Elektroda.pl

Could someone take a look at the FRST logs?

Tom2666 07 Feb 2016 13:28 768 6
  • Helpful post
    #2 07 Feb 2016 13:36
    Kolobos
    Computer specialist

    Uninstall:
    BetterPricoEChec
    CouponFactory
    DeallsTer
    DNS Unlocker version 1.3
    ExtraShaoppueer
    greattsaving
    istartsurf uninstall
    omiga-plus uninstall
    Optimizer Pro v3.2
    Picexa
    PPRincceCCoupon
    QQueenCoouponu
    RapidReader 1.10.0.24
    RoYalCuoupoN
    RoYAlShoppErApp
    SaloeesCheCkeR
    Save my Tabs
    saveoiittkeepi.
    Solution Real
    Super Optimizer v3.2
    System Healer
    WebStorage
    YAC(Yet Another Cleaner!)

    Next to frst.exe create a file fixlist.txt with the content:
    Task: C:\Windows\Tasks\Price Fountain.job =>
    Task: C:\Windows\Tasks\Superclean.job =>
    Task: C:\Windows\Tasks\System HealerPeriod.job =>
    Task: C:\Windows\Tasks\System HealerStartUp.job =>
    Startup: C:\Users\Agnieszka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTRUCTIONS_FBE3C.html [2016-01-27] ()
    Startup: C:\Users\Agnieszka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTRUCTIONS_FBE3C.png [2016-01-27] ()
    Startup: C:\Users\Agnieszka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTRUCTIONS_FBE3C.txt [2016-01-27] ()
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    CHR HKU\S-1-5-21-3370982214-2884218214-415904202-1004\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    CHR HKU\S-1-5-21-3370982214-2884218214-415904202-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    Tcpip\Parameters: [NameServer] 82.163.142.5 95.211.158.132
    Tcpip\..\Interfaces\{28A0A37A-5544-48F9-8AA1-6D40EA37B008}: [NameServer] 82.163.142.5 95.211.158.132
    Tcpip\..\Interfaces\{28A0A37A-5544-48F9-8AA1-6D40EA37B008}: [DhcpNameServer] 82.163.142.5
    Tcpip\..\Interfaces\{2D263BD4-F5FF-404E-B06E-9F6FFA387919}: [NameServer] 82.163.142.5 95.211.158.132
    Tcpip\..\Interfaces\{2D263BD4-F5FF-404E-B06E-9F6FFA387919}: [DhcpNameServer] 82.163.142.5
    Tcpip\..\Interfaces\{2FEA0505-E509-4CE3-B5D4-FD4C3AB9D9D8}: [NameServer] 82.163.143.172,82.163.142.174
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.v9.com?type=hp&ts=1437473580&a...;z=bf18fcde83396c8641a2ed9gfz4c5m1zamecew0mbt
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.v9.com?type=hp&ts=1437473580&a...;z=bf18fcde83396c8641a2ed9gfz4c5m1zamecew0mbt
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://isearch.omiga-plus.com/web/?type=ds&am...=ST1000LM024XHN-M101MBB_S32XJ9HF610105&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.v9.com?type=hp&ts=1437473580&a...;z=bf18fcde83396c8641a2ed9gfz4c5m1zamecew0mbt
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.v9.com?type=hp&ts=1437473580&a...;z=bf18fcde83396c8641a2ed9gfz4c5m1zamecew0mbt
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://isearch.omiga-plus.com/web/?type=ds&am...=ST1000LM024XHN-M101MBB_S32XJ9HF610105&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.v9.com?type=hp&ts=1437473580&a...;z=bf18fcde83396c8641a2ed9gfz4c5m1zamecew0mbt
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://go.microsoft.com/fwlink/?LinkID=226786...de83396c8641a2ed9gfz4c5m1zamecew0mbt&OSP=
    HKU\S-1-5-21-3370982214-2884218214-415904202-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
    HKU\S-1-5-21-3370982214-2884218214-415904202-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com/?pc=ASJB
    HKU\S-1-5-21-3370982214-2884218214-415904202-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
    HKU\S-1-5-21-3370982214-2884218214-415904202-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com/?pc=ASJB
    URLSearchHook: [S-1-5-21-3370982214-2884218214-415904202-1001] UWAGA => Brak domyślnego URLSearchHook
    URLSearchHook: [S-1-5-21-3370982214-2884218214-415904202-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] UWAGA => Brak domyślnego URLSearchHook
    SearchScopes: HKLM -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
    SearchScopes: HKLM-x32 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450269624&a...e8a8c9f59bb76547ff3gaz0wee9o2qeteq6gab&q={searchTerms}
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
    SearchScopes: HKLM-x32 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450269624&a...e8a8c9f59bb76547ff3gaz0wee9o2qeteq6gab&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3370982214-2884218214-415904202-1004 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450269624&a...e8a8c9f59bb76547ff3gaz0wee9o2qeteq6gab&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3370982214-2884218214-415904202-1004 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
    SearchScopes: HKU\S-1-5-21-3370982214-2884218214-415904202-1004 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450269624&a...e8a8c9f59bb76547ff3gaz0wee9o2qeteq6gab&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3370982214-2884218214-415904202-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450269624&a...e8a8c9f59bb76547ff3gaz0wee9o2qeteq6gab&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3370982214-2884218214-415904202-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
    SearchScopes: HKU\S-1-5-21-3370982214-2884218214-415904202-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450269624&a...e8a8c9f59bb76547ff3gaz0wee9o2qeteq6gab&q={searchTerms}
    S2 Dashing Pair; C:\Program Files (x86)\Dashing Pair\Dashing Pair.exe [8016420 2015-07-08] () [Brak podpisu cyfrowego] <==== UWAGA
    S2 5936b827; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.20\OptProMon.dll",ENT <==== UWAGA
    2016-02-06 19:02 - 2016-02-06 19:07 - 00000000 ____D C:\AdwCleaner
    2016-02-06 17:49 - 2016-02-06 17:49 - 22908888 _____ (Malwarebytes ) C:\Users\Agnieszka\Downloads\mbam-setup-2.2.0.1024 (2).exe
    2016-02-06 17:45 - 2016-02-06 17:45 - 22908888 _____ (Malwarebytes ) C:\Users\Agnieszka\Downloads\mbam-setup-2.2.0.1024 (1).exe
    2016-01-27 20:33 - 2016-01-27 20:33 - 00016444 _____ C:\Users\Agnieszka\Desktop\INSTRUCTIONS_FBE3C.txt
    2016-01-19 20:29 - 2016-01-27 20:33 - 00025468 _____ C:\Users\Agnieszka\Desktop\INSTRUCTIONS_FBE3C.html
    2016-02-07 13:07 - 2015-08-03 13:53 - 00000020 _____ C:\Users\Nikola\AppData\Roaming\appdataFr2.bin
    2016-02-07 12:47 - 2014-11-20 14:05 - 00000074 _____ C:\Users\Agnieszka\AppData\Roaming\sp_data.sys
    2016-02-07 12:45 - 2015-12-30 18:11 - 00000290 _____ C:\Windows\Tasks\System HealerStartUp.job
    2016-02-07 12:40 - 2015-01-04 23:40 - 00000304 _____ C:\Windows\Tasks\Price Fountain.job
    2016-02-05 22:43 - 2015-08-16 23:28 - 00000350 _____ C:\Windows\Tasks\Superclean.job
    2016-02-05 21:57 - 2015-08-04 19:01 - 00000020 _____ C:\Users\Agnieszka\AppData\Roaming\appdataFr2.bin
    2016-02-02 22:51 - 2015-02-04 22:35 - 00000000 ____D C:\ProgramData\5685422033599577734
    2016-01-28 21:51 - 2014-11-19 14:08 - 00000074 _____ C:\Users\Nikola\AppData\Roaming\sp_data.sys
    2016-01-27 22:35 - 2015-12-30 18:11 - 00000290 _____ C:\Windows\Tasks\System HealerPeriod.job
    EmptyTemp:

    In FRST choose Fix.

    Paste into the FRST window:
    TrustedInstaller.exe

    Search Files and post the log that is created.


    What are these files?
    2016-01-19 20:27 - 2016-01-19 20:27 - 06547372 _____ C:\Users\Agnieszka\Downloads\8t5rfr2.m5f6
    2016-01-19 20:27 - 2016-01-19 20:27 - 06214472 _____ C:\Users\Agnieszka\Downloads\lss8v.n4
    etc.

    Leftovers from a file-encrypting infection?

    After all that, post new FRST logs, including a new addition.txt, this time the whole thing.

    0
  • Helpful post
    #4 07 Feb 2016 14:15
    Kolobos
    Computer specialist

    Don't post one post after another, use EDIT.

    You were supposed to paste TrustedInstaller.exe into the FRST window and press Search Files, why didn't you do that?

    Run FRST from an account with administrator rights, only then run the scan and post new logs.

    0
  • Helpful post
    #6 07 Feb 2016 14:49
    Kolobos
    Computer specialist

    You didn't answer:
    What are these files?
    2016-01-19 20:27 - 2016-01-19 20:27 - 06547372 _____ C:\Users\Agnieszka\Downloads\8t5rfr2.m5f6
    2016-01-19 20:27 - 2016-01-19 20:27 - 06214472 _____ C:\Users\Agnieszka\Downloads\lss8v.n4
    etc.
    Leftovers from a file-encrypting infection? If so, delete all those files with random names from Downloads (Pobrane).

    After pasting TrustedInstaller.exe into FRST and pressing Search Files, a log (search.txt) should be created; as you can see, you still haven't posted it, you are only giving FRST logs from the scan.

    Also make a new Fixlist.txt for FRST:
    Task: {0A8FDB76-7640-4C9F-8300-DFD139D8F644} - \Super Optimizer Schedule -> Brak pliku <==== UWAGA
    Task: {12E13AFA-586A-4B48-9A92-15DAE21EF202} - \System HealerStartUp -> Brak pliku <==== UWAGA
    Task: {2414814A-67AB-44BD-9D87-C6B4C64166FB} - \Price Fountain -> Brak pliku <==== UWAGA
    Task: {2F4DD684-B7B8-4050-B027-2A442FE5E271} - System32\Tasks\{3A1156D9-C6F1-4446-AB4C-5EB36C3771C6} => pcalua.exe -a "C:\Program Files (x86)\Elex-tech\YAC\uninstall.exe"
    Task: {35C949AF-843D-406E-AA45-57497D10FBFB} - \DNSCONTRERAS -> Brak pliku <==== UWAGA
    Task: {5B82F117-AF6F-4BC6-B25D-2719F2DE65D2} - \Optimizer Pro Schedule -> Brak pliku <==== UWAGA
    Task: {5E9B8F3C-9D43-441C-A89D-F68671FBE9B1} - \System HealerPeriod -> Brak pliku <==== UWAGA
    Task: {6319742E-EC55-429F-8330-1B1BD3507A27} - \System Healer Task -> Brak pliku <==== UWAGA
    Task: {8E169717-C41E-4173-8D66-CC6CF78A9E74} - \SystemHealer Monitor -> Brak pliku <==== UWAGA
    Task: {AE5E5628-870B-473C-A3E5-78913B799212} - \Superclean -> Brak pliku <==== UWAGA
    Task: {FE1B3970-8B23-41C3-BE2E-7BC05E13F1FE} - \{A058CC53-19A2-E328-750C-8416D30F2D74} -> Brak pliku <==== UWAGA
    HKU\S-1-5-21-3370982214-2884218214-415904202-1001\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[C1].txt
    HKU\S-1-5-21-3370982214-2884218214-415904202-1001\...\MountPoints2: {a3845278-0326-11e4-824e-806e6f6e6963} - "E:\setup.exe"
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    CHR HKU\S-1-5-21-3370982214-2884218214-415904202-1001\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    CHR HKU\S-1-5-21-3370982214-2884218214-415904202-1004\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    HKU\S-1-5-21-3370982214-2884218214-415904202-1001\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://go.microsoft.com/fwlink/?LinkID=226786...3293%26type%3Ddefault%26q%3D%7BsearchTerms%7D
    SearchScopes: HKLM -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =
    CHR Plugin: (WildTangent Games App V2 Presence Detector) - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll => Brak pliku
    CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL => Brak pliku
    2016-02-07 14:15 - 2016-02-07 14:19 - 00000000 ____D C:\AdwCleaner
    2016-02-07 13:03 - 2016-02-07 13:03 - 00003096 _____ C:\Windows\System32\Tasks\{3A1156D9-C6F1-4446-AB4C-5EB36C3771C6}
    2016-02-07 13:40 - 2015-07-08 13:57 - 00000000 ____D C:\Program Files (x86)\Dashing Pair
    2016-02-07 13:40 - 2015-06-13 09:50 - 00000000 ____D C:\Program Files (x86)\Proper Menubar
    2016-02-07 13:40 - 2015-05-25 15:04 - 00000000 ____D C:\Program Files (x86)\Browser Capability
    2016-02-07 13:40 - 2015-01-04 23:41 - 00001160 _____ C:\Users\Nikola\Desktop\Continue Flv Player Installation.lnk
    2016-02-05 22:02 - 2015-09-08 16:18 - 00003878 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1441725474
    EmptyTemp:

    0
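As an added example (not code from the thread or from FRST itself), here is a small Python triage script that applies the rules Kolobos applied by hand in posts #2 and #6 to FRST Addition.txt-style lines and emits the matching fixlist.txt entries: it keeps anything FRST flagged with UWAGA, treats public DNS resolvers outside an allowlist as hijacked, and points out Startup entries that launch a document rather than a program. The sample log lines, the USER name, the interface GUIDs and the 8.8.8.8 allowlist entry are constructed; the only FRST fix syntax relied on is what the posts show (the reported line copied verbatim, closed with EmptyTemp:).

```python
import ipaddress
import re

# Markers as in the Polish FRST output quoted in the thread: "UWAGA" = attention, "Brak pliku" = no file.
ATTENTION = re.compile(r"<=+ UWAGA")
NAMESERVER = re.compile(r"\[(?:Dhcp)?NameServer\] (.+)$")
STARTUP = re.compile(r"^Startup: (.+?) \[\d{4}-\d{2}-\d{2}\]")
# Startup entries that launch a document instead of a program (the ransom notes here were .html/.png/.txt).
NON_EXEC = (".html", ".htm", ".png", ".txt", ".bmp", ".jpg")

# Constructed sample in FRST Addition.txt style; USER and the interface GUIDs are placeholders,
# the resolver addresses and flagged entries are the ones quoted in the thread.
SAMPLE_LOG = r"""
Tcpip\Parameters: [NameServer] 82.163.142.5 95.211.158.132
Tcpip\..\Interfaces\{IFACE-GUID-1}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{IFACE-GUID-2}: [NameServer] 8.8.8.8
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
S2 Dashing Pair; C:\Program Files (x86)\Dashing Pair\Dashing Pair.exe [8016420 2015-07-08] () [Brak podpisu cyfrowego] <==== UWAGA
Task: {0A8FDB76-7640-4C9F-8300-DFD139D8F644} - \Super Optimizer Schedule -> Brak pliku <==== UWAGA
Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTRUCTIONS_FBE3C.html [2016-01-27] ()
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
"""

def dns_is_suspicious(servers, trusted):
    """True if any resolver is a public address that is not on the allowlist."""
    for token in re.split(r"[ ,]+", servers.strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address, skip it
        if not ip.is_private and str(ip) not in trusted:
            return True
    return False

def classify(line, trusted_dns=frozenset()):
    """Return why a line belongs in fixlist.txt, or None if it looks benign."""
    line = line.strip()
    if ATTENTION.search(line):
        return "flagged by FRST"
    m = NAMESERVER.search(line)
    if m and dns_is_suspicious(m.group(1), trusted_dns):
        return "unexpected public DNS resolver"
    m = STARTUP.match(line)
    if m and m.group(1).lower().endswith(NON_EXEC):
        return "startup item is a document, not a program"
    return None

def build_fixlist(log_text, trusted_dns=frozenset()):
    """FRST fixes by exact line match, so copy flagged lines verbatim and end with EmptyTemp:."""
    fixes = [l.strip() for l in log_text.splitlines() if classify(l, trusted_dns)]
    return fixes + ["EmptyTemp:"]
```

Run it with `print("\n".join(build_fixlist(SAMPLE_LOG, frozenset({"8.8.8.8"}))))`; the output is a fixlist.txt whose every line still needs a human eye before FRST's Fix is pressed.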
  • #7 28 Oct 2016 11:39
    Tom2666
    Level 11

    Thank you very much for the help, after the last steps everything is OK now.

    0