Avira îmi detectează un troian(Virus or unwanted program).

Avira îmi detectează un troian de mai multe ori , de genul:

Virus or unwanted program 'TR/Crypt.XPACK.Gen3 [trojan]'
detected in file 'C:\Program Files\GUM1.tmp\goopdateres_am.dll.
Action performed: Deny access

Asta de vreo trei zile.
De fiecare dată am dat deny access sau mutare la "carantină".
Am instalat Malwarebytes free, am făcut scanare, după care am mutat tot ce a găsit la "carantină".
După care la restartare, mi-au apărut din nou aceleaşi mesaje de detectare de la Avira.
Ştie cineva cam ce ar trebui să fac?
Este normal ca după ce dau deny access în Avira să nu îl găsească Malwarebytes?

Descarca si salveaza Farbar Recovery Scan Tool, pe Desktop.
Dublu click pe FRST.exe pentru al rula.[ http://s4.postimg.org/b7b2g838p/Frst1.png - Pentru incarcare in pagina (embed) Click aici ]
Pentru Windows Vista sau Windows7,Windows8
click dreapta, selecteaza Run as administrator.
Click pe Yes.

[ http://s27.postimg.org/yzw6sw783/FRST2.png - Pentru incarcare in pagina (embed) Click aici ]

Click pe Scan.

[ http://s4.postimg.org/69q3ljvgt/Frst5.jpg - Pentru incarcare in pagina (embed) Click aici ]

La terminare vor apare 2 ferestre de Notepad - FRST.txt si Addition.txt.

Ataseaza FRST.txt si Addition.txt in urmatorul raspuns.

[ http://s30.postimg.org/m4ozfqfpt/ataseaza.jpg - Pentru incarcare in pagina (embed) Click aici ]

Edited by MhG_40, 01 June 2015 - 18:57.

Nu știu dacă era cazul să precizez de la bun început.
De fapt Avira detectează vreo câteva zeci, vreo 20 de astfel de malware, tuturor le-am dat deny access sau move to quarantine.
De asemenea, chiar în timp ce rulam Farbar, detecta și Avira; de fapt începuse mai devreme, dar i-am dat drumul și la Farbar în timp ce deja Avira mă atenționa.
Sper că nu risc să am probleme dacă atașez acele documente txt.

1. Descarca si salveaza fixlist.txt.   =>    fixlist.txt   1.55K   27 downloads

Atentie,fixlist.txt, trebuie salvat in aceiasi locatie cu FRST.exe

2. Ruleaza din nou Farbar Recovery Scan Tool.

Dublu click pe FRST.exe pentru al rula.[ http://s4.postimg.org/b7b2g838p/Frst1.png - Pentru incarcare in pagina (embed) Click aici ]
Pentru Windows Vista sau Windows7,Windows8
click dreapta, selecteaza Run as administrator.
Click pe Yes.

[ http://s27.postimg.org/yzw6sw783/FRST2.png - Pentru incarcare in pagina (embed) Click aici ]

Click pe Fix.

[ http://s22.postimg.org/bzzjtg0ap/FRST4.jpg - Pentru incarcare in pagina (embed) Click aici ]

Ataseaza logul in urmatorul raspuns.

[ http://s30.postimg.org/m4ozfqfpt/ataseaza.jpg - Pentru incarcare in pagina (embed) Click aici ]

3. Descarca AdwCleaner  sau AdwCleaner by Xplode pe Desktop.
Dublu click pe AdwCleaner.exe pentru al rula.
Pentru Windows Vista sau Windows7,Windows8
click dreapta, selecteaza Run as administrator.
Click pe Scan.
Asteapta sa termine de cautat, click pe Clean.
Dupa ce termina de curatat, apasa pe Report.
Posteaza continutul fisierului aici.
Logul se gaseste in C:\AdwCleaner[Sn].txt (n este un numar).

