Elektroda.pl

Virus "żena" - help -

robsado 22 Jan 2017 00:57 573 1
  • #1 22 Jan 2017 00:57
    robsado
    Level 1

    Hello everyone.
    After looking through the forum I can see that I am not an isolated case with my problem.
    Namely, I caught the "żena" virus and, along with it, some other junk. Strange pages keep opening on their own, thousands of ads, etc.
    Please help me remove this junk from my computer.
    I am attaching the FRST logs.
    Thanks in advance for your help.

    0 1
  • #2 22 Jan 2017 01:05
    Kolobos
    Computer specialist

    Uninstall: ContentPush

    Use AdwCleaner, the Scan and Clean (Szukaj i Usuń) option: http://www.bleepingcomputer.com/download/adwcleaner/

    Use: https://sourceforge.net/projects/adobeflashup...an%20Remover/RemoveMcAfee_silent.exe/download

    Run this Fixlist.txt with FRST:
    CloseProcesses:
    Traffic Exchange (x32 Version: 1.15.1 - Microleaves) Hidden <==== UWAGA
    Task: {1CD1529F-36E4-47F6-A48A-8FBB73BD5EEE} - System32\Tasks\Traffic Exchange Guardian => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe <==== UWAGA
    Task: {237142C4-DB93-4A74-844E-BD0565F4C5A0} - System32\Tasks\Traffic Exchange v2 Guardian => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
    Task: {532D4AE5-AD1F-416F-B92D-DDE1B899EF5D} - System32\Tasks\Traffic Exchange => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe <==== UWAGA
    Task: {5B9DCA07-6D0F-42BB-B789-8471A9525980} - System32\Tasks\Traffic Exchange v2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
    Task: {75AE063F-5ACA-473B-9AD9-ACB54950C5D0} - System32\Tasks\Traffic Exchange Debug => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe <==== UWAGA
    Task: {8884A976-820F-4453-A434-8F8F302C6ECB} - System32\Tasks\Traffic Exchange v2 Guard => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
    Task: {97D5DD60-CBCF-4123-B0D5-A74F9847D994} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
    Task: {9D3A563C-08F9-446C-8B8A-6AE53E2A7F10} - System32\Tasks\sysnet => C:\Users\Robert\AppData\Local\sysnet\sysnet.exe <==== UWAGA
    C:\Users\Robert\AppData\Local\sysnet\
    Task: {C0198C68-A579-4058-9602-C99E9BF5A05E} - System32\Tasks\KuaiZip_Update => C:\Program Files\żěŃą\X86\Update.exe [2017-01-21] (Shanghai Guangle Network Technology Ltd) <==== UWAGA
    Task: {EC690F0C-44A1-4472-9B4C-915314C9AF8F} - System32\Tasks\Traffic Exchange Updater => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe <==== UWAGA
    Task: {FCB603B0-627B-4705-A3B9-91F3BCAD2F4A} - System32\Tasks\Traffic Exchange Guard => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe <==== UWAGA
    C:\Program Files (x86)\Microleaves\
    Task: C:\WINDOWS\Tasks\Traffic Exchange Updater.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe <==== UWAGA
    Task: C:\WINDOWS\Tasks\Traffic Exchange v2 Guard.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
    Task: C:\WINDOWS\Tasks\Traffic Exchange v2 Guardian.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
    Task: C:\WINDOWS\Tasks\Traffic Exchange v2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
    WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
    ShortcutWithArgument: C:\Users\Robert\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Robert\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    ShortcutWithArgument: C:\Users\Robert\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Robert\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Robert\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Robert\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    2017-01-21 23:18 - 2017-01-21 23:18 - 00524696 _____ () C:\Program Files\żěŃą\X64\KZipShell.dll
    HKLM\...\Winlogon: [Userinit] wscript C:\WINDOWS\run.vbs,
    HKU\S-1-5-21-208902885-2602134655-391681032-1001\...\Run: [xksptksuvt] => explorer "hxxp://granena.ru/?utm_source=uoua03n&utm_content=e739009bccd5f1e6d71a91bff5994529&utm_term=21547F6CA476C25E984585A99E083F9F&utm_d=20170121" <===== UWAGA
    HKU\S-1-5-18\...\Run: [] => 0
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Brak pliku
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll [2017-01-21] ()
    GroupPolicy\User: Ograniczenia <======= UWAGA
    HKU\S-1-5-21-208902885-2602134655-391681032-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...bUT7vlD4sMnysd5GXDlqJmOpCzn79Vz-viCQ,,&q={searchTerms}
    HKU\S-1-5-21-208902885-2602134655-391681032-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKU\S-1-5-21-208902885-2602134655-391681032-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell15.msn.com/?pc=DCTE
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...bUT7vlD4sMnysd5GXDlqJmOpCzn79Vz-viCQ,,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-208902885-2602134655-391681032-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={SearchTerms}&product_id=%7B1F100ADA-A355-42AE-B33B-986141FDB925%7D&gp=811014
    SearchScopes: HKU\S-1-5-21-208902885-2602134655-391681032-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...bUT7vlD4sMnysd5GXDlqJmOpCzn79Vz-viCQ,,&q={searchTerms}
    BHO-x32: Ďîčńę@Mail.Ru -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\Robert\AppData\Local\Mail.Ru\Sputnik\IESearchPlugin.dll => Brak pliku
    CHR HomePage: Default -> mail.ru/cnt/11956636?rciguc__PARAM__
    CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-208902885-2602134655-391681032-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ccfifbojenkenpkmnbnndeadpfdiffof] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-208902885-2602134655-391681032-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oelpkepjlgmehajehfeicfbjdiobdkfj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-208902885-2602134655-391681032-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ojlcebdkbpjdpiligkdbbkdkfjmchbfd] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
    S2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
    U0 aswVmm; Brak ImagePath
    2017-01-22 00:42 - 2017-01-22 00:50 - 00000000 ____D C:\AdwCleaner
    2017-01-21 23:32 - 2017-01-21 23:32 - 00000000 ____D C:\Users\Robert\AppData\Local\AdvinstAnalytics
    2017-01-21 23:21 - 2017-01-21 23:21 - 00000000 ____D C:\Program Files (x86)\5f233a6c-a953-4c11-8a54-49604c08109c1485037278
    2017-01-21 23:18 - 2017-01-21 23:18 - 00092832 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\KuaiZipDrive.sys
    2017-01-21 23:18 - 2017-01-21 23:18 - 00003562 _____ C:\WINDOWS\System32\Tasks\KuaiZip_Update
    2017-01-21 23:18 - 2017-01-21 23:18 - 00000884 _____ C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\żěŃą.lnk
    2017-01-21 23:18 - 2017-01-21 23:18 - 00000000 ____D C:\Program Files\żěŃą
    2017-01-21 23:17 - 2017-01-21 23:34 - 00000406 ____H C:\WINDOWS\Tasks\Traffic Exchange Updater.job
    2017-01-21 23:17 - 2017-01-21 23:34 - 00000356 ____H C:\WINDOWS\Tasks\Traffic Exchange v2.job
    2017-01-21 23:17 - 2017-01-21 23:34 - 00000356 ____H C:\WINDOWS\Tasks\Traffic Exchange v2 Guardian.job
    2017-01-21 23:17 - 2017-01-21 23:34 - 00000356 ____H C:\WINDOWS\Tasks\Traffic Exchange v2 Guard.job
    2017-01-21 23:17 - 2017-01-21 23:17 - 07316480 _____ C:\Users\Robert\AppData\Roaming\agent.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 01938538 _____ C:\Users\Robert\AppData\Roaming\Solodex.bin
    2017-01-21 23:17 - 2017-01-21 23:17 - 01907065 _____ C:\Users\Robert\AppData\Roaming\RunFax.tst
    2017-01-21 23:17 - 2017-01-21 23:17 - 00126464 _____ C:\Users\Robert\AppData\Roaming\noah.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 00126464 _____ C:\Users\Robert\AppData\Roaming\lobby.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 00072787 _____ C:\Users\Robert\AppData\Roaming\Zamtop.tst
    2017-01-21 23:17 - 2017-01-21 23:17 - 00070752 _____ C:\Users\Robert\AppData\Roaming\Config.xml
    2017-01-21 23:17 - 2017-01-21 23:17 - 00054272 _____ C:\Users\Robert\AppData\Roaming\ApplicationHosting.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 00018432 _____ C:\Users\Robert\AppData\Roaming\Main.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 00005568 _____ C:\Users\Robert\AppData\Roaming\md.xml
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003708 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guardian
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003702 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guard
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003690 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003606 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Debug
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003294 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Updater
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003252 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 Guardian
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003246 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 Guard
    2017-01-21 23:17 - 2017-01-21 23:17 - 00003234 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2
    2017-01-21 23:17 - 2017-01-21 23:17 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
    2017-01-21 23:17 - 2017-01-21 23:17 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
    2017-01-21 23:17 - 2017-01-21 23:16 - 00983040 _____ C:\Users\Robert\AppData\Roaming\Zamtop.exe
    2017-01-21 23:17 - 2017-01-21 23:16 - 00983040 _____ C:\Users\Robert\AppData\Roaming\RunFax.exe
    2017-01-21 23:16 - 2017-01-21 23:17 - 00016560 _____ C:\Users\Robert\AppData\Roaming\InstallationConfiguration.xml
    2017-01-21 23:16 - 2017-01-21 23:16 - 00140288 _____ C:\Users\Robert\AppData\Roaming\Installer.dat
    2017-01-21 23:07 - 2017-01-21 23:07 - 00003636 _____ C:\WINDOWS\System32\Tasks\sysnet
    2017-01-21 21:16 - 2017-01-21 21:16 - 01285352 _____ (Rocere ) C:\Users\Robert\Downloads\uTorrent-13270-dp.exe
    2017-01-21 23:17 - 2017-01-21 23:17 - 7316480 _____ () C:\Users\Robert\AppData\Roaming\agent.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 0054272 _____ () C:\Users\Robert\AppData\Roaming\ApplicationHosting.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 0070752 _____ () C:\Users\Robert\AppData\Roaming\Config.xml
    2017-01-21 23:16 - 2017-01-21 23:17 - 0016560 _____ () C:\Users\Robert\AppData\Roaming\InstallationConfiguration.xml
    2017-01-21 23:16 - 2017-01-21 23:16 - 0140288 _____ () C:\Users\Robert\AppData\Roaming\Installer.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 0126464 _____ () C:\Users\Robert\AppData\Roaming\lobby.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 0018432 _____ () C:\Users\Robert\AppData\Roaming\Main.dat
    2017-01-21 23:17 - 2017-01-21 23:17 - 0005568 _____ () C:\Users\Robert\AppData\Roaming\md.xml
    2017-01-21 23:17 - 2017-01-21 23:17 - 0126464 _____ () C:\Users\Robert\AppData\Roaming\noah.dat
    2017-01-21 23:17 - 2017-01-21 23:16 - 0983040 _____ () C:\Users\Robert\AppData\Roaming\RunFax.exe
    2017-01-21 23:17 - 2017-01-21 23:17 - 1907065 _____ () C:\Users\Robert\AppData\Roaming\RunFax.tst
    2017-01-21 23:17 - 2017-01-21 23:17 - 1938538 _____ () C:\Users\Robert\AppData\Roaming\Solodex.bin
    2017-01-21 23:17 - 2017-01-21 23:17 - 0032038 _____ () C:\Users\Robert\AppData\Roaming\uninstall_temp.ico
    2017-01-21 23:17 - 2017-01-21 23:16 - 0983040 _____ () C:\Users\Robert\AppData\Roaming\Zamtop.exe
    2017-01-21 23:17 - 2017-01-21 23:17 - 0072787 _____ () C:\Users\Robert\AppData\Roaming\Zamtop.tst
    EmptyTemp:

    After it has run, uninstall Traffic Exchange.

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    Delete the C:\FRST folder.

    0
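The fixlist above removes several distinct persistence mechanisms at once (scheduled tasks, Chrome shortcuts launched with --load-extension, a replaced Winlogon Userinit value, a Run key that just opens a URL, and a WMI script event consumer). As an added illustration, not code from the thread or from FRST, the following Python example parses FRST-style lines and groups them by mechanism; the sample input is copied (and the URL abridged) from the fixlist, and the triage heuristics are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: FRST entries taken from the fixlist above, plus the benign
# Intel task from the same list to show that it is not reported.
SAMPLE_FRST = r"""
Task: {9D3A563C-08F9-446C-8B8A-6AE53E2A7F10} - System32\Tasks\sysnet => C:\Users\Robert\AppData\Local\sysnet\sysnet.exe <==== UWAGA
Task: {97D5DD60-CBCF-4123-B0D5-A74F9847D994} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
Task: C:\WINDOWS\Tasks\Traffic Exchange v2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.exe <==== UWAGA
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Robert\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
HKLM\...\Winlogon: [Userinit] wscript C:\WINDOWS\run.vbs,
HKU\S-1-5-21-208902885-2602134655-391681032-1001\...\Run: [xksptksuvt] => explorer "hxxp://granena.ru/?utm_source=uoua03n" <===== UWAGA
WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
"""

MARKER = re.compile(r"\s*<=+\s*UWAGA\s*$")  # FRST's attention marker (Polish build)
TASK = re.compile(r"^Task: (?:\{[0-9A-F-]+\} - )?(?P<name>.+?) => (?P<target>.+)$")
SHORTCUT = re.compile(r"^ShortcutWithArgument: (?P<lnk>.+?\.lnk) -> .+? -> (?P<args>.+)$")
USERINIT = re.compile(r"^HKLM\\.*Winlogon: \[Userinit\] (?P<value>.+)$")
RUNKEY = re.compile(r"^(?P<hive>HK[LU].*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.+)$")
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"  # assumed stock value

@dataclass
class Finding:
    mechanism: str
    location: str
    detail: str

def triage(text: str) -> list[Finding]:
    """Classify FRST lines by persistence mechanism; keep only those worth acting on."""
    findings = []
    for raw in text.splitlines():
        flagged = MARKER.search(raw) is not None   # FRST already marked it
        line = MARKER.sub("", raw).strip()
        if not line:
            continue
        if m := TASK.match(line):
            # Heuristic: a task action inside a user profile is not a vendor install
            if flagged or re.search(r"\\Users\\[^\\]+\\AppData\\", m["target"], re.I):
                findings.append(Finding("scheduled task", m["name"], m["target"]))
        elif m := SHORTCUT.match(line):
            if "--load-extension=" in m["args"]:   # browser started with a side-loaded extension
                findings.append(Finding("hijacked shortcut", m["lnk"], m["args"]))
        elif m := USERINIT.match(line):
            if m["value"].strip().lower() != DEFAULT_USERINIT:  # runs at every logon
                findings.append(Finding("winlogon userinit", "HKLM\\...\\Winlogon", m["value"]))
        elif m := RUNKEY.match(line):
            if re.search(r"hxxps?://|https?://", m["cmd"]):  # Run entry whose job is opening a URL
                findings.append(Finding("run key", f'{m["hive"]} [{m["name"]}]', m["cmd"]))
        elif line.startswith("WMI_ActiveScriptEventConsumer"):
            findings.append(Finding("wmi event consumer", line.rstrip(":"), "script consumer present"))
    return findings
```

Calling `triage(SAMPLE_FRST)` returns six findings, one per flagged line, and skips the Intel task.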