Elektroda.pl

Infected computer - checking the FRST log

szerkan87 03 Nov 2015 17:32 852 12
  • #2 03 Nov 2015 17:56
    Kolobos
    Computer specialist

    Next to frst.exe, create a file named fixlist.txt with the following contents:
    () C:\Users\Tomek\AppData\Local\Crsoft\crsvc.exe
    () C:\Program Files (x86)\RayDld\ihpmServer.exe
    () C:\Users\Tomek\AppData\Roaming\NetService\netservice.exe
    HKLM-x32\...\Run: [rec_en_77] => [X]
    Winlogon\Notify\igfxcui: igfxdev.dll [X]
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TrayMenu.lnk [2014-01-19]
    ShortcutTarget: TrayMenu.lnk -> C:\Windows\SysWOW64\C2MP\TrayMenu.exe ()
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.oursurfing.com/web/?type=ds&ts...=st1000lm024xhn-m101mbb_s2smj9ed810921&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.oursurfing.com/web/?type=ds&ts...=st1000lm024xhn-m101mbb_s2smj9ed810921&q={searchTerms}
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_re...ndex.jsp?lg=pl&pid=NIS&pvid=21.6.0.32
    HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_re...ndex.jsp?lg=pl&pid=NIS&pvid=21.6.0.32
    HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/redirects/security_re...ndex.jsp?lg=pl&pid=NIS&pvid=21.6.0.32
    HKU\S-1-5-21-2756060167-294891085-3003495681-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
    HKU\S-1-5-21-2756060167-294891085-3003495681-1001\Software\Microsoft\Internet Explorer\Main,Start Page = www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    HKU\S-1-5-21-2756060167-294891085-3003495681-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    SearchScopes: HKU\S-1-5-21-2756060167-294891085-3003495681-1001 -> {6D0A05A9-AAEC-4BC7-9AA7-4B0B427A9CAB} URL =
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [Brak pliku]
    FF Plugin-x32: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [Brak pliku]
    FF Plugin HKU\S-1-5-21-2756060167-294891085-3003495681-1001: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [Brak pliku]
    CHR StartupUrls: Default -> "hxxps://www.google.pl/search?q=google&oq=goo&aqs=chrome.0.69i59j69i60j69i57j69i65j69i61j69i60&sourceid=chrome&ie=UTF-8","hxxp://www.holasearch.com/?babsrc=HP_ss&mntrId=74F4001CBF475A15&affID=121962&tsp=4953","hxxp://www.google.com","hxxp://www.dosearches.com/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=hp&from=cor&uid=FUJITSUXMHY2160BH_K411T7B288PK&ts=1384248931","www.wp.pl/?src01=dp","hxxp://www.sweet-page.com/?type=hp&ts=1406966397&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9ED810921","hxxp://www.oursurfing.com/?type=hp&ts=1445273511&z=04abc70921b6084ed960883g6z2zdwfo8mec5w4gfg&from=amt&uid=st1000lm024xhn-m101mbb_s2smj9ed810921"
    StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe www.tohotweb.com?oem=sunadusv4&uid=S2SMJ9ED810921_ST1000LM024HN-M101MBB&tm=1446557594
    OPR Extension: (HQ-Video-Pro-1.4) - C:\Users\Tomek\AppData\Roaming\Opera Software\Opera Stable\Extensions\apehpgkcgpefnlpfindggfdecmgihlaj [2014-03-03]
    OPR Extension: (帮5淘—帮5买旗下购物助手) - C:\Users\Tomek\AppData\Roaming\Opera Software\Opera Stable\Extensions\nklfajnmfbchcceflgddnkignfheooic [2015-11-03]
    R2 Crashhd; C:\Users\Tomek\AppData\Local\Crsoft\crsvc.exe [185800 2015-11-03] ()
    R2 ihpmServer; C:\Program Files (x86)\RayDld\ihpmServer.exe [270568 2015-10-12] ()
    R2 NetTcpHandler; C:\Users\Tomek\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
    S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    S3 ew_hwusbdev; \SystemRoot\system32\DRIVERS\ew_hwusbdev.sys [X]
    S3 huawei_cdcacm; \SystemRoot\system32\DRIVERS\ew_jucdcacm.sys [X]
    S3 huawei_cdcecm; \SystemRoot\system32\DRIVERS\ew_jucdcecm.sys [X]
    S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
    S3 huawei_ext_ctrl; \SystemRoot\System32\drivers\ew_juextctrl.sys [X]
    S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QMUdisk64.sys [X]
    S1 swsedrvr_vw_1_10_0_25; system32\drivers\swsedrvr_vw_1_10_0_25.sys [X]
    2015-11-03 14:33 - 2015-11-03 14:33 - 00000000 ____D C:\Users\Tomek\AppData\Local\Crsoft
    2015-10-19 18:24 - 2015-10-19 18:26 - 00000000 ____D C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
    2015-10-19 18:24 - 2015-10-19 18:24 - 00087864 _____ (电脑管家) C:\WINDOWS\system32\Drivers\TFsFltX64.sys
    2015-10-19 18:24 - 2015-10-19 18:24 - 00000000 ____D C:\Program Files\Common Files\Tencent
    2015-10-19 18:09 - 2015-10-19 18:09 - 00000000 ____D C:\Users\Tomek\AppData\Local\18012
    2015-10-19 17:51 - 2015-10-19 17:51 - 00000000 ____D C:\Users\Tomek\AppData\Local\SysassistByHotWheel
    2015-10-19 17:51 - 2015-10-04 17:52 - 00000000 ____D C:\Users\Tomek\AppData\Roaming\oursurfing
    2015-10-19 17:50 - 2015-10-19 18:24 - 00000000 ____D C:\ProgramData\IQIYI Video
    2015-10-04 17:53 - 2015-11-03 14:33 - 00000000 ____D C:\Users\Tomek\AppData\Roaming\RunDir
    2015-10-04 17:53 - 2015-10-04 17:53 - 00000000 ____D C:\Users\Tomek\AppData\Roaming\NetService
    2015-10-04 17:52 - 2015-10-04 17:52 - 00000000 ____D C:\Program Files (x86)\RayDld
    EmptyTemp:

    In FRST, click Fix.

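    The three R2 services in the fixlist share two traits that a triage pass over an FRST log can key on: an empty () where FRST prints the publisher, and a binary path under the user's AppData. The script below is an added example, not part of the thread or of FRST itself: it parses service lines in FRST's format over constructed sample entries (the first three mirror the ones above; the Spooler line is a benign control I made up) and lists the reasons each one looks suspicious.

```python
import re
from typing import Dict, List

# Constructed sample entries in FRST's service-line format. The first three copy the
# services Kolobos removed in the thread; Spooler is a made-up benign control entry.
SAMPLE_LOG = r"""
R2 Crashhd; C:\Users\Tomek\AppData\Local\Crsoft\crsvc.exe [185800 2015-11-03] ()
R2 ihpmServer; C:\Program Files (x86)\RayDld\ihpmServer.exe [270568 2015-10-12] ()
R2 NetTcpHandler; C:\Users\Tomek\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
R2 Spooler; C:\WINDOWS\System32\spoolsv.exe [800000 2015-07-10] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [X]
"""

# Assumed shape of an FRST service line: "<state> <name>; <path> [<size date>|X] (<publisher>)"
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<meta>[^\]]*)\]"
    r"(?: \((?P<company>[^)]*)\))?\s*$"
)
# Binaries living under a user profile are writable by that user: unusual for a service.
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def triage_services(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per service line, with the reasons it looks suspicious."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        reasons: List[str] = []
        if m["meta"] == "X":
            # FRST marks an entry whose file no longer exists with [X]: an orphan.
            reasons.append("orphan entry: binary missing")
        else:
            if m["company"] == "":
                reasons.append("no publisher / unsigned")
            if USER_PROFILE_RE.search(m["path"]):
                reasons.append("runs from user profile (user-writable)")
        findings.append({"name": m["name"], "path": m["path"], "reasons": reasons})
    return findings


def suspicious_names(log_text: str) -> List[str]:
    """Names of the services that triggered at least one heuristic."""
    return [str(f["name"]) for f in triage_services(log_text) if f["reasons"]]


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f["name"], "->", "; ".join(f["reasons"]) or "nothing flagged")
```

    Orphan [X] entries are harmless leftovers of uninstalled software, but removing them keeps the log readable on the next scan.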
  • #4 03 Nov 2015 20:40
    Kolobos
    Computer specialist

    Back up your bookmarks, then uninstall the browser, delete the browser profile directory and install it again.

  • #5 03 Nov 2015 21:34
    szerkan87
    Level 7

    It didn't help, so I guess a format is waiting for me :(

  • #6 03 Nov 2015 21:39
    Kolobos
    Computer specialist

    Post new FRST logs from a scan.

    Did you delete the browser profile directory before reinstalling?

  • #8 03 Nov 2015 23:58
    Kolobos
    Computer specialist

    Remove the restoring of the set of pages on Chrome startup, here is a description:
    https://support.google.com/chrome/answer/95314?hl=pl

    If that doesn't help, then finally do what I wrote, because I can see that you didn't do it and didn't delete the browser profile before reinstalling it.

    The profile is in C:\Users\Tomek\AppData\Local\Google\Chrome\User Data\Default, assuming the problem concerns Chrome.

  • #9 04 Nov 2015 05:19
    szerkan87
    Level 7

    I did exactly what you wrote, and after reinstalling the browser the ads showed up again :(

  • Helpful post
    #10 04 Nov 2015 08:50
    Kolobos
    Computer specialist

    Are you synchronizing browser data by signing in to a Google account? If so, delete the browser data from the account.

    The log still shows:
    CHR StartupUrls: Default -> "hxxps://www.google.pl/search?q=google&oq=goo&aqs=chrome.0.69i59j69i60j69i57j69i65j69i61j69i60&sourceid=chrome&ie=UTF-8","hxxp://www.holasearch.com/?babsrc=HP_ss&mntrId=74F4001CBF475A15&affID=121962&tsp=4953","hxxp://www.google.com","hxxp://www.dosearches.com/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=hp&from=cor&uid=FUJITSUXMHY2160BH_K411T7B288PK&ts=1384248931","www.wp.pl/?src01=dp","hxxp://www.sweet-page.com/?type=hp&ts=1406966397&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9ED810921","hxxp://www.oursurfing.com/?type=hp&ts=1445273511&z=04abc70921b6084ed960883g6z2zdwfo8mec5w4gfg&from=amt&uid=st1000lm024xhn-m101mbb_s2smj9ed810921"

    You can remove this in the Chrome options, specifically under restoring the set of pages on browser startup.

    There is also an extension:
    CHR Extension: (EasyCalendar) - C:\Users\Tomek\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk [2015-11-03]

    fixlist.txt for FRST:
    C:\Users\Tomek\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk
    CHR Extension: (EasyCalendar) - C:\Users\Tomek\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgcoifbkbphhjnekfkmohklfaimhikk [2015-11-03]

  • #13 04 Nov 2015 15:16
    szerkan87
    Level 7

    I managed to do it: I made the fixlist you gave, only I had to change the date, and for now everything works.
    Thanks for the help.