[ http://s3.postimg.org/tfjxm09qr/Adw_C.png - Pentru incarcare in pagina (embed) Click aici ]

4. Descarca si salveaza pe Desktop Junkware Removal Tool.
Inchide toate programele care ruleaza.
Pentru Windows Vista sau Windows7,Windows8
click dreapta, selecteaza Run as administrator.
Scaneaza cu el.
Ai rabdare cu el, dureaza putin mai mult.
Posteaza logul aici.

[ http://s7.postimage.org/z2rwy800r/JRT.jpg - Pentru incarcare in pagina (embed) Click aici ]

Edited by MhG_40, 02 June 2015 - 16:44.

logul dupa fix cu farbar
dupa restartare imi detecteaza din nou acei malware

Reportul de la Adwcleaner. Am șters doar ce era la username.

01# AdwCleaner v4.206 - Logfile created 02/06/2015 at 18:49:27
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Local]
# Operating system : Microsoft Windows XP Service Pack 2 (x86)
# Username :
# Running from : C:\Documents and Settings\user\My Documents\Descărcări\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\ytd video downloader
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\ytd video downloader
Folder Deleted : C:\Program Files\ConduitEngine
Folder Deleted : C:\Program Files\file scout
Folder Deleted : C:\Program Files\GreenTree Applications
Folder Deleted : C:\Program Files\Mobogenie
Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\user\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\user\Application Data\Uniblue
Folder Deleted : C:\Documents and Settings\user\My Documents\Updater
[!] Folder Deleted : C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hgojaaaiddhmiiakpejiklijbalpckih
File Deleted : C:\Documents and Settings\All Users\Desktop\YTD Video Downloader.lnk
File Deleted : C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\sehl0d3m.default\invalidprefs.js
File Deleted : C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\sehl0d3m.default\user.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\hgojaaaiddhmiiakpejiklijbalpckih
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BrowserProtect
Key Deleted : HKLM\SOFTWARE\Classes\*\shell\filescout
Key Deleted : HKLM\SOFTWARE\Classes\AppID\AddonsFramework.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ButtonSite.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\PropertySync.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHost.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKCU\Software\5f54d78cb538ee15
Key Deleted : HKLM\SOFTWARE\5f54d78cb538ee15
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{562B9316-C08A-444A-9482-62080DD851AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\conduitEngine
Key Deleted : HKCU\Software\filescout
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\Smiley Bar for Facebook
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\conduitEngine
Key Deleted : HKLM\SOFTWARE\Uniblue
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Smiley Bar for Facebook
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v23.0.1 (ro)


-\\ Google Chrome v34.0.1847.131

[C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.babylon.com/?q={searchTerms}#########ID=116736&tt=5212_4&babsrc=SP_ss&mntrId=4b9e142d00000000000000112f211bc6
[C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - Deleted [Extension] : dbpebffoameokfhnaaedmefjncfboino
[C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - Deleted [Extension] : hgojaaaiddhmiiakpejiklijbalpckih

*************************

AdwCleaner[R0].txt - [8964 bytes] - [02/06/2015 18:37:34]
AdwCleaner[S0].txt - [7656 bytes] - [02/06/2015 18:49:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7715  bytes] ##########

 MhG_40, on 02 iunie 2015 - 16:44, said:

Ăsta nu îmi merge.
Când ajunge pe la checking startup mi se stinge calculatorul și apoi restartează.
(am încercat de două ori și la fel mi s-a stins și apoi restartat)
între timp am văzut că nu îmi mai merg butoanele ălea din stânga din meniul Start, și nici cele din All Propgrams.

Interesant, Junkware Removal Tool a mers fara probleme.
Deschide Command Prompt si scrie:

Quote

.

Mai este ceva. Nu ştiu de când a început, dar numai acum vreo câteva minute am observat.
La restartarea calculatorului, chiar pe primele pagini, în locul unde scria ceva date despre calculator,
acum îmi scrie Trend ChipAway Virus ® On Guard Ver 1.65,   restul nici nu mai apuc să văd,
după care trece repede la pagina aceea unde jos scrie Boot from CD.

