Elektroda.pl
Keylogger or other spyware. FRST logs

alex98 03 Jun 2016 17:31
  • #2 03 Jun 2016 18:36
    Acorus 20
    Computer specialist

    Uninstall AVG 2014, AVG 2016 and McAfee Security Scan Plus. Open Windows Notepad and paste:

    Quote:
    Task: {8DE06B5C-6A90-438B-8A72-8B2462C416B9} - System32\Tasks\Opera scheduled Autoupdate 1462528525 => C:\Program Files\Opera\launcher.exe [2016-05-30] (Opera Software)
    Task: {ABA6632C-6D14-4AC0-A1F5-8A01D2A3A896} - System32\Tasks\KingaHydrotherapySultrierV2 => Rundll32.exe RevolutionizesDismays.dll,main 7 1 <==== ATTENTION
    Task: {B34547C5-863B-48FE-A954-103FD3F10109} - System32\Tasks\psv_Dontom => /c regedit.exe /s "C:\ProgramData\Quotenamron\Opehold.reg" & del "C:\ProgramData\Quotenamron\Opehold.reg" & SCHTASKS /Delete /TN "psv_Dontom" /F <==== ATTENTION
    Task: {E2BEF5EF-2037-4024-B649-EC8F318DFF8B} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Baidu Security\Duplicaterecord.js" <==== ATTENTION
    ShortcutWithArgument: C:\Users\Kinga\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\Users\Kinga\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\Users\Kinga\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\Users\Kinga\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
    ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
    Hosts:
    HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [69632 2004-04-13] (InstallShield Software Corporation)
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [196608 2004-04-17] (InstallShield Software Corporation)
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\...\MountPoints2: F - F:\Autorun.exe
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\...\MountPoints2: H - H:\Autorun.exe
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\...\MountPoints2: {23912836-080c-11e6-88cc-0cd292c326ab} - F:\AUTOSTARTER.EXE
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\...\MountPoints2: {23912843-080c-11e6-88cc-0cd292c326ab} - D:\setup.exe
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\...\MountPoints2: {d44471c2-ee6d-11e3-8ee6-201a06a3b5f8} - E:\Startme.exe
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-04-07]
    ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.309\SSScheduler.exe (McAfee, Inc.)
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://do-search.com/web/?type=ds&ts=1432...ST500LT012-1DG142_W3P2W0KEXXXXW3P2W0KE&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://do-search.com/web/?type=ds&ts=1432...ST500LT012-1DG142_W3P2W0KEXXXXW3P2W0KE&q={searchTerms}
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...YzT29GNLYoLTpg-WzcUJgnvY0YpM7Lv_zwIwnW&q={searchTerms}
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...9yQQ_dyNBdKKYgQxP0Qsz5voQ6RyC9T1REFe79ONRfK6L
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...YzT29GNLYoLTpg-WzcUJgnvY0YpM7Lv_zwIwnW&q={searchTerms}
    HKU\S-1-5-21-4017676292-3377319163-1159314703-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...YzT29GNLYoLTpg-WzcUJgnvY0YpM7Lv_zwIwnW&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...YzT29GNLYoLTpg-WzcUJgnvY0YpM7Lv_zwIwnW&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4017676292-3377319163-1159314703-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://do-search.com/web/?utm_source=b&ut...0KE&ts=1432247610&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4017676292-3377319163-1159314703-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://do-search.com/web/?utm_source=b&ut...0KE&ts=1432247610&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4017676292-3377319163-1159314703-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = hxxp://do-search.com/web/?utm_source=b&ut...0KE&ts=1432247610&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4017676292-3377319163-1159314703-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = hxxp://do-search.com/web/?utm_source=b&ut...0KE&ts=1432247610&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-4017676292-3377319163-1159314703-1000 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...YzT29GNLYoLTpg-WzcUJgnvY0YpM7Lv_zwIwnW&q={searchTerms}
    FF Homepage: C:\ProgramData\Quotenamron\ff.HP
    FF NewTab: C:\ProgramData\Quotenamron\ff.NT
    FF SearchPlugin: C:\Users\Kinga\AppData\Roaming\Mozilla\Firefox\Profiles\a36ubefe.default\searchplugins\findit.xml [2016-04-25]
    CHR StartupUrls: Default -> "hxxp://do-search.com/?type=hp&ts=1432247464&z=76525ab15437fbc1ba1cc97gbz5cbobofzem6z7q6o&from=cor&uid=ST500LT012-1DG142_W3P2W0KEXXXXW3P2W0KE"
    CHR DefaultSearchURL: Default -> hxxp://feed.safefinder.biz/?fext=true&pub...publisher=extensiondefaultap&st=ed&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> SafeFinder
    CHR HKLM\...\Chrome\Extension: [jidkebcigjgheaahopdnlfaohgnocfai] - hxxps://clients2.google.com/service/update2/crx
    2016-04-21 23:44 - 2016-04-21 23:44 - 6494208 _____ () C:\Users\Kinga\AppData\Roaming\agent.dat
    2016-04-21 23:44 - 2016-04-21 23:44 - 0065232 _____ () C:\Users\Kinga\AppData\Roaming\Config.xml
    2016-04-21 23:44 - 2016-04-21 23:44 - 1932216 _____ () C:\Users\Kinga\AppData\Roaming\Goodqvodox.bin
    2016-04-21 23:44 - 2016-04-21 23:44 - 0294731 _____ () C:\Users\Kinga\AppData\Roaming\inst.lat
    2016-04-21 23:44 - 2016-04-21 23:44 - 0014208 _____ () C:\Users\Kinga\AppData\Roaming\InstallationConfiguration.xml
    2016-04-21 23:44 - 2016-04-21 23:44 - 0127488 _____ () C:\Users\Kinga\AppData\Roaming\Installer.dat
    2016-04-21 23:44 - 2016-04-21 23:44 - 0018432 _____ () C:\Users\Kinga\AppData\Roaming\Main.dat
    2016-04-21 23:44 - 2016-04-21 23:44 - 0005568 _____ () C:\Users\Kinga\AppData\Roaming\md.xml
    2016-04-21 23:44 - 2016-04-21 23:44 - 0126464 _____ () C:\Users\Kinga\AppData\Roaming\noah.dat
    2016-04-21 23:44 - 2016-04-21 23:43 - 1242624 _____ () C:\Users\Kinga\AppData\Roaming\Treeit.exe
    2016-04-21 23:44 - 2016-04-21 23:44 - 1626652 _____ () C:\Users\Kinga\AppData\Roaming\Treeit.tst
    2016-04-21 23:45 - 2016-04-21 23:45 - 0032038 _____ () C:\Users\Kinga\AppData\Roaming\uninstall_temp.ico
    EmptyTemp:


    Save the file under the name fixlist.txt and place it next to FRST in the same folder.
    Run FRST as administrator and click Fix.
    Download and run AdwCleaner as administrator https://toolslib.net/downloads/finish/1/ Click Scan and then Cleaning.

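The fixlist above was assembled by reading the FRST log line by line and applying a handful of judgements: a scheduled task that launches Rundll32/Cscript/regedit, a task that deletes itself with SCHTASKS after running, payloads dropped under ProgramData or AppData\Roaming, cached MountPoints2 autoruns for removable drives, search-page URLs whose hostname is percent-encoded, and files with no company name in a user profile. The script below is an added example (not from the thread, and not FRST's own code) that applies those same judgements to FRST-format lines automatically. The sample lines it runs on are constructed for the example; their GUIDs, paths and the hostname are placeholders, not values from the real log.

```python
"""Triage of FRST-style log lines: an added example, not part of the thread
above and not FRST's own code. It encodes the judgement the fixlist reflects:
scheduled tasks that launch script hosts or delete themselves, payloads in
user-writable folders, cached removable-media autoruns, percent-encoded
search URLs, and files with no company name under a user profile."""
import re
from urllib.parse import unquote

# Constructed sample lines in FRST's format (made up for this example; GUIDs,
# paths and the hostname are placeholders, not taken from the real log).
SAMPLE_LINES = [
    "Task: {0A0A0A0A-1111-2222-3333-444444444444} - System32\\Tasks\\Vendor Autoupdate => C:\\Program Files\\Vendor\\launcher.exe (Vendor Software)",
    "Task: {0B0B0B0B-1111-2222-3333-444444444444} - System32\\Tasks\\WordSaladTask => Rundll32.exe WordSalad.dll,main 7 1",
    "Task: {0C0C0C0C-1111-2222-3333-444444444444} - System32\\Tasks\\psv_Cleanup => /c regedit.exe /s \"C:\\ProgramData\\Salad\\Keys.reg\" & del \"C:\\ProgramData\\Salad\\Keys.reg\" & SCHTASKS /Delete /TN \"psv_Cleanup\" /F",
    "Task: {0D0D0D0D-1111-2222-3333-444444444444} - System32\\Tasks\\0D0D0D0D-1111-2222-3333-444444444444 => Cscript.exe \"C:\\ProgramData\\Vendor Security\\Records.js\"",
    "HKU\\S-1-5-21-1-2-3-1000\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = hxxp://%66%65%65%64.%65%78%61%6D%70%6C%65.test/?q={searchTerms}",
    "HKU\\S-1-5-21-1-2-3-1000\\...\\MountPoints2: F - F:\\Autorun.exe",
    "HKLM\\...\\Run: [Updater] => C:\\Program Files\\Vendor\\update.exe [69632 2016-01-01] (Vendor Software)",
    "2016-04-21 23:44 - 2016-04-21 23:44 - 1242624 _____ () C:\\Users\\User\\AppData\\Roaming\\agent.exe",
]

# Microsoft-signed binaries that will happily run attacker-supplied code.
PROXY_BINARIES = re.compile(
    r"\b(rundll32|cscript|wscript|mshta|regsvr32|regedit|powershell)(\.exe)?\b", re.I)
SELF_DELETE = re.compile(r"SCHTASKS\s+/Delete\b", re.I)
USER_WRITABLE = re.compile(
    r"(ProgramData|AppData\\Roaming|AppData\\Local\\Temp|\\Users\\Public)", re.I)
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")   # three or more %XX in a row
NO_COMPANY = re.compile(r"\s\(\)\s")                   # FRST prints () for "no company name"


def decode_percent_runs(text):
    """Decode %XX runs so an obfuscated hostname becomes readable."""
    return PERCENT_RUN.sub(lambda m: unquote(m.group(0)), text)


def triage_line(line):
    """Return the reasons a single FRST line deserves a closer look ([] if none)."""
    reasons = []
    if line.startswith("Task:") and "=>" in line:
        action = line.split("=>", 1)[1]          # what the task actually runs
        if PROXY_BINARIES.search(action):
            reasons.append("task runs a signed proxy binary / script host")
        if SELF_DELETE.search(action):
            reasons.append("task deletes itself after running")
        if USER_WRITABLE.search(action):
            reasons.append("task payload lives in a user-writable directory")
    if "MountPoints2" in line:
        reasons.append("cached autorun for removable media")
    decoded = decode_percent_runs(line)
    if decoded != line:
        host = re.search(r"hxxps?://([^/?\s]+)", decoded)   # FRST defangs http as hxxp
        reasons.append("percent-encoded URL decodes to host "
                       + (host.group(1) if host else decoded))
    if NO_COMPANY.search(line) and USER_WRITABLE.search(line):
        reasons.append("file with no company name in a user-writable directory")
    return reasons


def triage(lines):
    """Map 1-based line numbers to reasons, keeping only lines worth reviewing."""
    findings = {}
    for number, line in enumerate(lines, 1):
        reasons = triage_line(line)
        if reasons:
            findings[number] = reasons
    return findings


if __name__ == "__main__":
    for number, reasons in triage(SAMPLE_LINES).items():
        print(f"line {number}: {'; '.join(reasons)}")
```

Run against a real FRST.txt or Addition.txt (`triage(open("FRST.txt", encoding="utf-8-sig").read().splitlines())`), the script only shortlists lines; the decision to put a line in fixlist.txt still needs a human, because a legitimate updater task can also live under ProgramData. Applied to the IE "Search Page" and "Start Page" values in the log above, the percent decoder turns the visible prefixes into `feed.sonic-sea` and `feed.helperba`; the remainder of both URLs is truncated on the page, so nothing more can be recovered from it.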
  • #3 04 Jun 2016 20:53
    alex98
    Level 4

    Thanks, done. Which programs are generally the best for protecting against spyware? Is an antivirus and AdwCleaner enough, or is something else needed?

  • #5 05 Jun 2016 17:12
    swiercm
    Moderator on leave...

    Acorus 20 wrote:
    Scan with Malwarebytes from time to time.

    On top of that, AdwCleaner and CCleaner to clean out unnecessary registry entries, and that's all.

    Of course, if they do find something, it will be hard to track down the programs mentioned above without analysing the FRST logs.

    Closing the topic.
