Wirus - paysafecard

**Posty:** 1 · przez **hooba** 28 Gru 2012, 03:37

przypałętało się wiruszysko - jak w temacie. wredne wyjątkowo. nawet w trybie awaryjnym blokada. musiałem działać w trybie wiersza poleceń (spore wyzwanie dla takiego laika jak ja)
załączam logi z OTL
będę wdzięczny za pomoc i instrukcje jak dla totalnego żółtodzioba

**Posty:** 4765 · przez **ordynat** 28 Gru 2012, 11:03

1) Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej to:

:Files
C:\Documents and Settings\Hooba\Ustawienia lokalne\Temp\wlsidten.dll
C:\Documents and Settings\All Users\Dane aplikacji\netdislw.pad
C:\Documents and Settings\All Users\Dane aplikacji\netdislw.js
C:\Documents and Settings\Hooba\Menu Start\Programy\Autostart\runctf.lnk

:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Microsoft Driver Setup = C:\WINDOWS\system32\Jnstm.exe
O33 - MountPoints2\{94a62a73-ea73-11de-9a2c-0011092c7769}\Shell\AutoRun\command - "" = I:\RECYCLER\S-51-9-25-3434476501-1644491933-601013362-1214\BSzBT.exe
O33 - MountPoints2\{94a62a73-ea73-11de-9a2c-0011092c7769}\Shell\open\command - "" = I:\RECYCLER\S-51-9-25-3434476501-1644491933-601013362-1214\BSzBT.exe
SRV - [2012-11-08 17:07:22 | 000,711,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe -- (vToolbarUpdater13.2.0)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://startsear.ch/?aff=1
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://startsear.ch/?aff=1
IE - HKCU\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{40BFFCD4-6BE4-45F4-A272-6CFCA652468A}: "URL" = http://search.avg.com/route/?d=4c12b26d&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={C64756BD-00CA-43B9-A717-785338DCD0E7}&mid=64dc9b3eb292cbcc08d2f7d38163bc69-8dec997594e52340dfa2b18edadb2c7a3c361992&lang=pl&ds=AVG&pr=fr&d=2011-11-11 12:28:12&v=12.2.5.32&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://startsear.ch/?aff=1&q={searchTerms}
IE - HKCU\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7
FF - prefs.js..browser.search.defaultengine: "Web Search"
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..extensions.enabledAddons: avg%40toolbar:12.2.5.32
FF - prefs.js..extensions.enabledItems: avg@toolbar:9.0.0.22
FF - prefs.js..keyword.URL: "https://isearch.avg.com/search?cid={C64756BD-00CA-43B9-A717-785338DCD0E7}&mid=64dc9b3eb292cbcc08d2f7d38163bc69-8dec997594e52340dfa2b18edadb2c7a3c361992&lang=pl&ds=AVG&pr=fr&d=2011-11-11 12:28:12&v=12.2.5.32&sap=ku&q="
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\13.2.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\Documents and Settings\All Users\Dane aplikacji\AVG Secure Search\12.2.5.32\ [2012-08-29 13:45:16 | 000,000,000 | ---D | M]
[2012-11-13 00:04:21 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Documents and Settings\Hooba\Dane aplikacji\Mozilla\Firefox\Profiles\edzixjdt.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2011-07-11 19:04:02 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\Hooba\Dane aplikacji\Mozilla\Firefox\Profiles\edzixjdt.default\searchplugins\startsear.xml
[2008-12-31 09:55:11 | 000,001,196 | ---- | M] () -- C:\Documents and Settings\Hooba\Dane aplikacji\Mozilla\Firefox\Profiles\edzixjdt.default\searchplugins\winamp-search.xml
[2012-08-29 13:45:16 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\DANE APLIKACJI\AVG SECURE SEARCH\12.2.5.32
[2011-08-31 11:38:58 | 000,082,944 | ---- | M] (vShare.tv ) -- C:\Program Files\mozilla firefox\plugins\npvsharetvplg.dll
[2012-11-08 17:07:26 | 000,003,572 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\avg\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (IE5BarLauncherBHO Class) - {78F3A323-798E-4AEA-9A57-88F4B05FD5DD} - C:\Program Files\vShare.tv plugin\BarLcher.dll (VShare Inc.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (VShareToolBar) - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files\vShare.tv plugin\BarLcher.dll (VShare Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKCU\..\Toolbar\WebBrowser: (VShareToolBar) - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files\vShare.tv plugin\BarLcher.dll (VShare Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [Device Detector] DevDetect.exe -autorun File not found
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [ROC_ROC_JULY_P1] C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe ()
O4 - HKLM..\Run: [ROC_roc_ssl_v12] C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe ()
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKCU..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

:Commands
[emptytemp]

Kliknij w Wykonaj Skrypt. Zatwierdź restart komputera. Zapisz raport, który pokaże się po restarcie.
Następnie uruchom OTL ponownie, tym razem kliknij Skanuj.
Pokaż nowy log OTL.txt oraz raport z usuwania Skryptem.

2) Użyj >Adw-cleaner (aby pobrać kliknij na dużą zieloną strzałkę po prawej).
Kliknij w nim Usuń
Pokaż raport z niego C:\AdwCleaner[S1].txt

3)

SRV - [2012-12-27 23:33:18 | 000,197,496 | ---- | M] (Корпорация Майкрософт) [Auto | Stopped] -- C:\Documents and Settings\Hooba\Ustawienia lokalne\Temp\wlsidten.dll -- (winmgmt)

Do >SystemLook wklej:

:regfind
wlsidten

Naciśnij Look i pokaż raport.

4) Zainstaluj nowszą, bezpieczniejszą wersję Javy:
>http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html (wybierz: Windows x86 Offline)
.