TR/Crypt.ULPM.Gen Trojan

[fu-swat]

Dobry den, surne by som potreboval pomoct s odstranenim viru
"TR/Crypt.ULPM.Gen Trojan"

Detekovala mi ho Avira, prejavuje sa to napr. pri vlozeni USB, vytvori sa na USBcku dalsi odkaz na USB s odkazom
"C:\Windows\system32\rundll32.exe ~$WAR.FAT,crys desktop.ini.ini hobleofp islvogje " "

Ak by niekto vedel pomoct, budem velmi vdacny. Avast, NOD32 si ani nepipli, posledne updatey.

Virus ako keby neustale odstranim, ale opat sa na USB nahra aj po formatovani, virus je vsak v PC, ktory ho tam neustale hadze, niekde asi v systeme, registroch - neviem.

Prostrednictvom hladania som postup pri rieseni problemu nenasiel, ak by nieco take bolo, budem rad, ak poskytnete odkaz.

Za cenne rady a tipy dakujem velmi pekne.

[JaRon]

ahoj,
na zaciatok pouzi USBFix http://forum.viry.cz/viewtopic.php?f=24&t=102308

[fu-swat]

no neviem, lebo ak to USB naformatujem a dam do ineho PC, virus tam uz podla vsetkeho nie je a nic neobvykleho sa nedeje

ak ho vsak naformatujem, vyberiem a zasuniet spat do PC, virus sa tam opat nahra cez PC, takze chyba asi nebude v USB ale v PC, takze v prvom rade z PC potrebujem ten virus odstranit definitivne, aj ked to bude zaujimave, kedze tie antivirusy su neviem na co robene, ked to nic nenajde

ale skusim aj ten tvoj link, dik


Program som pouzil, nasledne ... log:

################## | Files # Infected Folders |

Found ! G:\Removable Disk (4GB).lnk
Found ! C:\Users\pc\AppData\Local\Temp\ubi9FCF.tmp.exe
Found ! C:\Users\pc\AppData\Local\Temp\ubiC357.tmp.exe
Found ! C:\Users\pc\AppData\Local\Temp\utt3DF4.tmp.exe
Found ! G:\autorun.inf

################## | Registry |


################## | Mountpoints2 |

HKCU\.\.\.\.\Explorer\MountPoints2\{7e04259d-a053-11e1-9a01-806e6f6e6963}
Shell\AutoRun\Command = D:\CheckID.exe

################## | Vaccin |

(!) This computer is not vaccinated!

################## | E.O.F | http://sosvirus.org |

Ked som USB formatol, nasledne spravil to iste, zas sa ten vir nahral na USB, toto potrebujem odstranit uplne ten vir a to nahravanie na USB je len sposob jeho sirenia, teda aspon ja to tak citam.

[JaRon]

len klidek
nastrkaj kluce do PC a spust USBFix - volba deletion

[fu-swat]

len klidek
nastrkaj kluce do PC a spust USBFix - volba deletion

presne to som spravil, ale ten virus je v PC, lebo ak to USB aj bezne naformatovane dam do ineho PC, tak tam nic nenahra a tu to robi neustale dokola.

[JaRon]

tak tomu sa mi nechce verit - po zmazani, by tam nemalo byt nic
ak si si isty, ze si pouzil volbu deletion prip. aj restartol PC a stale je to tam, tak vloz log RSIT - zmazeme to inac

[fu-swat]

Ja som rad za kazdy tip a radu, len sme sa asi nepochopili.

Ja nemam problem to USB vycistit a virus dat prec aj klasickym formatom, totizto ten virus sa na USB nahrava vzdy pri jeho opatovnom zasunuti do PC, ktore je infiltrovane. Ak ho formatnem a zasuniem do NB tak to USB je uplne OK, tam virus nie je, lebo ho nema co nan nahrat. Preto vravim, ze potrebujem v prvom rade odstranit ten virus z PC registorov/systemu alebo kdekolvek moze byt.

[JaRon]

clovece s Tebou je to tazke obaja piseme slovensky, ALE ,,,,
vsak ja nikde nespochybnujem, ze mas zavireny pocitac a nie kluc
silne pochybujem, ze si spustil volbu deletion a nevlozil si ani log RSIT
tak bud postupuj podla pokynov, alebo sa na to vyprdnime

[fu-swat]

OK, idem na to

[fu-swat]

Volba DELETION:

############################## | UsbFix V 7.118 | [Deletion]

User: pc (Administrator) # VALACH
Updated 24/03/2013 by El Desaparecido
Started at 13:00:50 | 26/03/2013

Website: http://sosvirus.org/
Upload Malware: http://upload.sosvirus.org/
Contact: contact@sosvirus.org

PC: Gigabyte Technology Co., Ltd. (To be filled by O.E.M.) (x64-based PC)
CPU: Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz (3701)
RAM -> [Total : 8138 | Free : 5208]
BIOS: BIOS Date: 02/15/12 18:07:41 Ver: 04.06.05
BOOT: Normal boot

