Elektroda.pl

żeńą virus and the FRST program

roszu134 20 Mar 2017 18:52 519 6
  • #1 20 Mar 2017 18:52
    roszu134
    Level 2

    Hi, I'm new to the forum; this is my first post.

    I have a problem: I recently downloaded some virus. I found files named Żeną, YB4LASSXLC, WV2HQMLAL4, KME5KJETZM, GM3G7ATFX9, 4XBUIDOWTX and the like.

    Pages open by themselves in the browser, with some Chinese characters.

    I searched the web a bit and downloaded the FRST program, because it can probably fix this.
    I used the Adware program and CCleaner, but nothing helped.

    I don't know how to use FRST, so I'm asking you for help with what I would need to do.

    0 6
  • #2 20 Mar 2017 18:54
    Kolobos
    Computer specialist

    In FRST you click Scan and post the addition.txt and frst.txt it creates as attachments; that's about all you can do, I suppose?

    0
  • #4 20 Mar 2017 19:03
    Kolobos
    Computer specialist

    Next to frst.exe, create a file Fixlist.txt with the contents:

    Code:
    CloseProcesses:
    
    Task: {0215803E-CB87-48E1-A6AD-ECB11B5A3958} - System32\Tasks\temp\mia1\iahelper_rcpro_x64 => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK
    Task: {2F6CDD2F-AF33-4B2B-AD12-9666A4DC5F6F} - System32\Tasks\Opera scheduled Autoupdate 1489930470 => C:\Program Files\Opera\launcher.exe [2017-02-27] (Opera Software)
    Task: {539A476A-BEA4-4F07-806C-0B4EDE95BACA} - System32\Tasks\241l444l649M171-dll => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK
    Task: {5EBA1DC8-B9A3-4272-ABAD-D7DD981E2D8C} - System32\Tasks\amd\cn\cimmanifest => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK
    Task: {A11DF3F4-F6C6-4854-B129-A630FB16FACB} - System32\Tasks\amd\cn\cimmanifest-exe => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK
    Task: {A8D4248E-89E5-460E-AC7F-9E3306C5E4EE} - System32\Tasks\Gretition Server => C:\Program Files (x86)\Qejisyfank\xderlther.exe [2017-03-19] (Glarysoft Ltd)
    Task: {D3FF64EA-6EE0-4D89-B331-0C92A7529C73} - System32\Tasks\google\chrome\user data\swreporter\16-92-2\software_reporter_tool => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK
    Task: {ED9E11B4-107B-4A0B-9B96-56B35ED5F852} - System32\Tasks\241l444l649M171 => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK <==== ATTENTION
    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
    Shortcut: C:\Users\mateusz\Favorites\NCH Software Download Site.lnk -> hxxp://www.nchsoftware.com/index.htm
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnet Explоrer (64-bit).lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Eхрlorer.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WorldofTanks\WоrldofTanks.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder\WаrТhunder.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.rehcnual.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnet Ехplоrеr (No Add-оns).lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооgle Сhrоmе.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Lаunсh Intеrnet Ехрlоrеr Вrowser.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WоrldоfТanks.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Оpеra.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.rehcnual.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Intеrnet Ехplоrеr.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.erolpxei.bat ()
    Shortcut: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Оpеrа.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.rehcnual.bat ()
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Chrome.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.emorhc.bat ()
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Оpera.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.rehcnual.bat ()
    Shortcut: C:\Users\Public\Desktop\Gоoglе Сhrome.lnk -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.emorhc.bat ()
    ShortcutWithArgument: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\mateusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
    2017-03-19 13:23 - 2017-03-19 13:23 - 00306688 _____ () C:\Program Files (x86)\Gretition Server\local64spl.dll
    2017-03-19 13:24 - 2017-03-19 13:24 - 00524696 _____ () C:\Program Files\żěŃą\X64\KZipShell.dll
    2017-03-19 13:22 - 2014-03-22 19:19 - 03081728 _____ () C:\ProgramData\241l444l649M171\241l444l649M171.dll
    AlternateDataStreams: C:\Users\mateusz\Local Settings:init [6288682]
    Hosts:
    (IC%5G9IB) C:\Program Files\WV2HQMLAL4\WV2HQMLAL.exe
    (IC%5G9IB) C:\Program Files\GM3G7ATFX9\GM3G7ATFX.exe
    (IC%5G9IB) C:\Program Files\YB4LASSXLC\YB4LASSXL.exe
    (IC%5G9IB) C:\Program Files\KME5KJETZM\KME5KJETZ.exe
    HKLM\...\RunOnce: [MATEUSZ-MATEUSZ] => C:\Windows\TEMP\g4FC6.tmp.exe [214016 2017-03-20] () <===== ATTENTION
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [4I64EF35M8] => "C:\Program Files\BALWXMCGR0\OZSB5LIHQ.exe"
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [CWDXP0U37Y] => C:\Program Files\WV2HQMLAL4\WV2HQMLAL.exe [1593856 2017-03-19] (IC%5G9IB)
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [PWTNZJ5IP9] => C:\Program Files\GM3G7ATFX9\GM3G7ATFX.exe [1593856 2017-03-19] (IC%5G9IB)
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [MSConfig] => C:\Users\mateusz\dewsc.exe [35823616 2017-03-19] ( Rockstar)
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [FDOGW2FCH6] => C:\Program Files\YB4LASSXLC\YB4LASSXL.exe [1593856 2017-03-19] (IC%5G9IB)
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [ABIYUBWMTQ] => C:\Program Files\KME5KJETZM\KME5KJETZ.exe [1593856 2017-03-19] (IC%5G9IB)
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Policies\Explorer\Run: [Skype] => C:\Users\mateusz\AppData\Roaming\Microsoft\jsebtufa\trwwuwsc.exe [123392 2009-07-14] ()
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\MountPoints2: {5bfab45b-ea2c-11e6-852c-806e6f6e6963} - E:\.\Bin\ASSETUP.exe
    HKLM\...\Providers\gna3uo05: C:\Program Files (x86)\Gretition Server\local64spl.dll [306688 2017-03-19] ()
    ShellExecuteHooks: No Name - {D0ACBDDC-03A0-11E7-8952-64006A5CFC23} - -> No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll [2017-03-19] ()
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-DpjIquwWP4i2mZEMZrqk85TFUk2836X1EsqCgW677-eQqCmgKolC-tGisicKiGRXrXTD2BztirFMtEcDk5-dpm8sy6FNDJnAB0PqQo5WG0Hq6SiLgqWDW8UHY1NyR9t-VoJKOPy8rQwEpnUPQc5hAtdMqjVg,,&q={searchTerms}
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\Software\Microsoft\Internet Explorer\Main,Start Page =
    HKU\S-1-5-21-3228586726-948483585-1292996392-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKLM-x32 -> DefaultScope - No Value
    U0 aswVmm; No ImagePath
    2017-03-20 15:56 - 2017-03-20 15:57 - 00000000 ____D C:\AdwCleaner
    2017-03-20 15:47 - 2017-03-20 15:47 - 00000000 ____D C:\Windows\System32\Tasks\temp
    2017-03-20 15:44 - 2017-03-20 15:44 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\Solvusoft
    2017-03-20 15:43 - 2017-03-20 15:45 - 00000000 ____D C:\Users\mateusz\AppData\Local\IIIQF
    2017-03-20 15:43 - 2017-03-20 15:44 - 00000000 ____D C:\ProgramData\Solvusoft
    2017-03-19 14:57 - 2017-03-19 14:57 - 00000000 ____D C:\Windows\System32\Tasks\amd
    2017-03-19 14:56 - 2017-03-19 14:56 - 00000000 ____D C:\Windows\System32\Tasks\google
    2017-03-19 14:37 - 2017-03-19 14:37 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\KZMount
    2017-03-19 14:34 - 2017-03-19 14:34 - 00003884 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1489930470
    2017-03-19 14:34 - 2017-03-19 14:34 - 00001093 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera 43.lnk
    2017-03-19 14:23 - 2017-03-19 14:23 - 00000000 ____D C:\Program Files\KME5KJETZM
    2017-03-19 14:20 - 2017-03-19 14:20 - 00000000 ____D C:\Program Files\YB4LASSXLC
    2017-03-19 14:20 - 2017-03-19 14:20 - 00000000 ____D C:\Program Files (x86)\Qejisyfank
    2017-03-19 13:43 - 2017-03-19 13:43 - 35823616 ____H ( Rockstar) C:\Users\mateusz\dewsc.exe
    2017-03-19 13:43 - 2017-03-19 13:43 - 00000000 __SHD C:\Users\mateusz\AppData\Roaming\alFSVWJB
    2017-03-19 13:27 - 2017-03-19 15:02 - 00000000 ____D C:\Program Files\4XBUIDOWTX
    2017-03-19 13:26 - 2017-03-19 13:26 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\Mozilla
    2017-03-19 13:25 - 2017-03-19 13:26 - 00000000 ____D C:\ProgramData\Voyasollams
    2017-03-19 13:25 - 2017-03-19 13:26 - 00000000 ____D C:\Program Files\GM3G7ATFX9
    2017-03-19 13:25 - 2017-03-19 13:25 - 00000000 ____D C:\Users\mateusz\AppData\Local\UCBrowser
    2017-03-19 13:24 - 2017-03-19 20:30 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\KuaiZip
    2017-03-19 13:24 - 2017-03-19 16:35 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2017-03-19 13:24 - 2017-03-19 13:24 - 01895383 _____ C:\Users\mateusz\AppData\Roaming\Lamhome.bin
    2017-03-19 13:24 - 2017-03-19 13:24 - 01894075 _____ C:\Users\mateusz\AppData\Roaming\Singlestrong.tst
    2017-03-19 13:24 - 2017-03-19 13:24 - 00000000 __SHD C:\ProgramData\WindowsMsg
    2017-03-19 13:24 - 2017-03-19 13:24 - 00000000 ____D C:\ProgramData\Logic Cramble
    2017-03-19 13:24 - 2017-03-19 13:24 - 00000000 ____D C:\Program Files\żěŃą
    2017-03-19 13:24 - 2017-03-19 13:22 - 01125376 _____ C:\Users\mateusz\AppData\Roaming\Singlestrong.exe
    2017-03-19 13:23 - 2017-03-19 14:50 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\Ckinetain
    2017-03-19 13:23 - 2017-03-19 14:20 - 00000000 ____D C:\Users\mateusz\AppData\Local\Prermerward
    2017-03-19 13:23 - 2017-03-19 13:24 - 00000000 ____D C:\ProgramData\PrefsSecure
    2017-03-19 13:23 - 2017-03-19 13:23 - 00278511 _____ C:\Users\mateusz\AppData\Roaming\Holdtip.bin
    2017-03-19 13:23 - 2017-03-19 13:23 - 00006022 _____ C:\Windows\System32\Tasks\Gretition Server
    2017-03-19 13:23 - 2017-03-19 13:23 - 00000000 ___HD C:\Users\mateusz\AppData\Local\svchost
    2017-03-19 13:23 - 2017-03-19 13:23 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\UCChannel
    2017-03-19 13:23 - 2017-03-19 13:23 - 00000000 ____D C:\Program Files (x86)\Gretition Server
    2017-03-19 13:22 - 2017-03-20 18:53 - 00016720 _____ C:\Windows\System32\Tasks\241l444l649M171
    2017-03-19 13:22 - 2017-03-19 14:51 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\Event Monitor
    2017-03-19 13:22 - 2017-03-19 13:26 - 00000000 ____D C:\Program Files (x86)\PubHotspot
    2017-03-19 13:22 - 2017-03-19 13:22 - 00000000 ___HD C:\ProgramData\241l444l649M171
    2017-03-19 13:22 - 2017-03-19 13:22 - 00000000 ____D C:\Users\mateusz\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
    2017-03-19 13:22 - 2017-03-19 13:22 - 00000000 ____D C:\ProgramData\e5bfef05-7c21-1
    2017-03-19 13:22 - 2017-03-19 13:22 - 00000000 ____D C:\ProgramData\e5bfef05-38c3-0
    2017-03-19 13:22 - 2017-03-19 13:22 - 00000000 ____D C:\Program Files\WV2HQMLAL4
    2017-03-19 13:21 - 2017-03-19 13:44 - 00000000 ____D C:\Program Files (x86)\pccleanplus
    2017-03-19 13:21 - 2017-03-19 13:21 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\SPI
    2017-03-19 13:21 - 2017-03-19 13:21 - 00000000 ____D C:\Users\mateusz\AppData\Roaming\Browsers
    2017-03-19 13:23 - 2017-03-19 13:23 - 0278511 _____ () C:\Users\mateusz\AppData\Roaming\Holdtip.bin
    2017-03-19 13:24 - 2017-03-19 13:24 - 1895383 _____ () C:\Users\mateusz\AppData\Roaming\Lamhome.bin
    2017-03-19 13:24 - 2017-03-19 13:22 - 1125376 _____ () C:\Users\mateusz\AppData\Roaming\Singlestrong.exe
    2017-03-19 13:24 - 2017-03-19 13:24 - 1894075 _____ () C:\Users\mateusz\AppData\Roaming\Singlestrong.tst
    EmptyTemp:


    Run the Fixlist above in Safe Mode.

    Do a full scan with MBAM and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    Afterwards, post fresh FRST logs from a new scan.

    0
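The post above builds the Fixlist by hand from the scan logs: scheduled tasks that run Rundll32 on a DLL under ProgramData, Start Menu shortcuts whose names use Cyrillic look-alike letters and point at .bat wrappers (exe.erolpxei.bat is iexplore.exe spelled backwards), browser shortcuts given a start URL argument, Run keys in randomly named Program Files folders, a percent-encoded search-page host and a WMI ActiveScriptEventConsumer. The script below is an added example, not code from the thread or from FRST itself: it applies those triage rules to constructed sample lines modelled on the log and drafts the Fixlist body the way the reply does. The rules, the function names and the sample lines are this example's own assumptions, and a real fix still needs every candidate line checked by a person before FRST runs it.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines and draft a Fixlist.txt.

Added example, not code from the thread or from FRST. The detection rules are
heuristics written for this illustration; review every candidate line against
the real FRST.txt / Addition.txt before running a fix.
"""
import re
import unicodedata
from urllib.parse import unquote

# Cyrillic е (U+0435), х (U+0445), р (U+0440) in place of Latin e, x, p:
# the trick used by the hijacked "Internet Explorer" shortcuts in the thread.
HOMOGLYPH_LNK = "Int\u0435rn\u0435t E\u0445\u0440lorer.lnk"
PROGRAMS = r"C:\Users\mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"

# Constructed sample modelled on lines quoted in the thread's fixlist (not a real log file).
SAMPLE_LOG = [
    r'Task: {539A476A-BEA4-4F07-806C-0B4EDE95BACA} - System32\Tasks\241l444l649M171-dll => Rundll32.exe "C:\ProgramData\241l444l649M171\241l444l649M171.dll",lMqpctyrIcGK',
    r"Task: {2F6CDD2F-AF33-4B2B-AD12-9666A4DC5F6F} - System32\Tasks\Opera scheduled Autoupdate 1489930470 => C:\Program Files\Opera\launcher.exe [2017-02-27] (Opera Software)",
    "Shortcut: " + PROGRAMS + "\\" + HOMOGLYPH_LNK + r" -> C:\Users\mateusz\AppData\Roaming\Browsers\exe.erolpxei.bat ()",
    r"Shortcut: C:\Users\mateusz\Favorites\NCH Software Download Site.lnk -> hxxp://www.nchsoftware.com/index.htm",
    "ShortcutWithArgument: " + PROGRAMS + r"\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/",
    r"HKU\S-1-5-21-3228586726-948483585-1292996392-1000\...\Run: [CWDXP0U37Y] => C:\Program Files\WV2HQMLAL4\WV2HQMLAL.exe [1593856 2017-03-19] (IC%5G9IB)",
    r"HKLM\...\RunOnce: [MATEUSZ-MATEUSZ] => C:\Windows\TEMP\g4FC6.tmp.exe [214016 2017-03-20] ()",
    r"HKU\S-1-5-21-3228586726-948483585-1292996392-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz&q={searchTerms}",
    "WMI_ActiveScriptEventConsumer_ASEC:",
]


def mixed_script(name):
    """True when letters of more than one script are mixed (Latin + Cyrillic etc.)."""
    scripts = {unicodedata.name(c, "?").split()[0] for c in name if c.isalpha()}
    return len(scripts) > 1


def decode_reversed_name(target):
    """'exe.erolpxei.bat' -> 'iexplore.exe': the .bat stems are reversed exe names."""
    base = target.split("\\")[-1]
    if base.lower().endswith(".bat") and base.lower().startswith("exe."):
        return base[:-4][::-1]
    return None


def random_dir(path):
    """Directory component that looks machine-generated: 10 upper-case alphanumerics
    with at least one digit (e.g. WV2HQMLAL4). Heuristic for this example only."""
    for part in path.split("\\"):
        if re.fullmatch(r"[A-Z0-9]{10}", part) and any(c.isdigit() for c in part):
            return part
    return None


def triage_line(line):
    """Return a reason string when the line looks like a persistence/hijack item, else None."""
    if line.startswith("Task:") and " => " in line:
        cmd = line.split(" => ", 1)[1].lower()
        if "rundll32" in cmd and ("\\programdata\\" in cmd or "\\appdata\\" in cmd):
            return "scheduled task runs rundll32 on a DLL in a data directory"
    m = re.match(r"^Shortcut: (?P<lnk>.+?\.lnk) -> (?P<target>.+?)(?: \(.*\))?$", line)
    if m:
        reasons = []
        if mixed_script(m["lnk"].split("\\")[-1]):
            reasons.append("shortcut name mixes scripts (homoglyph)")
        real = decode_reversed_name(m["target"])
        if real:
            reasons.append(f"target is a .bat wrapper for {real}")
        return "; ".join(reasons) or None
    m = re.match(r"^ShortcutWithArgument: .+\.lnk -> .+? -> (?P<arg>hxxps?://\S+)$", line)
    if m:
        return f"browser shortcut forces start URL {m['arg']}"
    if line.startswith("HK") and re.search(r"\\Run(?:Once)?: \[", line):
        path = line.split(" => ", 1)[1]
        rnd = random_dir(path)
        if rnd:
            return f"autorun from machine-named folder {rnd}"
        if "\\windows\\temp\\" in path.lower():
            return "autorun from Windows\\TEMP"
        return None
    m = re.search(r"(?:Search|Start) Page = hxxps?://(?P<host>[^/\s]+)", line)
    if m and "%" in m["host"]:
        return f"search/start page host is percent-encoded: {unquote(m['host'])}"
    if line.startswith("WMI_ActiveScriptEventConsumer"):
        return "WMI ActiveScriptEventConsumer present (fileless persistence)"
    return None


def triage(lines):
    """Return [(line, reason)] for every line the heuristics flag."""
    out = []
    for line in lines:
        reason = triage_line(line.strip())
        if reason:
            out.append((line.strip(), reason))
    return out


def build_fixlist(lines):
    """Draft the Fixlist.txt body FRST expects: the flagged log lines verbatim,
    bracketed by the CloseProcesses: and EmptyTemp: directives the thread's fix uses."""
    flagged = [line for line, _ in triage(lines)]
    return "\n".join(["CloseProcesses:", *flagged, "EmptyTemp:"]) + "\n"


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    print(build_fixlist(SAMPLE_LOG))
```

Run it as-is to see the seven flagged lines and the drafted Fixlist; to use it on a real scan, read FRST.txt and Addition.txt into the list instead of SAMPLE_LOG. The rules deliberately leave the legitimate Opera task and the NCH favourite alone, and the homoglyph check compares Unicode script names rather than rejecting all non-ASCII, so a Polish folder name like żěŃą is not flagged by that rule.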
  • #5 20 Mar 2017 19:05
    roszu134
    Level 2

    So, run the repair with FRST in Safe Mode?

    0
  • #6 20 Mar 2017 19:13
    Kolobos
    Computer specialist

    Yes, use FRST in Safe Mode and run the Fixlist.txt given above.

    0
  • #7 21 Mar 2017 14:40
    roszu134
    Level 2

    Unfortunately, I wanted to restart the computer, but the system died completely; I had to format.

    0