Elektroda.pl

Virus installs applications on the computer by itself

heytham 02 Jun 2016 22:02 2121 6
  • #1 02 Jun 2016 22:02
    heytham
    Level 4

    Hello
    By accident I installed some unwanted program, and along with it, I think, some virus that installs strange things on my computer by itself and keeps throwing up strange ads. I'm attaching the FRST scans and I'd be very grateful for help, because I can't deal with this myself.

    1 6
  • #2 02 Jun 2016 22:36
    Kolobos
    Computer specialist

    I'm guessing the infection happened after running something from here:
    2016-06-02 21:36 - 2016-06-02 21:36 - 00669696 _____ C:\Users\Mateusz\Downloads\Crack Setup (1).iso
    2016-06-02 21:07 - 2016-06-02 21:07 - 167296395 _____ C:\Users\Mateusz\Downloads\FCPrimal_Crack_hackedcracked.eu.rar
    2016-06-02 20:55 - 2016-06-02 20:55 - 00669696 _____ C:\Users\Mateusz\Downloads\Crack Setup.iso
    If so, delete these files.

    Uninstall:
    Dll-Files Fixer
    hohosearch - Uninstall
    Compress

    Go to the folder C:\Program Files (x86)\MPC Cleaner\ and run the file uninstall.exe with administrator rights.

    Next to frst.exe, create a file Fixlist.txt with the following content:
    CloseProcesses:
    CustomCLSID: HKU\S-1-5-21-1242297236-4073968367-265080518-1001_Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32 -> C:\Users\Mateusz\AppData\Local\PPTAssist\pptassist64.dll => Brak pliku
    CustomCLSID: HKU\S-1-5-21-1242297236-4073968367-265080518-1001_Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32 -> C:\Users\Mateusz\AppData\Local\PPTAssist\pptassist64.dll => Brak pliku
    CustomCLSID: HKU\S-1-5-21-1242297236-4073968367-265080518-1001_Classes\CLSID\{C4917602-2AC8-4ECE-8E5D-390C3871ABB3}\InprocServer32 -> C:\Users\Mateusz\AppData\Local\PPTAssist\tabassist64.dll => Brak pliku
    CustomCLSID: HKU\S-1-5-21-1242297236-4073968367-265080518-1001_Classes\CLSID\{E00310B2-F036-4771-9347-C131257D990F}\InprocServer32 -> C:\Users\Mateusz\AppData\Local\PPTAssist\tabassist64.dll => Brak pliku
    Task: {14C64FE0-0794-42F1-BFC2-3CCDA0C44446} - System32\Tasks\KuaiZip_Update => C:\Program Files\żěŃą\X86\Update.exe [2016-06-02] (Shanghai Guangle Network Technology Ltd)
    Task: {6D4B8223-BB79-49F4-8EBF-42877BD71BF6} - System32\Tasks\DLL-Files.Com Fixer_Updates => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2015-10-30] (Dll-FIles.Com)
    Task: {714283B0-D790-41F7-A36D-CB8D92380C1B} - System32\Tasks\DLL-Files FixerASKUSER => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2015-10-30] (Dll-FIles.Com)
    Task: {752A8D98-F5EE-404C-A45B-6A6535C771FA} - System32\Tasks\DLL-Files.Com Fixer_MONTHLY => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2015-10-30] (Dll-FIles.Com)
    Task: {7FE56A1E-BAD5-4042-A57B-736D87EAEF8A} - System32\Tasks\PPTAssistantUpdateTask_Mateusz => C:\Users\Mateusz\AppData\Local\PPTAssist\assistupdate.exe
    Task: {F33FC878-A70A-4EAA-9755-FC8A7247C834} - System32\Tasks\PPTAssistantNotifyTask_Mateusz => C:\Users\Mateusz\AppData\Local\PPTAssist\notify.exe
    Task: C:\windows\Tasks\DLL-Files FixerASKUSER.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
    Task: C:\windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
    Task: C:\windows\Tasks\DLL-Files.Com Fixer_Updates.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
    Task: C:\windows\Tasks\PPTAssistantNotifyTask_Mateusz.job => C:\Users\Mateusz\AppData\Local\PPTAssist\notify.exe
    Task: C:\windows\Tasks\PPTAssistantUpdateTask_Mateusz.job => C:\Users\Mateusz\AppData\Local\PPTAssist\assistupdate.exe
    Hosts:
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe
    (DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCTray.exe
    HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\Mateusz\AppData\Local\Temp\DeleteOnReboot.bat [274 2016-06-02] () <===== UWAGA
    HKLM\...\Winlogon: [Userinit] wscript C:\windows\run.vbs,
    HKU\S-1-5-21-1242297236-4073968367-265080518-1001\...\Run: [QGuan72564] => C:\Users\Mateusz\AppData\Roaming\service72564.exe [1936896 2016-06-02] ()
    HKU\S-1-5-21-1242297236-4073968367-265080518-1001\...\Run: [QGuan90132] => C:\Users\Mateusz\AppData\Roaming\service90132.exe [1936896 2016-06-02] ()
    ShellExecuteHooks: - {98C066AB-D735-4339-9E52-A34875141B56} - C:\Users\Mateusz\AppData\Local\Microsoft\Windows\INetCookies\cugudom.dll [421560 2016-06-02] ()
    ShellIconOverlayIdentifiers: [JzShlobj] -> {7B286609-DA97-47E1-AC6B-33B8B4732C95} => C:\Program Files\ZipTool\JZipExt.dll [2015-11-30] ()
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll [2016-06-02] ()
    SearchScopes: HKLM-x32 -> {1D5F3399-BCC2-44A5-9E07-0240DA95EC67} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKU\S-1-5-21-1242297236-4073968367-265080518-1001 -> {1D5F3399-BCC2-44A5-9E07-0240DA95EC67} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    CHR HomePage: ChromeDefaultData -> hxxp://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEq...8024A366901E1F25B&ptid=amz&mode=loadm
    CHR StartupUrls: ChromeDefaultData -> "hxxp://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqB3UtBXAmB0..&v=20160602&uid=E3A5726D47443CE8024A366901E1F25B&ptid=amz&mode=loadm"
    CHR DefaultSearchURL: ChromeDefaultData -> hxxp://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?q={searchTerms}&ts=AHEqB3UtBXAmB0..&v=20160602&uid=E3A5726D47443CE8024A366901E1F25B&ptid=amz&mode=loadm
    CHR DefaultSearchKeyword: ChromeDefaultData -> hohosearch
    R2 KuaizipUpdateChecker; C:\Program Files\żěŃą\X86\kuaizipUpdateChecker.dll [219072 2016-06-02] ()
    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-06-02] (DotC United Inc)
    R2 ziphost; c:\program files\ziptool\ziphost.dll [114080 2015-11-30] ()
    S2 celywoshModuleSrv; "C:\Program Files (x86)\Celywosh\celywoshModuleSrv.html5" {79740E79-A383-47A7-B513-3DF6563D007F} {8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83} [X]
    U0 DUGDFSTGGZ; C:\Windows\System32\Drivers\askProtect64.sys [208776 2016-05-11] ()
    R2 KuaiZipDrive; C:\windows\system32\drivers\KuaiZipDrive.sys [92872 2016-06-02] (WinMount International Inc)
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-06-02] (DotC United Inc)
    R1 ZipProtect; c:\program files\ziptool\ZipProtect64.sys [886512 2015-12-14] ()
    S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
    R3 blNetFilter; C:\windows\system32\drivers\blNetFilter.sys [54664 2016-05-11] ()
    2016-06-02 21:51 - 2016-06-02 21:54 - 00000000 ____D C:\AdwCleaner
    2016-06-02 21:49 - 2016-06-02 21:49 - 00001965 _____ C:\Users\Mateusz\Desktop\AdSkip.lnk
    2016-06-02 21:49 - 2016-06-02 21:49 - 00000000 ____D C:\Users\Mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AdSkip
    2016-06-02 21:48 - 2016-06-02 21:48 - 00000865 _____ C:\Users\Mateusz\Desktop\żěŃą.lnk
    2016-06-02 21:48 - 2016-06-02 21:48 - 00000000 ____D C:\Program Files\żěŃą
    2016-06-02 21:48 - 2016-06-01 07:36 - 10599032 _____ () C:\Users\Mateusz\AppData\Roaming\ADSkip.v1.0.523.2103_Silent.exe
    2016-06-02 21:47 - 2016-02-18 03:56 - 07318464 _____ C:\Users\Mateusz\AppData\Roaming\KuaiZip_Setup_1875570831_jiuzhuan_001.exe
    2016-06-02 21:45 - 2016-06-02 21:49 - 00000000 ____D C:\Program Files (x86)\ADSKIP
    2016-06-02 21:45 - 2016-06-02 21:48 - 00000000 ____D C:\Users\Mateusz\AppData\Roaming\ADSKIP
    2016-06-02 21:45 - 2016-05-11 07:56 - 00054664 ____N () C:\windows\system32\Drivers\blNetFilter.sys
    2016-06-02 21:45 - 2016-05-11 07:31 - 00208776 _____ C:\windows\system32\Drivers\askProtect64.sys
    2016-06-02 21:43 - 2016-06-02 21:52 - 00000000 ____D C:\Users\Mateusz\AppData\Roaming\Kuaizip
    2016-06-02 21:43 - 2016-06-02 21:48 - 00003566 _____ C:\windows\System32\Tasks\KuaiZip_Update
    2016-06-02 21:43 - 2016-06-02 21:48 - 00000889 _____ C:\Users\Mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\żěŃą.lnk
    2016-06-02 21:43 - 2016-06-02 21:43 - 00092872 _____ (WinMount International Inc) C:\windows\system32\Drivers\KuaiZipDrive.sys
    2016-06-02 21:43 - 2016-06-02 21:43 - 00003688 _____ C:\windows\System32\Tasks\PPTAssistantUpdateTask_Mateusz
    2016-06-02 21:43 - 2016-06-02 21:43 - 00003418 _____ C:\windows\System32\Tasks\PPTAssistantNotifyTask_Mateusz
    2016-06-02 21:43 - 2016-06-02 21:43 - 00000640 _____ C:\windows\Tasks\PPTAssistantUpdateTask_Mateusz.job
    2016-06-02 21:43 - 2016-06-02 21:43 - 00000370 _____ C:\windows\Tasks\PPTAssistantNotifyTask_Mateusz.job
    2016-06-02 21:43 - 2016-06-02 21:43 - 00000000 ____D C:\Users\Mateusz\AppData\Roaming\Softlink
    2016-06-02 21:43 - 2016-06-02 21:43 - 00000000 ____D C:\Users\Mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\¶ŕ˛Ę±ăÇ©
    2016-06-02 21:43 - 2016-06-02 21:43 - 00000000 ____D C:\ProgramData\kingsoft
    2016-06-02 21:43 - 2016-06-01 07:36 - 10599032 _____ () C:\Users\Mateusz\AppData\Roaming\ADSkip.v1.0.523.2105_Silent.exe
    2016-06-02 21:43 - 2016-05-04 10:44 - 04232400 _____ (Kingsoft Corp. Ltd.) C:\Users\Mateusz\AppData\Roaming\OfficeAssist.0172.80.1384.exe
    2016-06-02 21:43 - 2016-03-03 03:14 - 00656952 _____ (Beijing Hongda wanfang technology Co.,Ltd.) C:\Users\Mateusz\AppData\Roaming\setup_31019.exe
    2016-06-02 21:42 - 2016-06-02 21:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Compress
    2016-06-02 21:42 - 2016-06-02 21:42 - 00000000 ____D C:\Program Files\ZipTool
    2016-06-02 21:42 - 2016-02-18 10:10 - 05267952 _____ () C:\Users\Mateusz\AppData\Roaming\ziptool_wc-9015_setup.exe
    2016-06-02 21:41 - 2016-06-02 15:51 - 01936896 _____ C:\Users\Mateusz\AppData\Roaming\service90132.exe
    2016-06-02 21:41 - 2016-06-02 15:46 - 01936896 _____ C:\Users\Mateusz\AppData\Roaming\service72564.exe
    2016-06-02 21:41 - 2016-06-01 09:08 - 00343040 _____ C:\Users\Mateusz\AppData\Roaming\RandomDelJiheReg.exe
    2016-06-02 21:40 - 2016-06-02 21:46 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    2016-06-02 21:40 - 2016-06-02 21:42 - 00060136 ____N (DotC United Inc) C:\windows\system32\Drivers\MPCKpt.sys
    2016-06-02 21:40 - 2016-06-02 21:40 - 00128512 _____ C:\Users\Mateusz\AppData\Roaming\Installer.dat
    2016-06-02 21:40 - 2016-06-02 21:40 - 00060136 _____ (DotC United Inc) C:\windows\system32\Drivers\MPCKpt.removed21363312
    2016-06-02 21:40 - 2016-06-02 21:40 - 00011568 _____ C:\Users\Mateusz\AppData\Roaming\InstallationConfiguration.xml
    2016-06-02 21:38 - 2016-06-02 21:54 - 00000000 ____D C:\Users\Mateusz\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
    2016-06-02 21:38 - 2016-06-02 21:39 - 00000000 ____D C:\Program Files (x86)\Prakph
    2016-06-02 21:38 - 2016-06-02 21:39 - 00000000 ____D C:\Program Files (x86)\Ckodeingdrenigh
    2016-06-01 17:08 - 2016-06-01 17:08 - 00000200 _____ C:\windows\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
    2016-06-01 17:00 - 2016-06-02 19:00 - 00000320 _____ C:\windows\Tasks\DLL-Files FixerASKUSER.job
    2016-06-01 17:00 - 2016-06-01 17:00 - 00002992 _____ C:\windows\System32\Tasks\DLL-Files FixerASKUSER
    2016-06-01 16:59 - 2016-06-01 18:38 - 00000328 _____ C:\windows\Tasks\DLL-Files.Com Fixer_Updates.job
    2016-06-01 16:59 - 2016-06-01 18:38 - 00000312 _____ C:\windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job
    2016-06-01 16:59 - 2016-06-01 17:29 - 00003156 _____ C:\windows\System32\Tasks\DLL-Files.Com Fixer_Updates
    2016-06-01 16:59 - 2016-06-01 17:29 - 00003142 _____ C:\windows\System32\Tasks\DLL-Files.Com Fixer_MONTHLY
    2016-06-01 16:59 - 2016-06-01 16:59 - 00001164 _____ C:\Users\Public\Desktop\Dll-Files Fixer.lnk
    2016-06-01 16:59 - 2016-06-01 16:59 - 00000000 ____D C:\Users\Mateusz\AppData\Roaming\dll-files.com
    2016-06-01 16:59 - 2016-06-01 16:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dll-Files Fixer
    2016-06-01 16:59 - 2016-06-01 16:59 - 00000000 ____D C:\Program Files (x86)\Dll-Files.com Fixer
    2016-06-01 16:58 - 2016-06-01 16:59 - 05444000 _____ (Dll-Files.com ) C:\Users\Mateusz\Downloads\dffsetup-xinput1_3.exe
    2016-06-02 21:48 - 2016-06-01 07:36 - 10599032 _____ () C:\Users\Mateusz\AppData\Roaming\ADSkip.v1.0.523.2103_Silent.exe
    2016-06-02 21:43 - 2016-06-01 07:36 - 10599032 _____ () C:\Users\Mateusz\AppData\Roaming\ADSkip.v1.0.523.2105_Silent.exe
    2016-06-02 21:40 - 2016-06-02 21:40 - 0011568 _____ () C:\Users\Mateusz\AppData\Roaming\InstallationConfiguration.xml
    2016-06-02 21:40 - 2016-06-02 21:40 - 0128512 _____ () C:\Users\Mateusz\AppData\Roaming\Installer.dat
    2016-06-02 21:47 - 2016-02-18 03:56 - 7318464 _____ () C:\Users\Mateusz\AppData\Roaming\KuaiZip_Setup_1875570831_jiuzhuan_001.exe
    2016-06-02 21:43 - 2016-05-04 10:44 - 4232400 _____ (Kingsoft Corp. Ltd.) C:\Users\Mateusz\AppData\Roaming\OfficeAssist.0172.80.1384.exe
    2016-06-02 21:41 - 2016-06-01 09:08 - 0343040 _____ () C:\Users\Mateusz\AppData\Roaming\RandomDelJiheReg.exe
    2016-06-02 21:41 - 2016-06-02 15:46 - 1936896 _____ () C:\Users\Mateusz\AppData\Roaming\service72564.exe
    2016-06-02 21:41 - 2016-06-02 15:51 - 1936896 _____ () C:\Users\Mateusz\AppData\Roaming\service90132.exe
    2016-06-02 21:43 - 2016-03-03 03:14 - 0656952 _____ (Beijing Hongda wanfang technology Co.,Ltd.) C:\Users\Mateusz\AppData\Roaming\setup_31019.exe
    2016-06-02 21:42 - 2016-02-18 10:10 - 5267952 _____ () C:\Users\Mateusz\AppData\Roaming\ziptool_wc-9015_setup.exe
    EmptyTemp:

    In FRST, click Fix.

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    When done, post new FRST logs from the scan.

    1
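The fix above is built by copying autostart lines straight out of the FRST log (scheduled tasks, Run/RunOnce values, the Winlogon Userinit value, CLSID InprocServer32 entries, shell hooks, services and drivers) into Fixlist.txt. As an added example that is not part of the thread and not FRST's own code, the Python script below shows the kind of first-pass triage a helper does by eye: it parses lines in FRST's format, classifies the persistence mechanism, pulls out the target path and applies a few defensive heuristics (file reported missing, target under a user-writable folder, no publisher in the file metadata, a script host in an autostart value). The sample input is constructed from lines quoted in this thread, with one constructed benign control entry added; the heuristics and all names (`triage`, `draft_fixlist`, the flag strings) are this example's own assumptions.

```python
"""First-pass triage of FRST.txt autostart lines (added example, not FRST's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: autostart lines copied from the FRST excerpt in the
# thread above (abbreviated "..." paths left exactly as FRST printed them), plus
# one constructed benign control entry ("ExampleSvc") at the end.
SAMPLE_LOG = r"""
Task: {7FE56A1E-BAD5-4042-A57B-736D87EAEF8A} - System32\Tasks\PPTAssistantUpdateTask_Mateusz => C:\Users\Mateusz\AppData\Local\PPTAssist\assistupdate.exe
HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\Mateusz\AppData\Local\Temp\DeleteOnReboot.bat [274 2016-06-02] () <===== UWAGA
HKLM\...\Winlogon: [Userinit] wscript C:\windows\run.vbs,
HKU\S-1-5-21-1242297236-4073968367-265080518-1001\...\Run: [QGuan72564] => C:\Users\Mateusz\AppData\Roaming\service72564.exe [1936896 2016-06-02] ()
ShellExecuteHooks: - {98C066AB-D735-4339-9E52-A34875141B56} - C:\Users\Mateusz\AppData\Local\Microsoft\Windows\INetCookies\cugudom.dll [421560 2016-06-02] ()
CustomCLSID: HKU\S-1-5-21-1242297236-4073968367-265080518-1001_Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32 -> C:\Users\Mateusz\AppData\Local\PPTAssist\pptassist64.dll => Brak pliku
R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-06-02] (DotC United Inc)
R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-06-02] (DotC United Inc)
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
R2 ExampleSvc; C:\Windows\system32\examplesvc.dll [12345 2015-07-10] (Example Publisher)
"""

# Which autostart mechanism a line describes, keyed on FRST's line prefixes.
KIND_PATTERNS = [
    ("scheduled task", re.compile(r"^Task: ")),
    ("RunOnce key", re.compile(r"\\RunOnce: ")),
    ("Run key", re.compile(r"\\Run: ")),
    ("Winlogon value", re.compile(r"\\Winlogon: ")),
    ("ShellExecuteHook", re.compile(r"^ShellExecuteHooks: ")),
    ("CLSID InprocServer32", re.compile(r"^CustomCLSID: ")),
    ("service/driver", re.compile(r"^[RSU][0-4] \S+; ")),
]
# First Windows path in the line that ends in an executable-type extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:|\\SystemRoot)\\[^\[\]]*?\.(?:exe|dll|sys|bat|vbs)\b", re.I)
# Folders a standard user can write to; legitimate services and drivers rarely live there.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Downloads|Temp|INetCookies)\\", re.I)
# FRST's markers for a referenced file that no longer exists ("Brak pliku" is the
# Polish-language build's "No File"; "[X]" marks a service whose binary is absent).
MISSING_MARKERS = ("Brak pliku", "No File", "[X]")
NO_PUBLISHER_RE = re.compile(r"\]\s*\(\)(?:\s|$)")   # "[size date] ()" = empty company field
SCRIPT_HOST_RE = re.compile(r"\b[wc]script\b", re.I)  # wscript/cscript in an autostart value


@dataclass
class Finding:
    kind: str
    target: str
    flags: list[str]
    raw: str


def classify(line: str) -> str | None:
    for kind, pattern in KIND_PATTERNS:
        if pattern.search(line):
            return kind
    return None


def flags_for(line: str, target: str) -> list[str]:
    flags = []
    if any(marker in line for marker in MISSING_MARKERS):
        flags.append("target missing on disk")
    if target and USER_WRITABLE_RE.search(target):
        flags.append("runs from user-writable path")
    if NO_PUBLISHER_RE.search(line):
        flags.append("no publisher in file metadata")
    if SCRIPT_HOST_RE.search(line):
        flags.append("script host in autostart")
    return flags


def triage(log_text: str) -> list[Finding]:
    """Parse every recognised autostart line into a Finding with its heuristic flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = classify(line) if line else None
        if kind is None:
            continue
        match = PATH_RE.search(line)
        target = match.group(0) if match else ""
        findings.append(Finding(kind, target, flags_for(line, target), line))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.flags]


def draft_fixlist(findings: list[Finding]) -> str:
    """Raw FRST lines for the flagged entries, bracketed by CloseProcesses: and
    EmptyTemp: as in the thread's Fixlist.txt. A draft for the analyst to review,
    not something to run unread."""
    body = [f.raw for f in suspicious(findings)]
    return "\n".join(["CloseProcesses:", *body, "EmptyTemp:"])


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:22} {f.target or '(no path)'}")
        print("    " + ("; ".join(f.flags) or "no flags"))
    print("\n--- draft Fixlist.txt ---\n" + draft_fixlist(results))
```

The heuristics deliberately stay on the conservative side: the two MPC Cleaner entries carry a publisher name and live under Program Files, so they get no flag even though the thread removes them as unwanted software. Publisher reputation and the install timeline (everything here appeared within minutes of the cracked-game download) are the analyst's call; the script only surfaces the entries that are wrong on their face, such as a Userinit value pointing at a .vbs file or a CLSID server whose DLL is already gone.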
  • #4 02 Jun 2016 23:07
    Kolobos
    Computer specialist

    You posted the old addition.txt.

    Also uninstall:
    anote (v1.37)

    New Fixlist.txt for FRST:
    CloseProcesses:
    S2 ADSkipSvc; C:\Program Files (x86)\ADSKIP\ADSkipSvc.exe [X]
    R0 DUGDFSTGGZ; C:\Windows\System32\Drivers\askProtect64.sys [208776 2016-06-02] ()
    C:\windows\system32\Drivers\askProtect64.sys

    When done, post a new FRST log and the Fixlog.txt that will be created.

    0