Malware - Oneclicstater - log check

dmxodmxo 15 Aug 2016 13:50
  • #2 15 Aug 2016 14:07
    Kolobos
    Computer specialist

    Uninstall:
    AVG Web TuneUp
    McAfee Security Scan Plus
    TuneUp Utilities 2013
    (if any of these cause problems, skip it and do the rest)

    Use AdwCleaner, the Scan and Clean option: http://www.bleepingcomputer.com/download/adwcleaner/

    Next to frst.exe create a file Fixlist.txt with this content:
    Task: {0A1B57E2-C3B7-4B25-9A05-0400A91DD247} - System32\Tasks\{D3DEE753-F745-4AFE-B9EF-FAAB4BBB63A1} => pcalua.exe -a C:\Users\dmxo\Downloads\cwk252_setup_[www.programosy.pl].exe -d C:\Users\dmxo\Downloads
    Task: {0DF593C1-CF55-4376-8EE7-75ADE8CA5627} - System32\Tasks\Opera scheduled Autoupdate 1427486593 => C:\Program Files (x86)\Opera\launcher.exe [2016-07-01] (Opera Software)
    Task: {839036B8-59E6-42C8-895E-388451AE85DC} - System32\Tasks\{C610F0A0-BDD2-4379-A878-CDBE38B8E364} => c:\program files (x86)\opera\launcher.exe [2016-07-01] (Opera Software)
    Task: {91C5D32F-D98D-4B4C-937C-E952EE682E24} - System32\Tasks\{CCB93996-5610-41A8-AC5C-2380C9D5E1D2} => pcalua.exe -a "C:\Program Files (x86)\EA GAMES\Need for Speed Underground 2\SPEED2.EXE" -d "C:\Program Files (x86)\EA GAMES\Need for Speed Underground 2\"
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\Software\Classes\.exe: => <===== UWAGA
    Hosts:
    (McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
    () C:\ProgramData\{36e66674-bac6-51e9-36e6-66674bac99d2}\Download 3DMGAME-Grand Theft Auto V Update 1 and Crack v2-3DM 7z Torrent - KickassTorrents(1).exe
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\Run: [Gameo] => C:\Users\dmxo\AppData\Roaming\Gameo\gameo.exe [42482176 2015-02-22] ()
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_17_0_0_169_Plugin.exe [927920 2015-04-14] (Adobe Systems Incorporated)
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\MountPoints2: {c419f379-64f9-11e4-8250-24fd52a34c19} - "F:\AutoRun.exe"
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\MountPoints2: {dbb15e48-be90-11e4-bf1b-24fd52a34c19} - "D:\setup.exe"
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\MountPoints2: {e5b567fd-d0db-11e4-bf23-24fd52a34c19} - "F:\LGAutoRun.exe"
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-03-22]
    ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
    Startup: C:\Users\dmxo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download 3DMGAME-Grand Theft Auto V Update 1 and Crack v2-3DM 7z Torrent - KickassTorrents(1).lnk [2015-04-18]
    ShortcutTarget: Download 3DMGAME-Grand Theft Auto V Update 1 and Crack v2-3DM 7z Torrent - KickassTorrents(1).lnk -> C:\ProgramData\{36e66674-bac6-51e9-36e6-66674bac99d2}\Download 3DMGAME-Grand Theft Auto V Update 1 and Crack v2-3DM 7z Torrent - KickassTorrents(1).exe ()
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sweet-page.com/?type=hp&ts=142...p;uid=TOSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.sweet-page.com/?type=hp&ts=142...p;uid=TOSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=142...p;uid=TOSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=142...p;uid=TOSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=142...p;uid=TOSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sweet-page.com/?type=hp&ts=142...p;uid=TOSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS
    HKU\S-1-5-21-366782665-2929205055-3203858903-1002\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-366782665-2929205055-3203858903-1002 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-366782665-2929205055-3203858903-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts...OSHIBAXMQ01ABD075_53NIFXFWSXX53NIFXFWS&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-366782665-2929205055-3203858903-1002 -> {9563D125-0A5E-4AFB-966D-D2E86A6A7EE7} URL =
    FF NewTab: chrome://quick_start/content/index.html
    FF DefaultSearchEngine: sweet-page
    FF SelectedSearchEngine: sweet-page
    FF SearchPlugin: C:\Users\dmxo\AppData\Roaming\Mozilla\Firefox\Profiles\rd649602.default\searchplugins\sweet-page.xml [2015-04-11]
    FF Extension: DealNoDeal - C:\Users\dmxo\AppData\Roaming\Mozilla\Firefox\Profiles\rd649602.default\Extensions\cd_olgbkebempryv@csmfpjoijpc_m.com [2015-06-05]
    FF Extension: AutoDealsAApp - C:\Users\dmxo\AppData\Roaming\Mozilla\Firefox\Profiles\rd649602.default\Extensions\iol@vBMHf.edu [2015-06-05]
    FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\dmxo\AppData\Roaming\Mozilla\Firefox\Profiles\rd649602.default\extensions\searchengine@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [istart_ffnt@gmail.com] - C:\Users\dmxo\AppData\Roaming\Mozilla\Firefox\Profiles\rd649602.default\extensions\istart_ffnt@gmail.com
    FF HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
    FF Extension: No Name - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
    CHR Extension: (AutoDealsAApp) - C:\Users\dmxo\AppData\Local\Google\Chrome\User Data\Default\Extensions\anfdilpadfeblgkojkdpdfmbciejpghc [2015-06-05]
    CHR HKU\S-1-5-21-366782665-2929205055-3203858903-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\dmxo\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-02-28]
    CHR HKU\S-1-5-21-366782665-2929205055-3203858903-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - http://clients2.google.com/service/update2/crx
    R2 6135ae48; c:\Program Files (x86)\SustainerPlus\SustainerPlus.dll [1740288 2015-06-05] () [File not signed]
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-02-26] ()
    S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
    CHR Extension: (UpDown page without arrows) - C:\Users\dmxo\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdlafijedddmcijlebhjbajifgcajfjp [2015-06-05]
    2015-06-05 21:33 - 2015-06-05 21:33 - 00000000 ____D C:\Program Files (x86)\SustainerPlus
    2015-06-05 21:32 - 2015-06-05 21:32 - 00000000 ____D C:\Program Files (x86)\UpDown page without arrows
    2015-06-05 21:31 - 2015-06-05 21:32 - 00000000 ____D C:\ProgramData\10316527062486672713
    2015-06-05 21:30 - 2015-06-08 15:30 - 00000366 _____ C:\WINDOWS\Tasks\AppLite.job
    2015-06-05 21:30 - 2015-06-06 15:30 - 00000000 ____D C:\ProgramData\{d56aa1ac-4deb-c217-d56a-aa1ac4de86b1}
    2015-06-05 21:30 - 2015-06-05 21:30 - 00003250 _____ C:\WINDOWS\System32\Tasks\AppLite
    2015-06-06 20:42 - 2015-04-18 23:55 - 00000080 _____ C:\Users\dmxo\AppData\Local\Rockstar Games\GTA V\Entitlement.info
    2015-06-07 23:46 - 2015-06-07 23:46 - 0000000 _____ () C:\Users\dmxo\AppData\Local\Temp.dat
    EmptyTemp:

    In FRST click Fix.

    Run a full scan with MBAM and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    When done, post new FRST logs from a fresh scan.

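As an added example (not part of the post or of FRST itself), a small Python triage script that runs defender-side heuristics over FRST log lines of the kind collected in the fixlist above: unsigned or publisher-less services and Run entries, the .exe class association, MountPoints2 autoruns on removable media, a scheduled task that launches its real target through pcalua.exe, and the sweet-page search hijack. The rule names and the hijacker domain list are my own assumptions, and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the fixlist posted above.
SAMPLE_LOG = r"""
Task: {0A1B57E2-C3B7-4B25-9A05-0400A91DD247} - System32\Tasks\{D3DEE753-F745-4AFE-B9EF-FAAB4BBB63A1} => pcalua.exe -a C:\Users\dmxo\Downloads\cwk252_setup_[www.programosy.pl].exe -d C:\Users\dmxo\Downloads
HKU\S-1-5-21-366782665-2929205055-3203858903-1002\Software\Classes\.exe: => <===== UWAGA
HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\Run: [Gameo] => C:\Users\dmxo\AppData\Roaming\Gameo\gameo.exe [42482176 2015-02-22] ()
HKU\S-1-5-21-366782665-2929205055-3203858903-1002\...\MountPoints2: {c419f379-64f9-11e4-8250-24fd52a34c19} - "F:\AutoRun.exe"
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sweet-page.com/?type=hp&ts=142
FF DefaultSearchEngine: sweet-page
R2 6135ae48; c:\Program Files (x86)\SustainerPlus\SustainerPlus.dll [1740288 2015-06-05] () [File not signed]
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
"""

# Hijacker names seen in this log (assumption: extend for other cases).
HIJACK_DOMAINS = {"sweet-page"}

# Heuristic rules derived from what FRST flagged in this log; the labels are
# my own, not FRST's, and this is not an exhaustive signature set.
RULES = [
    ("unsigned_service", re.compile(r"^[RS]\d .*\[File not signed\]$")),  # running/stopped service, unsigned binary
    ("no_publisher", re.compile(r"\(\)(\s*\[File not signed\])?$")),       # FRST prints "()" when no publisher
    ("exe_association", re.compile(r"\\Classes\\\.exe:")),                  # per-user .exe handler override
    ("removable_autorun", re.compile(r"\\MountPoints2: \{.*\} - \"[A-Z]:\\")),  # autorun from a drive letter
    ("pcalua_proxy", re.compile(r"=> pcalua\.exe -a ")),                    # task launches target via PCA launcher
    ("browser_policy", re.compile(r"Policy restriction")),                  # Chrome policy set outside the user
]


def triage_line(line):
    """Return the rule labels that fire on one FRST line (empty list = nothing suspicious)."""
    hits = [label for label, rx in RULES if rx.search(line)]
    if any(d in line.lower() for d in HIJACK_DOMAINS):
        hits.append("search_hijack")
    return hits


def triage(log):
    """Map each flagged line to its labels; lines with no hits are left out."""
    result = {}
    for ln in log.splitlines():
        hits = triage_line(ln)
        if hits:
            result[ln] = hits
    return result


def summarize(log):
    """Count how often each label fires across the whole log."""
    return Counter(label for hits in triage(log).values() for label in hits)
```

Running `summarize(SAMPLE_LOG)` gives a per-label count, which is a quick way to see which persistence channels a log exercises before writing the fixlist by hand.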