Brontok.a10 wirus

przez **misiaczun** » 28 Paź 2012, 14:24

http://wklej.eu/index.php?id=a4bd7faa80&view=nl
http://wklej.eu/index.php?id=a9e8f853e1
morze ktoś na to spojrzeć
?

przez **mateo8898** » 28 Paź 2012, 14:46

Temat wydzielam.

1. Odinstaluj: Babylon toolbar on IE, Bandoo, Claro LTD toolbar, Conduit Engine, DealPly, Norton Security Scan, Searchqu Toolbar, SFT_Polska Toolbar, Wincore MediaBar, MarketResearch
2. Użyj AdwCleaner

http://forum.instalki.pl/otl-gmer-silent-runners-sdfix-i-inne-poradnik-t13967-15.html#p139531 z opcji Delete i podaj log.
3. Uruchom OTL

w oknie Własne opcje skanowania/skrypt wklej:

:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1238&systemid=1&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1238&systemid=1&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
IE - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.claro-search.com/?affID=116198&tt=4312_6&babsrc=HP_ss&mntrId=780a20da000000000000ec55f907ed48
IE - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\..\SearchScopes\{0E4E445B-7B71-471D-8030-2887A90DF2A1}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=BCPA&o=16145&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=QK&apn_dtid=YYYYYYU3PL&apn_uid=196D6BE9-CC3C-44DE-8534-B461670D55D9&apn_sauid=D24995F4-1291-4630-AEB6-2254380CC8D1
IE - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.claro-search.com/?q={searchTerms}&affID=116198&tt=4312_6&babsrc=SP_ss&mntrId=780a20da000000000000ec55f907ed48
IE - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1238&systemid=1&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
FF - prefs.js..browser.search.defaultenginename: "Claro Search"
FF - prefs.js..browser.search.order.1: "Claro Search"
FF - prefs.js..browser.startup.homepage: "http://www.claro-search.com/?affID=116198&tt=4312_6&babsrc=HP_ss&mntrId=780a20da000000000000ec55f907ed48"
FF - prefs.js..keyword.URL: "http://www.claro-search.com/?affID=116198&tt=4312_6&babsrc=KW_ss&mntrId=780a20da000000000000ec55f907ed48&q="
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Users\Dorota\AppData\Roaming\Mozilla\Firefox\Profiles\gbxzfewb.default\extensions\[email protected]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Users\Dorota\AppData\Roaming\Mozilla\Firefox\Profiles\addvvjpx.default-1351278844258\extensions\[email protected] [2012/10/27 15:10:24 | 000,000,000 | ---D | M]
[2012/10/27 15:10:24 | 000,000,000 | ---D | M] (Bandoo for Firefox) -- C:\Users\Dorota\AppData\Roaming\mozilla\Firefox\Profiles\addvvjpx.default-1351278844258\extensions\[email protected]
[2012/10/27 23:39:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions\[email protected]
[2012/10/27 23:39:10 | 000,006,520 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012/09/11 21:21:25 | 000,002,519 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Bron-Spizaetus] C:\Windows\ShellNew\sempalong.exe ()
O4 - HKU\S-1-5-21-322022990-2889285901-2092114242-1000..\Run: [Tok-Cirrhatus] C:\Users\Dorota\AppData\Local\smss.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Dorota\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif ()
O8:64bit: - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O7 - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-322022990-2889285901-2092114242-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
[2012/10/27 23:39:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Claro LTD
[2012/10/27 23:38:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BRONTOKRemoval Tool
[2012/10/27 23:04:21 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-28
[2012/10/27 15:10:52 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\STDUViewer
[2012/10/27 15:10:22 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-27
[2012/10/26 02:56:55 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-26
[2012/10/25 15:54:51 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-25
[2012/10/24 20:08:41 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-24
[2012/10/22 23:53:52 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-23
[2012/10/18 23:03:55 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-19
[2012/10/17 23:00:00 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-18
[2012/10/03 20:17:45 | 000,000,000 | ---D | C] -- C:\Users\Dorota\AppData\Local\Bron.tok-12-3
[2012/10/26 20:23:15 | 000,000,450 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Dorota.job
[2012/10/25 20:00:00 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\RegTask.job
[2012/10/28 12:21:17 | 000,012,393 | ---- | M] () -- C:\Users\Dorota\AppData\Local\Bron.tok.A12.em.bin
[2012/07/29 17:44:28 | 000,042,692 | -H-- | C] () -- C:\Windows\eksplorasi.exe
[2012/07/29 17:44:28 | 000,042,692 | ---- | C] () -- C:\Users\Dorota\AppData\Local\winlogon.exe
[2012/07/29 17:44:28 | 000,042,692 | ---- | C] () -- C:\Users\Dorota\AppData\Local\smss.exe
[2012/07/29 17:44:28 | 000,042,692 | ---- | C] () -- C:\Users\Dorota\AppData\Local\services.exe
[2012/07/29 17:44:28 | 000,042,692 | ---- | C] () -- C:\Users\Dorota\AppData\Local\lsass.exe
[2012/07/29 17:44:28 | 000,042,692 | ---- | C] () -- C:\Users\Dorota\AppData\Local\inetinfo.exe
[2012/07/29 17:44:28 | 000,042,692 | ---- | C] () -- C:\Users\Dorota\AppData\Local\csrss.exe

