-11e0-8c7d-0019db76b349}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{0cfdea2c-cc91-11e0-8c7d-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{0cfdea2c-cc91-11e0-8c7d-0019db76b349}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{0cfdea2f-cc91-11e0-8c7d-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{0cfdea2f-cc91-11e0-8c7d-0019db76b349}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{199d859a-38d2-11e0-8be4-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{199d859a-38d2-11e0-8be4-0019db76b349}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{469e8c1b-df0a-11de-8a4d-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{469e8c1b-df0a-11de-8a4d-0019db76b349}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{47d349f0-edf6-11dd-88fb-d69c11072ea0}\Shell\AutoRun\command - "" = d9c.bat
O33 - MountPoints2\{47d349f0-edf6-11dd-88fb-d69c11072ea0}\Shell\open\Command - "" = d9c.bat
O33 - MountPoints2\{4d2b7e20-0a58-11df-8a7d-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{4d2b7e20-0a58-11df-8a7d-0019db76b349}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{545403e6-5e18-11e1-8d2b-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{545403e6-5e18-11e1-8d2b-0019db76b349}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{73f8887e-44c4-11dc-8663-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{73f8887e-44c4-11dc-8663-0019db76b349}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{7666c83e-0a59-11df-8a7e-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{7666c83e-0a59-11df-8a7e-0019db76b349}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{7bf9d90b-b304-11de-8a1a-0019db76b349}\Shell\AutoRun\command - "" = I:\9.cmd
O33 - MountPoints2\{7bf9d90b-b304-11de-8a1a-0019db76b349}\Shell\explore\Command - "" = I:\9.cmd
O33 - MountPoints2\{7bf9d90b-b304-11de-8a1a-0019db76b349}\Shell\open\Command - "" = I:\9.cmd
O33 - MountPoints2\{8fcda50f-160f-11df-8a86-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{8fcda50f-160f-11df-8a86-0019db76b349}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{ac783244-552d-11e0-8c00-0019db76b349}\Shell - "" = AutoRun
O33 - MountPoints2\{ac783244-552d-11e0-8c00-0019db76b349}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{caa404db-323c-11dd-87ec-0019db76b349}\Shell\AutoRun\command - "" = I:\pkkwng.exe
O33 - MountPoints2\{caa404db-323c-11dd-87ec-0019db76b349}\Shell\open\Command - "" = I:\pkkwng.exe
@Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:683E787C
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:A1454082

:Commands
[EMPTYTEMP]
[EMPTYFLASH]


Run the script. Post a fresh log after the removal, plus the removal log.

After that, scan the computer with MBAM and clean up the file system and registry.
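A small triage helper for OTL logs, added here as an example (not from the thread, and not part of OTL): it runs the same kinds of checks Waves' script encodes (orphaned services, a Winlogon Shell hijack, a non-default LSA authentication package, MountPoints2 autorun handlers, alternate data streams) over constructed sample lines and reports what a responder should look at before writing a fix script. The rules and the sample lines are assumptions modelled on this thread, not an official OTL parser.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample OTL lines, modelled on the entries this thread's script removes.
SAMPLE_LOG = r"""SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\sopidkc.exe -- (sopidkc)
O4 - HKLM..\Run: [Updater] C:\Program Files\Vendor\updater.exe (Vendor Inc.)
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe) -File not found
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\qoMeDWpP) -File not found
O33 - MountPoints2\{0cfdea2a-cc91-11e0-8c7d-0019db76b349}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{0cfdea2a-cc91-11e0-8c7d-0019db76b349}\Shell - "" = AutoRun
@Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:683E787C
"""

O20_SHELL = re.compile(r"^O20 - .*Winlogon: Shell - \((.+?)\) -")
O30_LSA = re.compile(r"^O30 - LSA: Authentication Packages - \((.+?)\)")
O33_CMD = re.compile(r'^O33 - MountPoints2\\\{[0-9a-fA-F-]+\}\\Shell\\\w+\\[Cc]ommand - "" = (.+)$')


def classify(line: str) -> Optional[str]:
    """Return a triage reason for one OTL line, or None if the line is unremarkable."""
    # Service/driver still registered but its binary is gone: leftover persistence.
    if re.match(r"^(SRV|DRV) - File not found", line):
        return "orphaned service/driver registration"
    # Winlogon Shell should resolve to explorer.exe; anything else replaces the desktop.
    m = O20_SHELL.match(line)
    if m and not m.group(1).lower().endswith("explorer.exe"):
        return "Winlogon Shell hijack: " + m.group(1)
    # The default LSA authentication package is msv1_0; a foreign one sees every logon.
    m = O30_LSA.match(line)
    if m and "msv1_0" not in m.group(1).lower():
        return "non-default LSA authentication package: " + m.group(1)
    # MountPoints2 verb commands re-run a removable drive's autorun payload on double-click.
    m = O33_CMD.match(line)
    if m:
        return "removable-drive autorun handler: " + m.group(1)
    # Alternate data streams on temp files hide content from a plain directory listing.
    if line.startswith("@Alternate Data Stream"):
        return "alternate data stream: " + line.split("-> ", 1)[-1]
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan an OTL log and return (line, reason) pairs for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append((line, reason))
    return findings
```

Feed it a real OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace").read())` and the result is the shortlist to verify by hand before anything goes into a fix script.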


Re: help with logs - monco - 18.11.2012

I got instructions from another user - I pasted the following into OTL and removed mks_vir_online:

:OTL

SRV - File not found [Auto | Stopped]-- C:\WINDOWS\zfhsh5usr6i6u43t2q3awhrejaew81.exe -- (zfhsh5usr6i6u43t2q3awhrejaew80)
SRV - File not found [Auto | Stopped]-- C:\Program Files\sys\sys.dll -- (sys)
SRV - File not found [Auto | Stopped]-- C:\WINDOWS\system32\sopidkc.exe -- (sopidkc)
SRV - File not found [Auto | Stopped]-- C:\WINDOWS\system32\msncache.dll -- (msncache)
DRV - File not found [Kernel | On_Demand | Stopped]-- C:\WINDOWS\system32\PCAMPR5.SYS -- (PCAMPR5)
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [link hidden]{searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = [link hidden] ... searchfor={searchTerms}
IE - HKCU\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [link hidden]{searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = [link hidden] ... searchfor={searchTerms}
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\TEST\Ustawienia lokalne\Dane aplikacji\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\TEST\Ustawienia lokalne\Dane aplikacji\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
O2 - BHO: (Reg Error: Value error.) - {39D67F39-6F48-438A-80A2-F86FE363C215} - C:\WINDOWS\system32\ljJAQHyW.dll File not found
O2 - BHO: (Reg Error: Value error.) - {47baef63-3597-432b-b967-51202bdfe651} - C:\WINDOWS\system32\hapowoko.dll File not found
O2 - BHO: (Reg Error: Value error.) - {6E26DBE1-F022-4E7D-A2DF-A5B183611C51} - C:\WINDOWS\system32\qoMeDWpP.dll File not found
O2 - BHO: (QXK Olive) - {83EB5BB1-B24D-41FB-8D66-7F570E5BFA80} - C:\WINDOWS\gfetqaxsmnw.dll File not found
O2 - BHO: (Reg Error: Value error.) - {8f6ced3a-721e-4b79-8c71-0fe68eec613c} - C:\WINDOWS\system32\bcevgo.dll File not found
O2 - BHO: (Rmn plugin) - {ABADC07C-9990-405a-AA24-2C209B50AE79} - svchstb.dll File not found
O3 - HKLM\..\Toolbar: (gxvpsafm) - {7D1DDA59-1111-444F-95B3-2B3B9264BB4E} - C:\WINDOWS\gxvpsafm.dll File not found
O4 - HKLM..\Run: [RunTasktray]"C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM File not found
O4 - HKLM..\Run: [Salestart]"C:\Program Files\Common Files\OczyszczaczKomputerza\stm.exe" dm=http://oczyszczaczkomputerza.com ad=http://oczyszczaczkomputerza.com sd=http://paistutta.oczyszczaczkomputerza.com File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Lsass Service = C:\Documents and Settings\TEST\Dane aplikacji\Microsoft\Windows\lsass.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: explorer = C:\Documents and Settings\TEST\Dane aplikacji\Microsoft\Windows\iexplorer.exe
O15 - HKLM\..Trusted Domains: hp.com ([] http in Trusted sites)
O15 - HKLM\..Trusted Domains: hp.com ([] https in Trusted sites)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} [link hidden] ... 0.15-3.cab (Reg Error: Key error.)
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} [link hidden] (OggX Control)
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} [link hidden] (MainControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [link hidden] ... 7726815281 (WUWebControl Class)
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} [link hidden] (MksSkanerOnline Class)
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} [link hidden] ... 03-win.cab (Java Plug-in 1.4.0_03)
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe) - File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1457\system.exe) - File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) - File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-4854517753-7932706285-670339032-6724\winmap32.exe) - File not found
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe) - File not found
O20 - Winlogon\Notify\ljJAQHyW: DllName - (ljJAQHyW.dll) - File not found
O28 - HKLM ShellExecuteHooks: {39D67F39-6F48-438A-80A2-F86FE363C215} - C:\WINDOWS\system32\ljJAQHyW.dll File not found
O28 - HKLM ShellExecuteHooks: {9b3be9fb-25ca-4911-9339-ee67f76d720b} - C:\WINDOWS\system32\bcevgo.dll File not found
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\qoMeDWpP) - File not found
[2012-11-15 08:23:37 | 000,040,776 | ---- | C](Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012-11-15 08:23:37 | 000,000,000 | ---D | C]-- C:\Documents and Settings\TEST\Dane aplikacji\Malwarebytes
[2012-11-15 08:23:15 | 000,000,000 | ---D | C]-- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
@Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:683E787C
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:A1454082

:Files
C:\WINDOWS\tasks\*.*
C:\Documents and Settings\TEST\Ustawienia lokalne\Dane aplikacji\Google\Update

:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

:Commands
[clearallrestorepoints]
[emptytemp]

After all that I have these logs:

OTL after running the script: [link hidden]

OTL: [link hidden]

AdwCleaner: [link hidden]

Should I still run your log and send the result??


Re: help with logs - Waves - 18.11.2012

No. Let that other user finish :)


Re: help with logs - monco - 18.11.2012

ok, thanks :)