.exe - Bad Image
#1
Symptoms of infection:
Program c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll is either not designed to run
on Windows or it contains an error.

Actions taken:
After a scan with Malwarebytes Anti-Malware, it found 98 viruses, which I removed. Since then this error keeps popping up.

Logs:
OTL

[To see the links, register here]

RSIT

[To see the links, register here]

#2
Uninstall:

AVG SafeGuard toolbar
BrowserDefender
Delta Chrome Toolbar
Mozilla Maintenance Service
Qtrax Player
Qtrax Connection Manager
Pokki

"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83217021FF}" = Java 7 Update 21

In Safe Mode, from the same account, paste the following script into OTL's custom scans/fixes box and run it:

Code:
:OTL
PRC - [2013-06-06 03:02:22 | 007,519,512 | ---- | M] (Pokki) -- C:\Users\Natalia\AppData\Local\Pokki\Engine\pokki.exe
DRV - File not found [Kernel | On_Demand | Unknown] ---- (ag3x40ig)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2102507
IE - HKLM\..\SearchScopes\{F310F2F6-35C7-4C09-9353-C8C908AAE321}: "URL" = http://www.tangosearch.com/?q={searchTerms}&a=SEARCH
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www.delta-search.com/?affID=119357&babsrc=HP_ss&mntrId=727300225F22994C
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=pl&l=pl&s=pad
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.orange.pl
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=119357&babsrc=HP_ss_din2g&mntrId=727300225F22994C
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - No CLSID value found
IE - HKCU\..\URLSearchHook: {2c965f3f-8efd-4bfc-a2c5-1672845fdbbf} - No CLSID value found
IE - HKCU\..\URLSearchHook: {c86eb8a9-ccc2-4b6c-b75d-73576ed591bf} - No CLSID value found
IE - HKCU\..\SearchScopes,bProtectorDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=121845&babsrc=SP_ss_sps&mntrId=727300225F22994C
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_pl
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://mysearch.avg.com/search?cid={FAEBBAFD-6C0E-4F86-99C5-2A61CB81C62E}&mid=cd3e516bce6e47d39961d16836625d9f-8ff78a57813f589d26829972772aab7a3193fc02&lang=en&ds=co011&pr=sa&d=2013-06-18 22:14:59&v=15.2.0.5&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2102507
IE - HKCU\..\SearchScopes\{BFF1657A-1265-4EF6-B531-1EEF82C61A8C}: "URL" = http://searchou.com/?q={searchTerms}&id=72734f2300000000000000225f22994c&affilt=5&r=239
IE - HKCU\..\SearchScopes\{F310F2F6-35C7-4C09-9353-C8C908AAE321}: "URL" = http://www.tangosearch.com/?q={searchTerms}&a=SEARCH
FF - prefs.js..browser.search.order.1: "Delta Search"
FF - prefs.js..browser.search.selectedEngine: "Delta Search"
FF - prefs.js..browser.startup.homepage: "http://www1.delta-search.com/?babsrc=HP_ss&mntrId=727300234EA290C7&affID=119357&tsp=4971"
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Natalia\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Natalia\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
O2 - BHO: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\15.5.0.2\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {09EC805C-CB2E-4D53-B0D3-A75A428B81C7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2C965F3F-8EFD-4BFC-A2C5-1672845FDBBF} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG SafeGuard toolbar\vprot.exe ()
O4 - HKCU..\Run: [GoD] "C:\Users\Natalia\Documents\GoD\iGoD.exe" File not found
O4 - HKCU..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe File not found
O4 - HKCU..\Run: [Pokki] C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband File not found
O4 - HKCU..\Run: [QtraxNotification] C:\Users\Natalia\Qtrax\Player\Notification.exe ()
O4 - HKCU..\Run: [rioom] C:\Users\Natalia\rioom.exe File not found
O4 - HKCU..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" File not found
O4 - Startup: C:\Users\Natalia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A2BF58.lnk =File not found
O8 - Extra context menu item: Funkcja Google Sidewiki - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O12 - Plugin for: .pca - \Plugins\nppcaplg.dll File not found
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll) - c:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.dll ()
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:4EE74317

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

:Files
C:\Windows\tasks\*.*
C:\Users\Natalia\AppData\Roaming\mozilla\firefox\profiles\kz5y8ii0.default\searchplugins\babylon.xml
C:\Users\Natalia\AppData\Roaming\mozilla\firefox\profiles\kz5y8ii0.default\searchplugins\BrowserDefender.xml
C:\Users\Natalia\AppData\Roaming\mozilla\firefox\profiles\kz5y8ii0.default\searchplugins\delta.xml
C:\Users\Natalia\AppData\Roaming\mozilla\firefox\profiles\kz5y8ii0.default\searchplugins\privitize.xml
C:\Windows\System32\custmon32i.dll
C:\Windows\System32\F8021022C5.sys

:Commands
[EMPTYTEMP]


Download the program

[To see the links, register here]

and run AdwCleaner with the Delete option.

Google Chrome

Open Google Chrome, click the icon in the top right corner, go to Settings and choose "Manage search engines". Change the search engine to Google or another one and remove Delta Search from the list. Then go to the "On startup" tab and make sure you see a blank page when you open a new tab.

Update

[To see the links, register here]

to the latest version.

Download the program

[To see the links, register here]

click Scan and post its report.

Then run OTL again and click Scan. Post the new log and the report from the OTL fix, as well as the AdwCleaner report.

Download

[To see the links, register here]


Run it, click File > Save and save the file as AutoRuns.arn, upload the file to some file host, e.g. here

[To see the links, register here]

and post it on the forum.
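The O20 line in the script above is the direct cause of the error reported in post #1: AppInit_DLLs names a BrowserDefender DLL that Windows loads into every process that links user32.dll, and once the antivirus damaged or removed that file, every newly started program throws the "Bad Image" dialog with the 8.3 short path. The following PowerShell is an added example, not part of the original thread and not OTL's code. It audits that key and removes a single entry. It assumes a Windows 7-era machine (the thread shows C:\Users and C:\ProgramData paths) and an elevated prompt for the removal step; the `-Match` substring and the backup file location are illustrative choices.

```powershell
# Added example, not from the original thread. Audits the AppInit_DLLs injection
# point that the O20 line of the OTL script removes. Reading works from any
# prompt; Remove-AppInitDllEntry writes HKLM and needs elevation.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # Separate 32-bit view, present only on 64-bit Windows; adware often lands here too.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # The value is one string; entries are separated by spaces or commas and are
        # frequently written as 8.3 short names (c:\progra~2\browse~1\...).
        $entries = ([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ }
        foreach ($entry in $entries) {
            $path   = [System.Environment]::ExpandEnvironmentVariables($entry)
            $exists = Test-Path -LiteralPath $path
            # Short names resolve to the long path as long as the file still exists
            $resolved = if ($exists) { (Get-Item -LiteralPath $path).FullName } else { $null }
            $sig      = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key           = $key
                Entry         = $entry
                ResolvedPath  = $resolved
                Signature     = $sig                              # Valid / NotSigned / HashMismatch / FileMissing
                LoadAppInit   = $props.LoadAppInit_DLLs           # 1 = injection enabled
                RequireSigned = $props.RequireSignedAppInit_DLLs  # 1 = unsigned DLLs are refused
            }
        }
    }
}

function Remove-AppInitDllEntry {
    param([Parameter(Mandatory = $true)][string]$Match)   # substring of the entry to drop, e.g. 'browse~1'
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $raw = [string](Get-ItemProperty -Path $key).AppInit_DLLs
        if (-not $raw) { continue }
        # Write the original value to a timestamped file in %TEMP% before touching it
        $backup = Join-Path -Path $env:TEMP -ChildPath ("AppInit_DLLs_{0}.txt" -f (Get-Date -Format 'yyyyMMdd_HHmmss'))
        Add-Content -Path $backup -Value "$key`t$raw"
        $keep = @($raw -split '[ ,]+' | Where-Object { $_ -and ($_ -notlike "*$Match*") })
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ($keep -join ' ')
        if ($keep.Count -eq 0) {
            # Nothing left to inject: turn the master switch off as well
            Set-ItemProperty -Path $key -Name LoadAppInit_DLLs -Value 0 -Type DWord
        }
    }
}

# Usage: list first, then remove the orphaned BrowserDefender entry from post #1
Get-AppInitDllAudit | Format-List
# Remove-AppInitDllEntry -Match 'browse~1'
```

Anything reported as FileMissing or HashMismatch is the kind of entry that produces the "Bad Image" dialog; a Valid signature from a vendor you recognise (some printer and accessibility tools legitimately use this key) is the case to leave alone. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is ignored entirely, which is why this class of persistence is mostly a Windows 7 and older problem.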
#3
AdwCleaner

[To see the links, register here]


OTL

[To see the links, register here]


Autoruns

[To see the links, register here]



Java can't be installed. An error pops up.

Qtrax won't uninstall.
#4
Paste the following script into OTL's custom scans/fixes box and run it:

Code:
:Files
C:\Windows\System32\custmon32i.dll
C:\Users\Natalia\AppData\Roaming\wklnhst.dat
C:\ProgramData\ezsidmv.dat
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2147441048-2333071477-3264449991-1000UA.job
C:\Windows\tasks\Adobe Flash Player Updater.job
C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2147441048-2333071477-3264449991-1000UA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2147441048-2333071477-3264449991-1000Core1ce41b2b60eabb9.job
C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-2147441048-2333071477-3264449991-1000Core.job

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] ---- (a864i5w1)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {6D238CC4-FDCE-42E4-A97C-C739498E814A} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C86EB8A9-CCC2-4B6C-B75D-73576ED591BF} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O33 - MountPoints2\{14378e54-0c57-11e0-bd8e-806e6f6e6963}\Shell\AutoRun\command - "" = F:\EXPLORER.EXE
O33 - MountPoints2\{14378e54-0c57-11e0-bd8e-806e6f6e6963}\Shell\explore\Command - "" = F:\EXPLORER.EXE
O33 - MountPoints2\{14378e54-0c57-11e0-bd8e-806e6f6e6963}\Shell\open\Command - "" = F:\EXPLORER.EXE
O33 - MountPoints2\{21d0dc98-ffeb-11e0-912c-00225f22994c}\Shell - "" = AutoRun
O33 - MountPoints2\{21d0dc98-ffeb-11e0-912c-00225f22994c}\Shell\AutoRun\command - "" = F:\USBAutoRun.exe
O33 - MountPoints2\{516a0639-c880-11df-afae-002219db5fb5}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\HaihAep.exE
O33 - MountPoints2\{6460c2a4-d083-11df-b416-002219db5fb5}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\YoayO.eXe
O33 - MountPoints2\{6460c2aa-d083-11df-b416-002219db5fb5}\Shell\AutoRun\command - "" = H:\EXPLORER.EXE
O33 - MountPoints2\{6460c2aa-d083-11df-b416-002219db5fb5}\Shell\explore\Command - "" = H:\EXPLORER.EXE
O33 - MountPoints2\{6460c2aa-d083-11df-b416-002219db5fb5}\Shell\open\Command - "" = H:\EXPLORER.EXE
O33 - MountPoints2\{70c91ef2-acdf-11dd-b29f-00225f22994c}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\rIOom.eXe
O33 - MountPoints2\{8cb34d06-c5ec-11de-be88-00225f22994c}\Shell\AutoRun\command - "" = F:\hjvjte.exe
O33 - MountPoints2\{8cb34d06-c5ec-11de-be88-00225f22994c}\Shell\open\Command - "" = F:\hjvjte.exe
O33 - MountPoints2\{8cb34d0c-c5ec-11de-be88-00225f22994c}\Shell\AutoRun\command - "" = G:\hjvjte.exe
O33 - MountPoints2\{8cb34d0c-c5ec-11de-be88-00225f22994c}\Shell\open\Command - "" = G:\hjvjte.exe
O33 - MountPoints2\{8cb34d65-c5ec-11de-be88-00225f22994c}\Shell\AutoRun\command - "" = F:\nqdymj.exe
O33 - MountPoints2\{8cb34d65-c5ec-11de-be88-00225f22994c}\Shell\open\Command - "" = F:\nqdymj.exe
O33 - MountPoints2\{8cb8bf90-b064-11df-9b02-002219db5fb5}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\rIOoM.exe
O33 - MountPoints2\{c3996bca-d854-11e2-9c78-00225f22994c}\Shell - "" = AutoRun
O33 - MountPoints2\{c3996bca-d854-11e2-9c78-00225f22994c}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- [2008-10-24 01:58:06 | 000,703,552 | R--- | M] (Electronic Arts Inc.)
O33 - MountPoints2\{e03156a2-c0c5-11df-9337-002219db5fb5}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\FUEfUe.EXE
O33 - MountPoints2\{e03156ad-c0c5-11df-9337-002219db5fb5}\Shell\AutoRun\command - "" = F:\RECYCLER\S-51-9-28-3434476501-1644491937-601003330-1213\DegCs.exe
O33 - MountPoints2\{e03156ad-c0c5-11df-9337-002219db5fb5}\Shell\open\command - "" = F:\RECYCLER\S-51-9-28-3434476501-1644491937-601003330-1213\DegCs.exe
O33 - MountPoints2\{e916b1a5-aca3-11dd-929c-00225f22994c}\Shell - "" = AutoRun
O33 - MountPoints2\{e916b1a5-aca3-11dd-929c-00225f22994c}\Shell\AutoRun\command - "" = F:\AutoRunCardDetector.exe
O33 - MountPoints2\{e916b1ac-aca3-11dd-929c-00225f22994c}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\rIOom.eXe
O8 - Extra context menu item: Wyślij obraz do urządzenia &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Wyślij stronę do urządzenia &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra ''Tools'' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[EMPTYTEMP]


Post the report from the fix.
#5
OTL

[To see the links, register here]

#6
It's clear you had infected removable devices plugged in.
You didn't post the TDSSKiller report; do a new scan in OTL.
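The O33 MountPoints2 lines in post #4 are what post #6 is pointing at: Explorer caches the shell verbs (AutoRun, open, explore) from the autorun.inf of every volume that has ever been plugged in, so commands such as `RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\rIOom.eXe` and `F:\RECYCLER\S-51-9-28-...\DegCs.exe` are the footprint of USB worms on sticks that were connected to this account, and the `HKCU..\Run: [rioom] C:\Users\Natalia\rioom.exe` entry in post #2 is the same name after it copied itself to the hard disk. The PowerShell below is an added example, not from the thread and not OTL's code: it enumerates those cached verbs, flags the typical patterns with a heuristic of my own, checks the AutoRun policy, and reproduces the two cleanup steps the scripts perform. It assumes Windows 7 or later, is run in the affected user's session, and `Disable-AutoRun` needs an elevated prompt because it writes HKLM.

```powershell
# Added example, not from the original thread. Lists the per-user MountPoints2
# cache that the O33 lines in the OTL script describe and checks the AutoRun
# policy. Run in the infected user's session; Disable-AutoRun needs elevation.

$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Test-SuspiciousAutoRunCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Heuristic (my assumption, not an exhaustive list): USB worms hide in the
    # RECYCLER folder, launch through rundll32 ShellExec_RunDLL to dodge naive
    # autorun filters, or run an .exe straight from the root of a non-system drive.
    return [bool]($Command -match 'RECYCLER\\|ShellExec_RunDLL' -or
                  $Command -match '^[D-Z]:\\[^\\]+\.exe(\s|$)')
}

function Get-MountPointAutoRuns {
    if (-not (Test-Path -Path $MountPoints2)) { return }
    foreach ($volume in Get-ChildItem -Path $MountPoints2) {
        $shellKey = $volume.PSPath + '\Shell'
        if (-not (Test-Path -Path $shellKey)) { continue }
        # Shell's own default value names the verb Explorer runs on double-click (e.g. "AutoRun")
        $defaultVerb = (Get-ItemProperty -Path $shellKey).'(default)'
        foreach ($verb in Get-ChildItem -Path $shellKey) {
            $cmdKey = $verb.PSPath + '\command'
            if (-not (Test-Path -Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            [pscustomobject]@{
                Volume      = $volume.PSChildName   # {GUID} of the volume, as in the O33 lines
                DefaultVerb = $defaultVerb
                Verb        = $verb.PSChildName     # AutoRun / open / explore
                Command     = $cmd
                Suspicious  = Test-SuspiciousAutoRunCommand -Command $cmd
            }
        }
    }
}

function Get-AutoRunPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive               = $hive
            NoDriveTypeAutoRun = $value
            # 0xFF disables AutoRun for every drive type; the Windows default 0x91
            # still honours autorun.inf on fixed and removable drives
            AllDrivesDisabled  = ($value -eq 0xFF)
        }
    }
}

function Disable-AutoRun {
    # Machine-wide policy: 0xFF = no AutoRun on any drive type. Needs elevation.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Clear-MountPointCache {
    # Same effect as the [-HKCU\...\MountPoints2] line in the :Reg section of the
    # OTL script: Explorer rebuilds the key from scratch as volumes are mounted.
    if (Test-Path -Path $MountPoints2) { Remove-Item -Path $MountPoints2 -Recurse -Force }
}

# Usage: review first, then clear the cache and lock down AutoRun
Get-MountPointAutoRuns | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-AutoRunPolicy
# Clear-MountPointCache
# Disable-AutoRun
```

Clearing MountPoints2 removes the cached verbs but not the worm itself: the executables live on the sticks (and, via the Run key, in the user profile), so every removable drive that was ever connected to this machine needs to be scanned or wiped before it is plugged in again, and the policy value is what stops the next stick from being trusted.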

