Elektroda.pl

Chinese viruses - a virus that installs applications, request for analysis of FRST logs

mathys86 09 Jan 2017 13:45 687 4
  • Helpful post
    #2 09 Jan 2017 13:57
    Kolobos
    Computer specialist

    The profile created by the infection has to be removed from Chrome.
    Export your Chrome bookmarks if you still need them.

    Next to frst.exe create a file Fixlist.txt with the contents:
    CloseProcesses:
    Task: {6F405D17-F0DC-4997-A1F3-4DA724ABFF96} - System32\Tasks\Opera scheduled Autoupdate 1453468299 => C:\Program Files (x86)\Opera\launcher.exe [2016-12-19] (Opera Software)
    Task: {BEF289CE-FBDE-4A18-AA78-CC15C3C13A11} - System32\Tasks\Opera scheduled Autoupdate 1455052190 => C:\Program Files (x86)\Opera\launcher.exe [2016-12-19] (Opera Software)
    Task: {E200ECAB-164B-4929-AFF9-B1101A72A873} - System32\Tasks\NC => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe [2016-12-27] ()
    Task: C:\WINDOWS\Tasks\NC.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe
    ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->
    ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->
    HKU\S-1-5-18\...\Run: [] => 0
    ShellExecuteHooks: Brak nazwy - {EA048B4C-D1B9-11E6-A759-64006A5CFC23} - C:\Users\User\AppData\Roaming\Arolertainmekeing\Clejerledercitain.dll [146944 2017-01-09] ()
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => -> Brak pliku
    CHR DefaultProfile: ChromeDefaultData
    CHR HomePage: ChromeDefaultData -> hxxp://www.youndoo.com/?z=442b8312d2496effd07...BPVT-24HXZT1_WD-WXD1E70CU745CU745&type=hp
    CHR StartupUrls: ChromeDefaultData -> "hxxp://www.youndoo.com/?z=442b8312d2496effd074d6cg3z4b9c2t1w3oaweq9e&from=wak&uid=WDCXWD7500BPVT-24HXZT1_WD-WXD1E70CU745CU745&type=hp"
    CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.youndoo.com/search/?q={searchTerms}&z=442b8312d2496effd074d6cg3z4b9c2t1w3oaweq9e&from=wak&uid=WDCXWD7500BPVT-24HXZT1_WD-WXD1E70CU745CU745&type=sp
    CHR DefaultSearchKeyword: ChromeDefaultData -> youndoo
    CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-09] <==== UWAGA
    C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
    R2 Qotackcoaback; C:\Program Files (x86)\Arorit\drhcnf.dll [178688 2017-01-09] () [Brak podpisu cyfrowego]
    R2 SaFiSvc; C:\Program Files\SaFiPlayer\SaFiSvc.dll [324336 2017-01-03] ()
    2017-01-09 10:06 - 2017-01-09 11:48 - 00000000 ____D C:\ProgramData\Microleaves
    2017-01-09 10:04 - 2017-01-09 10:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaFiPlayer
    2017-01-09 10:04 - 2017-01-09 10:04 - 00000882 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\żěŃą.lnk
    2017-01-09 10:04 - 2017-01-09 10:04 - 00000000 ____D C:\Users\User\AppData\Roaming\Softlink
    2017-01-09 10:04 - 2017-01-09 10:04 - 00000000 ____D C:\Users\User\AppData\Roaming\KuaiZip
    2017-01-09 10:04 - 2017-01-09 10:04 - 00000000 ____D C:\Program Files\SaFiPlayer
    2017-01-09 10:03 - 2017-01-09 11:17 - 00000314 ____H C:\WINDOWS\Tasks\NC.job
    2017-01-09 10:03 - 2017-01-09 10:03 - 00003098 _____ C:\WINDOWS\System32\Tasks\NC
    2017-01-09 10:03 - 2017-01-09 10:03 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
    2017-01-09 10:03 - 2017-01-09 10:03 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
    2017-01-09 10:03 - 2017-01-09 10:03 - 00000000 ____D C:\Program Files (x86)\Microleaves
    2017-01-09 10:02 - 2017-01-09 10:02 - 00000000 ____D C:\Users\User\AppData\Roaming\Arolertainmekeing
    2017-01-09 10:02 - 2017-01-09 10:02 - 00000000 ____D C:\Users\User\AppData\Local\Kerfesydcale
    2017-01-09 10:02 - 2017-01-09 10:02 - 00000000 ____D C:\Program Files (x86)\Zohtckileied Configuration
    2017-01-09 10:02 - 2017-01-09 10:02 - 00000000 ____D C:\Program Files (x86)\Arorit
    2017-01-09 09:55 - 2017-01-09 10:04 - 00000000 ____D C:\Users\User\AppData\Roaming\Microleaves
    2017-01-09 09:55 - 2017-01-09 09:55 - 00000000 ____D C:\ProgramData\Hotfreshs
    2017-01-09 09:54 - 2017-01-09 09:54 - 7316480 _____ () C:\Users\User\AppData\Roaming\agent.dat
    2017-01-09 09:53 - 2017-01-09 09:53 - 0140288 _____ () C:\Users\User\AppData\Roaming\Installer.dat
    2017-01-09 09:54 - 2017-01-09 09:54 - 0018432 _____ () C:\Users\User\AppData\Roaming\Main.dat
    EmptyTemp:

    In FRST click Fix.

    Delete the C:\FRST folder.

    0
  • Helpful post
    #4 09 Jan 2017 14:39
    Kolobos
    Computer specialist

    New Fixlist.txt:
    S3 dtldrvhelp; \??\c:\program files\safiplayer\dtldrvhelp64.sys [X]

    Delete the C:\FRST folder. That's all.

    0
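As an added example, not from Kolobos or from FRST itself: a defender's first pass over lines of the kind quoted in the two Fixlist.txt posts above (#2 and #4) can be automated. The Python below parses FRST's Task, service, CHR and creation-time entries, flags autostarts with no publisher name, Chrome start/search URLs on a host outside an assumed allowlist, and the burst of directories created within minutes of each other that marks one bundled installer run. The sample lines are a constructed subset modelled on the posts (URLs shortened), and the allowlist of hosts is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the FRST lines quoted in the thread's two Fixlist.txt posts.
SAMPLE_FRST = r"""
Task: {E200ECAB-164B-4929-AFF9-B1101A72A873} - System32\Tasks\NC => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe [2016-12-27] ()
Task: {6F405D17-F0DC-4997-A1F3-4DA724ABFF96} - System32\Tasks\Opera scheduled Autoupdate 1453468299 => C:\Program Files (x86)\Opera\launcher.exe [2016-12-19] (Opera Software)
R2 Qotackcoaback; C:\Program Files (x86)\Arorit\drhcnf.dll [178688 2017-01-09] () [Brak podpisu cyfrowego]
S3 dtldrvhelp; \??\c:\program files\safiplayer\dtldrvhelp64.sys [X]
CHR StartupUrls: ChromeDefaultData -> "hxxp://www.youndoo.com/?z=442b8312d2496effd074d6cg3z4b9c2t1w3oaweq9e&from=wak&type=hp"
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.youndoo.com/search/?q={searchTerms}&type=sp
2017-01-09 10:04 - 2017-01-09 10:04 - 00000000 ____D C:\Program Files\SaFiPlayer
2017-01-09 10:02 - 2017-01-09 10:02 - 00000000 ____D C:\Program Files (x86)\Arorit
2017-01-09 09:54 - 2017-01-09 09:54 - 7316480 _____ () C:\Users\User\AppData\Roaming\agent.dat
"""
TASK_RE = re.compile(r'^Task: .*? => (.+?)(?: \[[^\]]*\])?(?: \(([^()]*)\))?$')
SVC_RE = re.compile(r'^[RS]\d (\S+); (.+?)(?: \[[^\]]*\])?(?: \(([^()]*)\))?(?: \[[^\]]*\])?$')
CHR_RE = re.compile(r'^CHR (?:HomePage|StartupUrls|DefaultSearchURL): \S+ -> "?(hxxps?://[^\s"]+)')
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \S+ \S+ - \d+ \S+ (?:\(\) )?(.+)$')
KNOWN_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}  # assumed allowlist

def parse(text):
    """Split FRST lines into (kind, path, publisher), Chrome URLs and (created, path) tuples."""
    autostarts, urls, files = [], [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := TASK_RE.match(line):
            autostarts.append(("Task", m.group(1), m.group(2)))
        elif m := SVC_RE.match(line):
            autostarts.append((f"Service {m.group(1)}", m.group(2), m.group(3)))
        elif m := CHR_RE.match(line):
            urls.append(m.group(1))
        elif m := FILE_RE.match(line):
            files.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)))
    return autostarts, urls, files

def triage(text, burst_minutes=30):
    autostarts, urls, files = parse(text)
    findings = []
    for kind, path, publisher in autostarts:
        if not publisher:  # FRST prints "()" or nothing when no publisher name is present
            findings.append(f"{kind} without publisher: {path}")
    for url in urls:
        host = re.match(r"hxxps?://([^/]+)", url).group(1)  # FRST defangs http as hxxp
        if host not in KNOWN_HOSTS:
            findings.append(f"Chrome start/search URL points to {host}")
    # Creation times clustered within minutes: one bundled installer run, not separate installs.
    times = sorted(t for t, _ in files)
    within = times and (times[-1] - times[0]).total_seconds() <= burst_minutes * 60
    burst = (times[0], times[-1], len(times)) if len(times) >= 3 and within else None
    return findings, burst
```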
  • #5 10 Jan 2017 11:14
    mathys86
    Level 2

    Everything works. Thanks for the help

    0