Edited by Iochanan, 02 June 2015 - 19:36.

 MhG_40, on 02 iunie 2015 - 19:14, said:

Rezultatul:

Windows File Protection could not initiate a scan of protected system files.
The specific error code is 0x000006ba [The RPC server is unavailable]

Descarca si salveaza pe Desktop, Windows Repair 3.2.1.

Dezarhiveaza si ruleaza Windows Repair.
Mergi la  Start Repairs si apasa pe Start.


Verifica sa fie bifate urmatoarele:

  Reset Registry Permissions
  Reset File Permissions
  Register System Files
  Repair WMI
  Remove Policies Set By Infections
  Repair Missing Start menu Icons
  Remove Temp Files
  Repair Proxy Settings
  Unhide Non System Files
  Set Windows Services To Default
  Repair MSI (windows Installer)
  Repair File Associations

Bifeaza Restart System si apasa pe Start.

[ https://www.youtube-nocookie.com/embed/QbQ0xyGt9fs?feature=oembed - Pentru incarcare in pagina (embed) Click aici ]

Dupa restart verifica daca mai ai probleme.

La dezarhivare Avira spune că a detectat cinci malware:

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Desktop\tweaking.com_windows_repair_aio\Tweaking.com - Windows Repair\WR_Tray_Icon.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Desktop\tweaking.com_windows_repair_aio\Tweaking.com - Windows Repair\files\registry_backup_tool\files\vss_start.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Desktop\tweaking.com_windows_repair_aio\Tweaking.com - Windows Repair\files\Tweaking_CleanMem.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Desktop\tweaking.com_windows_repair_aio\Tweaking.com - Windows Repair\files\tweaking_ras.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Desktop\tweaking.com_windows_repair_aio\Tweaking.com - Windows Repair\files\tweaking_rati.exe.
Action performed: Deny access

Windows Repair spune că fără acele fișiere nu poate rula.

Opreste Avira AntiVir Personal(a obosit, saracul).

 Avira AntiVir Personal.png   6.43K   7 downloads

Foloseste Windows Repair, n-are virusi.

http://forum.softped.../#entry17294352

Când dau să deschid aplicaţia (Repair_Windows.exe), mi se restartează calculatorul.

Oricum, MULŢUMESC pentru ajutorul acordat. Nu mai am probleme cu acel malware 'TR/Crypt.XPACK.Gen3 [trojan]'.
Cel puţin Avira nu îmi mai semnalează nimic.
Însă am alte probleme dintre care pe unele deja vi le-am semnalat, plus altele:
nu îmi mai merg funcţiile copy to / move to folder;
nu mai pot muta fişiere în alte directoare sau alte partiţii;
nu mai pot copia / muta fişiere pe USB, nici nu îmi mai vede USB-ul în Explorer, însă pot accesa anumite documente prin programe;
microprocesorul mi se pare foarte solicitat.

Dacă se poate, să îmi daţi soluţii pentru rezolvarea celor din urmă probleme.

În ultimul rând, aş vrea să vă întreb dacă consideraţi că ar fi putut cineva să îmi fure date personale prin intermediul acelui troian, cât timp îmi detecta Avira Troianul? (vinerea trecută mi l-a detectat pentru prima oară)

Buna, am fost ocupat si n-am avut timp sa-ti raspund.
Scaneaza, te rog, din nou cu Farbar Recovery Scan Tool

Bifeaza ca in imagine.

[ http://s21.postimg.org/ut5ddgb0n/frst.jpg - Pentru incarcare in pagina (embed) Click aici ]

Ataseaza FRST.txt, Addition.txt si Shortcut.txt in urmatorul raspuns.

Instaleaza Internet Explorer 7.
http://www.softpedia...xplorer-7.shtml

https://support.micr...en-us/kb/555839

Edited by MhG_40, 08 June 2015 - 17:29.