:Commands
[clearallrestorepoints]
[resethosts]
[emptytemp]

Klikasz Wykonaj skrypt. Dajesz log z usuwania + nowe logi z OTL + log z TDSSKiller

http://forum.instalki.pl/otl-gmer-silent-runners-sdfix-i-inne-poradnik-t13967-15.html#p120292 + log z Autoruns

http://forum.instalki.pl/otl-gmer-silent-runners-sdfix-i-inne-poradnik-t13967-15.html#p138589

Kolejność jak podałem.

przez **misiaczun** » 28 Paź 2012, 16:38

log z usówania:
http://www.wklej.eu/index.php?id=3c674bdb10
logi z OTL:
http://www.wklej.eu/index.php?id=e57a4761ac
log z TDSS:
http://www.wklej.eu/index.php?id=fb7a053190
log autoruns:
http://www23.zippyshare.com/v/26058620/file.html

przez **misiaczun** » 28 Paź 2012, 16:39

mam nadzieje ze nie bedzie to żle wyglądało

przez **mateo8898** » 28 Paź 2012, 20:05

Nie użyłeś AdwCleaner, uzupełnij.

przez **misiaczun** » 28 Paź 2012, 21:07

log AdwCleaner

http://www.wklej.eu/index.php?id=cf02f5efde

przez **mateo8898** » 28 Paź 2012, 21:48

W AdwCleaner

Uninstall

W Autoruns odznacz i usuń:
zakładka Logon:

rdpclip
HotKeysCmds
IgfxTray
ODDPwr
Persistence
RtHDVBg
RtHDVCpl
Adobe ARM
BackupManagerTray
EgisUpdate
EgisTecPMMUpdate
HP Software Update
IAStorIcon
LManager
SunJavaUpdateSched
TkBellExe
Microsoft Windows
Microsoft Windows
MobileDocuments

zakładka Services (tylko odznacz):

AdobeARMservice
Live Updater Service
odserv
ose
WinDefend
WMPNetworkSvc

Odinstaluj Bonjour

W OTL wklej:

:OTL
IE - HKCU\..\URLSearchHook: {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - No CLSID value found
FF - prefs.js..browser.startup.homepage: "http://www.claro-search.com/?affID=116198&tt=4312_6&babsrc=HP_ss&mntrId=780a20da000000000000ec55f907ed48"
O3:64bit: - HKLM\..\Toolbar: (no name) - !!{8dcb7100-df86-4384-8842-8fa844297b3f} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !!{8dcb7100-df86-4384-8842-8fa844297b3f} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5C5B9468-D672-4EB7-B52F-B5AFABF28C5B} - No CLSID value found.
[2012/10/28 15:00:18 | 000,012,393 | ---- | M] () -- C:\Users\Dorota\AppData\Local\Update.12.Bron.Tok.bin

Klikasz Wykonaj skrypt, później Sprzątanie

Przeczyść dysk oraz rejestr CCleaner

Wykonaj pełne skanowanie Malwarebytes' Anti-Malware - jeśli coś znajdzie usuń i daj raport (po uruchomieniu odrzuć okres testowy)

Zainstaluj SP1

http://www.instalki.pl/programy/downloa ... ack_1.html

Zaktualizuj IE do najnowszej wersji (nawet jeśli go nie używasz)

http://www.instalki.pl/programy/downloa ... rer_9.html

Zainstaluj antywira

Post nr. 9000