Elektroda.pl

file with viruses, trojans...frst

vw98 22 Apr 2016 20:32
  • #2 22 Apr 2016 20:44
    Kolobos
    Computer specialist

    Uninstall:
    Trojan Remover 6.9.4.2943
    UC浏览器

    Go to the directory C:\Program Files (x86)\MPC Cleaner\ and run uninstall.exe with administrator rights.

    Fixlist.txt for FRST:
    Task: {3E1F1281-08B9-4262-A97B-C57129ED6B42} - System32\Tasks\{5BE2FCBC-4F58-32DF-9B90-2C30AEF31589} => C:\Users\HALSKI\AppData\Roaming\{5BE2F~1\SyncTask.exe
    Task: {408FB78C-6628-4AB6-BD72-D2F78FE62FE6} - System32\Tasks\{1E95C04A-0727-480B-9059-1E9F49ED686B} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Gravetouch\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Gravetouch\uninstall.dat" -a uninstallme 9CEF942D-B2BC-462D-A018-16481C28BDF9 DeviceId=e0724714-f198-dbbb-156f-7c71c7d3c2f5 BarcodeId=51129011 ChannelId=11 DistributerName=APSFSWAds
    Task: {EACFE6BE-FB30-4C83-8AE4-FF47C1412448} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2016-04-13] (UCWeb Inc)
    Task: {FF590073-36EB-41C4-A1BB-4FAD452CE772} - System32\Tasks\HALSKIEmittedTrickerV2 => Rundll32.exe TurnoverBacksliders.dll,main 7 1 <==== UWAGA
    Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe
    Task: C:\Windows\Tasks\{5BE2FCBC-4F58-32DF-9B90-2C30AEF31589}.job =>
    ShortcutWithArgument: C:\Users\HALSKI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1461345270&a=1046394&src=sh&uuid=7409f058-09a0-4926-bba7-3ef68ba8df93"
    ShortcutWithArgument: C:\Users\HALSKI\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\Users\HALSKI\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\Users\HALSKI\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    Hosts:
    () C:\Program Files (x86)\A6E39BF9-1461345505-CE46-99E7-D9D9AED45685\knsu3218.tmpfs
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe
    () C:\Program Files (x86)\A6E39BF9-1461345505-CE46-99E7-D9D9AED45685\jnsj4AA7.tmp
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray.exe
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe
    (UCWeb Inc.) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
    HKLM-x32\...\Run: [apphide] => C:\Program Files (x86)\badu\uc.exe [302182 2016-04-22] ()
    HKLM-x32\...\Run: [mpck_en_005030306] => [X]
    HKLM-x32\...\Run: [TrojanScanner] => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [3753016 2016-04-22] (Simply Super Software)
    HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\...\Run: [svchost0] => C:\Program Files (x86)\UCBrowser\Application\UUC0789.exe [69632 2016-04-22] ()
    HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\...\Run: [apphide] => C:\Program Files (x86)\badu\uc.exe [302182 2016-04-22] ()
    AutoConfigURL: [S-1-5-21-3077664057-2045354159-3079720057-1001] => hxxp://unstops.net/wpad.dat?1fd307d1525c81564393c6162db6ea899220728
    Tcpip\..\Interfaces\{1c93fec9-e867-476b-b2e2-4edf05838be8}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{27581367-79e0-439d-bd58-06c7da67ffcb}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{295f8317-5493-495e-8ae8-f1205e6f34cc}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{79ab4088-71a3-4371-9f2a-073b0adff967}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{b14f1aa5-f157-45d6-ad14-9442c101bb3b}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{b14f1aa5-f157-45d6-ad14-9442c101bb3b}: [DhcpNameServer] 40.51.1.12
    Tcpip\..\Interfaces\{b24ebcb0-ff27-11e5-b5b7-806e6f6e6963}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{c4463592-d7cf-4b78-9e6c-24b4ce65c92e}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{c448d0ec-7636-457a-823c-058aed1fc4ff}: [NameServer] 104.197.191.4
    Tcpip\..\Interfaces\{eb36f4c1-1ef0-4815-bc64-3d82641d6ae0}: [NameServer] 104.197.191.4
    ManualProxies: 0hxxp://unstops.net/wpad.dat?1fd307d1525c81564393c6162db6ea899220728
    HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
    HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
    HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3077664057-2045354159-3079720057-1001 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3077664057-2045354159-3079720057-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-3077664057-2045354159-3079720057-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
    BHO-x32: Cash Kitten -> {9ea7bd36-2d13-4df3-837f-7ac273765e7d} -> C:\Program Files (x86)\Cash Kitten\Extensions\9ea7bd36-2d13-4df3-837f-7ac273765e7d.dll => Brak pliku
    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-04-22] (DotC United Inc)
    R2 rocufyky; C:\Program Files (x86)\A6E39BF9-1461345505-CE46-99E7-D9D9AED45685\jnsj4AA7.tmp [389632 2016-04-22] () [Brak podpisu cyfrowego]
    S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f "C:\ProgramData\\CloudPrinter\\CloudPrinter.dat" -l -a
    R2 mikegujyzbt; C:\Program Files (x86)\A6E39BF9-1461345505-CE46-99E7-D9D9AED45685\knsu3218.tmpfs [X]
    S2 ProntSpooler; Brak ImagePath
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-04-22] (DotC United Inc)
    R1 UCGuard; C:\Windows\System32\DRIVERS\ucguard.sys [80768 2016-04-13] (Huorong Borui (Beijing) Technology Co., Ltd.)
    S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
    2016-04-22 20:01 - 2016-04-22 20:01 - 00000000 ____D C:\Users\HALSKI\AppData\Roaming\MCorp
    2016-04-22 19:56 - 2016-04-22 19:56 - 00001623 _____ C:\Users\HALSKI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk
    2016-04-22 19:56 - 2016-04-22 19:56 - 00000000 ____D C:\Users\HALSKI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器
    2016-04-22 19:56 - 2016-04-22 19:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC
    2016-04-22 19:53 - 2016-04-22 19:53 - 00000000 ____D C:\Program Files (x86)\Pwtyfemuk
    2016-04-22 19:46 - 2016-04-22 19:56 - 00000000 ____D C:\ProgramData\TEMP
    2016-04-22 19:39 - 2016-04-22 19:39 - 00975504 _____ (Sacip ) C:\Users\HALSKI\Downloads\Trojan-Remover-13140-dp.exe
    2016-04-22 19:32 - 2016-04-22 19:32 - 00003738 _____ C:\Windows\System32\Tasks\{1E95C04A-0727-480B-9059-1E9F49ED686B}
    2016-04-22 19:27 - 2016-04-22 20:15 - 00000482 _____ C:\Windows\Tasks\UCBrowserUpdater.job
    2016-04-22 19:27 - 2016-04-22 19:27 - 00003502 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
    2016-04-22 19:26 - 2016-04-22 19:26 - 00000000 ____D C:\Users\HALSKI\AppData\Local\UCBrowser
    2016-04-22 19:26 - 2016-04-22 19:26 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2016-04-22 19:26 - 2016-04-13 18:37 - 00080768 _____ (Huorong Borui (Beijing) Technology Co., Ltd.) C:\Windows\system32\Drivers\ucguard.sys
    2016-04-22 19:25 - 2016-04-22 19:56 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    2016-04-22 19:25 - 2016-04-22 19:25 - 00060136 _____ (DotC United Inc) C:\Windows\system32\Drivers\MPCKpt.sys
    2016-04-22 19:24 - 2016-04-22 19:49 - 00000000 ____D C:\Users\HALSKI\AppData\Local\Apps\2.0
    2016-04-22 19:24 - 2016-04-22 19:24 - 00000000 ____D C:\Users\Public\Documents\dmp
    2016-04-22 19:24 - 2016-04-22 19:24 - 00000000 ____D C:\Program Files (x86)\Ekeh
    2016-04-22 19:24 - 2016-04-22 19:24 - 00000000 ____D C:\Program Files (x86)\CleanBrowser
    2016-04-22 19:24 - 2016-04-22 19:24 - 00000000 ____D C:\Program Files (x86)\badu
    2016-04-22 19:18 - 2016-04-22 19:57 - 00000000 ____D C:\Program Files (x86)\A6E39BF9-1461345505-CE46-99E7-D9D9AED45685
    2016-04-22 19:15 - 2016-04-22 19:57 - 00000000 ____D C:\ProgramData\CloudPrinter
    2016-04-22 19:15 - 2016-04-22 19:33 - 00000000 ____D C:\ProgramData\Holdtam
    2016-04-22 19:15 - 2016-04-22 19:15 - 06494208 _____ C:\Users\HALSKI\AppData\Roaming\agent.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 01626777 _____ C:\Users\HALSKI\AppData\Roaming\Sololam.tst
    2016-04-22 19:15 - 2016-04-22 19:15 - 00126464 _____ C:\Users\HALSKI\AppData\Roaming\noah.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 00126464 _____ C:\Users\HALSKI\AppData\Roaming\lobby.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 00072717 _____ C:\Users\HALSKI\AppData\Roaming\Geo-Lax.tst
    2016-04-22 19:15 - 2016-04-22 19:15 - 00065568 _____ C:\Users\HALSKI\AppData\Roaming\Config.xml
    2016-04-22 19:15 - 2016-04-22 19:15 - 00054272 _____ C:\Users\HALSKI\AppData\Roaming\ApplicationHosting.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 00018432 _____ C:\Users\HALSKI\AppData\Roaming\Main.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 00005568 _____ C:\Users\HALSKI\AppData\Roaming\md.xml
    2016-04-22 19:15 - 2016-04-22 19:15 - 00002393 _____ C:\Windows\SysWOW64\findit.xml
    2016-04-22 19:15 - 2016-04-22 19:15 - 00000000 ____D C:\ProgramData\Holdtams
    2016-04-22 19:15 - 2016-04-22 19:14 - 01110016 _____ C:\Users\HALSKI\AppData\Roaming\Sololam.exe
    2016-04-22 19:15 - 2016-04-22 19:14 - 01110016 _____ C:\Users\HALSKI\AppData\Roaming\Geo-Lax.exe
    2016-04-22 19:14 - 2016-04-22 19:15 - 00015840 _____ C:\Users\HALSKI\AppData\Roaming\InstallationConfiguration.xml
    2016-04-22 19:14 - 2016-04-22 19:14 - 00162492 _____ C:\Users\HALSKI\AppData\Roaming\inst.lat
    2016-04-22 19:14 - 2016-04-22 19:14 - 0012788 _____ C:\Users\HALSKI\AppData\Roaming\Installer.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 6494208 _____ () C:\Users\HALSKI\AppData\Roaming\agent.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 0054272 _____ () C:\Users\HALSKI\AppData\Roaming\ApplicationHosting.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 0065568 _____ () C:\Users\HALSKI\AppData\Roaming\Config.xml
    2016-04-22 19:15 - 2016-04-22 19:14 - 1110016 _____ () C:\Users\HALSKI\AppData\Roaming\Geo-Lax.exe
    2016-04-22 19:15 - 2016-04-22 19:15 - 0072717 _____ () C:\Users\HALSKI\AppData\Roaming\Geo-Lax.tst
    2016-04-22 19:14 - 2016-04-22 19:14 - 0162492 _____ () C:\Users\HALSKI\AppData\Roaming\inst.lat
    2016-04-22 19:14 - 2016-04-22 19:15 - 0015840 _____ () C:\Users\HALSKI\AppData\Roaming\InstallationConfiguration.xml
    2016-04-22 19:14 - 2016-04-22 19:14 - 0127488 _____ () C:\Users\HALSKI\AppData\Roaming\Installer.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 0126464 _____ () C:\Users\HALSKI\AppData\Roaming\lobby.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 0018432 _____ () C:\Users\HALSKI\AppData\Roaming\Main.dat
    2016-04-22 19:15 - 2016-04-22 19:15 - 0005568 _____ () C:\Users\HALSKI\AppData\Roaming\md.xml
    2016-04-22 19:15 - 2016-04-22 19:15 - 0126464 _____ () C:\Users\HALSKI\AppData\Roaming\noah.dat
    2016-04-22 19:15 - 2016-04-22 19:14 - 1110016 _____ () C:\Users\HALSKI\AppData\Roaming\Sololam.exe
    2016-04-22 19:15 - 2016-04-22 19:15 - 1626777 _____ () C:\Users\HALSKI\AppData\Roaming\Sololam.tst
    2016-04-10 18:03 - 2016-04-22 19:56 - 0000184 _____ () C:\Users\HALSKI\AppData\Roaming\sp_data.sys
    2016-04-22 19:15 - 2016-04-22 19:15 - 0032038 _____ () C:\Users\HALSKI\AppData\Roaming\uninstall_temp.ico
    EmptyTemp:

    After running it, post new FRST logs from a scan.

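Added example, not code from the thread or from FRST: a small Python triage helper that reads lines in FRST's own format, like the ones quoted in the fixlist above, and flags the indicators that fix targets (an autorun with an empty signer field, a proxy auto-config URL, one static NameServer pushed onto several interfaces, and a percent-encoded search host). The sample lines are constructed from entries quoted in the post; hxxp:// is FRST's defanged http://.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log, modelled on the fixlist entries above.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [apphide] => C:\Program Files (x86)\badu\uc.exe [302182 2016-04-22] ()
HKLM-x32\...\Run: [TrojanScanner] => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [3753016 2016-04-22] (Simply Super Software)
AutoConfigURL: [S-1-5-21-3077664057-2045354159-3079720057-1001] => hxxp://unstops.net/wpad.dat?1fd307d1525c81564393c6162db6ea899220728
Tcpip\..\Interfaces\{1c93fec9-e867-476b-b2e2-4edf05838be8}: [NameServer] 104.197.191.4
Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 104.197.191.4
Tcpip\..\Interfaces\{b14f1aa5-f157-45d6-ad14-9442c101bb3b}: [DhcpNameServer] 40.51.1.12
HKU\S-1-5-21-3077664057-2045354159-3079720057-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...XAcPC22w1u-uRsnCEC9XOfnCpsB8T5nKJFTVPT&q={searchTerms}
"""

# Run entry: name, image path, "[size date]" and the signer in parentheses.
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.*?) \[\d+ [\d-]+\] \((?P<signer>[^)]*)\)$")
# Per-interface DNS setting; a static NameServer overrides what DHCP handed out.
DNS_RE = re.compile(r"Tcpip\\\.\.\\Interfaces\\(?P<iface>\{[^}]+\}): \[(?P<kind>NameServer|DhcpNameServer)\] (?P<ip>[\d.]+)")
# Proxy auto-config (WPAD) URL set for a user SID: routes all browser traffic through an attacker-chosen proxy.
PAC_RE = re.compile(r"^AutoConfigURL: \[(?P<sid>[^\]]+)\] => (?P<url>\S+)")
HOST_RE = re.compile(r"hxxps?://(?P<host>[^/\s]+)")


def decode_defanged_host(url: str) -> str:
    """Percent-decode the host part of a defanged URL so %66%65%65%64 reads as 'feed'."""
    m = HOST_RE.search(url)
    return unquote(m.group("host")) if m else ""


def triage(log: str) -> dict:
    """Collect the hijack indicators from FRST-style lines; returns a dict of findings."""
    findings = {"unsigned_autoruns": [], "pac_hijack": [], "static_dns": Counter(), "decoded_hosts": []}
    for line in (l.strip() for l in log.strip().splitlines()):
        if m := RUN_RE.search(line):
            if not m["signer"].strip():          # "()" means FRST found no signer
                findings["unsigned_autoruns"].append((m["name"], m["path"]))
        elif m := PAC_RE.match(line):
            findings["pac_hijack"].append(m["url"])
        elif m := DNS_RE.match(line):
            if m["kind"] == "NameServer":        # count interfaces per static resolver
                findings["static_dns"][m["ip"]] += 1
        if "hxxp" in line and "%" in line:       # obfuscated search/start-page URLs
            findings["decoded_hosts"].append((line.split(" = ")[0], decode_defanged_host(line)))
    return findings
```

The same resolver set statically on every interface, plus a WPAD URL, is the pattern the fixlist above is undoing; a clean machine normally shows only DhcpNameServer entries.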
  • #3 22 Apr 2016 21:00
    vw98
    Level 7

    ok, thanks a lot, I'm doing it right now
    when I finish I'll write whether everything is ok

    Added after 14 [minutes]:

    It helped! That orange squirrel with Chinese characters also uninstalled, but when I open the browser this pops up by default: http://search.mpc.am/?geo=pl
    How do I remove it?

  • #4 22 Apr 2016 21:02
    Kolobos
    Computer specialist

    > After running it, post new FRST logs from a scan.

  • #6 22 Apr 2016 21:19
    Kolobos
    Computer specialist

    I didn't write anything about a fixlist, you are to post new FRST logs from a scan.

  • #8 22 Apr 2016 21:53
    Kolobos
    Computer specialist

    New Fixlist.txt for FRST:
    C:\Windows\Tasks\{5BE2FCBC-4F58-32DF-9B90-2C30AEF31589}.job
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = search.mpc.am
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = search.mpc.am
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search.mpc.am
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = search.mpc.am
    CHR HomePage: Default -> search.mpc.am
    CHR StartupUrls: Default -> "search.mpc.am"
    CHR DefaultSearchURL: Default -> hxxp://search.mpc.am?q={searchTerms}&cx=partner-pub-3796753109442372:3837783968
    CHR DefaultSearchKeyword: Default -> mpc safe search
    2016-04-22 19:44 - 2016-04-22 19:44 - 37303624 _____ (Simply Super Software ) C:\Users\HALSKI\Downloads\trjsetup694.exe

  • #9 22 Apr 2016 22:02
    vw98
    Level 7

    It fixed everything, thanks a lot.