Cyberprzestepczosc

[Mikou@j]

Mam ten sam problem co kolega i proszę o pomoc. Całe to OLT zrobiłem pierwszy raz, więc proszę powoli i dużymi literami.

[wojtas]

są dwie infekcje. podłącz urządzenia które podłaczasz do kompa ( pendrive, telefon itp)
Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\kbynqnolt.sys -- (zfjfztdqi)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7
IE - HKU\S-1-5-21-4112475418-3279765023-2630270959-1006\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKU\S-1-5-21-4112475418-3279765023-2630270959-1006\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7
FF - prefs.js..browser.search.defaultenginename: "Winamp Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query="
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query="
[2012-12-02 13:12:37 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Documents and Settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\htsg2yed.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2010-09-13 16:16:39 | 000,001,196 | ---- | M] () -- C:\Documents and Settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\htsg2yed.default\searchplugins\winamp-search.xml
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [LanzarL2007] "C:\DOCUME~1\User\USTAWI~1\Temp\{C1C5AFFE-CAA7-49AC-BD9D-E0855146E944}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0015" File not found
O4 - HKU\S-1-5-21-4112475418-3279765023-2630270959-1006..\Run: [EXPLORER.EXE] C:\WINDOWS\System32\EXPLORER.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-4112475418-3279765023-2630270959-1006..\Run: [wsctf.exe] wsctf.exe File not found
O4 - HKLM..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun File not found
O4 - Startup: C:\Documents and Settings\User\Menu Start\Programy\Autostart\AutorunsDisabled [2012-12-08 16:11:58 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\User\Menu Start\Programy\Autostart\ctfmon.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\User\Menu Start\Programy\Autostart\ubisoft register.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O20 - HKLM Winlogon: UserInit - (EXPLORER.EXE) - C:\WINDOWS\System32\EXPLORER.EXE (Microsoft Corporation)
O32 - AutoRun File - [2009-04-28 04:56:18 | 000,000,123 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009-04-28 06:09:00 | 000,000,105 | RHS- | M] () - D:\AUTORUN.FCB -- [ FAT32 ]
O32 - AutoRun File - [2009-07-19 11:48:28 | 000,000,105 | RHS- | M] () - D:\AUTORUN.INF -- [ FAT32 ]
O32 - AutoRun File - [2009-03-21 15:21:24 | 000,059,308 | RHS- | M] () - F:\AutoRun.inf -- [ FAT32 ]
O33 - MountPoints2\{033b7472-4eb5-11de-bd4f-0016367b01bd}\Shell\AutoRun\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{033b7472-4eb5-11de-bd4f-0016367b01bd}\Shell\open\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{0b4ffa12-90fd-11e0-bea3-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{0b4ffa12-90fd-11e0-bea3-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL
O33 - MountPoints2\{0f952f7b-0fd0-11e1-beb7-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{0f952f7b-0fd0-11e1-beb7-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{16df7514-b1e6-11de-bd79-0016367b01bd}\Shell\autorun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{16df7514-b1e6-11de-bd79-0016367b01bd}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{41306506-44a8-11e0-be96-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
O33 - MountPoints2\{41306506-44a8-11e0-be96-0016367b01bd}\Shell\Open(&0)\command - "" = F:\Recycled\ctfmon.exe -- [2007-01-29 11:22:34 | 000,020,480 | RHS- | M] ()
O33 - MountPoints2\{4aea4426-4114-11e1-bec4-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{4aea4426-4114-11e1-bec4-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{652b3743-f944-11dd-bd3c-0016367b01bd}\Shell\AutoRun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{652b3743-f944-11dd-bd3c-0016367b01bd}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{7506317c-00b8-11e0-be43-0016367b01bd}\Shell\AutoRun\command - "" = F:\EXPLORER.EXE -- [2006-10-25 01:32:36 | 000,036,864 | RHS- | M] (Microsoft Corporation)
O33 - MountPoints2\{7506317c-00b8-11e0-be43-0016367b01bd}\Shell\explore\Command - "" = F:\EXPLORER.EXE -- [2006-10-25 01:32:36 | 000,036,864 | RHS- | M] (Microsoft Corporation)
O33 - MountPoints2\{7506317c-00b8-11e0-be43-0016367b01bd}\Shell\open\Command - "" = F:\EXPLORER.EXE -- [2006-10-25 01:32:36 | 000,036,864 | RHS- | M] (Microsoft Corporation)
O33 - MountPoints2\{85cd17d1-fe90-11de-bdb7-0016367b01bd}\Shell\AutoRun\command - "" = F:\EXPLORER.EXE -- [2006-10-25 01:32:36 | 000,036,864 | RHS- | M] (Microsoft Corporation)
O33 - MountPoints2\{85cd17d1-fe90-11de-bdb7-0016367b01bd}\Shell\explore\Command - "" = F:\EXPLORER.EXE -- [2006-10-25 01:32:36 | 000,036,864 | RHS- | M] (Microsoft Corporation)
O33 - MountPoints2\{85cd17d1-fe90-11de-bdb7-0016367b01bd}\Shell\open\Command - "" = F:\EXPLORER.EXE -- [2006-10-25 01:32:36 | 000,036,864 | RHS- | M] (Microsoft Corporation)
O33 - MountPoints2\{8c6a8f86-8fa8-11dc-bc2e-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{8c6a8f86-8fa8-11dc-bc2e-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{b2672a36-65b2-11df-bdf3-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
O33 - MountPoints2\{b2672a36-65b2-11df-bdf3-0016367b01bd}\Shell\Open(&0)\command - "" = F:\Recycled\ctfmon.exe -- [2007-01-29 11:22:34 | 000,020,480 | RHS- | M] ()
O33 - MountPoints2\{bfbb5dc4-0620-11e0-be46-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{bfbb5dc4-0620-11e0-be46-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{c81bc32c-82ea-11df-be00-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{c81bc32c-82ea-11df-be00-0016367b01bd}\Shell\autorun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{dc1c4ca9-0bef-11de-bd3d-0016367b01bd}\Shell\AutoRun\command - "" = F:\0bcobed.exe
O33 - MountPoints2\{dc1c4ca9-0bef-11de-bd3d-0016367b01bd}\Shell\open\Command - "" = F:\0bcobed.exe
O33 - MountPoints2\{e65068c8-7feb-11dc-bc16-0016367b01bd}\Shell\AutoRun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{e65068c8-7feb-11dc-bc16-0016367b01bd}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{efd34af4-67d4-11dd-bd05-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{efd34af4-67d4-11dd-bd05-0016367b01bd}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{efd34af6-67d4-11dd-bd05-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{efd34af6-67d4-11dd-bd05-0016367b01bd}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\EXPLORER.EXE
O33 - MountPoints2\G\Shell\explore\Command - "" = G:\EXPLORER.EXE
O33 - MountPoints2\G\Shell\open\Command - "" = G:\EXPLORER.EXE
[2012-12-08 16:53:09 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Dane aplikacji\0tbpw.pad
[2012-12-08 14:47:49 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\User\Menu Start\Programy\Autostart\runctf.lnk

