
As in the subject line, does anyone know how to remove this? It just popped up on me (I have no idea where it came from).
Eh, I guess I have to go back to Kaspersky; I switched to AVG and immediately have problems.

:reg
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
:filefind
services.exe
SystemLook 30.07.11 by jpshortstuff
Log created at 18:15 on 28/07/2012 by BlackDevil
Administrator - Elevation successful
========== reg ==========
[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
(No values found)
[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
"ThreadingModel"="Both"
@="%SystemRoot%\system32\shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]
@="Microsoft WBEM New Event Subsystem"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="%systemroot%\system32\wbem\wbemess.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
@="MruPidlList"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
@="%SystemRoot%\system32\shell32.dll"
"ThreadingModel"="Apartment"
========== filefind ==========
Searching for "services.exe"
C:\Windows\ERDNT\cache64\services.exe --a---- 328704 bytes [14:50 19/04/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
-= EOF =-
:OTL
O4 - HKCU..\RunOnce: [0C1CFB266B67B9C90007EEF2F875EF60] C:\ProgramData\0C1CFB266B67B9C90007EEF2F875EF60\0C1CFB266B67B9C90007EEF2F875EF60.exe ()
[2012-07-27 18:13:19 | 000,000,000 | ---D | C] -- C:\Users\BlackDevil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
[2012-07-27 18:10:51 | 000,000,000 | ---D | C] -- C:\ProgramData\0C1CFB266B67B9C90007EEF2F875EF60
[2012-07-23 01:27:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Ask
[2012-07-27 18:13:19 | 000,002,030 | ---- | M] () -- C:\Users\BlackDevil\Desktop\Live Security Platinum.lnk
[2012-07-27 18:09:48 | 000,016,896 | ---- | C] () -- C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}\U\80000000.@
[2012-07-27 18:09:47 | 000,023,040 | ---- | C] () -- C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}\U\800000cb.@
[2012-07-27 18:09:47 | 000,001,712 | ---- | C] () -- C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}\U\00000001.@
@Alternate Data Stream - 176 bytes -> C:\Users\BlackDevil\Desktop\skan.jpeg:3or4kl4x13tuuug3Byamue2s4b
:Files
C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}
:Commands
[emptytemp]
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\\0C1CFB266B67B9C90007EEF2F875EF60 not found.
File C:\ProgramData\0C1CFB266B67B9C90007EEF2F875EF60\0C1CFB266B67B9C90007EEF2F875EF60.exe not found.
Folder C:\Users\BlackDevil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\ not found.
Folder C:\ProgramData\0C1CFB266B67B9C90007EEF2F875EF60\ not found.
C:\ProgramData\Ask\APN-Stub\PTV folder moved successfully.
C:\ProgramData\Ask\APN-Stub folder moved successfully.
C:\ProgramData\Ask folder moved successfully.
File C:\Users\BlackDevil\Desktop\Live Security Platinum.lnk not found.
File C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}\U\80000000.@ not found.
File C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}\U\800000cb.@ not found.
File C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435}\U\00000001.@ not found.
ADS C:\Users\BlackDevil\Desktop\skan.jpeg:3or4kl4x13tuuug3Byamue2s4b deleted successfully.
========== FILES ==========
File\Folder C:\Windows\Installer\{75c487c4-4a96-4f21-3bc4-7a0ec49b3435} not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: BlackDevil
->Temp folder emptied: 12133580 bytes
->Temporary Internet Files folder emptied: 2799025 bytes
->Java cache emptied: 31906267 bytes
->FireFox cache emptied: 269125825 bytes
->Google Chrome cache emptied: 0 bytes
->Opera cache emptied: 9468541 bytes
->Flash cache emptied: 123380 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 401408 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 61286 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50534 bytes
RecycleBin emptied: 2906079 bytes
Total Files Cleaned = 314,00 mb
OTL by OldTimer - Version 3.2.55.0 log created on 07282012_215423
Files\Folders moved on Reboot...
C:\Users\BlackDevil\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_001_ moved successfully.
C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_002_ moved successfully.
C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_003_ moved successfully.
C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\urlclassifier3.sqlite moved successfully.
PendingFileRenameOperations files...
File C:\Users\BlackDevil\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_001_ not found!
File C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_002_ not found!
File C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_003_ not found!
File C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\Cache\_CACHE_MAP_ not found!
File C:\Users\BlackDevil\AppData\Local\Mozilla\Firefox\Profiles\7ba4k9tg.default\urlclassifier3.sqlite not found!
Registry entries deleted on Reboot...
Farbar Service Scanner Version: 26-07-2012
Ran by BlackDevil (administrator) on 29-07-2012 at 18:33:41
Running from "C:\Users\BlackDevil\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\EnableFirewall value. The value does not exist.
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall value. The value does not exist.
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:0000086c
"Last Counter"=dword:0000087c
"First Help"=dword:0000086d
"Last Help"=dword:0000087d
"Object List"="2156"
"PerfMMFileName"="Global\\MMF_BITS_s"
"1008"=hex(b):ed,6c,91,96,c4,35,cd,01