Viruses

Showing 6 replies (1 to 6 of 6 total)
  • #35085
    shai.m
    Member

    Hi,

    I have the same problem too.

    I get an error message when Windows starts up:
    RUNDLL | Error loading augry.vko. The specified module could not be found

    I ran everything I could, both in SAFE MODE and with MINI XP via the HIREN CD, and nothing helped (all sorts of scanning tools such as COMBOFIX, MBAM, MS, NOD32 and more).

    What can I do?

    By the way,

    Here is my report on the problem (in English). If posting things like this here in the forum isn't acceptable, I'll edit and delete it. Thanks for the help!!!

    Hi,

    My computer is infected, and no matter what I did (I've been working on it for 2 days already), the problem still occurs.

    Problem description:
    1. An error message pops up after Windows finishes loading. This is the message: "RUNDLL | Error loading augry.vko. The specified module could not be found"

    2. When I open a folder, for example "c:\my folder's\mymusic", the folder/window gets closed and the desktop disappears and appears again.
    Which means that I can't use the files in this folder.

    I tried to "clean" this infection by doing many, many things:
    1. Used Hiren's CD and ran different tests like: Malwarebytes' Anti-Malware, Spybot – Search & Destroy. Also Microsoft Security Essentials, AVG scan, NOD32 online scan etc.
    2. I also did the scans above in SAFE MODE and in the XP mini OS (available on Hiren's CD).

    These scans did find many infections and I think they also cleaned all of them.. (sort of..)

    3. I also ran ComboFix but the problem still occurs.
    ComboFix showed me these 2 messages:

    System file is infected !! Attempting to restore
    "X:\i386\system32\lpk.dll"

    System file is infected !! Attempting to restore
    "X:\i386\system32\imm32.dll"

    But in the second scan I did with ComboFix, it didn't show them anymore.

    4. I also restored the computer via the Microsoft "Restore point" method.

    But the problem/VIRUS still occurs!

    These are the ComboFix logs:

    QUOTE
    Log number 1:
    ComboFix 10-07-23.01 – Shai.m 07/24/2010 3:21.2.2 – x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.958.746 [GMT 3:00]
    Running from: c:\documents and settings\Shai.m\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    —- Previous Run ——-
    .
    c:\program files\Shared

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
    .

    2010-07-24 01:35 . 2010-07-24 01:38 ——– d—–w- C:\Hiren cd
    2010-07-23 23:28 . 2010-07-23 23:28 ——– d—–w- c:\windows\system32\wbem\Repository
    2010-07-22 18:24 . 2010-07-22 18:24 54016 —-a-w- c:\windows\system32\drivers\vvptwoik.sys
    2010-07-22 17:42 . 2010-07-22 17:42 ——– d—–w- c:\program files\Trend Micro
    2010-07-22 17:34 . 2010-07-22 17:36 ——– d—–w- c:\program files\Microsoft Security Essentials
    2010-07-22 17:32 . 2010-06-01 17:37 221568 ——w- c:\windows\system32\MpSigStub.exe
    2010-07-22 13:25 . 2010-07-22 17:31 ——– d—–w- c:\documents and settings\All Users\Application Data\Spybot – Search & Destroy
    2010-07-22 13:25 . 2010-07-22 13:31 ——– d—–w- c:\program files\Spybot – Search & Destroy
    2010-07-21 11:16 . 2010-07-21 11:16 4368224 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-21 11:16 . 2010-07-21 11:16 1107296 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-20 22:49 . 2010-07-20 22:49 22662 —-a-w- c:\windows\msyuv.dll
    2010-07-15 18:45 . 2010-07-15 18:45 242896 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-07-15 18:45 . 2010-07-15 18:45 216200 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-07-15 18:45 . 2010-07-15 18:45 12536 —-a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 18:43 . 2010-07-15 18:43 813336 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-07-15 18:43 . 2010-07-15 18:43 624920 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-07-15 18:43 . 2010-07-15 18:43 1690464 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-07-15 18:43 . 2010-07-15 18:43 1038688 —-a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-07-13 20:32 . 2010-06-14 14:31 744448 -c—-w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-09 19:23 . 2010-07-09 19:23 ——– d—–w- c:\windows\system32\winrm
    2010-07-09 19:23 . 2010-07-09 19:24 ——– dc-h–w- c:\windows\$968930Uinstall_KB968930$

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-23 23:37 . 2008-12-10 17:44 ——– d—–w- c:\documents and settings\All Users\Application Data\Babylon
    2010-07-23 23:17 . 2008-11-27 22:21 ——– d—–w- c:\program files\palmOne
    2010-07-23 23:12 . 2009-01-29 16:53 ——– d—–w- c:\program files\LogMeIn
    2010-07-23 17:38 . 2010-01-08 20:41 ——– d—–w- c:\documents and settings\Shai.m\Application Data\Malwarebytes
    2010-07-23 17:38 . 2010-01-08 20:41 ——– d—–w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-22 18:54 . 2008-11-27 22:47 ——– d—–w- c:\documents and settings\Shai.m\Application Data\vlc
    2010-07-21 11:12 . 2008-11-28 17:06 ——– d—–w- c:\documents and settings\Shai.m\Application Data\Skype
    2010-07-16 20:41 . 2008-11-28 00:34 ——– d—–w- c:\documents and settings\Shai.m\Application Data\dvdcss
    2010-07-15 18:45 . 2010-02-05 20:48 243024 —-a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 18:44 . 2010-02-05 20:48 216400 —-a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-14 13:42 . 2010-02-05 20:48 ——– d—–w- c:\documents and settings\All Users\Application Data\avg9
    2010-07-09 19:28 . 2008-11-27 22:52 ——– d—–w- c:\program files\Microsoft.NET
    2010-06-19 04:28 . 2010-06-19 04:13 664 —-a-w- c:\windows\system32\d3d9caps.dat
    2010-06-14 14:31 . 2008-11-27 21:13 744448 —-a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
    2010-06-09 12:35 . 2008-07-24 16:45 13408 —-a-w- c:\windows\system32\drivers\radpms.sys
    2010-06-09 12:35 . 2009-01-29 16:53 83360 —-a-w- c:\windows\system32\LMIRfsClientNP.dll
    2010-06-09 12:35 . 2009-01-29 16:53 29568 —-a-w- c:\windows\system32\LMIport.dll
    2010-06-09 12:35 . 2009-01-29 16:53 87424 —-a-w- c:\windows\system32\LMIinit.dll
    2010-06-04 18:53 . 2009-11-06 15:35 ——– d—–w- c:\program files\Microsoft Silverlight
    2010-06-03 06:02 . 2010-02-05 20:48 29584 —-a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-29 16:52 . 2008-12-09 15:24 ——– d—a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-05-29 12:33 . 2008-12-09 15:23 ——– d—–w- c:\program files\Google
    2010-05-14 13:26 . 2003-02-21 04:42 348160 —-a-w- c:\windows\system32\msvcr71.dll
    2010-05-14 13:26 . 2003-03-18 20:14 499712 —-a-w- c:\windows\system32\msvcp71.dll
    2010-05-06 20:12 . 2010-05-06 20:12 366 —-a-w- c:\windows\MMD.MSP
    2010-05-04 17:20 . 2001-08-18 12:00 832512 —-a-w- c:\windows\system32\wininet.dll
    2010-05-04 17:20 . 2009-07-18 10:28 78336 —-a-w- c:\windows\system32\ieencode.dll
    2010-05-04 17:20 . 2001-08-18 12:00 17408 —-a-w- c:\windows\system32\corpol.dll
    2010-05-02 08:14 . 2008-11-28 00:57 89240 —-a-w- c:\documents and settings\Shai.m\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-02 05:22 . 2001-08-18 12:00 1851264 —-a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2006-09-21 53248]
    "S3Trayp"="S3trayp.exe" [2006-10-09 176128]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
    "NPSStartup"="" [BU]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 18:45 12536 —-a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2008-06-18 11:47 24692 —-a-w- c:\windows\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-06-09 12:35 87424 —-a-w- c:\windows\system32\LMIinit.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.LNK]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Push Client.LNK
    backup=c:\windows\pss\Push Client.LNKCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Shai.m^Start Menu^Programs^Startup^ESET NOD32 Antivirus.lnk]
    path=c:\documents and settings\Shai.m\Start Menu\Programs\Startup\ESET NOD32 Antivirus.lnk
    backup=c:\windows\pss\ESET NOD32 Antivirus.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Shai.m^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\Shai.m\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
    2009-05-18 09:10 102400 —-a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
    2008-12-10 17:46 2841824 —-a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-14 03:42 110592 ——w- c:\windows\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
    c:\program files\Innovative Solutions\DriverMax\devices.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 14:33 141600 —-a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    c:\program files\Messenger\msmsgs.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    2009-11-11 08:57 1451520 —-a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 21:08 417792 —-a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-26 22:16 149280 —-a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "aswUpdSv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ICQ6.5\\ICQ.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
    "d:\\Program Files\\eMule\\emule.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\ODD Toolkit\\ODDUpdate.exe"=
    "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
    "c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
    "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
    "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
    "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
    "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "5900:TCP"= 5900:TCP:vnc 1
    "5800:TCP"= 5800:TCP:vnc 2
    "5662:TCP"= 5662:TCP:Emule TCP Port
    "5672:UDP"= 5672:UDP:Emule UDP Port
    "5672:TCP"= 5672:TCP:Emule tcp Port-5672
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R3 libusb0;LibUsb-Win32 – Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [14/09/2009 02:11 28672]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/02/2010 23:48 216400]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/02/2010 23:48 243024]
    S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 14:27 34312]
    S1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [18/06/2008 14:46 2235760]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 21:45 308136]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [18/06/2008 14:46 47504]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [13/11/2009 17:20 233472]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]
    S2 VNASC;Check Point Virtual Network Adapter – SecureClient;c:\windows\system32\drivers\vnasc.sys [18/06/2008 14:46 121136]
    S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [18/06/2008 14:46 673872]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [13/11/2009 17:20 36608]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys –> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [09/04/2008 10:28 80256]
    S3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [04/04/2008 08:30 70016]
    S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [24/07/2008 19:45 13408]
    S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 15:37 26624]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18/08/2001 15:00 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    S4 gupdate;שירות Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2010 13:57 135664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    – c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 10:57]

    2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    – c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 10:57]

    2010-07-23 c:\windows\Tasks\MP Scheduled Scan.job
    – c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 18:40]
    .
    .
    ——- Supplementary Scan ——-
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki… – c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Translate with &Babylon – c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
    TCP: {6494B30A-7D47-4DD9-9B7F-A8DBBCD331F3} = 192.115.106.35,62.219.186.7
    DPF: {3BF72F68-72D8-461D-A884-329D936C5581} – hxxp://www.mekusharim.co.il/ImageUploader5.cab
    FF – ProfilePath – c:\documents and settings\Shai.m\Application Data\Mozilla\Firefox\Profiles\Shai_Profile\
    FF – prefs.js: browser.startup.homepage – hxxp://search.speedbit.com/
    FF – prefs.js: keyword.URL – hxxp://www.google.co.il/search?q=
    FF – component: c:\documents and settings\Shai.m\Application Data\Mozilla\Firefox\Profiles\Shai_Profile\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF – HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} – c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    —- FIREFOX POLICIES —-
    c:\program files\Mozilla Firefox\greprefs\all.js – pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js – pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js – pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js – pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js – pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js – pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js – pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js – pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js – pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js – pref("plugins.update.notifyUser", false);
    .
    – – – – ORPHANS REMOVED – – – –

    Toolbar-Locked – (no file)

    **************************************************************************
    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    ——————— LOCKED REGISTRY KEYS ———————

    [HKEY_USERS\S-1-5-21-1708537768-179605362-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FEBC97D3-1007-547F-1E1D-A6B1BE24AEE6}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    ——————— DLLs Loaded Under Running Processes ———————

    – – – – – – – > 'winlogon.exe'(240)
    c:\windows\system32\LMIinit.dll

    – – – – – – – > 'explorer.exe'(1008)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-07-24 03:33:55
    ComboFix-quarantined-files.txt 2010-07-24 00:33

    Pre-Run: 9,946,996,736 bytes free
    Post-Run: 9,912,045,568 bytes free

    – – End Of File – – 10AD2FE20DD9CEB2D6EE7572C8E76529


    Screenshots of the viruses that were found by several anti-virus/anti-malware programs:

    1. The error message:

    2. Malwarebytes' Anti-Malware – result from one of the tests I ran:


    3. Spybot – Search & Destroy – Results:


    4. Microsoft Security Essentials – Results:

    I uploaded a RAR archive which contains the log files and screenshots of some of what I've been through over the last 3 days.
    http://www.multiupload.com/6LJ6PMTAMK

    Attached is the HijackThis log file.

    Thanks for helping me!
    Shai

    #35098
    itsho
    Forum moderator

    Try to open a post of your own rather than continuing an existing one.

    First of all, well done on the full and precise detail.

    1. So, since you used Hiren, try a live antivirus such as DrWeb CureIT.

    2. In addition, I too am suspicious of the file c:\windows\system32\drivers\vvptwoik.sys

    and also of a few more files that appear in the ComboFix log, namely:
    c:\windows\msyuv.dll
    c:\documents and settings\All Users\Start Menu\Programs\Startup\Push Client.LNK
    (check where the link leads, and delete the file)

    3. Also, you have 2 antiviruses running in parallel, which is a terrible thing (NOD and AVG).
    Remove one of them.

    4. Personally I would recommend AVIRA, but if you prefer one of those, there is no need to remove it.

    5. Again, personally, I would give up VTTimer (Spybot's real-time protection mechanism); MBAM's protection is far better.

    6. Browse only in "safe mode" (in both IE and Firefox); you have extensions that look suspicious to me.

    7. Run MBAM in safe mode, restart the computer into safe mode again (without booting into normal mode) and run MBAM again; it may help somewhat.

    itsho 2010-7-25 2:49:0
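The cues the moderator picked out of the log by eye (a freshly created driver with a random-looking name under system32, a lone DLL dropped straight into c:\windows) can be turned into a triage filter for the "Files Created" section of a ComboFix log. The following is an added example, not code from this thread or from ComboFix; it assumes the "created . modified size attrs path" line layout shown in the log above, and its sample lines are copied from that log with the extraction-mangled dashes restored to plain ASCII.

```python
import re
from collections import Counter

# ComboFix "Files Created" layout: "<created> . <modified> <size> <attrs> <path>";
# directories carry "--------" where a file has its size in bytes.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
EXEC_EXT = (".sys", ".dll", ".exe")
VOWELS = set("aeiou")

# Constructed sample: entries copied from the log in this thread, dashes restored.
SAMPLE_LOG = r"""
2010-07-24 01:35 . 2010-07-24 01:38 -------- d-----w- C:\Hiren cd
2010-07-22 18:24 . 2010-07-22 18:24 54016 ----a-w- c:\windows\system32\drivers\vvptwoik.sys
2010-07-22 17:32 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-20 22:49 . 2010-07-20 22:49 22662 ----a-w- c:\windows\msyuv.dll
2010-07-15 18:45 . 2010-07-15 18:45 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 18:45 . 2010-07-15 18:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-13 20:32 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
"""


def parse_entries(log_text):
    """Return one dict per line that matches the ComboFix layout; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["is_dir"] = e["attrs"][0] == "d"
            entries.append(e)
    return entries


def looks_random(filename):
    """Crude test for names like vvptwoik or msyuv: few vowels or a long consonant run."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = "".join(c for c in stem if c.isalpha())
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio <= 0.2 or longest_run >= 4


def suspicion_cues(entry, minute_counts):
    """List the cues that apply to one file entry; more cues means look at it sooner."""
    path = entry["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    cues = {
        # Dropped under the Windows tree instead of a vendor's program folder.
        "system_dir": path.startswith("c:\\windows\\"),
        # Something that can execute: driver, library or program.
        "executable": name.endswith(EXEC_EXT),
        # Nothing else written in that minute; installers create several files at once.
        "lone_drop": minute_counts[entry["created"]] == 1,
        # Written at creation time; files copied from an update package keep an older mtime.
        "fresh_timestamps": entry["created"] == entry["modified"],
        "random_name": looks_random(name),
    }
    return [cue for cue, hit in cues.items() if hit]


def rank_files(log_text):
    """Return [(path, cues)] for regular files, most suspicious first (a triage order, not a verdict)."""
    entries = parse_entries(log_text)
    minute_counts = Counter(e["created"] for e in entries)
    ranked = [(e["path"], suspicion_cues(e, minute_counts))
              for e in entries if not e["is_dir"]]
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked
```

Legitimate files such as helpsvc.exe can also score high here; the ranking only says what to check first, and the thread settled its two candidates with a VirusTotal scan.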

    #35107
    shai.m
    Member

    Hi,
    Thanks for the quick and high-quality answer!!

    With your permission, I have a few comments/questions for you about your suggestions:

    1. "Try a live antivirus such as DrWeb CureIT": apart from being a kind of recovery CD, does it also scan for viruses?
    Because I'm not yet interested in a last-resort "lifeline" (recovery).

    2. OK.
    Regarding msyuv.dll: I saw there is a report on it.
    Push Client.LNK: I think it's related to the Open University's software (I'll check).

    3. I don't have two antiviruses running in parallel, weird.. In any case, I'll run the NOD32 REMOVAL TOOL.

    5. MBAM is the free version, so it has no protection running in the background. That's why VTTimer is needed... am I right?

    Should I upload the files you find suspicious for an online scan at the site:
    www.virustotal.com

    Thanks a lot!

    #35108
    shai.m
    Member

    I mean the site:
    http://www.virustotal.com/

    #35126
    shai.m
    Member

    OK..
    You were right!

    Two viruses were found in the two files:
    c:\windows\msyuv.dll
    c:\windows\system32\drivers\vvptwoik.sys

    Now all that's left is to manage to delete them!

    #35127
    shai.m
    Member

    By the way, here are the logs from VIRUS_TOTAL:

    http://www.virustotal.com/analisis/3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516-1280053172

    http://www.virustotal.com/analisis/ce4cce97eb31f48698147f323179eab2c037fcb75e66eae6ae8f47cd2b7d85ef-1280080788
