Elektroda.pl

virus - internet slowed down, pop-up ads in Google Chrome

xlesiuad 02 Mar 2017 16:42 333 3
  • #1 02 Mar 2017 16:42
    xlesiuad
    Level 4

    Hi, I have a problem. Today I lent my computer to my younger cousin and he downloaded some programs that installed viruses in Google Chrome, some Chinese browsers, and slowed the internet down terribly. It all happened today, so maybe that helps; I'm attaching the FRST logs. Thanks in advance for the help :)

  • #2 02 Mar 2017 18:07
    Kolobos
    Computer specialist

    I can see that the infection occurred after downloading:
    2017-03-02 16:09 - 2017-03-02 18:09 - 01254392 _____ C:\Users\Hirek\Desktop\Nissan_Xanavi_X6.exe
    2017-03-02 15:50 - 2017-03-02 15:50 - 3176634608 _____ C:\Users\Hirek\Downloads\x6 2011.rar
    2017-03-02 15:39 - 2017-03-02 15:40 - 00000000 ____D C:\Users\Hirek\Desktop\Nissan_Xanavi_Dvd_X6_0_Sat_Nav_password_12345

    Has the file responsible for the infection been deleted?

    Run the Fixlist below in Safe Mode.

    Next to frst.exe, create a file Fixlist.txt with the following contents:
    CloseProcesses:
    Task: {3A6433AE-2CD2-4A5B-8453-95DF0C73C8B6} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-03-02] (UC Web Inc.) <==== ATTENTION
    Task: {462378FF-9F99-4FD2-95A8-385F3FA93597} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2017-03-01] (UCWeb Inc) <==== ATTENTION
    Task: {4A83AE25-3FD3-4505-974F-27384E136C4C} - System32\Tasks\Microsoft\Windows\Media Center\VCore => C:\\ProgramData\\vCore\\VCore.exe [2017-03-02] () <==== ATTENTION
    Task: {4AC33DE5-2FBC-44B5-B72E-336097142382} - System32\Tasks\Microsoft\Windows\Multimedia\Manager => C:\Users\Hirek\AppData\Roaming\Adobe\Manager.exe [2017-03-02] ()
    Task: {56B19F80-A690-448A-B748-BB2094170291} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2017-03-01] (UCWeb Inc) <==== ATTENTION
    Task: {7A183CF3-2E25-40CD-BE69-4D24BC67E988} - System32\Tasks\Format Factory => C:\Users\Hirek\AppData\Local\Temp\is-SB2MI.tmp\prsetup.exe [2016-02-08] (Free Time ) <==== ATTENTION
    Task: {F96D9973-2C13-4CB6-A8E4-FB2815EAABAB} - System32\Tasks\Driver Booster SkipUAC (Hirek) => C:\Program Files (x86)\IObit\Driver Booster\4.2.0\DriverBooster.exe
    Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
    Task: C:\Windows\Tasks\UCBrowserUpdaterCore.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
    Shortcut: C:\Users\Hirek\Desktop\Мinecrаft.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.rehcnual tfarcenim.bat ()
    Shortcut: C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Exрlоrer.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Minecraft\Мinecrаft.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.rehcnual tfarcenim.bat ()
    Shortcut: C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Intеrnet Ехрlоrеr Вrowser.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооgle Chrоme (2).lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооgle Chrоme.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\Users\Public\Desktop\DАЕМON Tools Litе.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.rehcnualtd.bat ()
    Shortcut: C:\Users\Public\Desktop\Gоoglе Chrоme.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.emorhc.bat ()
    ShortcutWithArgument: C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Hirek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Hirek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Hirek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    2017-03-02 16:11 - 2017-03-02 16:11 - 00177152 _____ () C:\Windows\svchost.exe
    2017-03-02 16:13 - 2017-03-02 16:13 - 01620992 _____ () C:\ProgramData\service.exe
    2017-03-02 16:14 - 2017-03-02 16:14 - 02072064 _____ () C:\Users\Hirek\AppData\Local\Temp\00002229\msiql.exe
    2017-03-02 16:19 - 2017-03-01 06:44 - 00599440 _____ () C:\Program Files (x86)\UCBrowser\Application\UCService.exe
    2017-03-02 16:19 - 2017-03-01 06:44 - 02150288 _____ () C:\Program Files (x86)\UCBrowser\Application\6.1.2107.201\UCAgent.exe
    AlternateDataStreams: C:\Windows\system32\Drivers:ucdrv-x64.sys [25444]
    AlternateDataStreams: C:\Windows\system32\Drivers:x64 [1496610]
    AlternateDataStreams: C:\Windows\system32\Drivers:x86 [1221154]
    Hosts:
    (CU) C:\Program Files\HG4OBEO5K2\HG4OBEO5K.exe
    () C:\Windows\svchost.exe
    (Microsoft Corporation) C:\Windows\csrss.exe
    () C:\ProgramData\service.exe
    () C:\Users\Hirek\AppData\Local\Temp\00002229\msiql.exe
    () C:\Program Files (x86)\UCBrowser\Application\UCService.exe
    () C:\Program Files (x86)\UCBrowser\Application\6.1.2107.201\UCAgent.exe
    HKLM\...\RunOnce: [OMEWPRODUCT_FHXXY] => "C:\Program Files (x86)\PubHotspot\9CMH6DFBYD1LC5M.exe" <===== ATTENTION
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\...\Run: [NLG34O6L3F] => C:\Program Files\HG4OBEO5K2\HG4OBEO5K.exe [888320 2017-03-02] (CU)
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\...\Run: [msiql] => C:\Users\Hirek\AppData\Local\Temp\00002229\msiql.exe [2072064 2017-03-02] () <===== ATTENTION
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\...\MountPoints2: {7a04d0b6-f2b1-11e5-be8c-001bfce0806d} - "K:\m.exe"
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\...\MountPoints2: {7a04d0b9-f2b1-11e5-be8c-001bfce0806d} - "L:\m.exe"
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\...\MountPoints2: {b958a073-5553-11e5-be6c-001bfce0806d} - "K:\HTC_Sync_Manager_PC.exe"
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\...\MountPoints2: {bdffb509-a0f0-11e5-be7b-001bfce0806d} - "I:\Setup.exe"
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.globasearch.com/?serie=211&b=3&installkey=xveyrw3oQngJtiRFD9wa
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ic.loadblanks.ru/c/02037a282dd7fbaf?
    HKU\S-1-5-21-3105793933-121228893-1968712745-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    URLSearchHook: [S-1-5-21-3105793933-121228893-1968712745-1005] ATTENTION => No default URLSearchHook
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.globasearch.com/?serie=211&installkey=xveyrw3oQngJtiRFD9wa&b=3&q={searchTerms}
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.globasearch.com/?serie=211&installkey=xveyrw3oQngJtiRFD9wa&b=3&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3105793933-121228893-1968712745-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.globasearch.com/?serie=211&installkey=xveyrw3oQngJtiRFD9wa&b=3&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3105793933-121228893-1968712745-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.globasearch.com/?serie=211&installkey=xveyrw3oQngJtiRFD9wa&b=3&q={searchTerms}
    R2 GoogleChromeUpService; C:\ProgramData\service.exe [1620992 2017-03-02] () [No digital signature] <==== ATTENTION
    R2 UCBrowserSvc; C:\Program Files (x86)\UCBrowser\Application\UCService.exe [599440 2017-03-01] ()
    R2 Windows; C:\Windows\svchost.exe [177152 2017-03-02] () [No digital signature]
    U1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== ATTENTION
    R1 {ffb49e20-6f50-4018-94a9-6dfb5877f841}Gw64; C:\Windows\System32\drivers\{ffb49e20-6f50-4018-94a9-6dfb5877f841}Gw64.sys [48784 2016-03-13] (StdLib)
    S3 vserial; System32\DRIVERS\vserial.sys [X]
    2017-03-02 16:20 - 2017-03-02 16:20 - 00001540 _____ C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk
    2017-03-02 16:20 - 2017-03-02 16:20 - 00000000 ____D C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器
    2017-03-02 16:19 - 2017-03-02 16:19 - 00003476 _____ C:\Windows\System32\Tasks\UCBrowserSecureUpdater
    2017-03-02 16:19 - 2017-03-02 16:19 - 00003412 _____ C:\Windows\System32\Tasks\UCBrowserUpdater
    2017-03-02 16:19 - 2017-03-02 16:19 - 00002554 _____ C:\Windows\System32\Tasks\UCBrowserUpdaterCore
    2017-03-02 16:19 - 2017-03-02 16:19 - 00000462 _____ C:\Windows\Tasks\UCBrowserUpdater.job
    2017-03-02 16:19 - 2017-03-02 16:19 - 00000298 _____ C:\Windows\Tasks\UCBrowserUpdaterCore.job
    2017-03-02 16:19 - 2017-03-02 16:19 - 00000000 ____D C:\Users\Hirek\AppData\Local\UCBrowser
    2017-03-02 16:19 - 2017-03-02 16:19 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2017-03-02 16:17 - 2017-03-02 16:21 - 00000000 ____D C:\Program Files (x86)\Maoha
    2017-03-02 16:16 - 2017-03-02 16:18 - 00000000 ____D C:\Users\Hirek\AppData\Roaming\UCChannel
    2017-03-02 16:13 - 2017-03-02 16:13 - 01620992 _____ C:\ProgramData\service.exe
    2017-03-02 16:13 - 2017-03-02 16:13 - 00027552 _____ (REALiX(tm)) C:\Windows\SysWOW64\Drivers\HWiNFO64A.SYS
    2017-03-02 16:13 - 2017-03-02 16:13 - 00002874 _____ C:\Windows\System32\Tasks\Driver Booster SkipUAC (Hirek)
    2017-03-02 16:13 - 2017-03-02 16:13 - 00000000 ____D C:\Windows\IObit
    2017-03-02 16:13 - 2017-03-02 16:13 - 00000000 ____D C:\Users\Hirek\AppData\LocalLow\IObit
    2017-03-02 16:13 - 2017-03-02 16:13 - 00000000 ____D C:\Users\Hirek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
    2017-03-02 16:13 - 2017-03-02 16:13 - 00000000 ____D C:\ProgramData\ProductData
    2017-03-02 16:13 - 2017-03-02 16:13 - 00000000 ____D C:\ProgramData\IObit
    2017-03-02 16:12 - 2017-03-02 16:12 - 00000000 ____D C:\Users\Hirek\AppData\Roaming\IObit
    2017-03-02 16:11 - 2017-03-02 16:11 - 02531840 _____ (Microsoft Corporation) C:\Windows\csrss.exe
    2017-03-02 16:11 - 2017-03-02 16:11 - 00177152 _____ C:\Windows\svchost.exe
    2017-03-02 16:10 - 2017-03-02 16:11 - 00000000 ____D C:\Program Files\HG4OBEO5K2
    2017-03-02 16:10 - 2017-03-02 16:10 - 00073216 _____ C:\Windows\taskmgr.exe
    2017-03-02 16:10 - 2017-03-02 16:10 - 00000000 ___HD C:\Users\Hirek\AppData\Roaming\com
    2017-03-02 16:10 - 2017-03-02 16:10 - 00000000 ____D C:\Users\Hirek\AppData\Roaming\SPI
    2017-03-02 16:10 - 2017-03-02 16:10 - 00000000 ____D C:\Users\Hirek\AppData\Roaming\Browsers
    2017-03-02 16:10 - 2017-03-02 16:10 - 00000000 ____D C:\ProgramData\vCore
    2015-04-19 13:20 - 2015-04-19 13:20 - 0005872 _____ () C:\Users\Hirek\AppData\Roaming\BAIKYQ8BcHo7sa8jRC579C1
    2016-03-13 17:34 - 2016-03-13 17:34 - 0011568 _____ () C:\Users\Hirek\AppData\Roaming\InstallationConfiguration.xml
    2016-03-13 17:34 - 2016-03-13 17:34 - 0127488 _____ () C:\Users\Hirek\AppData\Roaming\Installer.dat
    2016-03-26 17:41 - 2003-04-09 04:28 - 0233472 ____R () C:\Users\Hirek\AppData\Roaming\MafiaSetup.exe
    2015-04-19 13:20 - 2015-04-19 13:20 - 0005872 _____ () C:\Users\Hirek\AppData\Roaming\wAXnjGRaWAZEWe8Jr7UmWCtDq6c
    2015-08-19 11:39 - 2015-08-19 11:39 - 0613255 _____ (CMI Limited) C:\Users\Hirek\AppData\Local\nsa1354.tmp
    2017-03-02 16:13 - 2017-03-02 16:13 - 1620992 _____ () C:\ProgramData\service.exe
    C:\Windows\svchost.exe
    ATTENTION ====> Check for partition/boot infection.
    C:\Users\Hirek\AppData\Local\Temp\00002229\msiql.exe
    C:\ProgramData\service.exe
    EmptyTemp:

    In FRST choose Fix.

    Run AdwCleaner, Scan and then Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    After doing all of this, post new FRST logs from the scan.

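The Shortcut and ShortcutWithArgument lines in the fixlist above show three tricks at once: the visible shortcut names mix Latin letters with look-alike letters from another script (Мinecrаft, Gооgle Сhrоmе) so they sort and display like the real ones; the targets are .bat files under AppData\Roaming\Browsers whose names are the real binary name written backwards plus .bat (exe.emorhc.bat is chrome.exe reversed); and the otherwise genuine Chrome shortcuts get a --load-extension argument that sideloads an unpacked extension and a start URL. The following Python script is an added example, not code from this thread or from FRST: it parses FRST lines in the format shown above and flags each trick. The three sample lines are copied from the fixlist (hxxp is FRST's defanged http); the Notepad++ control line is constructed. The mixed-script heuristic is an assumption: it will also flag legitimately localized names such as the UC浏览器 shortcut on this machine, so treat it as a cue for review, not a verdict.

```python
"""Triage FRST 'Shortcut:' / 'ShortcutWithArgument:' lines for shortcut hijacking."""
import re
import unicodedata
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Set

# Sample input: three lines copied from the FRST fixlist in post #2 (hxxp is
# FRST's defanged http) plus one constructed benign control line (Notepad++).
SAMPLE_LINES = r"""
Shortcut: C:\Users\Hirek\Desktop\Мinecrаft.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.rehcnual tfarcenim.bat ()
Shortcut: C:\Users\Public\Desktop\Gоoglе Chrоme.lnk -> C:\Users\Hirek\AppData\Roaming\Browsers\exe.emorhc.bat ()
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Hirek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
Shortcut: C:\Users\Public\Desktop\Notepad++.lnk -> C:\Program Files\Notepad++\notepad++.exe (Notepad++ Team)
"""

# FRST layout: "<kind>: <lnk> -> <target> (<publisher>) [-> <arguments>]"
LINE_RE = re.compile(
    r"^(?:Shortcut|ShortcutWithArgument): (?P<lnk>.+?\.lnk) -> (?P<target>.+?)"
    r"(?: \((?P<publisher>[^()]*)\))?(?: -> (?P<args>.+))?$"
)
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Directories a standard user can write to; a browser shortcut should not point here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    lnk: str
    reason: str


def scripts_in(name: str) -> Set[str]:
    """Unicode script of every letter, taken from the first word of its name
    (LATIN, CYRILLIC, GREEK, CJK ...). More than one script in a short name
    is the homoglyph cue (assumption: a heuristic, not a verdict)."""
    return {unicodedata.name(c, "?").split()[0] for c in name if c.isalpha()}


def reversed_decoy(target: str) -> Optional[str]:
    """'exe.emorhc.bat' -> 'chrome.exe': the stem is the real name reversed."""
    p = PureWindowsPath(target)
    if p.suffix.lower() not in SCRIPT_EXT:
        return None
    real = p.stem[::-1]
    return real if re.fullmatch(r"[\w .-]+\.(exe|com|scr)", real, re.I) else None


def triage_line(line: str) -> List[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    lnk, target, args = m["lnk"], m["target"], m["args"] or ""
    out: List[Finding] = []
    scr = scripts_in(PureWindowsPath(lnk).stem)
    if len(scr) > 1:                                   # e.g. CYRILLIC + LATIN
        out.append(Finding(lnk, f"mixed-script name {sorted(scr)}"))
    low = target.lower()
    if PureWindowsPath(target).suffix.lower() in SCRIPT_EXT and any(
        d in low for d in USER_WRITABLE
    ):
        decoy = reversed_decoy(target)
        out.append(Finding(lnk, "script target in user-writable path"
                           + (f", reversed name of {decoy}" if decoy else "")))
    if "--load-extension" in args:                     # unpacked extension sideload
        out.append(Finding(lnk, "sideloads unpacked Chrome extension"))
    if re.search(r"\bh(?:xx|tt)ps?://", args):         # forced start page
        out.append(Finding(lnk, "forces a start URL"))
    return out


def triage(text: str) -> List[Finding]:
    return [f for line in text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.lnk}\n    {f.reason}")
```

Run against the sample, the two homoglyph shortcuts each produce two findings (mixed script, and a .bat under AppData whose reversed stem names the real program), the genuine Chrome shortcut produces two (extension sideload, forced URL), and the Notepad++ control line produces none. The same parser can be pointed at a whole FRST Addition.txt; the `exe.…bat` decode is what tells you which real program each decoy was standing in for when you rebuild the shortcuts.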
  • #3 02 Mar 2017 22:37
    xlesiuad
    Level 4

    Kolobos wrote:
    Has the FILE responsible for the infection been deleted?

    Yes, it was deleted, everything done, logs attached. MB found 3 infections and Dr.Web 0, but something is still wrong because the internet is slow. When I open any page, 5 blank tabs open in Google Chrome and ads pop up from sites like http://nova.rambler.ru http://www.reimageplus.com

  • #4 02 Mar 2017 22:51
    Kolobos
    Computer specialist

    Back up your Chrome bookmarks, uninstall Chrome, delete the profile directory at:
    C:\Users\Hirek\AppData\Local\Google\Chrome\User Data\Default
    Reinstall Chrome.

    If you sync settings with your Google account, delete the Chrome sync data from the account.

    New Fixlist.txt for FRST:
    Task: {94D07F1A-F9CA-466E-912C-0A0415AB934A} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => C:\Windows Activation Technologies\wat.exe [2006-04-21] ()
    C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Exрlоrer.lnk
    C:\Users\Hirek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Minecraft\Мinecrаft.lnk
    C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk
    C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Intеrnet Ехрlоrеr Вrowser.lnk
    C:\Users\Hirek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооgle Chrоme.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
    URLSearchHook: [S-1-5-21-3105793933-121228893-1968712745-1005] ATTENTION => No default URLSearchHook
    S1 HWiNFO32; \??\C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [X]
    2017-03-02 21:10 - 2017-03-02 21:10 - 00000000 ____D C:\Users\Hirek\AppData\Local\UCBrowser
    2017-03-02 21:15 - 2016-12-08 18:16 - 00000000 ____D C:\AdwCleaner