OS: Microsoft Windows 7 Ultimate (6.1.7601 64-Bit) # Service Pack 1
WB: Windows Internet Explorer 9.0.8112.16421

SC: Security Center Service [Enabled]
WU: Windows Update Service [Enabled]
AV: Emsisoft Anti-Malware [(!) Disabled | Updated]
FW: Windows FireWall Service [Enabled]

C:\ (%systemdrive%) -> Fixed drive # 931 Gb (281 Mb free - 30%) [WD Caviar Black 1 TB] # NTFS
D:\ -> CD-ROM
E:\ -> CD-ROM
G:\ -> Removable drive # 4 Gb (4 Mb free - 100%) [] # FAT32

################## | El Desaparecido Section |

HKLM\SOFTWARE | Run : [IMSS] - "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
HKLM\SOFTWARE | Run : [USB3MON] - "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
HKLM\SOFTWARE | Run : [StartCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
HKLM\SOFTWARE | Run : [STCAgent] - "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"
HKLM\SOFTWARE | Run : [ZyngaGamesAgent] - "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"
HKLM\SOFTWARE | Run : [emsisoft anti-malware] - "C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe" /d=60
HKLM\SOFTWARE\wow6432Node | Run : [IMSS] - "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
HKLM\SOFTWARE\wow6432Node | Run : [USB3MON] - "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
HKLM\SOFTWARE\wow6432Node | Run : [StartCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
HKLM\SOFTWARE\wow6432Node | Run : [STCAgent] - "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"
HKLM\SOFTWARE\wow6432Node | Run : [ZyngaGamesAgent] - "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"
HKLM\SOFTWARE\wow6432Node | Run : [emsisoft anti-malware] - "C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe" /d=60
HKLM\SOFTWARE | RunOnce : [] -
HKLM\SOFTWARE\wow6432Node | RunOnce : [] -
HKU\S-1-5-19\SOFTWARE | Run : [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\SOFTWARE | Run : [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-774546196-2300074726-1560002794-1000\SOFTWARE | Run : [Sidebar] - C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKU\S-1-5-21-774546196-2300074726-1560002794-1000\SOFTWARE | Run : [IDMan] - C:\Users\pc\Desktop\MIX\Internet Download Manager v6.11 Build 5-li0nh3art\crack\IDMan.exe /onboot
HKU\S-1-5-21-774546196-2300074726-1560002794-1000\SOFTWARE | Run : [Skype] - "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
HKU\S-1-5-21-774546196-2300074726-1560002794-1000\SOFTWARE | Run : [HydraVisionDesktopManager] - "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
HKU\S-1-5-19\SOFTWARE | RunOnce : [mctadmin] - C:\Windows\System32\mctadmin.exe
HKU\S-1-5-20\SOFTWARE | RunOnce : [mctadmin] - C:\Windows\System32\mctadmin.exe

################## | Stopped processes |

Stopped! C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe (948)
Stopped! C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (976)
Stopped! c:\Program Files\Microsoft Security Client\MsMpEng.exe (1168)
Stopped! C:\Windows\system32\atiesrxx.exe (1276)
Stopped! C:\Windows\system32\atieclxx.exe (1544)
Stopped! C:\Windows\system32\taskeng.exe (1440)
Stopped! C:\Windows\system32\taskhost.exe (1824)
Stopped! C:\Windows\System32\spoolsv.exe (1920)
Stopped! C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe (2328)
Stopped! C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (2364)
Stopped! C:\Program Files\Intel\iCLS Client\HeciServer.exe (2500)
Stopped! C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (2544)
Stopped! C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe (2676)
Stopped! C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe (2748)
Stopped! c:\Program Files\Microsoft Security Client\NisSrv.exe (2432)
Stopped! C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (3264)
Stopped! C:\Program Files\Microsoft Security Client\msseces.exe (3272)
Stopped! C:\Program Files\Windows Sidebar\sidebar.exe (3300)
Stopped! C:\Users\pc\Desktop\MIX\Internet Download Manager v6.11 Build 5-li0nh3art\crack\IDMan.exe (3396)
Stopped! C:\Program Files (x86)\Skype\Phone\Skype.exe (3476)
Stopped! C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe (3488)
Stopped! C:\Windows\System32\WUDFHost.exe (3560)
Stopped! C:\Windows\system32\SearchIndexer.exe (3580)
Stopped! C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (3752)
Stopped! C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (3760)
Stopped! C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe (3796)
Stopped! C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe (4076)
Stopped! C:\Program Files\Windows Media Player\wmpnetwk.exe (4700)
Stopped! C:\Program Files (x86)\Internet Explorer\IELowutil.exe (4680)
Stopped! C:\Program Files (x86)\Mozilla Firefox\firefox.exe (3516)
Stopped! C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (3908)
Stopped! C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe (2540)
Stopped! C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (4904)
Stopped! C:\Windows\system32\sppsvc.exe (4940)
Stopped! C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe (2724)
Stopped! C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe (4892)
Stopped! C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (1608)
Stopped! C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe (3632)
Stopped! C:\Windows\servicing\TrustedInstaller.exe (3728)
Stopped! C:\Windows\system32\taskhost.exe (4380)
Stopped! C:\Windows\system32\SearchProtocolHost.exe (3856)

################## | Files # Infected Folders |

Deleted ! G:\Removable Disk (4GB).lnk
Deleted ! G:\autorun.inf

(!) Temporary files deleted.

