Elektroda.pl

How to use the FRST program?

kidbuu221 19 Mar 2017 06:23 735 7
  • Helpful post
    #2 19 Mar 2017 09:39
    Kolobos
    Computer specialist

    Delete all of these shortcuts created by the infection:
    C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlorеr.lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Eхplоrer (Nо Add-оns).lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunch Intеrnet Eхplоrеr Browser.lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ореrа.lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Ваttle.nеt Launchеr.lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оpera.lnk

    And create new, correct ones.

    Run this Fixlist.txt with FRST:
    Task: {018A4A4B-D8D3-4F41-A043-F634887AD3A6} - System32\Tasks\Metoghsezertion Server => C:\Program Files (x86)\Qejisyfank\ivuty.exe [2017-03-18] (Glarysoft Ltd)
    Task: {39EA5DBC-5DCA-4E16-93EE-E413F4AA35E5} - System32\Tasks\357R846R399F607-dll => Rundll32.exe "C:\ProgramData\357R846R399F607\357R846R399F607.dll",RFKeOOuE
    Task: {65890D27-BAF8-43C3-A07B-6D88A3BBBF9F} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-03-18] ()
    Task: {85B2EEEB-6F8B-4E65-81F4-40C9243E0247} - System32\Tasks\357R846R399F607 => Rundll32.exe "C:\ProgramData\357R846R399F607\357R846R399F607.dll",RFKeOOuE <==== UWAGA
    Task: {98404553-BD4C-4EE9-8816-374F8939B583} - System32\Tasks\Opera scheduled Autoupdate 1489819159 => C:\Program Files\Opera\launcher.exe [2017-02-27] (Opera Software)
    Task: {DAE83B7B-C7B1-48C1-B1FF-72F198BD2395} - System32\Tasks\{2F86D590-36B7-4D78-8157-654AE750B013} => F:\GOG Games\Stardew Valley\Stardew Valley.exe [2016-10-03] (ConcernedApe)
    Task: {DE819479-14DA-4C48-9F46-676DD64F80DA} - System32\Tasks\Driver Booster SkipUAC (Daniel) => C:\Program Files (x86)\IObit\Driver Booster\4.3.0\DriverBooster.exe
    WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
    ShortcutWithArgument: C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    2017-03-18 07:03 - 2017-03-18 07:03 - 00307712 _____ () C:\Program Files (x86)\Metoghsezertion Server\local64spl.dll
    Hosts:
    HKLM\...\RunOnce: [DANIEL-KOMPUTER] => C:\Windows\TEMP\gD22E.tmp.exe [249344 2017-03-19] () <===== UWAGA
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [EvolveClient] => F:\Program Files\Echobit\Evolve\EvolveClient.exe -autorun
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [UP42YGALKY] => C:\Program Files\O0P2AIZNFK\O0P2AIZNF.exe [1759232 2017-03-18] (FH)
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [CAHK436YUO] => C:\Program Files\131JEFTE32\3OXU2US87.exe [1759232 2017-03-18] (FH)
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [UTO35NXY9T] => "C:\Program Files (x86)\PubHotspot\DS58J.exe"
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [XBRGAEWRZB] => C:\Program Files\6OTURYZZBB\DSHGR1VJ5.exe [1759232 2017-03-18] (FH)
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [T35KOKASXP] => C:\Program Files\C71J0Q3PTI\C71J0Q3PT.exe [1759232 2017-03-18] (FH)
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [YGACDF95WS] => C:\Program Files\LXIR3UJGPJ\S16D3YFZK.exe [1759232 2017-03-18] (FH)
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\MountPoints2: G - G:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\MountPoints2: {8410e547-fa7b-11e6-b4e3-806e6f6e6963} - X:\Run.exe
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\MountPoints2: {fc3c3296-0bb7-11e7-9494-408d5c641831} - G:\HTC_Sync_Manager_PC.exe
    HKLM\...\Providers\ias72d7s: C:\Program Files (x86)\Metoghsezertion Server\local64spl.dll [307712 2017-03-18] ()
    ShellExecuteHooks: Brak nazwy - {D42B0386-0925-11E7-92D3-64006A5CFC23} - C:\Users\Daniel\AppData\Roaming\Kaziprerwush\Zfeward.dll -> Brak pliku
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll -> Brak pliku
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...5aLeqszDWxVPweLIuBJds3tG3x1UGRmkS0Wg,,&q={searchTerms}
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%73%6E%61%70%64%6F.%63%6...9ZO6V143YzJQkvjL6JcyDssDe8yYRKds68KzTY-B8gg,,,,
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    S2 Kyubey; C:\Users\Daniel\AppData\Roaming\Kyubey\Kyubey.exe [113152 2017-03-18] () [Brak podpisu cyfrowego]
    R2 WinSAPSvc; C:\Users\Daniel\AppData\Roaming\WinSAPSvc\WinSAP.dll [218624 2017-03-18] (Windows) [Brak podpisu cyfrowego]
    R2 WinSnare; C:\Users\Daniel\AppData\Roaming\WinSnare\WinSnare.dll [776704 2017-03-17] (InterSect Alliance Pty Ltd) [Brak podpisu cyfrowego] <==== UWAGA
    S3 EvoSvc; "F:\Program Files\Echobit\Evolve\EvoSvc.exe" -service -logfile "C:\ProgramData\Echobit\Evolve\EvoSvc.log"
    S3 TunngleService; F:\Program Files (x86)\Tunngle\TnglCtrl.exe [X]
    R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-03-18] (REALiX(tm))
    S3 gdrv; \??\C:\Windows\gdrv.sys [X]
    2017-03-18 20:00 - 2017-03-18 21:33 - 00000000 ____D C:\Program Files (x86)\BikaQRss
    2017-03-18 20:00 - 2017-03-18 20:00 - 00003602 _____ C:\Windows\System32\Tasks\Milimili
    2017-03-18 20:00 - 2017-03-18 20:00 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\WinSnare
    2017-03-18 20:00 - 2017-03-18 20:00 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Kyubey
    2017-03-18 20:00 - 2017-03-18 20:00 - 00000000 ____D C:\Program Files (x86)\MIO
    2017-03-18 19:59 - 2017-03-19 05:40 - 00000000 ____D C:\Program Files (x86)\{6972EF86-80E8-4DE4-A52C-903ABD705703}
    2017-03-18 19:59 - 2017-03-18 19:59 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\WinSAPSvc
    2017-03-18 19:59 - 2017-03-18 19:59 - 00000000 ____D C:\Program Files\ias72d7s
    2017-03-18 07:39 - 2017-03-18 07:39 - 00003882 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1489819159
    2017-03-18 07:39 - 2017-03-18 07:39 - 00001093 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
    2017-03-18 07:18 - 2017-03-18 07:30 - 00000000 ____D C:\AdwCleaner
    2017-03-18 07:11 - 2017-03-18 07:11 - 00000000 ____D C:\Program Files\LXIR3UJGPJ
    2017-03-18 07:10 - 2017-03-18 07:10 - 00000000 ____D C:\Program Files\C71J0Q3PTI
    2017-03-18 07:08 - 2017-03-18 07:08 - 00000000 ____D C:\Program Files (x86)\Qejisyfank
    2017-03-18 07:05 - 2017-03-18 07:05 - 00000000 ____D C:\Program Files\6OTURYZZBB
    2017-03-18 07:04 - 2017-03-18 23:01 - 00016712 _____ C:\Windows\System32\Tasks\357R846R399F607-dll
    2017-03-18 07:04 - 2017-03-18 07:04 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Mozilla
    2017-03-18 07:03 - 2017-03-18 07:20 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Kaziprerwush
    2017-03-18 07:03 - 2017-03-18 07:09 - 00000000 ____D C:\Program Files\żěŃą
    2017-03-18 07:03 - 2017-03-18 07:03 - 01895383 _____ C:\Users\Daniel\AppData\Roaming\Ronfind.bin
    2017-03-18 07:03 - 2017-03-18 07:03 - 01894106 _____ C:\Users\Daniel\AppData\Roaming\Goldsoltom.tst
    2017-03-18 07:03 - 2017-03-18 07:03 - 00278511 _____ C:\Users\Daniel\AppData\Roaming\Oversunstring.bin
    2017-03-18 07:03 - 2017-03-18 07:03 - 00136827 _____ () C:\Users\Daniel\AppData\Roaming\Indigohotplus.bin
    2017-03-18 07:03 - 2017-03-18 07:03 - 00006026 _____ C:\Windows\System32\Tasks\Metoghsezertion Server
    2017-03-18 07:03 - 2017-03-18 07:03 - 00000000 ____D C:\Users\Daniel\AppData\Local\Prermerward
    2017-03-18 07:03 - 2017-03-18 07:03 - 00000000 ____D C:\Program Files (x86)\Metoghsezertion Server
    2017-03-18 07:03 - 2017-03-18 07:02 - 01125376 _____ C:\Users\Daniel\AppData\Roaming\Goldsoltom.exe
    2017-03-18 07:02 - 2017-03-19 06:00 - 00016712 _____ C:\Windows\System32\Tasks\357R846R399F607
    2017-03-18 07:02 - 2017-03-18 07:03 - 00000000 ____D C:\ProgramData\ProductData
    2017-03-18 07:02 - 2017-03-18 07:02 - 00027552 _____ (REALiX(tm)) C:\Windows\SysWOW64\Drivers\HWiNFO64A.SYS
    2017-03-18 07:02 - 2017-03-18 07:02 - 00002902 _____ C:\Windows\System32\Tasks\Driver Booster SkipUAC (Daniel)
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ___HD C:\ProgramData\357R846R399F607
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ____D C:\Windows\IObit
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\IObit
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\IObit
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ____D C:\ProgramData\IObit
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ____D C:\Program Files\O0P2AIZNFK
    2017-03-18 07:02 - 2017-03-18 07:02 - 00000000 ____D C:\Program Files\131JEFTE32
    2017-03-18 07:01 - 2017-03-18 07:01 - 00001449 ___RS C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlorеr.lnk
    2017-03-18 07:03 - 2017-03-18 07:02 - 1125376 _____ () C:\Users\Daniel\AppData\Roaming\Goldsoltom.exe
    2017-03-18 07:03 - 2017-03-18 07:03 - 1894106 _____ () C:\Users\Daniel\AppData\Roaming\Goldsoltom.tst
    2017-03-18 07:03 - 2017-03-18 07:03 - 0136827 _____ () C:\Users\Daniel\AppData\Roaming\Indigohotplus.bin
    2017-03-18 07:03 - 2017-03-18 07:03 - 0278511 _____ () C:\Users\Daniel\AppData\Roaming\Oversunstring.bin
    2017-03-18 07:03 - 2017-03-18 07:03 - 1895383 _____ () C:\Users\Daniel\AppData\Roaming\Ronfind.bin
    EmptyTemp:

    After running it, post new FRST logs from a scan.

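The shortcuts listed in this post are lookalikes: their file names contain Cyrillic letters that render like Latin ones, so they sit next to (or in place of) the genuine shortcut without looking different, and the FRST ShortcutWithArgument lines show the real Internet Explorer shortcut re-pointed at a URL. The following is an added example, not code from the thread or from the FRST author, that checks for both patterns over constructed sample paths and log lines modelled on the ones quoted above (the sample names spell out the Cyrillic code points explicitly so the lookalike letters are visible):

```python
import re
import unicodedata
from dataclasses import dataclass

# Shape of the line FRST prints for a .lnk that carries a command-line argument:
#   ShortcutWithArgument: <lnk path> -> <target exe> (<vendor>) -> <argument>
# The target group is greedy so a path containing "(x86)" does not end it early.
SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument: (?P<lnk>.+?) -> (?P<target>.+) \((?P<vendor>[^()]*)\) -> (?P<arg>.+)$"
)

# FRST defangs http:// to hxxp:// in its logs, so both spellings count as a URL.
URL_PREFIXES = ("http://", "https://", "hxxp://", "hxxps://", "www.")

# Browser executables whose shortcuts are the usual target of start-page hijacking.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "opera.exe", "launcher.exe", "msedge.exe"}


@dataclass
class Finding:
    lnk: str
    reason: str
    detail: str


def basename(win_path: str) -> str:
    """Last component of a Windows path."""
    return win_path.rsplit("\\", 1)[-1]


def letter_scripts(name: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, GREEK, ...) of the letters in a name.
    The script is the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}


def check_shortcut_name(lnk_path: str):
    """Flag a .lnk whose file name mixes Latin letters with another script:
    it renders like the genuine shortcut but is a different file."""
    scripts = letter_scripts(basename(lnk_path))
    if "LATIN" in scripts and len(scripts) > 1:
        others = ", ".join(sorted(scripts - {"LATIN"}))
        return Finding(lnk_path, "homoglyph-name", "Latin mixed with " + others)
    return None


def check_shortcut_line(line: str):
    """Parse one FRST ShortcutWithArgument line and flag a URL passed as argument."""
    m = SHORTCUT_RE.match(line.strip())
    if not m:
        return None
    arg = m.group("arg")
    if not arg.lower().startswith(URL_PREFIXES):
        return None
    target = basename(m.group("target")).lower()
    reason = "browser-shortcut-url" if target in BROWSERS else "shortcut-url-argument"
    return Finding(m.group("lnk"), reason, f"{target} opens {arg}")


def scan(lnk_paths, frst_lines):
    """Run both checks and return the list of findings in input order."""
    findings = [f for f in map(check_shortcut_name, lnk_paths) if f]
    findings += [f for f in map(check_shortcut_line, frst_lines) if f]
    return findings


# Constructed sample shortcut paths modelled on the thread (not real files).
SAMPLE_LNK_PATHS = [
    # "Intеrnеt Ехрlorеr.lnk" with Cyrillic е (U+0435), Е (U+0415), х (U+0445), р (U+0440)
    "C:\\Users\\Daniel\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\"
    "Int\u0435rn\u0435t \u0415\u0445\u0440lor\u0435r.lnk",
    # "Оpera.lnk" with Cyrillic О (U+041E)
    "C:\\Users\\Daniel\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\"
    "User Pinned\\TaskBar\\\u041epera.lnk",
    # genuine all-Latin shortcut for comparison
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Opera.lnk",
]

# Constructed FRST log lines: the first copies the hijacked IE shortcut from the thread,
# the second is a benign shortcut with a plain file argument.
SAMPLE_FRST_LINES = [
    "ShortcutWithArgument: C:\\Users\\Daniel\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\"
    "Programs\\Internet Explorer.lnk -> C:\\Program Files\\Internet Explorer\\iexplore.exe "
    "(Microsoft Corporation) -> hxxp://qtipr.com/",
    "ShortcutWithArgument: C:\\Users\\Daniel\\Desktop\\Notes.lnk -> "
    "C:\\Windows\\System32\\notepad.exe (Microsoft Corporation) -> C:\\Users\\Daniel\\notes.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LNK_PATHS, SAMPLE_FRST_LINES):
        print(f"[{f.reason}] {f.lnk}\n    {f.detail}")
```

Running it reports the two mixed-script shortcut names and the Internet Explorer shortcut whose argument is a URL, and stays silent on the all-Latin Opera.lnk and the notepad shortcut. On a live system the same name check can be applied to the output of a directory walk over the Start Menu and Quick Launch folders, which is where the thread's shortcuts were planted.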
  • Helpful post
    #4 19 Mar 2017 20:50
    Kolobos
    Computer specialist

    You still have shortcuts left to delete:
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Ваttle.nеt Launchеr.lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оpera.lnk

    New Fixlist.txt for FRST:
    CloseProcesses:
    Task: {168F921F-5EEC-4BC9-A4FB-0D2C7B7E3D5A} - \Milimili -> Brak pliku <==== UWAGA
    Task: {2E5AEBA2-4E07-4892-A9CD-511E948FFC9D} - System32\Tasks\frst64 => Rundll32.exe "C:\ProgramData\357R846R399F607\357R846R399F607.dll",RFKeOOuE
    Task: {91DF4449-6390-4C19-8DAB-6939ADDDE945} - System32\Tasks\1361Z2403Z1048i2078-dll => Rundll32.exe "C:\ProgramData\1361Z2403Z1048i2078\1361Z2403Z1048i2078.dll",ZiabQXN
    Task: {DB115378-B6A4-4727-B2AC-F77713CAA82C} - System32\Tasks\Update Manager => C:\Users\Daniel\AppData\Roaming\Shadow.Tactics.Blades.of.the.Shogun.v1.1.2-ALI213\Upgrade.exe [2017-03-19] ()
    Task: {F9917B49-21FC-4792-952E-56BFFAAB4037} - System32\Tasks\1361Z2403Z1048i2078 => Rundll32.exe "C:\ProgramData\1361Z2403Z1048i2078\1361Z2403Z1048i2078.dll",ZiabQXN <==== UWAGA
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Ваttle.nеt Launchеr.lnk
    C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оpera.lnk
    2017-03-19 20:34 - 2014-03-22 04:15 - 03098112 _____ () C:\ProgramData\1361Z2403Z1048i2078\1361Z2403Z1048i2078.dll
    2017-03-19 20:37 - 2017-03-19 20:37 - 00249344 _____ () C:\Windows\TEMP\g1DBE.tmp.exe
    () C:\Windows\Temp\g1DBE.tmp.exe
    HKLM\...\RunOnce: [DANIEL-KOMPUTER] => C:\Windows\TEMP\g1DBE.tmp.exe [249344 2017-03-19] () <===== UWAGA
    2017-03-19 20:38 - 2017-03-19 20:38 - 00016726 _____ C:\Windows\System32\Tasks\1361Z2403Z1048i2078-dll
    2017-03-19 20:36 - 2017-03-19 20:37 - 00000000 ____D C:\AdwCleaner
    2017-03-19 20:34 - 2017-03-19 20:38 - 00016726 _____ C:\Windows\System32\Tasks\1361Z2403Z1048i2078
    2017-03-19 20:34 - 2017-03-19 20:34 - 00016712 _____ C:\Windows\System32\Tasks\frst64
    2017-03-19 20:34 - 2017-03-19 20:34 - 00000000 ___HD C:\ProgramData\1361Z2403Z1048i2078
    2017-03-19 18:47 - 2017-03-19 20:36 - 00000000 ____D C:\Program Files (x86)\{B33CC078-56E3-43D8-914B-077D073F508B}
    2017-03-19 14:21 - 2017-03-19 14:21 - 00003604 _____ C:\Windows\System32\Tasks\Update Manager
    2017-03-19 14:21 - 2017-03-19 14:21 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Shadow.Tactics.Blades.of.the.Shogun.v1.1.2-ALI213

    After running it, post new FRST logs from a scan.

  • Helpful post
    #6 22 Mar 2017 05:50
    Kolobos
    Computer specialist

    The log still shows those shortcuts; in Folder Options turn on showing hidden files and turn off hiding protected system files, then check again.

    New Fixlist.txt for FRST:
    CloseProcesses:
    Shortcut: C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Ваttle.nеt Launchеr.lnk
    Shortcut: C:\Users\Daniel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оpera.lnk
    2017-03-20 16:07 - 2017-03-20 16:07 - 00117561 _____ () C:\Users\Daniel\AppData\Local\Ogics\owifujs.exe
    2017-03-20 16:11 - 2017-03-20 16:11 - 01310720 _____ () C:\Users\Daniel\AppData\Local\Ogics\kffnyclq.dll
    2017-03-20 16:08 - 2017-03-20 16:08 - 01307648 _____ () C:\Users\Daniel\AppData\Local\Emtion\tjzrogbd.dll
    () C:\Users\Daniel\AppData\Local\Ogics\owifujs.exe
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [Ogics] => C:\Users\Daniel\AppData\Local\Ogics\owifujs.exe [117561 2017-03-20] ()
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [Emtion] => regsvr32.exe C:\Users\Daniel\AppData\Local\Emtion\tjzrogbd.dll <===== UWAGA
    HKU\S-1-5-21-620806016-2174227658-1852325348-1000\...\Run: [Ajworks] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Daniel\AppData\Local\Ogics\kffnyclq.dll <===== UWAGA
    2017-03-21 21:42 - 2017-03-21 21:43 - 00000000 ____D C:\AdwCleaner
    2017-03-20 16:08 - 2017-03-20 16:08 - 00000000 ____D C:\Users\Daniel\AppData\Local\Emtion
    2017-03-20 16:07 - 2017-03-20 16:11 - 00000000 ____D C:\Users\Daniel\AppData\Local\Ogics


    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    Post new FRST logs from a scan.

  • #8 23 Mar 2017 05:44
    Kolobos
    Computer specialist

    Delete the C:\FRST folder and that's all.
