Elektroda.pl

BitCoinMiner - how do I get rid of it?

adamsonm 09 Jun 2014 18:43 2214 5
  • #1 09 Jun 2014 18:43
    adamsonm
    Level 8

    I caught this junk, and every time I start the computer Avira warns me about it. Whether I delete it or leave it, on the next startup it is the same thing again.

    I scanned the computer with SpyHunter and removed all the errors, then ran ComboFix, then AdwCleaner. Still the same. I downloaded FRST and scanned the computer.

    Here are the logs:

    ComboFix:

    ComboFix 14-06-09.01 - Adam 2014-06-09 17:36:35.3.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1250.48.1045.18.4094.2634 [GMT 2]
    Uruchomiony z: f:\instalatory\PROGRAMY\ComboFix\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
    SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system\Wing32.dll
    c:\windows\SysWow64\Dvbpws.dll
    .
    .
    ((((((((((((((((((((((((( Pliki utworzone od 2014-05-09 do 2014-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2014-06-09 15:45 . 2014-06-09 15:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2014-06-09 15:45 . 2014-06-09 15:45 -------- d-----w- c:\users\Public\AppData\Local\temp
    2014-06-09 15:45 . 2014-06-09 15:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-06-09 13:51 . 2014-06-09 13:51 110080 ----a-r- c:\users\Adam\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconF7A21AF7.exe
    2014-06-09 13:51 . 2014-06-09 13:51 110080 ----a-r- c:\users\Adam\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconD7F16134.exe
    2014-06-09 13:51 . 2014-06-09 13:51 110080 ----a-r- c:\users\Adam\AppData\Roaming\Microsoft\Installer\{AF549236-6258-4AC6-A043-5B5B89C6EB61}\IconCF33A0CE.exe
    2014-06-09 13:51 . 2014-06-09 13:51 -------- d-----w- C:\sh4ldr
    2014-06-09 13:51 . 2014-06-09 13:51 -------- d-----w- c:\program files (x86)\Enigma Software Group
    2014-06-09 13:50 . 2014-06-09 13:51 -------- d-----w- c:\windows\AF54923662584AC6A0435B5B89C6EB61.TMP
    2014-06-09 08:06 . 2014-06-09 09:23 -------- d-----w- c:\windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
    2014-06-03 17:55 . 2014-06-09 15:22 -------- d--h--w- c:\users\Adam\AppData\Roaming\pwo7
    2014-05-27 14:49 . 2014-05-27 14:49 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2014-05-15 20:01 . 2014-05-15 20:01 -------- d-----w- c:\users\Adam\AppData\Local\THQ
    2014-05-15 20:00 . 2008-07-12 06:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
    2014-05-15 20:00 . 2008-07-12 06:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
    2014-05-15 20:00 . 2008-07-12 06:18 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
    2014-05-15 20:00 . 2008-07-12 06:18 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
    2014-05-15 20:00 . 2008-07-12 06:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
    2014-05-15 20:00 . 2008-07-12 06:18 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
    2014-05-13 15:21 . 2014-05-13 15:25 -------- d-----w- c:\windows\USB Vibration
    2014-05-13 15:21 . 2014-05-13 15:21 270468 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll
    2014-05-13 15:21 . 2014-05-13 15:21 159876 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\IGdi.dll
    2014-05-13 15:21 . 2002-08-05 08:46 57344 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll
    2014-05-13 15:21 . 2002-08-02 01:10 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\DotNetInstaller.exe
    2014-05-13 15:21 . 2002-08-02 00:20 634880 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKernel.dll
    2014-05-13 15:21 . 2002-08-02 00:20 237568 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iscript.dll
    2014-05-13 15:21 . 2002-08-02 00:20 151552 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iuser.dll
    2014-05-13 15:21 . 2014-05-13 15:24 -------- d-----w- c:\program files (x86)\USB Vibration
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-06-01 13:14 . 2013-03-15 18:51 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2014-06-01 13:14 . 2013-03-15 18:51 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2014-06-01 13:14 . 2013-03-15 18:51 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2014-05-22 09:30 . 2013-03-30 23:26 130584 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2014-05-22 09:30 . 2013-03-30 23:26 112080 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2014-05-14 17:28 . 2013-11-14 15:34 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-05-14 17:28 . 2013-11-14 15:34 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-04-14 18:13 . 2014-04-22 21:39 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2014-04-07 19:53 . 2014-04-07 19:53 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2014-03-24 20:12 . 2014-03-24 20:12 42184 ----a-w- c:\windows\system32\drivers\taphss6.sys
    2014-03-17 19:07 . 2014-03-17 19:07 82072 ----a-w- c:\windows\cadkasdeinst01e.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "Gadu-Gadu 10"="c:\program files (x86)\Gadu-Gadu 10\gg.exe" [2013-06-21 12477024]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-10-28 3675352]
    "screenSHU"="c:\program files (x86)\screenSHU\screenSHU.exe" [2013-07-08 1992704]
    "GUDelayStartup"="c:\program files (x86)\Glary Utilities 4\StartupManager.exe" [2014-01-22 37152]
    "Winfast"="c:\\Program Files\\WinFast\\WFDTV\\WFWIZ.exe" [2012-08-28 2916352]
    "pwo7"="c:\users\Adam\AppData\Roaming\pwo7\svchost.exe" [2014-06-03 8164139]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-05-22 737872]
    "WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2012-09-10 101888]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
    "LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
    .
    c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    WFWIZ.lnk - c:\program files\WinFast\WFDTV\WFWIZ.exe [2013-3-10 2916352]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="userinit.exe"
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE;c:\progra~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
    R3 CX88VID;WinFast CX2388x AvStream Driver;c:\windows\system32\drivers\cxavsvid.sys;c:\windows\SYSNATIVE\drivers\cxavsvid.sys [x]
    R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
    R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys;c:\windows\SYSNATIVE\DRIVERS\EsgScanner.sys [x]
    R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files (x86)\Lavalys\EVEREST Ultimate Edition\kerneld.amd64;c:\program files (x86)\Lavalys\EVEREST Ultimate Edition\kerneld.amd64 [x]
    R3 IT9135BDA;IT9135 BDA Devices;c:\windows\system32\Drivers\IT9135BDA.sys;c:\windows\SYSNATIVE\Drivers\IT9135BDA.sys [x]
    R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys;c:\windows\SYSNATIVE\pwdrvio.sys [x]
    R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys;c:\windows\SYSNATIVE\pwdspio.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys;c:\windows\SYSNATIVE\DRIVERS\RtTeam60.sys [x]
    R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan620.sys;c:\windows\SYSNATIVE\DRIVERS\RtVlan620.sys [x]
    R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys;c:\windows\SYSNATIVE\DRIVERS\s0016bus.sys [x]
    R3 Sony PC Companion;Sony PC Companion;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe [x]
    R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys;c:\windows\SYSNATIVE\DRIVERS\taphss6.sys [x]
    R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys;c:\windows\SYSNATIVE\DRIVERS\RtTeam60.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe;c:\program files (x86)\Tunngle\TnglCtrl.exe [x]
    R3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [x]
    S0 BootDefragDriver;BootDefragDriver;c:\windows\System32\drivers\BootDefragDriver.sys;c:\windows\SYSNATIVE\drivers\BootDefragDriver.sys [x]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
    S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe;c:\windows\SYSNATIVE\HPSIsvc.exe [x]
    S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe;c:\windows\SysWOW64\nlssrv32.exe [x]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys;c:\windows\SYSNATIVE\DRIVERS\RtNdPt60.sys [x]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
    S3 mvusbews;USB EWS Device;c:\windows\system32\Drivers\mvusbews.sys;c:\windows\SYSNATIVE\Drivers\mvusbews.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys;c:\windows\SYSNATIVE\DRIVERS\tap0901t.sys [x]
    S3 WFLR6654;WinFast TV2000 XP Expert (FM1216MK3);c:\windows\system32\drivers\wfeaglxt.sys;c:\windows\SYSNATIVE\drivers\wfeaglxt.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-05-23 19:36 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
    .
    Zawartość folderu 'Zaplanowane zadania'
    .
    2014-06-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-14 17]
    .
    2014-06-09 c:\windows\Tasks\GlaryInitialize 4.job
    - c:\program files (x86)\Glary Utilities 4\Initialize.exe [2014-01-22 01]
    .
    2014-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-07 19]
    .
    2014-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-07 19]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay1]
    @="{E68D0A50-3C40-4712-B90D-DCFA93FF2534}"
    [HKEY_CLASSES_ROOT\CLSID\{E68D0A50-3C40-4712-B90D-DCFA93FF2534}]
    c:\programdata\GG\ggdrive\ggdrive-overlay.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay2]
    @="{E68D0A51-3C40-4712-B90D-DCFA93FF2534}"
    [HKEY_CLASSES_ROOT\CLSID\{E68D0A51-3C40-4712-B90D-DCFA93FF2534}]
    c:\programdata\GG\ggdrive\ggdrive-overlay.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay3]
    @="{E68D0A52-3C40-4712-B90D-DCFA93FF2534}"
    [HKEY_CLASSES_ROOT\CLSID\{E68D0A52-3C40-4712-B90D-DCFA93FF2534}]
    c:\programdata\GG\ggdrive\ggdrive-overlay.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay4]
    @="{E68D0A53-3C40-4712-B90D-DCFA93FF2534}"
    [HKEY_CLASSES_ROOT\CLSID\{E68D0A53-3C40-4712-B90D-DCFA93FF2534}]
    c:\programdata\GG\ggdrive\ggdrive-overlay.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-12 7220768]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-12 1833504]
    .
    ------- Skan uzupełniający -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&ksportuj do programu Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: Interfaces\{08EA5340-70D7-479E-8248-E270E710F888}: NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
    FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\m9i9qj9b.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/firefox
    .
    - - - - USUNIĘTO PUSTE WPISY - - - -
    .
    AddRemove-Borland C++ 5.02 - c:\windows\BC5RMV.EXE
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\EverestDriver]
    "ImagePath"="\??\c:\program files (x86)\Lavalys\EVEREST Ultimate Edition\kerneld.amd64"
    .
    --------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Czas ukończenia: 2014-06-09 17:48:10
    ComboFix-quarantined-files.txt 2014-06-09 15:48
    ComboFix2.txt 2014-04-04 14:51
    .
    Przed: 37 638 561 792 bajtów wolnych
    Po: 37 613 219 840 bajtów wolnych
    .
    - - End Of File - - 30BEDC60309378ED0F36DC50D15C7685
    A36C5E4F47E84449FF07ED3517B43A31


    FRST:
    http://wklej.org/id/1387340/

    Additional:
    http://wklej.org/id/1387339/

    PS: Yes, this computer has that much junk on it, but it never got in the way of my work.

  • Helpful post
    #2 09 Jun 2014 18:53
    Kolobos
    Computer specialist

    Uninstall:
    SpyHunter (HKLM-x32\...\{AF549236-6258-4AC6-A043-5B5B89C6EB61}) (Version: 4.17.6.4336 - Enigma Software Group USA, LLC)

    Next to frst.exe, create a file fixlist.txt with the following contents:
    2014-06-03 19:55 - 2014-06-09 17:53 - 00000000 ___HD () C:\Users\Adam\AppData\Roaming\pwo7
    Task: {1458220F-7BBF-451B-8D84-0EAD51979D64} - \EPUpdater No Task File <==== ATTENTION
    Task: {5050C961-7D83-4665-B3A0-4B8931A2D278} - System32\Tasks\RegClean Pro => C:\Program Files (x86)\RegClean Pro\Regcleanpro.exe <==== ATTENTION
    Task: {71EEDF21-CD7D-4DE4-99B0-69A050F468EA} - \QtraxPlayer No Task File <==== ATTENTION
    Task: {8736775A-C947-4E03-B15D-9118990A412D} - \BitGuard No Task File <==== ATTENTION
    C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\winlogon.exe
    C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\quark\mozilla.exe
    HKU\S-1-5-21-2373570503-2441873444-65820229-1001\...\Run: [pwo7] => C:\Users\Adam\AppData\Roaming\pwo7\svchost.exe [8164139 2014-06-03] ()
    FF NetworkProxy: "http", "173.245.61.120"
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    S3 EverestDriver; \??\C:\Program Files (x86)\Lavalys\EVEREST Ultimate Edition\kerneld.amd64 [X]
    C:\Users\Adam\AppData\Local\Temp*.html

    In FRST, choose Fix.

  • #3 09 Jun 2014 18:56
    Acorus 20
    Computer specialist

    Stay away from ComboFix and SpyHunter. Uninstall SpyHunter. Open Notepad and paste:

    Quote:
    Task: {1458220F-7BBF-451B-8D84-0EAD51979D64} - \EPUpdater No Task File <==== ATTENTION
    Task: {5050C961-7D83-4665-B3A0-4B8931A2D278} - System32\Tasks\RegClean Pro => C:\Program Files (x86)\RegClean Pro\Regcleanpro.exe <==== ATTENTION
    Task: {71EEDF21-CD7D-4DE4-99B0-69A050F468EA} - \QtraxPlayer No Task File <==== ATTENTION
    Task: {8736775A-C947-4E03-B15D-9118990A412D} - \BitGuard No Task File <==== ATTENTION
    HKU\S-1-5-21-2373570503-2441873444-65820229-1001\...\Run: [pwo7] => C:\Users\Adam\AppData\Roaming\pwo7\svchost.exe [8164139 2014-06-03] ()
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    R2 SpyHunter 4 Service; C:\Program Files (x86)\Enigma Software Group\SpyHunter\SH4Service.exe [770432 2014-01-09] (Enigma Software Group USA, LLC.)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    S3 EverestDriver; \??\C:\Program Files (x86)\Lavalys\EVEREST Ultimate Edition\kerneld.amd64 [X]
    2014-06-09 15:51 - 2014-06-09 15:51 - 00000000 ____D () C:\Program Files (x86)\Enigma Software Group
    2014-06-09 15:50 - 2014-06-09 15:51 - 00000000 ____D () C:\Windows\AF54923662584AC6A0435B5B89C6EB61.TMP
    2014-06-03 19:55 - 2014-06-09 17:53 - 00000000 ___HD () C:\Users\Adam\AppData\Roaming\pwo7


    Save the file under the name fixlist.txt and put it next to FRST in the same folder.
    Run FRST and click Fix.

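A check a defender can run after the Fix and the reboot to confirm that the persistence items named in the fixlist above are really gone. This is an added example, not code from the thread, from FRST or from ComboFix. The Run value name pwo7, the directory name, the four task names, the Chrome policy key and the proxy address are taken from the fixlist; the script structure, the svchost.exe image-path check, the use of schtasks (Windows 7 has no Get-ScheduledTask) and the prefs.js matching are this example's own assumptions.

```powershell
# Post-cleanup check for the persistence indicators named in this thread.
# Added example: not part of the thread, of FRST or of ComboFix. The task
# names, the Run value name, the directory name and the proxy address come
# from the fixlist above; everything else is an assumption of this script.
# Run in an elevated PowerShell so that process image paths are readable.

$findings = @()

# 1. Per-user Run value that started the miner. HKCU: is the hive of the
#    logged-on user, i.e. the HKU\S-1-5-21-...-1001 entry in the FRST log.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['pwo7']) {
    $findings += "Run value still present: pwo7 = $($run.pwo7)"
}

# 2. Dropped directory under %APPDATA% (FRST moves it on reboot, so run
#    this after the restart).
$dropDir = Join-Path $env:APPDATA 'pwo7'
if (Test-Path $dropDir) { $findings += "Directory still present: $dropDir" }

# 3. svchost.exe masquerade: the real service host runs only from System32
#    or SysWOW64, so any svchost.exe with another image path is suspect.
$legit = @((Join-Path $env:windir 'System32\svchost.exe'),
           (Join-Path $env:windir 'SysWOW64\svchost.exe'))
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $img = $_.Path   # null for protected processes when not elevated
    if ($img -and ($legit -notcontains $img)) {
        $findings += "svchost.exe running from unexpected path: $img (PID $($_.Id))"
    }
}

# 4. Scheduled tasks that FRST flagged "No Task File". schtasks is used
#    because Get-ScheduledTask does not exist on Windows 7.
$badTasks = 'EPUpdater', 'RegClean Pro', 'QtraxPlayer', 'BitGuard'
$csv = schtasks /query /fo CSV /nh 2>$null
if ($csv) {
    $csv | ConvertFrom-Csv -Header TaskName, NextRun, Status | ForEach-Object {
        $leaf = ($_.TaskName -split '\\')[-1]
        if ($badTasks -contains $leaf) {
            $findings += "Scheduled task still registered: $($_.TaskName)"
        }
    }
}

# 5. Chrome policy key the fixlist deleted (used to lock browser settings).
if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
    $findings += 'Chrome policy key still present: HKLM\SOFTWARE\Policies\Google'
}

# 6. Firefox proxy preference. FRST reported "http" -> 173.245.61.120; any
#    explicit proxy host in prefs.js deserves a look on a home machine.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem $profiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern '^user_pref\("network\.proxy\.(http|ssl|socks)"' |
                ForEach-Object { $findings += "Firefox proxy pref in ${prefs}: $($_.Line)" }
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicator from this thread remains on the machine.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Step 3 is the one worth keeping beyond this thread: a file named svchost.exe under a user profile is the same masquerade whatever the miner is called, so the image-path check catches the next variant even when the directory name changes.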
  • #4 09 Jun 2014 19:11
    adamsonm
    Level 8

    After the Fix and a restart, Avira did not throw the Bitcoin message, but in the log I see that a few files were not found, including:

    "C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\quark\mozilla.exe" => File/Directory not found.

    and I often had it in the process list and it used a lot of CPU.
    I will restart once more right away to check whether the error is still gone.

    Here is the log after the fix:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-06-2014 02
    Ran by Adam at 2014-06-09 18:57:14 Run:1
    Running from C:\Users\Adam\Downloads
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    2014-06-03 19:55 - 2014-06-09 17:53 - 00000000 ___HD () C:\Users\Adam\AppData\Roaming\pwo7
    Task: {1458220F-7BBF-451B-8D84-0EAD51979D64} - \EPUpdater No Task File <==== ATTENTION
    Task: {5050C961-7D83-4665-B3A0-4B8931A2D278} - System32\Tasks\RegClean Pro => C:\Program Files (x86)\RegClean Pro\Regcleanpro.exe <==== ATTENTION
    Task: {71EEDF21-CD7D-4DE4-99B0-69A050F468EA} - \QtraxPlayer No Task File <==== ATTENTION
    Task: {8736775A-C947-4E03-B15D-9118990A412D} - \BitGuard No Task File <==== ATTENTION
    C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\winlogon.exe
    C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\quark\mozilla.exe
    HKU\S-1-5-21-2373570503-2441873444-65820229-1001\...\Run: [pwo7] => C:\Users\Adam\AppData\Roaming\pwo7\svchost.exe [8164139 2014-06-03] ()
    FF NetworkProxy: "http", "173.245.61.120"
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    S3 EverestDriver; \??\C:\Program Files (x86)\Lavalys\EVEREST Ultimate Edition\kerneld.amd64 [X]
    C:\Users\Adam\AppData\Local\Temp*.html

    *****************


    "C:\Users\Adam\AppData\Roaming\pwo7" directory move:

    C:\Users\Adam\AppData\Roaming\pwo7\cached-certs => Moved successfully.
    C:\Users\Adam\AppData\Roaming\pwo7\cached-microdesc-consensus => Moved successfully.
    C:\Users\Adam\AppData\Roaming\pwo7\cached-microdescs => Moved successfully.
    C:\Users\Adam\AppData\Roaming\pwo7\cached-microdescs.new => Moved successfully.
    Could not move "C:\Users\Adam\AppData\Roaming\pwo7\lock" => Scheduled to move on reboot.
    C:\Users\Adam\AppData\Roaming\pwo7\state => Moved successfully.
    Could not move "C:\Users\Adam\AppData\Roaming\pwo7\svchost.exe" => Scheduled to move on reboot.
    Could not move "C:\Users\Adam\AppData\Roaming\pwo7" directory. => Scheduled to move on reboot.

    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1458220F-7BBF-451B-8D84-0EAD51979D64}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1458220F-7BBF-451B-8D84-0EAD51979D64}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EPUpdater' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5050C961-7D83-4665-B3A0-4B8931A2D278}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5050C961-7D83-4665-B3A0-4B8931A2D278}' => Key deleted successfully.
    C:\Windows\System32\Tasks\RegClean Pro not found.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71EEDF21-CD7D-4DE4-99B0-69A050F468EA}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71EEDF21-CD7D-4DE4-99B0-69A050F468EA}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\QtraxPlayer' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8736775A-C947-4E03-B15D-9118990A412D}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8736775A-C947-4E03-B15D-9118990A412D}' => Key deleted successfully.
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BitGuard' => Key deleted successfully.
    "C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\winlogon.exe" => File/Directory not found.
    "C:\Users\Adam\AppData\Local\Temp\_MEI37042\bin\quark\mozilla.exe" => File/Directory not found.
    HKU\S-1-5-21-2373570503-2441873444-65820229-1001\Software\Microsoft\Windows\CurrentVersion\Run\\pwo7 => value deleted successfully.
    Firefox Proxy settings were reset.
    'HKLM\SOFTWARE\Policies\Google' => Key deleted successfully.
    catchme => Service deleted successfully.
    esgiguard => Service deleted successfully.
    EverestDriver => Service deleted successfully.
    Could not move "C:\Users\Adam\AppData\Local\Temp*.html" => Scheduled to move on reboot.

    => Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-06-09 18:59:54)<=

    C:\Users\Adam\AppData\Roaming\pwo7\lock => Is moved successfully.
    C:\Users\Adam\AppData\Roaming\pwo7\svchost.exe => Is moved successfully.
    C:\Users\Adam\AppData\Roaming\pwo7 => Is moved successfully.
    C:\Users\Adam\AppData\Local\Temp*.html => Moved successfully.

    ==== End of Fixlog ====


    Added after 5 [minutes]:

    It seems to me that everything is fine now. Avira is not throwing errors, there is no Mozilla.exe process, but I will keep watching for a few hours to see what happens. For now, thanks a lot for the help.

  • #6 09 Jun 2014 19:48
    adamsonm
    Level 8

    OK, it looks like it works, thanks everyone for the help. Reading something out of the logs and creating a file for the program is black magic to me, and I do know a thing or two about IT. Once again, thanks a lot!
