Elektroda.pl

Laptop is mass-sending mail

music 07 Mar 2017 20:57 483 10
  • #1 07 Mar 2017 20:57
    music
    Level 27

    Hello

    I am asking the experienced colleagues for support. The laptop is mass-sending mail all over the world. I know this from the dozens of returning "Mail delivery failed" messages. I scanned the system with MBAM and CureIt. They found nothing. FRST shuts down right after clicking "Scan", leaving behind two residual files, which I attach. The file users00 has no extension, so I added "txt" so it could be attached on the forum. Please help.

    0 10
  • Helpful post
    #2 07 Mar 2017 21:07
    Kolobos
    Computer specialist

    Run FRST in Safe Mode.

    0
  • Helpful post
    #6 08 Mar 2017 13:20
    Kolobos
    Computer specialist

    No infection is visible here.

    Uninstall ZoneAlarm and check whether FRST starts in normal mode.

    Run Fixlist.txt for FRST:
    HKLM\...\Run: [] => [X]
    2017-03-08 11:00 - 2017-03-08 12:13 - 00002432 _____ C:\Users\Patrycja\AppData\Local\Temp*.html
    EmptyTemp:

    Post the log from TDSSKiller.

    You can also receive mail bounces when a bot uses your address as the sender; that does not have to mean the computer is infected.

    0
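The distinction Kolobos draws above (bounces caused by a bot spoofing your address as sender, versus mail that really left your machine) can be checked from the bounce itself. The example below is an added illustration and is not code from the thread: it parses a delivery status notification (DSN), pulls out the returned original message, and looks at the earliest Received header, which records where the message first entered the mail system. The two bounce messages, the IP addresses, host names and mailbox names are all constructed, and OUR_SOURCE_IPS / OUR_SUBMISSION_HOSTS are hypothetical values standing in for the home WAN address and the ISP's submission server.

```python
"""Classify a bounce (DSN): did the returned message originate from our host,
or is it backscatter from a bot that forged our address as the sender?
Added example; the bounces, addresses and hosts below are constructed."""
import email
import re
from email import policy

# Assumption (hypothetical): addresses a genuine message from this laptop would
# pass through: the home WAN IP and the provider's mail submission server.
OUR_SOURCE_IPS = {"203.0.113.45"}
OUR_SUBMISSION_HOSTS = {"smtp.example-isp.net"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)")

# Constructed bounce: the original was injected at a random IP, not via our ISP.
BACKSCATTER_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: patrycja@example.com
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This message was created automatically by mail delivery software.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

Received: from unknown (HELO laptop) ([198.51.100.77])
 by mx.example.org with SMTP; Tue, 7 Mar 2017 19:02:10 +0000
From: patrycja@example.com
To: nobody@example.org
Subject: cheap meds

buy now
--b1--
"""

# Constructed bounce: the original really went out through our ISP from our IP.
LEGIT_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: patrycja@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

The recipient address was rejected.
--b2
Content-Type: message/rfc822

Received: from smtp.example-isp.net (smtp.example-isp.net [192.0.2.25])
 by mx.example.org with ESMTP; Tue, 7 Mar 2017 18:40:02 +0000
Received: from [203.0.113.45] (dyn-203-0-113-45.example-isp.net [203.0.113.45])
 by smtp.example-isp.net (Postfix) with ESMTPSA; Tue, 7 Mar 2017 18:40:01 +0000
From: patrycja@example.com
To: typo@example.org
Subject: invoice

see attachment
--b2--
"""


def extract_original(bounce):
    """Return the original message embedded in a DSN, or None if absent."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)  # nested message object
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def first_hop(orig):
    """(source_ip, receiving_host) from the earliest Received header.
    Received headers are prepended by each MTA, so the last one is the
    first hop. Note: the sender can forge headers below the bouncing
    MTA's own, so this is evidence, not proof."""
    received = [str(h) for h in orig.get_all("Received", [])]
    if not received:
        return None, None
    earliest = received[-1]
    ip = IPV4_IN_BRACKETS.search(earliest)
    by = BY_HOST.search(earliest)
    return (ip.group(1) if ip else None), (by.group(1) if by else None)


def classify_bounce(raw):
    """Return a verdict dict: backscatter, sent-from-our-host or inconclusive."""
    bounce = email.message_from_string(raw, policy=policy.default)
    orig = extract_original(bounce)
    if orig is None:
        return {"verdict": "inconclusive", "reason": "DSN carries no original message"}
    ip, by_host = first_hop(orig)
    ours = ip in OUR_SOURCE_IPS or by_host in OUR_SUBMISSION_HOSTS
    return {"verdict": "sent-from-our-host" if ours else "backscatter",
            "first_hop_ip": ip, "first_hop_by": by_host}


if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER_BOUNCE), ("legit", LEGIT_BOUNCE)):
        print(name, classify_bounce(raw))
```

If every bounce in the mailbox classifies as backscatter, the address is being spoofed and no amount of local scanning will stop the returns; if some classify as sent-from-our-host, compare the timestamps with the ISP's sent-mail log or the submission server's logs, because a bot on the laptop would have to use the same path.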
  • #8 08 Mar 2017 15:10
    Kolobos
    Computer specialist

    The driver you removed in TDSSKiller is the dt virtual drive driver.

    Uninstall:
    Java(TM) 6 Update 13
    Java(TM) 6 Update 20
    McAfee WebAdvisor

    Install http://ninite.com/java/

    Next to frst.exe create a file Fixlist.txt with the content:
    Task: {320775A5-1E01-4C38-BC6B-792CE08A5A5C} - System32\Tasks\JavaUpdatePatrycja => C:\Windows\System32\jusched.exe
    Task: {6FE22CF0-E4B0-46D3-9113-049D64FE9858} - System32\Tasks\{F464BA53-FAC6-4654-9609-952870EBD076} => pcalua.exe -a D:\ProDentis500.exe -d C:\Windows\system32 -c /embed"{84C5FCB5-577A-4A15-940E-B26F7947BBCF}" /hide_splash /hide_progress /runprerequisites"NewFeature1,AlwaysInstall" /l1045
    Task: {87A51FA9-D9BF-4DF3-86EE-E5FF6396D1A7} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)
    (McAfee, Inc.) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    HKLM\...\Run: [ISW] => [X]
    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: F - F:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: G - G:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: H - H:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {0a17e25f-ad5d-11e0-b6a3-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {1e60dd1f-ad67-11e0-bb02-0024d66d80c3} - H:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {2076d328-5fa8-11e1-a5ec-0024d66d80c3} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {2076d337-5fa8-11e1-a5ec-0024d66d80c3} - F:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {29f0b960-c918-11e2-bd48-c44619e4a438} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {376ad0a2-e1c8-11df-9f3a-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {376ad0df-e1c8-11df-9f3a-c44619e4a438} - M:\LaunchU3.exe -a
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {3d7d47fc-5035-11e3-982d-c44619e4a438} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {4061d9ee-e87d-11e4-bd79-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {4061d9fe-e87d-11e4-bd79-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {43d266a7-3d14-11e1-9da4-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {4d2edee3-65ba-11e4-8832-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {4d2edef3-65ba-11e4-8832-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {50ac8765-6b3f-11df-a261-c44619e4a438} - F:\setup.exe AUTORUN=1
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {53df2bc9-4997-11e5-aa68-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {5633e0ef-4da0-11e1-86d9-0024d66d80c3} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {6e11c907-9591-11df-8763-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {6e7e3249-c7aa-11e2-a97b-c44619e4a438} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {6e7e3259-c7aa-11e2-a97b-c44619e4a438} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {8fc4fa94-9c5f-11e0-913e-0024d66d80c3} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {9ea3dcd7-d366-11e2-98dc-c44619e4a438} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {9fd435f5-1151-11e2-b4a4-c44619e4a438} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {a93f5efb-734d-11e4-927f-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {d14d1ace-daae-11df-8fd3-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1000\...\MountPoints2: {ecc9524d-2702-11e1-98bd-0024d66d80c3} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\Run: [ALLUpdate] => "C:\Program Files\ALLPlayer\ALLUpdate.exe" "sleep"
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: E - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: F - F:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: G - G:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {00491598-632d-11df-bab7-806e6f6e6963} - D:\start.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {376ad0a2-e1c8-11df-9f3a-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {376ad0df-e1c8-11df-9f3a-c44619e4a438} - M:\LaunchU3.exe -a
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {50ac8765-6b3f-11df-a261-c44619e4a438} - F:\setup.exe AUTORUN=1
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {6e11c907-9591-11df-8763-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {8fc4fa94-9c5f-11e0-913e-0024d66d80c3} - E:\AutoRun.exe
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\...\MountPoints2: {d14d1ace-daae-11df-8fd3-b8ac6f5e3be7} - E:\AutoRun.exe
    HKU\S-1-5-18\...\Run: [ZoneAlarm Windows 10 Upgrader] => "C:\ProgramData\CheckPoint\ZoneAlarm\Data\Updates\unpacked==win10=update_win10.zip\upgrade.exe" /delay
    HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-05-14] (Microsoft Corporation)
    HKU\S-1-5-21-2176362993-2728788026-226576418-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=pl&l=pl&s=pad
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
    SearchScopes: HKU\S-1-5-21-2176362993-2728788026-226576418-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
    BHO: ZoneAlarm Security Engine Registrar -> {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll => No File
    BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
    Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
    Toolbar: HKU\S-1-5-21-2176362993-2728788026-226576418-1000 -> ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
    Toolbar: HKU\S-1-5-21-2176362993-2728788026-226576418-1004 -> ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
    FF Extension: (McAfee WebAdvisor) - C:\Program Files\McAfee\SiteAdvisor\saffplg.xpi [2016-05-24]
    FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\SiteAdvisor\saffplg.xpi
    CHR HKLM\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
    R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [160800 2017-02-22] (McAfee, Inc.)
    R3 mfesapsn; C:\Program Files\McAfee\SiteAdvisor\mfesapsn.sys [41600 2016-06-06] (McAfee, Inc.)
    C:\Users\Patrycja\AppData\Local\Temp*.html
    2017-02-28 12:15 - 2016-11-08 18:46 - 00000000 ____D C:\Program Files\McAfee
    EmptyTemp:

    In FRST choose Fix.

    There is still no infection visible in the logs, only some unnecessary files and entries.

    0
  • #10 08 Mar 2017 18:17
    Kolobos
    Computer specialist

    There is nothing in the script that could break network access. Maybe something broke after uninstalling ZA.

    Do you connect via Wi-Fi or LAN? Are there any leftovers from ZA in the connection properties?

    You can always use System Restore as well.

    0
  • #11 09 Mar 2017 20:22
    music
    Level 27

    I connect via Wi-Fi. After a long struggle I managed to restore the network connection. As you suggested, uninstalling ZA "took away" the internet. Not very ambitiously, I installed it again. Thank you for the help so far.

    0