Elektroda.pl

- WinXP / amuleC and amisites infection

kani_tor 28 Dec 2016 18:34
  • #1 28 Dec 2016 18:34
    kani_tor
    Level 2

    Hello, I have a problem with the amuleC program and the amisites browser, which keep installing themselves on their own. After I uninstall the program, it reinstalls itself after some time. I am attaching logs from the FRST program. Please help.

  • Helpful post
    #2 28 Dec 2016 18:42
    Kolobos
    Computer specialist

    Uninstall:
    amuleC
    YAC(Yet Another Cleaner!)
    youndoo - Uninstall
    Firefox

    Use AdwCleaner, the Scan and Clean / Szukaj i Usuń option: http://www.bleepingcomputer.com/download/adwcleaner/

    Run the Fixlist in Safe Mode.

    Next to frst.exe, create a file Fixlist.txt with the following content:
    CloseProcesses:
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> Brak ścieżki do pliku
    CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> Brak ścieżki do pliku
    Task: C:\WINDOWS\Tasks\Jqackshijicult Builder.job => C:\Program Files\Atupuse\plirey.exe
    Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1474650310.job => C:\Program Files\Opera\launcher.exe
    Task: C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — co miesiąc.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — logowanie.job => C:\WINDOWS\system32\xp_eos.exe
    ShortcutWithArgument: C:\Documents and Settings\user\Menu Start\Programy\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\user\Menu Start\Programy\Akcesoria\Narzędzia systemowe\Internet Explorer (bez dodatków).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\user\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> C:\Program Files\Firefox\Firefox.exe (Mozilla Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\user\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\user\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\Uruchom przeglądarkę Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\All Users\Menu Start\Programy\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\All Users\Menu Start\Programy\Mozilla Firefox\Mozilla Firefox (Tryb awaryjny).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\All Users\Menu Start\Programy\Mozilla Firefox\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk -> C:\Program Files\Firefox\Firefox.exe (Mozilla Corporation) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    ShortcutWithArgument: C:\Documents and Settings\All Users\Pulpit\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    2016-12-18 18:12 - 2016-12-18 18:12 - 00274432 _____ () c:\program files\atupuse\ckrrenew.dll
    2016-12-27 15:53 - 2016-12-27 08:26 - 00119808 _____ () c:\program files\gubed\gubedzl.dll
    2016-12-28 16:42 - 2016-05-23 03:37 - 00065696 _____ () C:\Program Files\Elex-tech\YAC\zlib1.dll
    2016-12-28 16:42 - 2016-05-23 03:37 - 00179200 _____ () C:\Program Files\Elex-tech\YAC\libpng.dll
    (Copyright (C) 2016) C:\Documents and Settings\user\Dane aplikacji\jcfic\UvConverter.exe
    () C:\Program Files\Gubed_WMI\Gubed_WMI.exe
    (hxxp://www.amule.org/) C:\Program Files\amuleC1\ed2k.exe
    (Elex do Brasil Participações Ltda) C:\Program Files\Elex-tech\YAC\iSafeSvc.exe
    (Elex do Brasil Participações Ltda) C:\Program Files\Elex-tech\YAC\iSafeSvc2.exe
    (Elex do Brasil Participações Ltda) C:\Program Files\Elex-tech\YAC\iSafeTray.exe
    HKU\S-1-5-21-1229272821-1383384898-682003330-1003\...\MountPoints2: {fb855aaa-c53e-11e6-838f-54e6fcd30b42} - F:\setup.exe
    ShellExecuteHooks: Brak nazwy - {EB92ABA4-AFFB-11E6-B1A4-64006A5CFC23} - C:\Documents and Settings\user\Dane aplikacji\Qientplanasp\Stucespshojge.dll [125440 2016-12-18] ()
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.amisites.com/?type=hp&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.amisites.com/search/?type=ds&t...WD5000AAKS-75V0A0_WD-WMAWF085820858208&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.amisites.com/?type=hp&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.amisites.com/search/?type=ds&t...WD5000AAKS-75V0A0_WD-WMAWF085820858208&q={searchTerms}
    HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.amisites.com/?type=hp&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.amisites.com/?type=hp&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.amisites.com/search/?type=ds&t...WD5000AAKS-75V0A0_WD-WMAWF085820858208&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.amisites.com/search/?type=ds&t...WD5000AAKS-75V0A0_WD-WMAWF085820858208&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1229272821-1383384898-682003330-1003 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.amisites.com/search/?type=ds&t...WD5000AAKS-75V0A0_WD-WMAWF085820858208&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1229272821-1383384898-682003330-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.amisites.com/search/?type=ds&t...WD5000AAKS-75V0A0_WD-WMAWF085820858208&q={searchTerms}
    FF NewTab: C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\05ayuoro.default -> hxxp://www.youndoo.com/?z=343eeb2739c625d01db...0AAKS-75V0A0_WD-WMAWF085820858208&type=hp
    FF DefaultSearchEngine: C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\05ayuoro.default -> youndoo
    FF SelectedSearchEngine: C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\05ayuoro.default -> youndoo
    FF Homepage: C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\05ayuoro.default -> hxxp://www.youndoo.com/?z=343eeb2739c625d01db...0AAKS-75V0A0_WD-WMAWF085820858208&type=hp
    FF Extension: (HP Smart Web Printing) - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-12-01] [Brak podpisu cyfrowego]
    FF SearchPlugin: C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\05ayuoro.default\searchplugins\5y8932fx.xml [2016-12-18]
    FF SearchPlugin: C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\05ayuoro.default\searchplugins\amisites.xml [2016-12-27]
    FF ProfilePath: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default [2016-12-28]
    FF NewTab: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default -> hxxp://www.youndoo.com/?z=343eeb2739c625d01db...0AAKS-75V0A0_WD-WMAWF085820858208&type=hp
    FF DefaultSearchEngine: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default -> youndoo
    FF SelectedSearchEngine: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default -> youndoo
    FF Homepage: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default -> hxxp://www.searchinme.com/?type=hp&ts=148...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
    FF Extension: (FF Adr) - C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2016-12-28] [Brak podpisu cyfrowego]
    FF SearchPlugin: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default\searchplugins\5y8932fx.xml [2016-12-18]
    FF SearchPlugin: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default\searchplugins\amisites.xml [2016-12-27]
    FF SearchPlugin: C:\Documents and Settings\user\Dane aplikacji\Firefox\Firefox\Profiles\05ayuoro.default\searchplugins\searchinme.xml [2016-12-28]
    FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox-branding.js [2010-06-26]
    FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox-l10n.js [2010-06-26]
    FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\firefox.js [2010-06-26]
    FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\reporter.js [2010-06-26]
    R2 Archer; C:\Program Files\WinArcher\Archer.dll [792064 2016-12-28] (Fun Dw) [Brak podpisu cyfrowego]
    R2 Convxxxx; C:\Documents and Settings\user\Dane aplikacji\jcfic\UvConverter.exe [396800 2016-12-26] (Copyright (C) 2016) [Brak podpisu cyfrowego]
    R2 ed2kidle; C:\Program Files\amuleC1\ed2k.exe [237568 2016-12-19] (hxxp://www.amule.org/) [Brak podpisu cyfrowego]
    R2 FirefoxU; C:\Program Files\Firefox\bin\FirefoxUpdate.exe [110256 2016-12-28] ()
    R2 Ghhese; C:\Program Files\Atupuse\ckrrenew.dll [274432 2016-12-18] () [Brak podpisu cyfrowego]
    R2 GubedZL; C:\Program Files\Gubed\GubedZL.dll [119808 2016-12-27] () [Brak podpisu cyfrowego]
    R2 Gubed_WMI; C:\Program Files\Gubed_WMI\Gubed_WMI.exe [108544 2016-12-22] () [Brak podpisu cyfrowego] <==== UWAGA
    R2 iSafeService; C:\Program Files\Elex-tech\YAC\iSafeSvc.exe [131024 2016-12-02] (Elex do Brasil Participações Ltda)
    R2 WinSAPSvc; C:\Documents and Settings\All Users\Dane aplikacji\WinSAPSvc\WinSAP.dll [219136 2016-12-28] () [Brak podpisu cyfrowego]
    R1 iSafeKrnl; C:\Program Files\Elex-tech\YAC\iSafeKrnl.sys [227776 2016-05-23] (Elex do Brasil Participações Ltda)
    S3 iSafeKrnlBoot; C:\WINDOWS\System32\DRIVERS\iSafeKrnlBoot.sys [50280 2016-05-23] (Elex do Brasil Participações Ltda)
    R1 iSafeKrnlKit; C:\Program Files\Elex-tech\YAC\iSafeKrnlKit.sys [97912 2016-05-23] (Elex do Brasil Participações Ltda)
    R1 iSafeKrnlMon; C:\Program Files\Elex-tech\YAC\iSafeKrnlMon.sys [45032 2016-05-23] (Elex do Brasil Participações Ltda)
    R1 iSafeKrnlR3; C:\Program Files\Elex-tech\YAC\iSafeKrnlR3.sys [73232 2016-05-23] (Elex do Brasil Participações Ltda)
    R1 iSafeNetFilter; C:\WINDOWS\System32\DRIVERS\iSafeNetFilter.sys [67288 2016-05-19] (Elex do Brasil Participações Ltda)
    S0 cerc6; Brak ImagePath
    2016-12-28 16:42 - 2016-12-28 16:42 - 00000000 ____D C:\Program Files\Elex-tech
    2016-12-28 16:42 - 2016-12-28 16:42 - 00000000 ____D C:\Documents and Settings\user\Dane aplikacji\Elex-tech
    2016-12-28 16:42 - 2016-05-23 03:41 - 00050280 _____ (Elex do Brasil Participações Ltda) C:\WINDOWS\system32\Drivers\iSafeKrnlBoot.sys
    2016-12-28 16:42 - 2016-05-19 07:42 - 00067288 _____ (Elex do Brasil Participações Ltda) C:\WINDOWS\system32\Drivers\iSafeNetFilter.sys
    2016-12-28 16:38 - 2016-12-28 16:38 - 00000000 ____D C:\Program Files\amuleC1
    2016-12-28 16:38 - 2016-12-28 16:38 - 00000000 ____D C:\Documents and Settings\user\Menu Start\Programy\amuleC
    2016-12-28 16:38 - 2016-12-28 16:38 - 00000000 ____D C:\Documents and Settings\user\Dane aplikacji\aMule
    2016-12-27 15:53 - 2016-12-27 15:53 - 00000000 ____D C:\Program Files\UvConverter
    2016-12-27 15:53 - 2016-12-27 15:53 - 00000000 ____D C:\Program Files\Gubed
    2016-12-27 15:53 - 2016-12-27 15:53 - 00000000 ____D C:\Documents and Settings\user\Dane aplikacji\jcfic
    2016-12-22 09:53 - 2016-12-28 16:38 - 00000000 ____D C:\Documents and Settings\All Users\Dane aplikacji\WinSAPSvc
    2016-12-22 09:53 - 2016-12-27 15:53 - 00000000 ____D C:\Program Files\WinArcher
    2016-12-22 09:53 - 2016-12-22 09:53 - 00000000 ____D C:\Program Files\Gubed_WMI
    2016-12-22 09:52 - 2016-12-27 15:53 - 00000000 ____D C:\Program Files\ohhakuw2
    2016-12-18 18:13 - 2016-12-18 18:13 - 00000394 _____ C:\WINDOWS\Tasks\Jqackshijicult Builder.job
    2016-12-18 18:12 - 2016-12-27 15:57 - 00000000 ____D C:\Program Files\Atupuse
    2016-12-18 18:12 - 2016-12-18 18:12 - 00000000 ____D C:\Documents and Settings\user\Ustawienia lokalne\Dane aplikacji\Wirught
    2016-12-18 18:12 - 2016-12-18 18:12 - 00000000 ____D C:\Documents and Settings\user\Dane aplikacji\Qientplanasp
    EmptyTemp:

    In FRST, choose Fix.

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    Post new FRST logs from the scan.

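Added example (mine, not FRST's code and not from this thread): a small Python triage script that flags the kinds of FRST entries the fixlist above removes, i.e. browser shortcuts whose target carries a URL argument, auto-started services that are unsigned and name no vendor, and service or CustomCLSID entries with no file path. The sample lines are copied from the log excerpt in this thread; the English marker strings are assumed to be FRST's equivalents of the Polish ones shown, and the rules are heuristics, not FRST's own logic.

```python
import re

# Hypothetical triage helper (not FRST's code, not from this thread). Marker
# strings: Polish ones as printed in this thread's log, plus FRST's English forms.
UNSIGNED = ("[Brak podpisu cyfrowego]", "[File not signed]")
NO_PATH = ("Brak ścieżki do pliku", "Brak ImagePath", "No File", "No ImagePath")
SHORTCUT_RE = re.compile(r"^ShortcutWithArgument: (?P<lnk>.+?) -> (?P<target>.+?) -> (?P<arg>.+)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+); (?P<rest>.+)$")
URL_RE = re.compile(r"(?i)^h(xx|tt)ps?://")  # FRST defangs http as hxxp

# Sample input: lines copied from the FRST excerpt posted in this thread.
SAMPLE_LOG = r"""
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1474650310.job => C:\Program Files\Opera\launcher.exe
ShortcutWithArgument: C:\Documents and Settings\All Users\Pulpit\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.amisites.com/?type=sc&ts=14828...id=WDCXWD5000AAKS-75V0A0_WD-WMAWF085820858208
R2 Gubed_WMI; C:\Program Files\Gubed_WMI\Gubed_WMI.exe [108544 2016-12-22] () [Brak podpisu cyfrowego] <==== UWAGA
R2 iSafeService; C:\Program Files\Elex-tech\YAC\iSafeSvc.exe [131024 2016-12-02] (Elex do Brasil Participações Ltda)
S0 cerc6; Brak ImagePath
CustomCLSID: HKU\S-1-5-21-1229272821-1383384898-682003330-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> Brak ścieżki do pliku
"""

def triage_line(line):
    """Return (severity, reason) for one FRST line, or None if it looks clean."""
    line = line.strip()
    m = SHORTCUT_RE.match(line)
    if m and URL_RE.match(m.group("arg")):
        # A browser .lnk normally has no URL argument; one that does forces
        # the start page on every launch (the amisites hijack in this thread).
        return ("high", f"shortcut {m.group('lnk')} launches with URL argument")
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest")
        if any(tok in rest for tok in NO_PATH):
            return ("low", f"service {m.group('name')} has no ImagePath (orphan)")
        if any(tok in rest for tok in UNSIGNED) and "()" in rest:
            # Auto-started binary that is unsigned and names no vendor at all.
            return ("high", f"unsigned service {m.group('name')} with empty vendor")
    if line.startswith("CustomCLSID:") and any(tok in line for tok in NO_PATH):
        return ("low", "CustomCLSID with no file path (orphan COM registration)")
    return None

def triage(log):
    """Run triage_line over a whole log; returns findings in line order."""
    findings = []
    for ln in log.splitlines():
        hit = triage_line(ln)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for sev, why in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}")
```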
  • #3 28 Dec 2016 19:36
    kani_tor
    Level 2

    I am posting the FRST logs. Now when I click the 'My Computer' or 'My Documents' icon or Search in the Start menu, a SmartWebPrinting installer pops up, which only goes away after I cancel it 3 times. Only after cancelling does the clicked folder open.

  • Helpful post
    #4 28 Dec 2016 20:01
    Kolobos
    Computer specialist

    Uninstall: HP Smart Web Printing 4.5

    Run a Fixlist.txt like this:
    BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-05-21] (Hewlett-Packard Co.)
    BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-05-21] (Hewlett-Packard Co.)
    FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 => nie znaleziono
    FF HKU\S-1-5-21-1229272821-1383384898-682003330-1003\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 => nie znaleziono
    2016-12-28 18:49 - 2016-12-28 18:52 - 00000000 ____D C:\AdwCleaner

  • #5 28 Dec 2016 20:27
    kani_tor
    Level 2

    Everything works nicely now :) Thanks, Master :)

  • #6 28 Dec 2016 20:28
    Kolobos
    Computer specialist

    Delete the C:\FRST folder and that's all.

  • #7 28 Dec 2016 20:30
    kani_tor
    Level 2

    Done. Many thanks for the help :)
