Elektroda.pl

Virus żěŃą - fixlist.txt - I don't know what to put in fixlist.txt to remove this virus

Tunder2, 08 Feb 2017 09:38
  • #1 08 Feb 2017 09:38
    Tunder2
    Level 2

    Hello,

    I have become the owner of the żěŃą virus. Of course it was my own doing: I opened a rar file infected with this very program. I have read the discussions on this subject and I know that the attachments from FRST need to be pasted. What I don't know is exactly what to put in fixlist.txt. Could someone help me with that? Attachments from FRST:

  • Helpful post
    #2 08 Feb 2017 09:45
    Kolobos
    Computer specialist

    Don't use ComboFix!

    Uninstall:
    Driver Booster 4.2
    Game Booster 3

    Make a backup of your Chrome bookmarks; the script will delete the Chrome profile directories.

    Run the fixlist in Safe Mode.

    Next to frst.exe create a file Fixlist.txt with the following content:
    CloseProcesses:
    Task: {00AA7DC9-9370-4211-A9F5-289673ADA73D} - System32\Tasks\Zazshzerfertain => /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel....22A0RT0_WD-WXF1AA0P0376P0376&v=201724 /q
    Task: {3D4E7C80-63D3-4E6D-B289-3D440AF2BB4A} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-02-04] (UC Web Inc.) <==== ATTENTION
    Task: {9CAC6364-6566-456A-BDC0-4011829B1762} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe
    Task: {BAC9AF37-9F0F-459C-9403-7E866B097125} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2017-01-16] (UCWeb Inc) <==== ATTENTION
    Task: {DF63AFC9-0C1A-4242-8212-7A4277EE88DD} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2017-01-16] (UCWeb Inc) <==== ATTENTION
    Task: {E4035486-7F76-49DF-9AC0-352A7EEC3DDA} - System32\Tasks\Qoerchvilily Log => C:\Program Files (x86)\Shurerphraterward\puzise.exe [2017-02-04] (Glarysoft Ltd)
    Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
    Task: C:\Windows\Tasks\UCBrowserUpdaterCore.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
    ShortcutWithArgument: C:\Users\Kornel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Kornel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Kornel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Kornel\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Kornel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Kornel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Kornel\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Kornel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\user0 - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=ChromeDefaultData
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Kornel\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    2017-02-04 12:16 - 2017-01-16 12:23 - 00930704 _____ () C:\Program Files (x86)\UCBrowser\Application\UCService.exe
    2017-02-04 13:28 - 2017-01-16 12:43 - 02164624 _____ () C:\Program Files (x86)\UCBrowser\Application\6.0.1471.813\UCAgent.exe
    2017-02-05 16:19 - 2017-02-05 20:09 - 00118272 _____ () c:\program files (x86)\gubed\gubedzl.dll
    AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [23652]
    AlternateDataStreams: C:\Windows\system32\drivers:x64 [1479458]
    AlternateDataStreams: C:\Windows\system32\drivers:x86 [1205026]
    () C:\Program Files (x86)\UCBrowser\Application\UCService.exe
    () C:\Program Files (x86)\UCBrowser\Application\6.0.1471.813\UCAgent.exe
    ShellExecuteHooks: No Name - {21E0FCA4-DE4A-11E6-844B-64006A5CFC23} - -> No File
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => -> No File
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-3265586491-3057031789-2284767348-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    FF user.js: detected! => C:\Users\Kornel\AppData\Roaming\Mozilla\Firefox\Profiles\huzzjh9m.default\user.js [2017-01-13]
    FF SearchPlugin: C:\Users\Kornel\AppData\Roaming\Mozilla\Firefox\Profiles\huzzjh9m.default\searchplugins\dcd88c8o.xml [2017-02-04]
    CHR DefaultProfile: ChromeDefaultData
    CHR Profile: C:\Users\Kornel\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-02-08] <==== ATTENTION
    C:\Users\Kornel\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    CHR Profile: C:\Users\Kornel\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2 [2017-02-05] <==== ATTENTION
    C:\Users\Kornel\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2
    CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
    R2 GubedZL; C:\Program Files (x86)\Gubed\GubedZL.dll [118272 2017-02-05] () [File not signed]
    R2 UCBrowserSvc; C:\Program Files (x86)\UCBrowser\Application\UCService.exe [930704 2017-01-16] ()
    S2 ed2kidle; "C:\Program Files (x86)\amuleCe\ed2k.exe" -downloadwhenidle [X]
    S2 HextechRepairToolPCCleanPlus; rundll32.exe "C:\Program Files (x86)\PC Clean Plus\HextechRepairToolPCCleanPlus.dll",soeasy [X]
    S2 Ralerly; C:\Program Files (x86)\Shurerphraterward\TerqutCmm.dll [X]
    S2 WinSAPSvc; C:\ProgramData\WinSAPSvc\WinSAP.dll [X]
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [23652 ] (UC Web Inc.) <==== ATTENTION
    S3 BCM43XX; system32\DRIVERS\bcmwl664.sys [X]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 cpuz138; \??\C:\Users\Kornel\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
    2017-02-06 19:38 - 2017-02-08 08:11 - 00000000 ____D C:\Program Files (x86)\WinSnare(4.0.9)
    2017-02-05 16:19 - 2017-02-07 20:05 - 00000000 ____D C:\ProgramData\WinSAPSvc
    2017-02-05 16:19 - 2017-02-06 18:58 - 00000000 ____D C:\Program Files (x86)\MIO
    2017-02-05 16:19 - 2017-02-05 16:19 - 00003584 _____ C:\Windows\System32\Tasks\Milimili
    2017-02-05 16:19 - 2017-02-05 16:19 - 00000000 ____D C:\Program Files (x86)\Gubed
    2017-02-05 14:34 - 2017-02-08 08:59 - 00002580 _____ C:\Windows\System32\Tasks\UCBrowserUpdaterCore
    2017-02-05 14:34 - 2017-02-08 08:59 - 00000294 _____ C:\Windows\Tasks\UCBrowserUpdaterCore.job
    2017-02-05 14:34 - 2017-02-08 08:57 - 00003476 _____ C:\Windows\System32\Tasks\UCBrowserSecureUpdater
    2017-02-05 14:14 - 2017-02-05 14:14 - 04015056 _____ C:\Users\Kornel\Downloads\adwcleaner_6.043 (1).exe
    2017-02-05 12:08 - 2017-02-08 08:08 - 00000000 ____D C:\Program Files (x86)\dcd88c8o
    2017-02-04 12:55 - 2017-02-04 12:55 - 00020554 _____ C:\ComboFix.txt
    2017-02-04 12:17 - 2017-02-08 08:34 - 00000458 _____ C:\Windows\Tasks\UCBrowserUpdater.job
    2017-02-04 12:17 - 2017-02-04 12:17 - 00003434 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
    2017-02-04 12:16 - 2017-02-04 13:28 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2017-02-04 12:16 - 2017-02-04 12:16 - 00000000 ____D C:\Users\Kornel\AppData\Local\UCBrowser
    2017-02-04 12:14 - 2017-02-08 08:09 - 00000000 ____D C:\Program Files (x86)\Droyshocish
    2017-02-04 12:14 - 2017-02-04 12:16 - 00000000 ____D C:\Users\Kornel\AppData\Local\Kiseatiweght
    2017-02-04 12:14 - 2017-02-04 12:14 - 00000841 _____ C:\Users\Kornel\AppData\Roaming\Microsoft\Windows\Start Menu\żěŃą.lnk
    2017-02-04 12:13 - 2017-02-05 14:26 - 00000000 ____D C:\Program Files\żěŃą
    2017-02-04 12:11 - 2017-02-04 12:15 - 00000000 ____D C:\Users\Kornel\AppData\Roaming\UCChannel
    2017-02-04 12:10 - 2017-02-04 12:10 - 00003706 _____ C:\Windows\System32\Tasks\Zazshzerfertain
    2017-02-04 12:10 - 2017-02-04 12:10 - 00000000 ____D C:\ProgramData\Avg
    2017-02-04 12:10 - 2017-02-04 12:10 - 00000000 ____D C:\Program Files (x86)\baidu
    2017-02-04 12:08 - 2017-02-05 14:32 - 00000000 ____D C:\Program Files (x86)\Shurerphraterward
    2017-02-04 12:08 - 2017-02-04 12:23 - 00000000 ____D C:\Users\Kornel\AppData\Roaming\Vonepy
    2017-02-04 12:08 - 2017-02-04 12:10 - 00000000 ____D C:\Users\Kornel\AppData\Local\Arojot
    2017-02-04 12:08 - 2017-02-04 12:08 - 00006058 _____ C:\Windows\System32\Tasks\Qoerchvilily Log
    2017-02-04 12:05 - 2017-02-04 12:05 - 00000000 ____H C:\Windows\system32\BIT99F3.tmp
    2017-01-24 20:06 - 2017-02-05 14:28 - 00000000 ____D C:\AdwCleaner
    2017-01-13 15:45 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
    2017-01-13 15:45 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
    2017-01-13 15:45 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2017-01-13 15:45 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2017-01-13 15:45 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2017-01-13 15:45 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
    2017-01-13 15:45 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
    2017-01-13 15:45 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
    2017-01-13 15:44 - 2017-02-04 12:56 - 00000000 ____D C:\Qoobox
    2017-01-13 15:36 - 2017-01-13 15:37 - 05659349 ____R (Swearware) C:\Users\Kornel\Downloads\ComboFix.exe
    EmptyTemp:

    In FRST click Fix.

    After it has run, post new FRST logs from a fresh scan.

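The reply above builds the fixlist by hand from the FRST log: every line FRST marked ATTENTION, the shortcuts whose arguments carry a URL or a forced Chrome extension, scheduled tasks and services that point at missing files, unsigned binaries or a download URL, the alternate data streams under system32\drivers, the WMI event consumer, the Firefox user.js override, and finally the directories and task files those components created. As an added example (this is not code from the thread, from Kolobos, or from FRST), here is a Python script that applies those same selection rules to an FRST log and emits a fixlist. The sample log is constructed in FRST's format with names modelled on the thread, the example.invalid host and the vendor allowlist are assumptions, and the reasons it prints are this script's labels, not FRST output.

```python
"""Triage an FRST log into a fixlist (added example, not from the thread or FRST).

Selection rules: FRST ATTENTION markers, hijacked shortcuts, tasks and services with a URL,
a missing file or an unsigned binary, alternate data streams, WMI event consumers, Firefox
user.js, and then the file-listing lines under directories the flagged components use.
"""
import re

ATTENTION_RE = re.compile(r"<=+ ATTENTION")
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://", re.IGNORECASE)   # FRST defangs http as hxxp
PUBLISHER_RE = re.compile(r"\([^()]+\)\s*$")                  # trailing "(Vendor Name)"
SERVICE_RE = re.compile(r"^[RSU]\d+ [^;]+; (.+)$")            # "R2 name; target [size date] (vendor)"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Z]+ (.+)$")
# First directory component under the usual drop locations, e.g. "Shurerphraterward".
DIR_RE = re.compile(r'(?:Program Files(?: \(x86\))?|ProgramData|AppData\\(?:Local|Roaming))\\([^\\"]+?)(?=[\\"])')
# Assumption: directories of these vendors are never swept into the fixlist by name alone.
VENDOR_DIRS = {"Google", "Microsoft", "Mozilla", "Internet Explorer", "Common Files"}


def classify(line):
    """Return (reason, text to mine for directory names) if the line belongs in the fixlist."""
    s = line.strip()
    if not s:
        return None
    if ATTENTION_RE.search(s):
        return "flagged by FRST", s
    if s.startswith("WMI_ActiveScriptEventConsumer"):
        return "WMI event consumer persistence", s
    if s.startswith("AlternateDataStreams:"):
        return "payload hidden in an alternate data stream", s
    if s.startswith("FF user.js: detected!"):
        return "Firefox user.js preference override", s
    if s.startswith("ShortcutWithArgument:"):
        args = s.rsplit(" -> ", 1)[-1]            # text after the last arrow = shortcut arguments
        if URL_RE.search(args) or "--load-extension" in args:
            return "shortcut hijacked with a URL / forced extension", args
        return None
    if s.startswith("Task:"):
        target = s.split(" => ", 1)[1] if " => " in s else ""
        if URL_RE.search(target):
            return "scheduled task pulls from a URL", target
        if not PUBLISHER_RE.search(target):
            return "scheduled task target without publisher info", target
        return None
    m = SERVICE_RE.match(s)
    if m:
        target = m.group(1)
        if target.endswith("[X]"):
            return "orphaned service/driver (file missing)", target
        if "[File not signed]" in target:
            return "service/driver running an unsigned binary", target
    return None


def triage(log_text):
    """Pass 1 flags entries; pass 2 adds file-listing lines under the directories they use."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    flagged, bad_dirs = {}, set()
    for i, line in enumerate(lines):
        hit = classify(line)
        if hit:
            flagged[i] = hit[0]
            bad_dirs.update(d for d in DIR_RE.findall(hit[1]) if d not in VENDOR_DIRS)
    for i, line in enumerate(lines):
        m = FILE_RE.match(line)
        if i in flagged or not m:
            continue
        for d in sorted(bad_dirs):
            if f"\\{d}\\" in m.group(1) or m.group(1).endswith(f"\\{d}"):
                flagged[i] = f"created by flagged component ({d})"
                break
    return [(flagged[i], lines[i]) for i in sorted(flagged)]


def build_fixlist(log_text):
    """Fixlist lines are the log lines verbatim; only the selection is automated."""
    return ["CloseProcesses:"] + [line for _, line in triage(log_text)] + ["EmptyTemp:"]


# Constructed sample in FRST's format; names modelled on the thread, paths are placeholders.
SAMPLE_LOG = r"""
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-12-01] (Google Inc.)
Task: {66666666-7777-8888-9999-000000000000} - System32\Tasks\Zazshzerfertain => /i hxxp://example.invalid/msi/rel.msi /q
Task: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\User\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\User\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://example.invalid/
ShortcutWithArgument: C:\Users\User\Desktop\Notepad++.lnk -> C:\Program Files\Notepad++\notepad++.exe (Notepad++ Team) -> -multiInst
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [23652]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
R2 GubedZL; C:\Program Files (x86)\Gubed\GubedZL.dll [118272 2017-02-05] () [File not signed]
R2 wuauserv; C:\Windows\system32\svchost.exe -k netsvcs [27136 2009-07-14] (Microsoft Corporation)
S2 Ralerly; C:\Program Files (x86)\Shurerphraterward\TerqutCmm.dll [X]
2017-02-05 16:19 - 2017-02-06 18:58 - 00000000 ____D C:\Program Files (x86)\MIO
2017-02-04 12:08 - 2017-02-05 14:32 - 00000000 ____D C:\Program Files (x86)\Shurerphraterward
2017-02-04 12:05 - 2017-02-04 12:05 - 00000000 ____D C:\Program Files (x86)\Google
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:50s} {line}")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Run it over FRST.txt and Addition.txt and review the output before pasting it into Fixlist.txt: FRST expects the log lines verbatim, which is why the script never rewrites them, and a `[X]` entry can also be the leftover of a legitimately uninstalled driver, so the reviewer still decides. The directory expansion in the second pass is what turns a single flagged service into the removal of its whole install folder, the same step the reply takes when it lists `C:\Program Files (x86)\Shurerphraterward` after the `Ralerly` service that lives there.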
  • Helpful post
    #4 08 Feb 2017 10:33
    Kolobos
    Computer specialist

    Do you sync your Chrome settings with your Google account? If so, delete the sync data from the account:
    https://support.google.com/chrome/answer/6386691?hl=pl

    Run Fixlist.txt:
    CHR DefaultProfile: ChromeDefaultData
    CHR Profile: C:\Users\Kornel\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-02-08] <==== ATTENTION
    C:\Users\Kornel\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [X]

    After it has run, delete the C:\FRST folder.

    In Chrome settings remove the user ChromeDefaultData.

    That's all.

  • #5 08 Feb 2017 10:45
    Tunder2
    Level 2

    Thank you very much for the help, the topic can be closed.
