Elektroda.pl

Virus "żena" - help -

seba7ns 01 Feb 2017 22:55 456 4
  • #2 01 Feb 2017 23:02
    Kolobos
    Computer specialist

    @seba7ns Uninstall: SpyHunter 4

    Fixlist.txt for FRST:
    CloseProcesses:
    Traffic Exchange (x32 Version: 2.0.0 - Microleaves) Hidden <==== UWAGA
    Task: {1A2FDD8A-C762-4353-A67E-11184E9CD102} - System32\Tasks\psv_Hotlab => /c regedit.exe /s "C:\ProgramData\Zaamla\Vilabam.reg" & del "C:\ProgramData\Zaamla\Vilabam.reg" & SCHTASKS /Delete /TN "psv_Hotlab" /F <==== UWAGA
    Task: {768C9EC5-2706-4F39-8CB2-549945CCF0A3} - System32\Tasks\psv_Lat-Bam => /c regedit.exe /s "C:\ProgramData\Zaamla\Nimfind.reg" & del "C:\ProgramData\Zaamla\Nimfind.reg" & SCHTASKS /Delete /TN "psv_Lat-Bam" /F <==== UWAGA
    Task: {CCF8C642-0E01-4FB1-9E57-7FB733AA97B6} - System32\Tasks\psv_ZamKayeco => /c regedit.exe /s "C:\ProgramData\Zaamla\Alphatone.reg" & del "C:\ProgramData\Zaamla\Alphatone.reg" & SCHTASKS /Delete /TN "psv_ZamKayeco" /F <==== UWAGA
    WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
    ShortcutWithArgument: C:\Users\Seba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Seba\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    ShortcutWithArgument: C:\Users\Seba\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Seba\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Seba\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Seba\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
    2017-01-31 21:46 - 2017-01-31 21:46 - 00147968 _____ () c:\program files (x86)\druhewardplercght\proslecrughtcmm.dll
    AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [23652]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1479458]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1205026]
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-2262497724-3754189573-2870857-1001\...\MountPoints2: {aa30717b-e7ec-11e6-9bea-806e6f6e6963} - "D:\ASRSetup.exe"
    HKU\S-1-5-18\...\Run: [] => 0
    HKLM\...\Providers\6z9as2n9: C:\Program Files (x86)\Keqokvimuph Collector\local64spl.dll
    ShellExecuteHooks: Brak nazwy - {AB050410-DE45-11E6-BAA9-64006A5CFC23} - -> Brak pliku
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => -> Brak pliku
    HKU\S-1-5-21-2262497724-3754189573-2870857-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...xD8Ze0OGczV0Y6YjMt5gbTHU955NdGdXoOUzLZ&q={searchTerms}
    HKU\S-1-5-21-2262497724-3754189573-2870857-1001\Software\Microsoft\Internet Explorer\Main,Start Page =
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    SearchScopes: HKU\S-1-5-21-2262497724-3754189573-2870857-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    R2 Coewotatubeied; C:\Program Files (x86)\Druhewardplercght\proslecrughtcmm.dll [147968 2017-01-31] () [Brak podpisu cyfrowego]
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [23652 ] (UC Web Inc.) <==== UWAGA
    2017-02-01 16:03 - 2017-02-01 16:03 - 00000000 _____ C:\autoexec.bat
    2017-02-01 16:02 - 2017-02-01 16:50 - 00000000 ____D C:\Program Files\Enigma Software Group
    2017-01-31 22:22 - 2017-01-31 22:22 - 00881904 _____ (Plumbytes Software) C:\Users\Seba\Downloads\antimalwaresetup.exe
    2017-01-31 22:01 - 2017-01-31 22:58 - 00000000 ____D C:\Program Files\żěŃą
    2017-01-31 21:46 - 2017-01-31 21:47 - 00000000 ____D C:\Program Files (x86)\Druhewardplercght
    2017-01-31 21:46 - 2017-01-31 21:46 - 00000000 ____D C:\Users\Seba\AppData\Local\Csoghtatam
    2017-01-31 21:46 - 2017-01-31 21:46 - 00000000 ____D C:\ProgramData\Avira
    2017-01-31 21:46 - 2017-01-31 21:46 - 00000000 ____D C:\ProgramData\Avg
    2017-01-31 21:46 - 2017-01-31 21:46 - 00000000 ____D C:\ProgramData\AVAST Software
    2017-01-31 21:14 - 2017-01-31 21:15 - 02004956 _____ C:\Users\Seba\Downloads\Niepotwierdzony 813269.crdownload
    2017-01-31 20:54 - 2017-01-31 20:54 - 00003330 _____ C:\WINDOWS\System32\Tasks\psv_ZamKayeco
    2017-01-31 20:54 - 2017-01-31 20:54 - 00003314 _____ C:\WINDOWS\System32\Tasks\psv_Lat-Bam
    2017-01-31 20:54 - 2017-01-31 20:54 - 00003310 _____ C:\WINDOWS\System32\Tasks\psv_Hotlab
    2017-01-31 20:51 - 2017-01-31 22:02 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2017-01-31 20:47 - 2017-01-31 20:47 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
    2017-01-31 20:47 - 2017-01-31 20:47 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
    2017-01-02 18:33 - 2017-02-01 20:55 - 00000000 ____D C:\AdwCleaner
    EmptyTemp:

    Run the script in Safe Mode.

    After it has run, uninstall Traffic Exchange (empty entry).

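As an added example that is not code from this thread or from FRST: a read-only PowerShell audit that reports the four persistence mechanisms the fixlist above removes (self-deleting scheduled tasks that import a .reg file with regedit /s, Chrome shortcuts patched with --load-extension, a WMI ActiveScriptEventConsumer, and alternate data streams on the drivers folder). The function name and the shortcut folders it searches are my own choices; run it elevated in Windows PowerShell 5.1.

```powershell
# Added example, not code from the thread or from FRST: read-only audit of the
# persistence mechanisms seen in the fixlist. Nothing on the system is changed.
function Find-FixlistPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($type, $name, $detail) {
        $findings.Add([pscustomobject]@{ Type = $type; Name = $name; Detail = $detail })
    }

    # 1. Scheduled tasks that silently import a .reg file and then delete
    #    themselves, the pattern of the three psv_* tasks in the log.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'regedit(\.exe)?\s+/s' -or $cmd -match 'schtasks\s+/delete') {
                Add-Finding 'ScheduledTask' $task.TaskName $cmd
            }
        }
    }

    # 2. Chrome .lnk shortcuts whose arguments sideload an unpacked extension
    #    (folders below are assumed; extend the list for other shortcut roots).
    $shell = New-Object -ComObject WScript.Shell
    $lnkRoots = @("$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
                  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
                  "$env:PUBLIC\Desktop")
    Get-ChildItem -Path $lnkRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnkArgs = $shell.CreateShortcut($_.FullName).Arguments
            if ($lnkArgs -match '--load-extension=') { Add-Finding 'Shortcut' $_.FullName $lnkArgs }
        }

    # 3. Permanent WMI subscriptions that run script (ActiveScriptEventConsumer).
    Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer `
        -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.ScriptText }

    # 4. Named alternate data streams on the drivers folder, where the log
    #    showed a driver and two payload blobs hidden as streams.
    Get-Item "$env:SystemRoot\System32\drivers" -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Add-Finding 'ADS' $_.FileName "$($_.Stream) ($($_.Length) bytes)" }

    return $findings
}

Find-FixlistPersistence | Format-Table -AutoSize -Wrap
```

An empty table means none of these four indicators is present; a hit is a lead to verify by hand, not proof of infection on its own.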
  • #4 01 Feb 2017 23:13
    Kolobos
    Computer specialist

    Uninstall: Traffic Exchange

    Delete the C:\FRST folder and that's all.

  • #5 01 Feb 2017 23:14
    seba7ns
    Level 2

    thanks a lot! it helped
