Viruses in RAM. Ads in browsers.

Chelyabinsk Region

Author: Dmitriy Altuhov


We are seeing yet another epidemic of adware.
Ads appear in browsers (Firefox, Chrome, Amigo) in the page margins and in pop-up windows, the top-right corner of the page "folds over", and the advertising is intrusive.

Antivirus products find nothing when they scan RAM.

To clean up, download Malwarebytes Anti-Malware Free and run a full scan with it.


c:\windows\system32\hfnapi.dll — Trojan-Downloader.Win32.Agent.heqj
c:\windows\system32\nethtsrv.exe — HEUR:Trojan.Win32.Generic ( AVAST4: Win32:Downloader-VLT [Trj] )
c:\windows\system32\netupdsrv.exe — HEUR:Trojan.Win32.Generic
c:\windows\syswow64\hfnapi.dll — Trojan-Downloader.Win32.Agent.heqj
c:\windows\syswow64\nethtsrv.exe — HEUR:Trojan.Win32.Generic ( AVAST4: Win32:Downloader-VLT [Trj] )
c:\windows\syswow64\netupdsrv.exe — HEUR:Trojan.Win32.Generic


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 07.07.2014
Scan Time: 13:50:37
Logfile: мбам.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.07.01
Rootkit Database: v2014.07.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: User 6

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 293235
Time Elapsed: 10 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Amonetize, C:\Windows\SysWOW64\netupdsrv.exe, 2236, Delete-on-Reboot, [0da0ecb0552613232b0f326148b91ee2]

Modules: 0
(No malicious items detected)

Registry Keys: 18
PUP.Optional.Amonetize, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ServiceUpdater, Quarantined, [0da0ecb0552613232b0f326148b91ee2],
PUP.Optional.NetFilter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\nethfdrv, Quarantined, [4568e3b9700b3afcc3a5029108f9768a],
PUP.Optional.Amonetize, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NetHttpService, Quarantined, [99148418b4c791a5d1687a192dd43ec2],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\AmiBs.Installer.1, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\AmiBs.Installer, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\AmiBs.Installer, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\AmiBs.Installer.1, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.ToolBar.WA, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{61EB20A4-D4D5-4276-A2C9-DCCE8CE9F633}, Quarantined, [8825b5e7f18a082e95c7b8cb39c9f30d],
PUP.Optional.Amonetize, HKLM\SOFTWARE\CLASSES\TYPELIB\{363BB65D-1747-4826-B445-1DA6244E2037}, Quarantined, [57564b516318d95d26866015b9486e92],
PUP.Optional.Amonetize, HKLM\SOFTWARE\CLASSES\INTERFACE\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}, Quarantined, [57564b516318d95d26866015b9486e92],
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}, Quarantined, [57564b516318d95d26866015b9486e92],
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{363BB65D-1747-4826-B445-1DA6244E2037}, Quarantined, [57564b516318d95d26866015b9486e92],
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}, Quarantined, [57564b516318d95d26866015b9486e92],
PUP.Optional.SProtector.A, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SProtector, Quarantined, [d6d7495382f9c07666b852a041c225db],
PUP.Optional.ToolBar.WA, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Webalta Toolbar, Quarantined, [426b623a176477bf6028bf0419ea07f9],

Registry Values: 3
PUP.Optional.NextLive.A, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|NextLive, C:\Windows\SysWOW64\rundll32.exe "C:\Users\User 6\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l, Quarantined, [9b12138984f781b535b689d130d1748c]
PUP.Optional.NetworkUpdate.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETHTTPSERVICE|ImagePath, C:\Windows\SysWOW64\nethtsrv.exe, Quarantined, [6845643869129d9946a4d33bb74d29d7]
PUP.Optional.NetworkUpdate.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SERVICEUPDATER|ImagePath, C:\Windows\SysWOW64\netupdsrv.exe, Quarantined, [3d70f9a353282511e308cc42f014a858]

Registry Data: 4
Hijack.SearchPage, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://webalta.ru/search, Good: (http://www.Google.com/), Bad: (http://webalta.ru/search),Replaced,[2a83c3d98af1300637acb0e39a6a14ec]
Hijack.Homepage, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Default_Search_URL, http://webalta.ru/search, Good: (http://www.Google.com), Bad: (http://webalta.ru/search),Replaced,[703dd5c7314abf77ecabf599758f9b65]
Hijack.Search, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Bar, http://webalta.ru/search, Good: (http://www.google.com/), Bad: (http://webalta.ru/search),Replaced,[129b6c305229c4729206464859abb34d]
Hijack.SearchPage, HKU\S-1-5-21-1951362265-2224098149-2723742845-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|SearchAssistant, http://webalta.ru/search, Good: (http://www.Google.com/), Bad: (http://webalta.ru/search),Replaced,[2a838814f48711250e8b2668fa0a7987]

Folders: 4
PUP.Optional.CinemaLoad.A, C:\Users\User 6\AppData\Roaming\cload, Quarantined, [a5080a9272091d19ddc35c64fb07b44c],
PUP.Optional.ToolBar.WA, C:\Users\User 6\AppData\Local\Webalta Toolbar, Quarantined, [505df0ac0b70b0861385455338cad22e],
PUP.Optional.NextLive.A, C:\Users\User 6\AppData\Roaming\newnext.me, Delete-on-Reboot, [8528e2badc9f0a2c4afaafecd32f7e82],
PUP.Optional.NextLive.A, C:\Users\User 6\AppData\Roaming\newnext.me\cache, Quarantined, [8528e2badc9f0a2c4afaafecd32f7e82],

Files: 39
PUP.Optional.Amonetize, C:\Windows\SysWOW64\netupdsrv.exe, Delete-on-Reboot, [0da0ecb0552613232b0f326148b91ee2],
PUP.Optional.NextLive.A, C:\Users\User 6\AppData\Roaming\newnext.me\nengine.dll, Quarantined, [9b12138984f781b535b689d130d1748c],
PUP.Optional.NetFilter, C:\Windows\System32\drivers\nethfdrv.sys, Quarantined, [4568e3b9700b3afcc3a5029108f9768a],
PUP.Optional.Amonetize, C:\Windows\SysWOW64\nethtsrv.exe, Quarantined, [99148418b4c791a5d1687a192dd43ec2],
PUP.Optional.Amonetize.A, C:\Users\User 6\AppData\Local\Temp\Launcher_i386823284.exe, Quarantined, [3776415beb9040f6dad3f65d41c18a76],
PUP.Optional.Amonetize.A, C:\Users\User 6\AppData\Local\Temp\awh69C1.tmp, Quarantined, [e2cb0a920774dd59f2c6cb6e32ce4fb1],
PUP.Optional.Webalta, C:\Users\User 6\AppData\Local\Temp\18__.exe, Quarantined, [f8b5326af98254e23d50930aaa57758b],
PUP.Optional.CinemaLoad.A, C:\Users\User 6\AppData\Local\Temp\18___1.exe, Quarantined, [0aa37d1fd6a540f6c6ca245ebe4320e0],
PUP.Optional.Amonetize, C:\Users\User 6\AppData\Local\Temp\drvinstal.exe, Quarantined, [05a86e2ec9b2cd6964d5f49f53aef10f],
PUP.Optional.Rambler.A, C:\Users\User 6\AppData\Local\Temp\RUpdate.exe, Quarantined, [e6c7afedeb9032045ec6e93ab54b7b85],
PUP.Optional.Webalta, C:\Users\User 6\AppData\Local\Temp\Countries_in_the_world (1)__.exe, Quarantined, [c6e79408abd07db94548633a2ed33dc3],
PUP.Optional.CinemaLoad.A, C:\Users\User 6\AppData\Local\Temp\Countries_in_the_world (1)___1.exe, Quarantined, [327b74289ae193a367295a28669b19e7],
PUP.Optional.Webalta, C:\Users\User 6\AppData\Local\Temp\Countries_in_the_world__.exe, Quarantined, [f7b6b2eab0cbfa3c2e5f0994ea172fd1],
PUP.Optional.CinemaLoad.A, C:\Users\User 6\AppData\Local\Temp\Countries_in_the_world___1.exe, Quarantined, [38750e8ef586a5915c342e5441c0db25],
PUP.Optional.Amonetize.A, C:\Users\User 6\AppData\Local\Temp\{3520F1FE-D857-4BA0-A95B-179DD50B73F0}\Launcher_i537555364.exe, Quarantined, [7d30dfbd0d6ec86eb9b63606a15f946c],
Trojan.Agent.CK, C:\Users\User 6\AppData\Local\Temp\~nsu.tmp\Au_.exe, Quarantined, [ddd0b7e56b1082b4b8705b4a768e8779],
PUP.Optional.MediaMagnet.A, C:\Users\User 6\Downloads\Noy_2014.c69b4.exe, Quarantined, [e0cd4d4f6b10bf771aa398defc0557a9],
PUP.Optional.ZvuZona, C:\Users\User 6\Downloads\startrek-vozmezdie-[torrentino].exe, Quarantined, [75382874c3b8d6601c9512fd857c6e92],
PUP.Optional.Skymonk, C:\Users\User 6\Downloads\Countries-in-the-world.rar_17442143_98_letB (1).exe, Quarantined, [8a23dbc1720979bd76ec60be8b79a35d],
PUP.Optional.Skymonk, C:\Users\User 6\Downloads\Countries-in-the-world.rar_17442143_98_letB.exe, Quarantined, [ad001884ef8cc373521075a9d82c649c],
Trojan.Onlinegames, C:\Users\User 6\Downloads\PremiaMuzTV.rar_14300775_24_letC.exe, Quarantined, [2885d8c465163303192f68b1a26036ca],
PUP.Adware.MediaGet, C:\Users\User 6\Downloads\MediaGet_id2915734ids2s.exe, Quarantined, [4e5f19837dfee155c6266a9d5ea23ec2],
PUP.Adware.MediaGet, C:\Users\User 6\Downloads\MediaGet_id4929973ids1s.exe, Quarantined, [b9f4b7e50477c670787427e0db2548b8],
PUP.Adware.MediaGet, C:\Users\User 6\Downloads\MediaGet_id4930439ids1s.exe, Quarantined, [298475276615ad899656b35413ed758b],
PUP.Optional.Amonetize, C:\Users\User 6\AppData\Local\41\a18467.exe, Quarantined, [57564b516318d95d26866015b9486e92],
PUP.Optional.NextLive.A, C:\Users\User 6\AppData\Local\genienext\nengine.dll, Quarantined, [1f8ec1db0c6f8da9af3c203a7d8424dc],
PUP.Optional.Rambler.A, C:\Users\User 6\AppData\Local\Rambler\RamblerUpdater\rupdate_standalone.exe, Quarantined, [b0fd2f6d413a5cda8d9763c0fe025aa6],
PUP.SoftwareUpdater.A, C:\Windows\System32\Tasks\AmiUpdXp, Quarantined, [6449019b285365d143fe7f372ad8de22],
PUP.Optional.CinemaLoad.A, C:\Users\User 6\AppData\Roaming\cload\chrome.dat, Quarantined, [a5080a9272091d19ddc35c64fb07b44c],
PUP.Optional.CinemaLoad.A, C:\Users\User 6\AppData\Roaming\cload\amigo.dat, Quarantined, [a5080a9272091d19ddc35c64fb07b44c],
PUP.Optional.Superfish.A, C:\Users\User 6\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage, Quarantined, [e3cadbc10a71f343e24e70511de51ee2],
PUP.Optional.Superfish.A, C:\Users\User 6\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal, Quarantined, [c4e973295625d16588a8f7ca36cc2cd4],
PUP.Software.Updater, C:\Windows\Tasks\AmiUpdXp.job, Quarantined, [c4e92d6fdba072c4a37a27ba6c969d63],
Exploit.Drop.GS, C:\Users\User 6\AppData\Local\Temp\2vovkandnnndddddd.exe, Quarantined, [a409c8d4c0bb77bf799b9662877b26da],
PUP.Optional.ToolBar.WA, C:\Users\User 6\AppData\Local\Webalta Toolbar\chrome.crx, Quarantined, [505df0ac0b70b0861385455338cad22e],
PUP.Optional.ToolBar.WA, C:\Users\User 6\AppData\Local\Webalta Toolbar\main.ico, Quarantined, [505df0ac0b70b0861385455338cad22e],
PUP.Optional.NextLive.A, C:\Users\User 6\AppData\Roaming\newnext.me\nengine.cookie, Quarantined, [8528e2badc9f0a2c4afaafecd32f7e82],
PUP.Optional.NextLive.A, C:\Users\User 6\AppData\Roaming\newnext.me\cache\spark.bin, Quarantined, [8528e2badc9f0a2c4afaafecd32f7e82],
PUP.Optional.WebAlta.A, C:\Users\User 6\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "homepage": "http://home.webalta.ru/?link",), Replaced,[7439cbd1dba05bdb52eca71e35cf29d7]

Physical Sectors: 0
(No malicious items detected)
(end)
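As an added example (not part of the original post), a read-only PowerShell triage script that checks the persistence points the log above attributes to this adware family: the services and filter driver, the rundll32 Run entry, the Internet Explorer search-page values pointed at webalta.ru, the AmiUpdXp task and the dropped files. The output labels and the file list are my own; run it in an elevated prompt.

```powershell
# Added triage script, not from the original post: reports whether the
# persistence points recorded in the Malwarebytes log are present.
# Read-only: it only prints what it finds, it removes nothing.

# Services and the NetFilter driver named in the log
foreach ($name in 'ServiceUpdater', 'NetHttpService', 'nethfdrv') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        Write-Output "SERVICE PRESENT: $name -> $img"
    }
}

# Run entries that launch a DLL from a user profile via rundll32 (the NextLive pattern)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    foreach ($p in (Get-ItemProperty -Path $rk).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        if ($p.Value -match 'rundll32' -and $p.Value -match 'AppData') {
            Write-Output "RUN ENTRY: $rk\$($p.Name) = $($p.Value)"
        }
    }
}

# Internet Explorer home/search values hijacked to webalta.ru (the Hijack.* lines)
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($v in 'Search Page', 'Default_Search_URL', 'Search Bar', 'Start Page') {
    $val = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).$v
    if ($val -and $val -match 'webalta\.ru') { Write-Output "IE HIJACK: $v = $val" }
}

# Scheduled task that re-installs the updater
foreach ($t in "$env:SystemRoot\System32\Tasks\AmiUpdXp", "$env:SystemRoot\Tasks\AmiUpdXp.job") {
    if (Test-Path $t) { Write-Output "TASK PRESENT: $t" }
}

# Dropped binaries and profile folders from the log (profile paths resolved for the current user)
$files = "$env:APPDATA\newnext.me\nengine.dll", "$env:APPDATA\cload",
         "$env:LOCALAPPDATA\Webalta Toolbar",
         "$env:SystemRoot\SysWOW64\nethtsrv.exe", "$env:SystemRoot\SysWOW64\netupdsrv.exe",
         "$env:SystemRoot\SysWOW64\hfnapi.dll", "$env:SystemRoot\System32\hfnapi.dll",
         "$env:SystemRoot\System32\drivers\nethfdrv.sys"
foreach ($f in $files) { if (Test-Path $f) { Write-Output "FILE PRESENT: $f" } }
```

Because the log shows HKU entries under the infected user's SID, run the script as that user (elevated) or substitute the HKU:\<SID> path for HKCU to audit another profile.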
