
Missing script - black screen at startup

mefik1993 15 Mar 2016 17:57 645 3
  • #1 15 Mar 2016 17:57
    mefik1993
    Level 2

    Hi

    I have a problem with (c:\windows\run.vbs): a black screen and a message about the missing script, as given in the brackets.
    Logs from Farbar Recovery Scan Tool are in the attachments.

    Please help.

  • #2 15 Mar 2016 18:08
    Kolobos
    Computer specialist

    You won't remove this infection under Windows.

    Uninstall:
    Adobe Reader 9.3 - Polish, switch to the latest version of AR or to Foxit: http://ninite.com/foxit/
    shopperz

    Run FRST this way: http://www.fixitpc.pl/topic/4414-diagnostyka-infekcji-na-niestartujących-windows/

    Next to frst.exe create a file fixlist.txt with the contents:
    Task: {087D89AB-FCB1-416A-8D37-C10452C5E476} - System32\Tasks\{EEA72382-B0A1-40AB-9A12-868BF9251ADB} => pcalua.exe -a E:\autorun.exe -d E:\
    Task: {14500A3E-11F5-44E7-945F-5D6457229C7E} - System32\Tasks\{DF508F7F-AB0B-4A8C-81C2-1A544E852E54} => pcalua.exe -a C:\Windows\unvise32.exe -d C:\Windows -c C:\PROGRA~2\POSTAL~1\uninstal.log
    Task: {2B4B8A0A-E055-44B9-B10B-C4230B0C873D} - System32\Tasks\{81255F98-1496-4C04-8D0F-55A9A5DE3E1F} => pcalua.exe -a C:\Users\fabian\Desktop\sa-mp-0-3x-R1-2-install.exe -d C:\Users\fabian\Desktop
    Task: {333BA143-D803-4B1B-AA92-00828026AFB3} - System32\Tasks\{3A5062B9-FE6C-4E73-924D-A57353F6A7AF} => pcalua.exe -a "E:\ALLPlayer 2.2.7 PL\ALLPlayer_(www.programs.pl).exe" -d "E:\ALLPlayer 2.2.7 PL"
    Task: {48688996-D49E-46CE-B3CC-013A4AC9D251} - System32\Tasks\{E1F9B7C2-1D6D-4C97-88F7-59E2BFD317BD} => pcalua.exe -a C:\Users\fabian\Desktop\fabian\setup.exe -d C:\Users\fabian\Desktop\fabian
    Task: {7BB3E258-4AE7-43D1-BE83-518D1DF2C5EC} - System32\Tasks\{7A02817A-1941-49ED-A4F2-0C37CB452AFF} => pcalua.exe -a E:\start.exe -d E:\
    Task: {A54A6DA1-4716-4467-BD51-729FC503457F} - System32\Tasks\{C493BD39-5590-4865-A557-A272D452835A} => pcalua.exe -a E:\autorun.exe -d E:\
    Task: {B99DA10D-CCDF-4ECE-9D9C-3C8CE8127B06} - System32\Tasks\Madjiwo => C:\PROGRA~1\SHOPPE~1\Iwiwki.bat
    Task: {DF0DF28E-205F-424F-8962-71905FFD2E79} - System32\Tasks\hdqPlayer Update => C:\Program Files (x86)\hdqPlayer\hdqPlayerUpdater.exe <==== UWAGA
    Task: {EF61FC50-F110-4AE2-B24A-BA806D8756A1} - System32\Tasks\{5E71F81D-AFED-410D-8CC4-B175209FFAF1} => pcalua.exe -a C:\PROGRA~2\EIDOSI~1\HITMAN~1\unwise.exe
    Task: {F75ADABA-FCCB-4C07-8340-B4528F03168C} - System32\Tasks\{74902BEC-5327-46B8-9E25-5DDDFD537E91} => pcalua.exe -a E:\autorun.exe -d E:\
    2016-02-13 16:00 - 2015-09-07 18:02 - 01061599 _____ () C:\Program Files (x86)\TmtkControl\service.exe
    2016-02-13 16:00 - 2015-08-16 15:51 - 00279955 _____ () C:\Program Files (x86)\TmtkControl\libidn-11.dll
    2016-02-13 16:00 - 2015-08-16 15:52 - 00113166 _____ () C:\Program Files (x86)\TmtkControl\zlib1.dll
    AlternateDataStreams: C:\ProgramData:$SS_DESCRIPTOR_PVX2VCGFMV89FFNYTK1RVDNJCMPPYDMC0KDXYGMFRJKTJW6LN4AL [172]
    AlternateDataStreams: C:\Users\All Users:$SS_DESCRIPTOR_PVX2VCGFMV89FFNYTK1RVDNJCMPPYDMC0KDXYGMFRJKTJW6LN4AL [172]
    AlternateDataStreams: C:\ProgramData\Application Data:$SS_DESCRIPTOR_PVX2VCGFMV89FFNYTK1RVDNJCMPPYDMC0KDXYGMFRJKTJW6LN4AL [172]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:$SS_DESCRIPTOR_PVX2VCGFMV89FFNYTK1RVDNJCMPPYDMC0KDXYGMFRJKTJW6LN4AL [172]
    Hosts:
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe
    () C:\Program Files (x86)\TmtkControl\service.exe
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray.exe
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe
    HKLM-x32\...\Run: [gmsd_pl_031010205] => "C:\Program Files (x86)\gmsd_pl_031010205\gmsd_pl_031010205.exe"
    HKLM-x32\...\Run: [Sysctl] => C:\Program Files (x86)\TmtkControl\sysctl.exe [532992 2015-09-07] ()
    HKLM-x32\...\Run: [gmsd_pl_005010247] => "C:\Program Files (x86)\gmsd_pl_005010247\gmsd_pl_005010247.exe"
    HKLM-x32\...\Run: [SystemClose] => D:\Documents\systemfile.exe
    HKLM-x32\...\RunOnce: [Update] => C:\Users\fabian\AppData\Roaming\VOPackage\VOPackage.exe /runonce
    HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\fabian\AppData\Local\Temp\DeleteOnReboot.bat [423 2016-03-15] () <===== UWAGA
    HKLM\...\Winlogon: [Userinit] wscript C:\Windows\run.vbs,
    HKU\S-1-5-21-3752310950-2278547694-2214410218-1002\...\MountPoints2: {e562802f-9e76-11e5-831c-344b50b7ef88} - "G:\start.exe"
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk [2014-12-07]
    ShortcutTarget: CodecPackUpdateChecker.lnk -> C:\Windows\SysWOW64\C2MP\UpdateChecker.exe (Brak pliku)
    GroupPolicy: Ograniczenia - Chrome <======= UWAGA
    GroupPolicyScripts-x32: Ograniczenia <======= UWAGA
    GroupPolicyScripts-x32\User: Ograniczenia <======= UWAGA
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    AutoConfigURL: [S-1-5-21-3752310950-2278547694-2214410218-1002] => hxxp://get-access.me/wpad.dat?f2ffb9d7914143dbfc9951e06bc33b29815941
    ManualProxies: 0hxxp://get-access.me/wpad.dat?f2ffb9d7914143dbfc9951e06bc33b29815941
    URLSearchHook: HKU\S-1-5-21-3752310950-2278547694-2214410218-1002 - (Brak nazwy) - {00000000-6E41-4FD3-8538-502F5495E5FC} - Brak pliku
    SearchScopes: HKLM -> {C0AEEC99-925B-4758-86CC-779F7E340798} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKLM-x32 -> {C0AEEC99-925B-4758-86CC-779F7E340798} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKU\S-1-5-21-3752310950-2278547694-2214410218-1002 -> {C0AEEC99-925B-4758-86CC-779F7E340798} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    FF DefaultSearchEngine: Default
    FF SelectedSearchEngine: Default
    FF user.js: detected! => C:\Users\fabian\AppData\Roaming\Mozilla\Firefox\Profiles\7r1j2s7o.default\user.js [2016-02-23]
    FF SearchPlugin: C:\Users\fabian\AppData\Roaming\Mozilla\Firefox\Profiles\7r1j2s7o.default\searchplugins\yoursites123-1.xml [2016-03-15]
    FF SearchPlugin: C:\Users\fabian\AppData\Roaming\Mozilla\Firefox\Profiles\7r1j2s7o.default\searchplugins\yoursites123.xml [2016-01-13]
    FF Extension: AdBlock Ultimate - C:\Users\fabian\AppData\Roaming\Mozilla\Firefox\Profiles\7r1j2s7o.default\Extensions\adblockultimate@adblockultimate.net.xpi [2016-03-15]
    CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggVclsKBQ1CRBgVJghbTA1AFwQOIlsMUhREF1cWdgkIUltFGQEFIk0FA1oDB0VXfV5bFElXTwhnKUpbDk8UU2FRJVhLFEsU"
    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [348640 2016-02-23] (DotC United Inc)
    R2 Sysupdate; C:\Program Files (x86)\TmtkControl\service.exe [1061599 2015-09-07] () [Brak podpisu cyfrowego]
    S2 Konmece; "C:\Users\fabian\AppData\Roaming\WyxzFejp\Wadgaihn.exe" -cms [X]
    R1 bsdriver; C:\Windows\system32\drivers\bsdriver.sys [34712 2016-02-23] ()
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-03-15] ()
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [59112 2016-02-23] (DotC United Inc)
    R1 netcontroller; C:\Windows\System32\drivers\netcontroller.sys [60384 2015-12-29] (UtilTool Ltd)
    S3 AVFSFilter; \SystemRoot\system32\DRIVERS\avfsfilter.sys [X]
    S1 pvmkjasf; \??\C:\Windows\system32\drivers\pvmkjasf.sys [X]
    S1 ytjkdsvy; \??\C:\Windows\system32\drivers\ytjkdsvy.sys [X]
    2016-03-15 17:22 - 2016-03-15 17:22 - 00000000 _____ C:\Users\fabian\Desktop\example.vbs
    2016-03-15 17:19 - 2016-03-15 17:21 - 00000000 _____ C:\Users\fabian\Desktop\abc.vbs
    2016-03-15 16:50 - 2016-03-15 16:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC
    2016-03-15 16:10 - 2016-03-15 16:10 - 00000000 _____ C:\autoexec.bat
    2016-03-15 16:06 - 2016-03-15 16:06 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
    2016-03-15 13:45 - 2016-03-15 16:50 - 00001748 _____ C:\Users\Public\Desktop\MPC Cleaner.lnk
    2016-03-15 13:12 - 2016-03-15 13:25 - 00000000 ____D C:\Program Files (x86)\AdwCleaner
    2016-03-15 12:59 - 2016-03-15 12:59 - 00000001 _____ C:\Windows\SysWOW64\pl.html
    2016-03-02 13:36 - 2016-03-06 08:51 - 00000000 ____D C:\Users\fabian\AppData\Local\app
    2016-03-02 13:25 - 2016-03-02 13:25 - 00000000 ____D C:\Users\fabian\AppData\Roaming\UPUpdata
    2016-03-01 16:44 - 2016-03-01 16:44 - 00127488 _____ C:\Users\fabian\AppData\Roaming\Installer.dat
    2016-03-01 16:44 - 2016-03-01 16:44 - 00011568 _____ C:\Users\fabian\AppData\Roaming\InstallationConfiguration.xml
    2016-02-27 19:24 - 2016-02-27 19:24 - 00000000 _____ C:\Windows\SysWOW64\Number of results
    2016-02-24 10:40 - 2016-02-24 10:40 - 00260876 _____ C:\Users\fabian\AppData\Local\nszDC0D.tmp
    2016-02-23 17:32 - 2016-02-23 17:32 - 00000000 ____D C:\Users\fabian\AppData\Roaming\WinZiper
    2016-02-23 16:35 - 2016-02-23 16:35 - 00000000 ____D C:\Windows\system32\nike
    2016-02-23 16:31 - 2016-02-23 16:30 - 00059112 ____N (DotC United Inc) C:\Windows\system32\Drivers\MPCKpt.sys
    2016-02-23 16:30 - 2016-02-23 16:46 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    2016-02-23 16:24 - 2016-02-23 16:24 - 00034712 _____ () C:\Windows\system32\Drivers\bsdriver.sys
    2016-02-23 16:24 - 2016-02-23 16:24 - 00003340 _____ C:\Windows\System32\Tasks\Madjiwo
    2016-02-23 16:23 - 2016-02-23 16:24 - 00000000 ____D C:\Users\fabian\AppData\Local\Tempfolder
    2016-02-23 16:23 - 2016-02-23 16:23 - 00000000 ____D C:\Users\fabian\AppData\LocalLow\Company
    2016-02-23 16:23 - 2016-02-23 16:23 - 00000000 ____D C:\uninst
    2016-02-23 16:22 - 2016-03-15 13:41 - 00000000 ____D C:\Program Files\shopperz220220161642
    2016-02-22 15:45 - 2016-02-23 16:23 - 00056728 _____ (Windows (R) Win 7 DDK provider) C:\Windows\system32\Drivers\cherimoya.sys
    2016-03-04 13:40 - 2015-11-06 19:07 - 00000000 ____D C:\Users\fabian\AppData\Roaming\WarThunder
    2014-12-20 13:50 - 2015-07-05 10:34 - 0763904 ____H () C:\Users\fabian\AppData\Roaming\base_en.db
    2016-03-01 16:44 - 2016-03-01 16:44 - 0011568 _____ () C:\Users\fabian\AppData\Roaming\InstallationConfiguration.xml
    2016-03-01 16:44 - 2016-03-01 16:44 - 0127488 _____ () C:\Users\fabian\AppData\Roaming\Installer.dat
    2015-08-09 11:59 - 2015-08-09 11:59 - 0154624 _____ () C:\Users\fabian\AppData\Roaming\svchost.exe
    2015-11-26 19:20 - 2016-01-10 08:17 - 0000066 _____ () C:\Users\fabian\AppData\Roaming\WB.CFG
    2016-02-24 10:40 - 2016-02-24 10:40 - 0260876 _____ () C:\Users\fabian\AppData\Local\nszDC0D.tmp
    C:\Users\fabian\AppData\Local\Temp\DeleteOnReboot.bat
    EmptyTemp:

    In FRST choose Fix (Napraw).

    Once it has run, post new FRST logs, this time made in normal mode.

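As an added example (not from this thread and not part of FRST itself), a small Python triage script that applies the indicators visible in the fixlist above to FRST log lines: the Winlogon Userinit value that launches a VBS instead of userinit.exe (the cause of the black screen), FRST's own attention marker, unsigned or orphaned services, and an external proxy auto-config URL. The sample lines are constructed from entries quoted in the post plus two clean entries.

```python
import re

# Default Winlogon Userinit value on a clean Windows install (trailing comma included).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"
# FRST service/driver lines start with a state code such as R2 or S1.
SERVICE_LINE = re.compile(r"[RS]\d ")

# Constructed sample modelled on entries quoted in the fixlist above; the last two
# lines are clean entries added to show that the rules stay quiet on them.
SAMPLE_LOG = r"""
HKLM\...\Winlogon: [Userinit] wscript C:\Windows\run.vbs,
HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\fabian\AppData\Local\Temp\DeleteOnReboot.bat [423 2016-03-15] () <===== UWAGA
R2 Sysupdate; C:\Program Files (x86)\TmtkControl\service.exe [1061599 2015-09-07] () [Brak podpisu cyfrowego]
S1 pvmkjasf; \??\C:\Windows\system32\drivers\pvmkjasf.sys [X]
AutoConfigURL: [S-1-5-21-3752310950-2278547694-2214410218-1002] => hxxp://get-access.me/wpad.dat?f2ffb9d7914143dbfc9951e06bc33b29815941
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,
R2 wuauserv; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
"""

# (label, predicate) pairs; each encodes one indicator visible in the thread.
RULES = [
    # Userinit should only launch userinit.exe. Here it runs a VBS through wscript,
    # which is why a missing run.vbs leaves a black screen at logon.
    ("winlogon-userinit-hijacked",
     lambda l: "[Userinit]" in l
     and l.split("[Userinit]", 1)[1].strip().lower() != DEFAULT_USERINIT),
    # FRST's own attention marker (UWAGA in the Polish build, ATTENTION in English).
    ("frst-attention-marker",
     lambda l: re.search(r"<={3,}\s*(UWAGA|ATTENTION)", l) is not None),
    # Running service with no digital signature or an empty company field.
    ("service-unsigned",
     lambda l: SERVICE_LINE.match(l) is not None
     and ("[Brak podpisu cyfrowego]" in l or " () " in l)),
    # Registered service or driver whose binary is gone ([X]): orphaned or half-removed.
    ("service-file-missing",
     lambda l: SERVICE_LINE.match(l) is not None and l.endswith("[X]")),
    # Proxy auto-config pulled from an external host: browser traffic redirection.
    ("proxy-autoconfig-external",
     lambda l: l.startswith(("AutoConfigURL:", "ManualProxies:")) and "hxxp" in l),
]

def triage(log_text):
    """Return (label, line) pairs for every log line that matches a rule."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        for label, pred in RULES:
            if line and pred(line):
                findings.append((label, line))
    return findings
```

Calling triage() on the text of a real FRST.txt gives the same kind of list for a machine being cleaned; the rules are deliberately narrow and only cover what this thread shows.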
  • #3 15 Mar 2016 18:30
    mefik1993
    Level 2

    Do I simply replace that file where the program is installed?

  • #4 15 Mar 2016 18:35
    Kolobos
    Computer specialist

    No, you are to do what I gave you. I already wrote that you won't remove this infection in normal mode under Windows. You have to run frst the way it is described on the page I linked.
    You create fixlist.txt in the folder where you have frst.