:Commands
[emptytemp]

Kliknij wykonaj skrypt. I potwierdź reset komputera . ( system zostanie odblokowany)

odinstaluj:
Winamp Toolbar

Użyj AdwCleaner i kliknij w nim Delete (w przypadku Visty/Windows7 uruchom z prawokliku jako Administrator)
Pokaż raport z niego

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzyła się po restarcie).
Przy podpiętym urządzeniu przenośnym (pendrive, telefon - to co jest podłączane do komputera) , uruchom USBFIX z opcji Listing i pokaż raport na forum.

[hulek]

Zalaczam dwa pliki. Niestety ten plik USBFIX mi się nie otworzył..

[wojtas]

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
SRV - [2009-03-21 15:21:24 | 000,167,324 | RHS- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ryzyhhac.dll -- (feclvgmd)
O4 - HKLM..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" File not found
O4 - HKLM..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe File not found
O32 - AutoRun File - [2009-03-21 15:21:24 | 000,059,308 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{85cd17d1-fe90-11de-bdb7-0016367b01bd}\Shell - "" = AutoRun
O33 - MountPoints2\{85cd17d1-fe90-11de-bdb7-0016367b01bd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[2012-12-08 22:19:03 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Dane aplikacji\0tbpw.pad
[2012-12-08 22:09:17 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\User\Menu Start\Programy\Autostart\runctf.lnk

:Files
[override]
C:\WINDOWS\system32\EXPLORER.EXE
[stopoverride]


:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"4529:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

:Commands
[emptytemp]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzyła się po restarcie).

[hulek]

Wykonane