################## | Registry |


################## | Mountpoints2 |


################## | Listing |

[17/05/2012 - 20:42:27 | SHD ] C:\$Recycle.Bin
[26/03/2013 - 10:40:56 | RASHD ] C:\Autorun.inf
[25/03/2013 - 23:00:11 | D ] C:\Config.Msi
[05/11/2012 - 01:04:04 | D ] C:\Counter-Strike 1.6
[14/07/2009 - 06:08:56 | SHD ] C:\Documents and Settings
[01/03/2013 - 01:37:05 | D ] C:\fe97a3fd6027ba430357f7bc3390d1
[26/03/2013 - 12:56:00 | ASH | 6400323584] C:\hiberfil.sys
[17/05/2012 - 21:30:17 | D ] C:\Intel
[19/05/2012 - 00:52:43 | RHD ] C:\MSOCache
[26/03/2013 - 12:56:03 | ASH | 8533766144] C:\pagefile.sys
[14/07/2009 - 04:20:08 | D ] C:\PerfLogs
[26/03/2013 - 00:24:21 | D ] C:\Program Files
[26/03/2013 - 00:43:42 | D ] C:\Program Files (x86)
[26/03/2013 - 00:26:56 | HD ] C:\ProgramData
[17/05/2012 - 20:42:16 | SHD ] C:\Recovery
[26/03/2013 - 10:03:08 | SHD ] C:\System Volume Information
[25/03/2013 - 18:14:00 | D ] C:\Temp
[25/11/2012 - 20:43:40 | D ] C:\uninstall
[26/03/2013 - 13:02:55 | D ] C:\UsbFix
[26/03/2013 - 10:41:38 | N | 8797] C:\UsbFix [Clean 1] VALACH.txt
[26/03/2013 - 13:03:01 | A | 7997] C:\UsbFix [Clean 2] VALACH.txt
[26/03/2013 - 10:35:52 | N | 8112] C:\UsbFix [Scan 1] VALACH.txt
[17/05/2012 - 20:42:20 | D ] C:\Users
[19/05/2012 - 00:56:16 | D ] C:\VLAO
[25/03/2013 - 23:19:47 | D ] C:\Windows
[30/05/2012 - 21:16:44 | D ] C:\ZALOHA-184GB
[26/03/2013 - 11:18:20 | D ] G:\ 
[26/03/2013 - 11:18:22 | N | 2517] G:\~$WDNCFZK.FAT
[26/03/2013 - 11:18:22 | RASH | 3274] G:\desktop.ini
[26/03/2013 - 11:18:22 | RASH | 2517] G:\Thumbs.db

################## | Vaccin |

C:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
G:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)

################## | E.O.F | http://sosvirus.org |

Obsah USB aktualne po vykonani operacie:

[JaRon]

OK - subory na USB-kluci ZMAZ - a PONECHAJ iba adresar Autorun.inf (ten nemaz, ani kluc neformatuj)
malo by to byt v poriadku - ak nie vloz log RSIT

[fu-swat]

OK - subory na USB-kluci ZMAZ - a PONECHAJ iba adresar Autorun.inf (ten nemaz, ani kluc neformatuj)
malo by to byt v poriadku - ak nie vloz log RSIT

Spravil som ako si povedal, po pripojeni opatovnom USB tam ostava len ten subor, takze vsetko je OK - nenahrava sa virus opat na USB.

Este sa chcem spytat - ten virus aj tak ostal v PC, nie? Tam mi nevies poradit ako postupovat, aby bol PC definitivne cisty?

PS: napojil som dalsie USB, ktore bolo ciste a nerobil som na nom ziadne operacie s tym programom a aj to USB je ciste a nic sa nan nenahralo.

[JaRon]

v prvom vypise bolo 5 infikovanych suborov a jeden kluc registra ,,, myslim, ze teraz to tam uz nie je ,,,
pocitac aj kluc boli vakcinovane, takze opatovna infiltracia podobnym smejdom je nepravdepodobna

[fu-swat]

v prvom vypise bolo 5 infikovanych suborov a jeden kluc registra ,,, myslim, ze teraz to tam uz nie je ,,,
pocitac aj kluc boli vakcinovane, takze opatovna infiltracia podobnym smejdom je nepravdepodobna

Myslim, ze mas pravdu, po prvykrat mi nameralo normalne hodnoty rychlosti internetu, pred tym mi blbol download aj upload, zrejme kvoli tomu virusu.

Dakujem velmi pekne za radu a za pomoc.

[JaRon]

rado sa stalo
ak by si mal niekedy podozrenie, zastav sa na preventivku
LOCK