MPC Cleaner - removal

ppiotrpp 07 Mar 2016 20:16 939 8
  • #2 07 Mar 2016 20:40
    krzychupar
    Level 40

    Open the system Notepad and paste:
    Task: {CE8E8A37-9AFD-498E-AE20-ADF759CDD8AE} - System32\Tasks\Oaupae => C:\PROGRA~1\GROOVE~1\Ouduki.bat
    Task: {EA4371AE-05CE-4D0D-81C1-ADD8CD75CAB9} - System32\Tasks\Opera scheduled Autoupdate 1448834073 => C:\Program Files (x86)\Opera\launcher.exe
    Hosts:
    HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /regrun
    HKU\S-1-5-21-3963205822-3639742512-1754851344-1000\...\Run: [] => [X]
    HKU\S-1-5-21-3963205822-3639742512-1754851344-1000\...\MountPoints2: {94f08104-c836-11e4-bc80-00030d7c4bb2} - G:\SETUP.EXE
    ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => Brak pliku
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duba.com/?un_449343_3387
    HKU\S-1-5-21-3963205822-3639742512-1754851344-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duba.com/?un_449343_3387
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    FF HKLM\...\Firefox\Extensions: [{90447087-2307-4270-8F07-33CA96C30EA2}] - C:\Program Files\groover031220151431\Firefox\{90447087-2307-4270-8F07-33CA96C30EA2}.xpi => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [{90447087-2307-4270-8F07-33CA96C30EA2}] - C:\Program Files\groover031220151431\Firefox\{90447087-2307-4270-8F07-33CA96C30EA2}.xpi => nie znaleziono
    S1 SRepairDrv; \??\C:\Windows\GJFix\SRepairDrv [X]
    S2 tsnethlpx64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TsNetHlpX64.sys [X]
    2016-03-06 22:21 - 2016-03-06 22:51 - 00000000 ____D C:\ProgramData\Baidu
    2016-03-06 22:21 - 2016-03-06 22:24 - 00000000 ____D C:\Users\Monika\AppData\Roaming\Baidu
    2016-03-06 22:21 - 2016-03-06 22:21 - 00000000 ____D C:\Program Files (x86)\Baidu
    2016-03-06 22:29 - 2016-03-07 18:17 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    EmptyTemp:

    Save the file as fixlist.txt and place it in the folder C:\Users\User name\Downloads\FRST64.exe.
    Run FRST and click Fix/Napraw.

    0
  • Helpful post
    #3 07 Mar 2016 20:49
    Kolobos
    Computer specialist

    @ppiotrpp you will not remove this infection from within the system.

    Run FRST like this: http://www.fixitpc.pl/topic/4414-diagnostyka-infekcji-na-niestartuj%C4%85cych-windows/

    And run this Fixlist.txt there:
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray.exe
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe
    HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /regrun
    HKU\S-1-5-21-3963205822-3639742512-1754851344-1000\...\Run: [] => [X]
    HKU\S-1-5-21-3963205822-3639742512-1754851344-1000\...\MountPoints2: {94f08104-c836-11e4-bc80-00030d7c4bb2} - G:\SETUP.EXE
    HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2015-06-21] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => Brak pliku
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duba.com/?un_449343_3387
    HKU\S-1-5-21-3963205822-3639742512-1754851344-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.duba.com/?un_449343_3387
    FF user.js: detected! => C:\Users\Monika\AppData\Roaming\Mozilla\Firefox\Profiles\1zwjji65.default\user.js [2016-03-06]
    FF HKLM\...\Firefox\Extensions: [{90447087-2307-4270-8F07-33CA96C30EA2}] - C:\Program Files\groover031220151431\Firefox\{90447087-2307-4270-8F07-33CA96C30EA2}.xpi => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [{90447087-2307-4270-8F07-33CA96C30EA2}] - C:\Program Files\groover031220151431\Firefox\{90447087-2307-4270-8F07-33CA96C30EA2}.xpi => nie znaleziono
    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [348640 2016-03-06] (DotC United Inc)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-12-05] ()
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [59112 2016-03-06] (DotC United Inc)
    R1 {63f2a8fa-df0a-4828-941e-01b55cc27885}Gw64; C:\Windows\System32\drivers\{63f2a8fa-df0a-4828-941e-01b55cc27885}Gw64.sys [48752 2016-03-06] (StdLib)
    S1 SRepairDrv; \??\C:\Windows\GJFix\SRepairDrv [X]
    S2 tsnethlpx64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TsNetHlpX64.sys [X]
    2016-03-07 20:04 - 2016-03-07 20:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC
    2016-03-07 19:13 - 2016-03-07 20:04 - 00001729 _____ C:\Users\Public\Desktop\MPC Cleaner.lnk
    2016-03-06 22:30 - 2016-03-06 22:29 - 00059112 ____N (DotC United Inc) C:\Windows\system32\Drivers\MPCKpt.sys
    2016-03-06 22:29 - 2016-03-07 18:17 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    2016-03-06 22:28 - 2016-03-06 22:28 - 00005120 _____ C:\Users\Monika\AppData\Roaming\GiftBag.db
    2016-03-06 22:24 - 2016-03-07 19:20 - 00000000 ____D C:\Program Files (x86)\AdwCleaner
    2016-03-06 22:21 - 2016-03-06 22:51 - 00000000 ____D C:\ProgramData\Baidu
    2016-03-06 22:21 - 2016-03-06 22:24 - 00000000 ____D C:\Users\Monika\AppData\Roaming\Baidu
    2016-03-06 22:21 - 2016-03-06 22:21 - 00000000 ____D C:\Program Files (x86)\Baidu
    2016-03-06 22:20 - 2016-03-06 22:20 - 00000000 ____D C:\Users\Monika\AppData\Local\Sparta
    2016-03-06 22:10 - 2016-03-06 10:33 - 00048752 _____ (StdLib) C:\Windows\system32\Drivers\{63f2a8fa-df0a-4828-941e-01b55cc27885}Gw64.sys

    After running it, post the FRST logs created in normal mode.

    0
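An added example, not part of the thread and not FRST's own code: a small Python parser for the service/driver lines of the fixlist in the post above, using FRST's log legend (state letter R/S/U, start-type digit 0-5, `[X]` when the file was not found). It separates entries that are loaded while Windows is running from registrations whose file is already gone; the function names are illustrative assumptions.

```python
import re

# FRST service/driver line: <state><start> <name>; <path> [<size> <date> or X] (<company>)
LINE = re.compile(
    r"^(?P<state>[RSU])(?P<start>[0-5]) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<company>[^)]*)\))?$"
)
STATE = {"R": "running", "S": "stopped", "U": "undetermined"}
START = {"0": "boot", "1": "system", "2": "auto", "3": "demand",
         "4": "disabled", "5": "unreadable"}  # 5: FRST could not read the start type

# Sample input: the service/driver lines copied from the fixlist in the post above.
SAMPLE = r"""
R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [348640 2016-03-06] (DotC United Inc)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-12-05] ()
R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [59112 2016-03-06] (DotC United Inc)
R1 {63f2a8fa-df0a-4828-941e-01b55cc27885}Gw64; C:\Windows\System32\drivers\{63f2a8fa-df0a-4828-941e-01b55cc27885}Gw64.sys [48752 2016-03-06] (StdLib)
S1 SRepairDrv; \??\C:\Windows\GJFix\SRepairDrv [X]
S2 tsnethlpx64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TsNetHlpX64.sys [X]
"""

def parse_entry(line):
    """Parse one service/driver line; return None for any other fixlist line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "state": STATE[m.group("state")],
        "start": START[m.group("start")],
        "path": m.group("path"),
        "file_missing": m.group("meta") == "X",  # "[X]": FRST did not find the file
        "company": m.group("company") or None,   # "()" means no company string
    }

def triage(text):
    """Return all parsed entries, names of running ones, names of orphaned ones."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    live = [e["name"] for e in entries if e["state"] == "running"]
    orphaned = [e["name"] for e in entries if e["file_missing"]]
    return entries, live, orphaned

if __name__ == "__main__":
    entries, live, orphaned = triage(SAMPLE)
    for e in entries:
        print(f'{e["name"]:<46} {e["state"]:<8} {e["start"]:<7} {e["company"] or "-"}')
    print("live:", live)
    print("orphaned:", orphaned)
```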
  • Helpful post
    #5 07 Mar 2016 21:08
    Kolobos
    Computer specialist

    No wonder: I told you how to run FRST, you ran it normally and you write that it doesn't work. You have to run it from WinRE, everything is explained on the page!

    0
  • #7 08 Mar 2016 08:09
    Kolobos
    Computer specialist

    Run one more Fixlist.txt like this:
    C:\Windows\GJFix
    EmptyTemp:

    After running it, delete the C:\FRST directory and that's all.

    0
  • #9 08 Mar 2016 19:51
    Kolobos
    Computer specialist

    New logs are no longer needed.

    0