Virus Took Over the C and D Drives


sercansolmaz80

Hello. I have the following problem:
On my computer, new folders have been created under the name "screen saver" and the old folders have been hidden. I can't access any application, and the virus has taken over both the C drive and the D drive (if it is a virus, that is). I scanned with ComboFix and got the following:

Code:
ComboFix 15-12-24.01 - SERCAN 27.12.2015  11:23:14.1.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.2046.1227 [GMT 2:00]
Running from: c:\users\SERCAN\Downloads\Programs\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
C:\mpstk.exe
c:\program files (x86)\sXe Injected
c:\program files (x86)\sXe Injected\ddsxei.sys
c:\program files (x86)\sXe Injected\sXe-I EULA.txt
c:\program files (x86)\sXe Injected\sXe Injected.exe
c:\program files (x86)\sXe Injected\sXe Injected.txt
c:\program files (x86)\sXe Injected\sXe.dll
c:\program files (x86)\sXe Injected\uninstall.exe
c:\program files (x86)\sXe Injected\uninstall.ini
c:\windows\ippicd.log
c:\windows\lvrgqy.log
c:\windows\SysWow64\autoexec.bat
D:\Autorun.inf
J:\autorun.inf
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_pcCMService
.
.
(((((((((((((((((((((((((   Files Created from 2015-11-27 to 2015-12-27  )))))))))))))))))))))))))))))))
.
.
2015-12-27 08:59 . 2015-12-27 08:59  426  ----a-w-  c:\program files (x86)\Autoexec.bat
2015-12-26 14:17 . 2015-12-26 14:17  --------  d-----w-  c:\programdata\McAfee Security Scan
2015-12-26 14:17 . 2015-12-26 14:17  --------  d--h--w-  c:\program files (x86)\McAfee Security Scan
2015-12-26 14:17 . 2015-12-26 14:17  796864  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
2015-12-26 14:17 . 2015-12-26 14:17  142528  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-12-26 14:17 . 2015-12-26 14:17  --------  d-----w-  c:\windows\SysWow64\Macromed
2015-12-26 14:17 . 2015-12-26 14:17  --------  d-----w-  c:\windows\system32\Macromed
2015-12-26 13:30 . 2015-12-26 13:30  --------  d-----w-  c:\program files\CPUID
2015-12-26 11:48 . 2015-12-27 09:30  --------  d-----w-  c:\users\SERCAN\AppData\Local\CrashDumps
2015-12-25 17:08 . 2015-12-25 17:08  --------  d-----w-  c:\program files\ParkControl
2015-12-25 16:01 . 2015-12-25 16:01  --------  d-----w-  c:\users\SERCAN\AppData\Local\Chromium
2015-12-24 15:26 . 2015-12-24 15:26  --------  d-----w-  C:\NPE
2015-12-24 15:24 . 2015-12-24 16:11  --------  d-----w-  c:\users\SERCAN\AppData\Local\NPE
2015-12-24 15:24 . 2015-12-24 15:24  --------  d-----w-  c:\programdata\Norton
2015-12-13 13:52 . 2015-12-24 16:40  --------  d-----w-  c:\program files\ESET
2015-12-13 13:35 . 2015-12-13 13:36  --------  d-----w-  c:\program files\stinger
2015-12-13 13:31 . 2015-12-14 13:17  --------  d-----w-  c:\program files\Common Files\McAfee
2015-12-13 13:31 . 2015-12-13 13:32  --------  d-----w-  c:\programdata\McAfee
2015-12-10 16:09 . 2015-12-24 16:40  --------  d--h--w-  c:\program files (x86)\Activision
2015-12-10 15:45 . 2015-12-10 15:45  --------  d-sh--w-  c:\windows\ftpcache
2015-12-06 07:08 . 2006-03-17 12:49  368640  ----a-w-  c:\windows\SysWow64\TwnLib4.dll
2015-12-06 07:08 . 2006-03-17 09:45  802816  ----a-w-  c:\windows\SysWow64\imagXRA7.dll
2015-12-06 07:08 . 2006-03-17 09:45  497296  ----a-w-  c:\windows\SysWow64\imagXpr7.dll
2015-12-06 07:08 . 2006-03-17 09:45  258048  ----a-w-  c:\windows\SysWow64\imagXR7.dll
2015-12-06 07:08 . 2006-03-17 09:45  1757184  ----a-w-  c:\windows\SysWow64\imagX7.dll
2015-12-06 07:08 . 2015-12-06 07:21  --------  d--h--w-  c:\program files (x86)\Nero
2015-12-06 07:08 . 2015-12-06 07:08  --------  d-----w-  c:\programdata\Nero
2015-12-06 07:08 . 2015-12-06 07:08  --------  d-----w-  c:\program files (x86)\Common Files\Nero
2015-12-06 07:02 . 2015-12-06 07:19  --------  d-----w-  c:\users\SERCAN\AppData\Roaming\Nero
2015-12-03 14:17 . 2015-12-03 14:17  --------  d-----w-  c:\users\SERCAN\AppData\Roaming\ATI
2015-12-03 14:17 . 2015-12-03 14:17  --------  d-----w-  c:\users\SERCAN\AppData\Local\ATI
2015-12-03 14:17 . 2015-12-03 14:17  --------  d-----w-  c:\programdata\ATI
2015-12-03 14:16 . 2015-12-03 14:16  --------  d-----w-  c:\programdata\AMD
2015-12-03 14:16 . 2015-12-03 14:16  --------  d--h--w-  c:\program files (x86)\AMD AVT
2015-12-03 14:16 . 2015-12-03 14:16  --------  d--h--w-  c:\program files (x86)\AMD APP
2015-12-03 14:16 . 2015-12-03 14:16  --------  d-----w-  c:\program files\Common Files\ATI Technologies
2015-12-03 14:14 . 2015-12-03 14:16  --------  d-----w-  c:\program files\ATI Technologies
2015-12-03 14:14 . 2015-12-03 14:14  --------  d-----w-  c:\program files\ATI
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-12-02 16:04 . 2015-10-13 16:41  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2015-11-19 13:02 . 2015-10-18 14:41  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2015-10-13 16:41 . 2015-10-13 16:41  524624  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\ZyXEL .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Wolfteam .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows Sidebar .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows Portable Devices .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows Photo Viewer .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows NT .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows Media Player .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows Mail .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Windows Defender .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\VstPlugins .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\VirtualDJ .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\valve .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Uninstall Information .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\TTNET .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\sXe Injected .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Steam .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Serato .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Reference Assemblies .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\QuickTime .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Nero .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Native Instruments .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\MSBuild .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\MixMeister BPM Analyzer .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Microsoft.NET .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Microsoft Works .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Microsoft Visual Studio 8 .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Microsoft Visual Studio .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Microsoft Silverlight .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Microsoft Office .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\McAfee Security Scan .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Internet Explorer .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Internet Download Manager .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\InstallShield Installation Information .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Image-Line .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Google .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Freemake .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\DSPRobotics .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Common Files .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\ATI Technologies .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\ASIO4ALL v2 .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Apple Software Update .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\AMD AVT .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\AMD APP .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Adobe .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Activision .scr
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2015-08-28 3972688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
.
c:\users\SERCAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Online.com [2012-9-20 106496]
Adobe update.com [2012-9-20 106496]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.11.266\SSScheduler.exe [2015-12-2 277920]
TTNET Akıllı Çubuk.lnk - c:\program files (x86)\TTNET\TTNET Akilli Çubuk\TTNET Akilli Cubuk.exe [2013-3-14 540288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 ATICDSDr;ATICDSDr;c:\users\SERCAN\AppData\Local\Temp\ATICDSDr.sys;c:\users\SERCAN\AppData\Local\Temp\ATICDSDr.sys [x]
R3 Disc Soft Lite Bus Service;Disc Soft Lite Bus Service;c:\program files\DAEMON Tools Lite\DiscSoftBusService.exe;c:\program files\DAEMON Tools Lite\DiscSoftBusService.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.11.266\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\3.11.266\McCHSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys;c:\windows\xhunter1.sys [x]
R3 xspirit;xspirit;c:\windows\xspirit.sys;c:\windows\xspirit.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys;c:\windows\SYSNATIVE\DRIVERS\idmwfp.sys [x]
S2 pcCMService64;pcCMService64;c:\program files\Common Files\Motive\pcCMService.exe;c:\program files\Common Files\Motive\pcCMService.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 dtlitescsibus;DAEMON Tools Lite Virtual SCSI Bus;c:\windows\system32\DRIVERS\dtlitescsibus.sys;c:\windows\SYSNATIVE\DRIVERS\dtlitescsibus.sys [x]
S3 RTL8167;Realtek 8167 NT Sürücüsü;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-12-25 16:03  1073992  ----a-w-  c:\program files (x86)\Google\Chrome\Application\47.0.2526.106\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-12-25 16:03]
.
2015-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-12-25 16:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\   IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2015-08-14 10:52  25624  ----a-w-  c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: IDM ile indir - c:\program files (x86)\Internet Download Manager\IEExt.htm
IE: Microsoft Excel'e &Ver - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Tüm bağlantıları IDM ile indir - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
TCP: DhcpNameServer = 195.175.39.39 195.175.39.40
.
.
------- File Associations -------
.
scrfile=%1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-ZyXEL MAP v2 - (no file)
AddRemove-FL Studio 11 - c:\program files (x86)\Image-Line\FL Studio 11\uninstall.exe
AddRemove-Raptr - c:\program files (x86)\Raptr\uninstall.exe
AddRemove-reFX Nexus_is1 - c:\users\SERCAN\Desktop\Uninstall Nexus\unins000.exe
AddRemove-sXe Injected - c:\program files (x86)\sXe Injected\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1462065909-3546365151-270312791-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):60,af,2c,3f,0e,5d,72,b8,91,95,d6,e5,2d,01,7d,be,5d,5b,94,e1,85,
   4b,78,40,d8,66,8d,26,5a,70,61,33,51,9c,75,08,11,72,60,8a,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1462065909-3546365151-270312791-1000_Classes\Wow6432Node\CLSID\{83d05fbe-6dd0-4e54-a5d8-88c75900b6e3}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000014e
"Therad"=dword:0000000f
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\users\SERCAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Online.com
c:\users\SERCAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe update.com
.
**************************************************************************
.
Completion time: 2015-12-27  11:34:10 - machine was rebooted
ComboFix-quarantined-files.txt  2015-12-27 09:34
.
Pre-Run: 72.345.489.408 bytes free
Post-Run: 73.126.408.192 bytes free
.
- - End Of File - - D22A74245C5BEF8D438F07A6F125CB70
A36C5E4F47E84449FF07ED3517B43A31
I don't understand what happened; I'd be glad if you could help.
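Read as a whole, the log above shows one pattern rather than a pile of unrelated entries: an autorun.inf at the root of C:, D: and J: (all removed by ComboFix); one read-only 106496-byte `.scr` file per folder under Program Files, each named after the folder beside it with a space before the extension (`Steam .scr`, `Nero .scr`, ...); two `.com` files of the same 106496 bytes in the user's Startup folder that were still running during the scan; UAC switched off (`EnableLUA = 0`); every Security Center notification and override flag set; and a non-default `.scr` file association. The script below is an added example written for this page, not something the poster ran and not a ComboFix feature: it parses those ComboFix sections and reports exactly those indicators. The sample text is constructed by condensing lines from the log in the post (the paths are the poster's), and the regular expressions assume ComboFix's whitespace-separated columns (created . modified, size, attributes, path).

```python
import re

# Constructed sample: lines condensed from the ComboFix log in the post
# (Other Deletions, Find3M, Startup folder, policies\system, security
# center and File Associations sections). Paths are the poster's own.
SAMPLE_LOG = r"""
C:\autorun.inf
D:\Autorun.inf
J:\autorun.inf
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Steam .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Nero .scr
2012-09-20 19:10 . 2010-07-25 04:55  106496  ------r-  c:\program files (x86)\Adobe .scr
2015-12-06 07:08 . 2006-03-17 12:49  368640  ----a-w-  c:\windows\SysWow64\TwnLib4.dll
Adobe Online.com [2012-9-20 106496]
Adobe update.com [2012-9-20 106496]
"EnableLUA"= 0 (0x0)
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
scrfile=%1
"""

# ComboFix file line: "<created> . <modified>  <size|-------->  <attrs>  <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(\d+|-{8})\s+([-a-z]{8})\s+(.+?)\s*$")
# autorun.inf sitting at the root of a drive
AUTORUN_RE = re.compile(r"^([A-Za-z]):\\autorun\.inf\s*$", re.IGNORECASE)
# Startup-folder entry as ComboFix prints it: "<name> [<date> <size>]"
STARTUP_COM_RE = re.compile(r"^(.+\.com) \[\d{4}-\d{1,2}-\d{1,2} (\d+)\]\s*$")
# UAC off, or a Security Center notification/override flag set to 1
WEAK_RE = re.compile(
    r'^"(EnableLUA)"\s*=\s*0\b|^"(\w*(?:DisableNotify|Override))"=dword:00000001')


def parse_file_entries(text):
    """Return [(size_or_None, attrs, path)] for every dated file/dir line."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m.group(1).startswith("-") else int(m.group(1))
            out.append((size, m.group(2), m.group(3)))
    return out


def shadow_screensavers(entries):
    """Group '<FolderName> .scr' files (a folder name, a space, '.scr', i.e.
    a file posing as the folder it sits beside) by size. Many such files
    sharing one exact size is what a single dropper copied once per
    directory looks like."""
    groups = {}
    for size, _attrs, path in entries:
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(" .scr"):
            groups.setdefault(size, []).append(path)
    return {s: sorted(p) for s, p in groups.items()}


def autorun_drives(text):
    """Drive letters that carried a root autorun.inf."""
    return sorted({m.group(1).upper() for line in text.splitlines()
                   if (m := AUTORUN_RE.match(line.strip()))})


def startup_com_files(text):
    """'.com' entries in a Startup folder with the size ComboFix recorded."""
    return [(m.group(1), int(m.group(2))) for line in text.splitlines()
            if (m := STARTUP_COM_RE.match(line.strip()))]


def weakened_defenses(text):
    """Registry values in the log that switch off UAC or silence Security Center."""
    names = []
    for line in text.splitlines():
        m = WEAK_RE.match(line.strip())
        if m:
            names.append(m.group(1) or m.group(2))
    return names


def triage(text):
    entries = parse_file_entries(text)
    shadow = shadow_screensavers(entries)
    startup = startup_com_files(text)
    return {
        "autorun_drives": autorun_drives(text),
        "shadow_scr": shadow,
        "startup_com": startup,
        # identical byte size in Startup and in the folder-named .scr files
        # is the strongest hint that they are copies of one binary
        "size_match": any(size in shadow for _name, size in startup),
        "weakened": weakened_defenses(text),
        # ComboFix lists a file association only when it is not the default
        "scr_assoc_nondefault": any(l.strip() == "scrfile=%1" for l in text.splitlines()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real case, read the saved ComboFix.txt and pass its contents to `triage()`. The `size_match` flag is the one worth acting on first: when the Startup `.com` files and the folder-named `.scr` files are all the same size, one of them is the sample to hash and submit to a scanner, and the hidden original folders are the ones that need their hidden/system attributes cleared once the running copies are stopped.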
 
Did your anti-malware software give a warning? Do you have an address, a name, anything?
 