Elektroda.pl

Automatic redirect to http://nova.rambler.ru

porab3 02 Apr 2017 10:11 867 9
  • Helpful post
    #2 02 Apr 2017 10:35
    Kolobos
    Computer specialist

    Back up your bookmarks from Chrome; the script will delete the profile directory created by the infection.

    Uninstall:
    Adobe Reader 9.5.0 - Polish, replace it with the newest version of AR or with Foxit: http://ninite.com/foxit/
    amuleC
    WinSnare
    SpyHunter

    Use AdwCleaner, the Scan option and then Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Next to frst.exe create a file Fixlist.txt with this content:
    CloseProcesses:
    Task: {164A7DDE-7D75-49C7-900A-BBD8A3A72901} - System32\Tasks\{B9A6D40A-60F6-4750-8859-03B45057A015} => pcalua.exe -a "C:\Program Files (x86)\Nowy folder (2)\miktex/bin/internal\copystart.exe" -c "C:\Program Files (x86)\Nowy folder (2)\miktex/bin/internal\uninstall.exe"
    Task: {3061B897-C68C-408D-8990-71498F7FB9A3} - System32\Tasks\Opera scheduled Autoupdate 1433604158 => C:\Program Files (x86)\Opera\launcher.exe [2015-05-18] (Opera Software)
    Task: {41E1324B-E7D8-4F98-AB48-8E7DFA043106} - System32\Tasks\{40469C41-E5C3-4BF1-8B7B-1E94B45462A1} => pcalua.exe -a C:\Users\Karolina\Desktop\setup.exe -d C:\Users\Karolina\Desktop
    Task: {42F8CE8C-968D-4EEA-A300-FB53817FA988} - System32\Tasks\931n589n335c482 => Rundll32.exe "C:\ProgramData\931n589n335c482\931n589n335c482.dll",ncdCbsWNnr <==== ATTENTION
    Task: {6921682F-E77D-4F3E-925D-E169B6FCC836} - System32\Tasks\{B9FF310E-806F-4CDC-93EE-9822B4CA3660} => pcalua.exe -a "C:\Users\Karolina\Desktop\xxx\instalki\Miktex 2.9 32 bit\setup-2.9.4503.exe" -d "C:\Users\Karolina\Desktop\xxx\instalki\Miktex 2.9 32 bit"
    Task: {705CB3B1-C9C7-41D5-A0EA-0B283E36B801} - System32\Tasks\SpyHunter4Startup => C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe [2017-03-31] (Enigma Software Group USA, LLC.)
    Task: {750A3DF6-C23F-4485-A92B-8AC4BC4B0486} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe
    Task: {79E345A6-A368-4507-8376-B60C2EDE60BD} - System32\Tasks\{24435D54-1227-43CE-99CA-BC5BE91F602B} => pcalua.exe -a C:\Users\Karolina\AppData\Roaming\do-search\UninstallManager.exe -c -ptid=cor
    Task: {8CD60B44-AF5C-4599-844E-960817417FC0} - System32\Tasks\Driver Booster SkipUAC (Karolina) => C:\Program Files (x86)\IObit\Driver Booster\4.3.0\DriverBooster.exe
    Task: {A47D6C45-F055-4B67-B41F-FE11C02F481D} - System32\Tasks\{53E26815-E099-4D68-972C-8F2CB19D8695} => pcalua.exe -a H:\autorun.EXE -d H:\
    Task: {E31CDB64-6389-4248-8D9D-0EB71E78F8C6} - System32\Tasks\{37C5C5E9-B082-4F66-98A4-0CC7E99B99D9} => Chrome.exe hxxp://ui.skype.com/ui/0/7.5.0.101/pl/abandoninstall?page=tsBing
    Task: {E31E8072-D5CB-462B-9A1D-E891B6F394D4} - System32\Tasks\{3A18BBFC-558B-43F5-B9E9-BB5AAB6E94AD} => pcalua.exe -a "C:\Program Files (x86)\Nowy folder (2)\miktex\bin\internal\uninstall.exe" -d "C:\Program Files (x86)\Nowy folder (2)\miktex\bin\internal" -c C:\Program Files (x86)\Nowy folder (2)\miktex\config\uninst.exe
    Task: {E3D85706-B6F8-4BE3-B568-80094DC69D06} - System32\Tasks\Ateditthilet Renew => C:\Program Files (x86)\Stumogeqebut\xguqerty.exe [2017-03-31] (Glarysoft Ltd)
    2017-03-31 18:03 - 2014-03-22 23:56 - 03322880 _____ () C:\ProgramData\931n589n335c482\931n589n335c482.dll
    2017-04-02 07:32 - 2017-04-02 07:37 - 00173568 _____ () C:\Windows\TEMP\gDDB2.tmp.exe
    Hosts:
    (Enigma Software Group USA, LLC.) C:\Program Files (x86)\Enigma Software Group\SpyHunter\SH4Service.exe
    () C:\Windows\Temp\gDDB2.tmp.exe
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-2658245198-3005051595-1530724498-1000\...\MountPoints2: F - F:\AutoRun.exe
    HKU\S-1-5-21-2658245198-3005051595-1530724498-1000\...\MountPoints2: {3f9b8c93-a1dc-11e5-a951-705ab6b8b67b} - F:\AutoRun.exe
    HKU\S-1-5-21-2658245198-3005051595-1530724498-1000\...\MountPoints2: {3f9b8ca1-a1dc-11e5-a951-705ab6b8b67b} - F:\AutoRun.exe
    HKU\S-1-5-18\...\Run: [] => [X]
    ShellExecuteHooks: No Name - {894E887A-D3F9-11E6-89DF-64006A5CFC35} - C:\Users\Karolina\AppData\Roaming\Jozusp\Vedudom.dll -> No File
    ShellExecuteHooks: No Name - {1DC5CF78-12F1-11E7-BD7A-64006A5CFC23} - C:\Users\Karolina\AppData\Roaming\Plikot\Miqlewafucult.dll -> No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    SearchScopes: HKLM-x32 -> DefaultScope - value is missing
    FF Extension: (Fast search) - C:\Users\Karolina\AppData\Roaming\Mozilla\Firefox\Profiles\vjavd83l.default\Extensions\amcontextmenu@loucypher [2017-03-31]
    FF SearchPlugin: C:\Users\Karolina\AppData\Roaming\Mozilla\Firefox\Profiles\vjavd83l.default\searchplugins\uccs53rf.xml [2017-03-31]
    CHR DefaultProfile: ChromeDefaultData
    CHR Profile: C:\Users\Karolina\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-02] <==== ATTENTION
    C:\Users\Karolina\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    OPR Extension: (Fast search) - C:\Users\Karolina\AppData\Roaming\Opera Software\Opera Stable\Extensions\pbdpajcdgknpendpmecafmopknefafha [2017-03-31]
    R2 SpyHunter 4 Service; C:\Program Files (x86)\Enigma Software Group\SpyHunter\SH4Service.exe [769920 2013-01-14] (Enigma Software Group USA, LLC.)
    S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
    S3 esgiguard; C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
    S3 EsgScanner; C:\Windows\SysWOW64\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
    R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-03-31] (REALiX(tm))
    U3 alic5vlp; C:\Windows\System32\Drivers\alic5vlp.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
    2017-03-31 21:24 - 2017-03-31 21:24 - 00003360 _____ C:\Windows\System32\Tasks\SpyHunter4Startup
    2017-03-31 21:24 - 2017-03-31 21:24 - 00002294 _____ C:\Users\Karolina\Desktop\SpyHunter.lnk
    2017-03-31 21:24 - 2017-03-31 21:24 - 00000000 ____D C:\Users\Karolina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
    2017-03-31 21:24 - 2017-03-31 21:24 - 00000000 ____D C:\sh4ldr
    2017-03-31 21:20 - 2017-03-31 12:19 - 00000000 ____D C:\Users\Karolina\Downloads\Combo Fix
    2017-03-31 21:19 - 2017-03-31 21:19 - 00000182 _____ C:\Users\Karolina\Downloads\Combo Fix-20170331T191945Z-001.zip
    2017-03-31 21:18 - 2017-03-31 21:19 - 00000000 ____D C:\Users\Karolina\Downloads\SmitfraudFix
    2017-03-31 21:18 - 2017-03-31 21:18 - 01816161 _____ C:\Users\Karolina\Downloads\SmitfraudFix-20170331T191809Z-001.zip
    2017-03-31 21:16 - 2017-03-31 21:16 - 01481530 _____ C:\Users\Karolina\Downloads\SDFix 1.240-20170331T191621Z-001.zip
    2017-03-31 21:16 - 2017-03-31 21:16 - 00000000 ____D C:\Users\Karolina\Downloads\SDFix 1.240
    2017-03-31 21:15 - 2017-03-31 21:15 - 04756290 _____ C:\Users\Karolina\Downloads\SUPERAntiSpyware-20170331T191506Z-001.zip
    2017-03-31 21:15 - 2017-03-31 21:15 - 00000000 ____D C:\Users\Karolina\Downloads\SUPERAntiSpyware
    2017-03-31 20:08 - 2017-03-31 20:08 - 00000000 ____D C:\Program Files (x86)\Enigma Software Group
    2017-03-31 18:14 - 2017-03-31 18:38 - 00000058 _____ C:\Windows\SysWOW64\data
    2017-03-31 18:04 - 2017-03-31 19:03 - 00000000 ____D C:\ProgramData\ProductData
    2017-03-31 18:03 - 2017-04-02 08:00 - 00016716 _____ C:\Windows\System32\Tasks\931n589n335c482
    2017-03-31 18:03 - 2017-03-31 21:00 - 00000000 ____D C:\Program Files\HPXX21WU3C
    2017-03-31 18:03 - 2017-03-31 20:03 - 00000000 ____D C:\Program Files (x86)\Stumogeqebut
    2017-03-31 18:03 - 2017-03-31 19:17 - 00000000 ____D C:\Users\Karolina\AppData\Roaming\Plikot
    2017-03-31 18:03 - 2017-03-31 18:53 - 00002902 _____ C:\Windows\System32\Tasks\Driver Booster SkipUAC (Karolina)
    2017-03-31 18:03 - 2017-03-31 18:04 - 00000000 ____D C:\ProgramData\IObit
    2017-03-31 18:03 - 2017-03-31 18:03 - 01556916 _____ (Microsoft Corporation) C:\Windows\csrss.exe
    2017-03-31 18:03 - 2017-03-31 18:03 - 00104448 _____ C:\run.exe
    2017-03-31 18:03 - 2017-03-31 18:03 - 00073216 _____ C:\Windows\taskmgr.exe
    2017-03-31 18:03 - 2017-03-31 18:03 - 00027552 _____ (REALiX(tm)) C:\Windows\SysWOW64\Drivers\HWiNFO64A.SYS
    2017-03-31 18:03 - 2017-03-31 18:03 - 00006044 _____ C:\Windows\System32\Tasks\Ateditthilet Renew
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ___HD C:\ProgramData\931n589n335c482
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Windows\IObit
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Windows\Azart
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Users\Karolina\AppData\Roaming\IObit
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Users\Karolina\AppData\LocalLow\IObit
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Users\Karolina\AppData\Local\Terisevik
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Users\Karolina\AppData\Local\MicrosoftUpdater
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Users\Karolina\AppData\Local\MicrosoftHelper
    2017-03-31 18:03 - 2017-03-31 18:03 - 00000000 ____D C:\Program Files (x86)\Ateditthilet Renew
    2017-03-31 15:30 - 2017-03-31 15:30 - 00000000 _____ C:\autoexec.bat
    2017-03-31 15:29 - 2017-03-31 21:24 - 00000000 ____D C:\Windows\46B04D534E344388B6EE80FAB66AEF9B.TMP
    2017-03-23 23:51 - 2017-03-23 23:51 - 00000000 ____D C:\Users\Karolina\AppData\Local\Pearness
    2017-03-23 23:50 - 2017-03-24 21:56 - 00000000 ____D C:\Program Files (x86)\n1
    2017-03-23 23:50 - 2017-03-23 23:50 - 00000000 ____D C:\Program Files (x86)\Pearness
    2017-03-23 23:49 - 2017-03-23 23:49 - 00000000 ____D C:\Program Files (x86)\MIO
    2017-03-31 19:16 - 2015-08-12 20:58 - 00000000 ____D C:\AdwCleaner
    EmptyTemp:

    In FRST choose Fix.

    After running it, post new FRST logs from a scan.

    0
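As an added example (the editor's own code, not FRST's and not part of the original thread), here is a small Python script that applies the reasoning behind the fixlist above to raw FRST output lines. The sample lines are copied from the FRST entries quoted in this post; the heuristics (rundll32 loading a DLL from ProgramData, pcalua.exe wrapper tasks, random-looking task names, entries pointing at a missing file, AutoRun from a removable drive, a non-default Chrome profile, zero-byte drivers, system binary names in the C:\Windows root, and files created in the same minute as a known-bad drop) are assumptions modelled on which entries the helper removed, not any scoring FRST itself does.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) output lines.

Added example by the editor, not FRST's code and not part of the thread.
The sample lines are copied from the FRST entries quoted in this post;
the heuristics are assumptions modelled on which entries the helper
moved into Fixlist.txt. Output is a prompt for a human, not a fixlist.
"""
import re

# Constructed sample: a subset of the FRST lines quoted in the fix above.
SAMPLE_LOG = r"""
Task: {42F8CE8C-968D-4EEA-A300-FB53817FA988} - System32\Tasks\931n589n335c482 => Rundll32.exe "C:\ProgramData\931n589n335c482\931n589n335c482.dll",ncdCbsWNnr <==== ATTENTION
Task: {3061B897-C68C-408D-8990-71498F7FB9A3} - System32\Tasks\Opera scheduled Autoupdate 1433604158 => C:\Program Files (x86)\Opera\launcher.exe [2015-05-18] (Opera Software)
Task: {41E1324B-E7D8-4F98-AB48-8E7DFA043106} - System32\Tasks\{40469C41-E5C3-4BF1-8B7B-1E94B45462A1} => pcalua.exe -a C:\Users\Karolina\Desktop\setup.exe -d C:\Users\Karolina\Desktop
HKU\S-1-5-21-2658245198-3005051595-1530724498-1000\...\MountPoints2: F - F:\AutoRun.exe
ShellExecuteHooks: No Name - {894E887A-D3F9-11E6-89DF-64006A5CFC35} - C:\Users\Karolina\AppData\Roaming\Jozusp\Vedudom.dll -> No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR DefaultProfile: ChromeDefaultData
U3 alic5vlp; C:\Windows\System32\Drivers\alic5vlp.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-03-31] (REALiX(tm))
2017-03-31 18:03 - 2017-03-31 18:03 - 01556916 _____ (Microsoft Corporation) C:\Windows\csrss.exe
2017-03-31 18:03 - 2017-03-31 18:03 - 00104448 _____ C:\run.exe
"""

# Windows system binaries that live in System32; a copy in the C:\Windows
# root is a classic lookalike drop (assumed watch-list, extend as needed).
SYSTEM_BINARIES = {"csrss.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}

# "created - modified - size attrs (company) path" lines of the file listing
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?P<size>\d+) [_A-Z]{5} "
    r"(?:\([^)]*\) )?(?P<path>.+)$")
TASK_LINE = re.compile(
    r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<target>.+)$")
# "R2 name; path [size date] (company)" service and driver lines
SERVICE_LINE = re.compile(r"^[RSU]\d [^;]+; (?P<path>.+?) \[(?P<size>\d+)[ \]]")
# letters and digits mixed, no spaces, like the 931n589n335c482 task
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$")


def triage(log_text, anchor_minute=None):
    """Return [(line, [reasons])] for lines that deserve a second look.

    anchor_minute ('YYYY-MM-DD HH:MM') is the drop time of a known-bad
    file; every file created in that minute is reported, which is how
    the helper above swept up csrss.exe and run.exe in the C:\\ root.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if "<===" in line:  # FRST's own marker, independent of its UI language
            reasons.append("already flagged by FRST")
        task = TASK_LINE.match(line)
        if task:
            name, target = task.group("name"), task.group("target")
            if re.search(r"rundll32\.exe .*\\ProgramData\\", target, re.I):
                reasons.append("task loads a DLL from ProgramData via rundll32")
            if target.lower().startswith("pcalua.exe "):
                reasons.append("pcalua.exe task (compatibility launcher proxying another binary)")
            if RANDOM_NAME.match(name):
                reasons.append("random-looking task name")
        if line.endswith("-> No File"):
            reasons.append("persistence entry points at a missing file")
        if "MountPoints2:" in line and "autorun" in line.lower():
            reasons.append("AutoRun.exe launched from a removable drive")
        if line.startswith("CHR DefaultProfile:") and line.split(":", 1)[1].strip() != "Default":
            reasons.append("Chrome runs from a non-standard profile directory")
        svc = SERVICE_LINE.match(line)
        if svc and svc.group("size") == "0":
            reasons.append("zero-byte driver file")
        entry = FILE_LINE.match(line)
        if entry:
            path = entry.group("path")
            base = path.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_BINARIES and re.fullmatch(r"c:\\windows\\[^\\]+", path, re.I):
                reasons.append(f"{base} sitting in the C:\\Windows root instead of System32")
            if anchor_minute and entry.group("created") == anchor_minute:
                reasons.append(f"created in the same minute as the known-bad drop ({anchor_minute})")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    # 18:03 is the creation minute of the 931n589n335c482 DLL quoted above.
    for line, reasons in triage(SAMPLE_LOG, anchor_minute="2017-03-31 18:03"):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

On the sample the Opera updater task and the HWiNFO driver come out clean, which is the point of the caveat: the helper still listed HWiNFO64A.SYS because it appeared at 18:03 alongside the infection, so the anchor-minute sweep is what turns a heuristic list into a fixlist, and a human still has to confirm each entry before it goes into Fixlist.txt.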
  • #3 02 Apr 2017 12:55
    porab3
    Level 9

    thank you, it helped ;)

    0
  • #4 02 Apr 2017 12:59
    Kolobos
    Computer specialist

    > After running it, post new FRST logs from a scan.

    0
  • #6 02 Apr 2017 16:28
    Kolobos
    Computer specialist

    In Chrome you still have the profile created by the infection. Do you synchronise your Chrome settings with a Google account? If so, delete the sync data:
    https://support.google.com/chrome/answer/6386691?hl=pl

    Run a new Fixlist.txt for FRST:
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2658245198-3005051595-1530724498-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    CHR DefaultProfile: ChromeDefaultData
    CHR Profile: C:\Users\Karolina\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-02] <==== ATTENTION
    U3 acqu7l4d; C:\Windows\System32\Drivers\acqu7l4d.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero byte File/Folder)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    2017-04-02 16:03 - 2017-04-02 16:03 - 00000000 ____D C:\Users\Karolina\Downloads\SmitfraudFix
    2017-04-02 09:46 - 2017-04-02 09:46 - 00388608 _____ (Trend Micro Inc.) C:\Users\Karolina\Downloads\HijackThis_2.0.4.exe
    2017-04-02 09:45 - 2017-04-02 09:46 - 01222168 _____ ( ) C:\Users\Karolina\Downloads\HijackThis-12030-AsystentPobierania.exe
    2017-04-02 09:44 - 2017-04-02 09:45 - 01872472 _____ C:\Users\Karolina\Downloads\SmitfraudFix(dobreprogramy.pl).exe
    2017-04-02 09:15 - 2017-04-02 09:15 - 00016518 _____ C:\ComboFix.txt
    2017-04-02 08:55 - 2017-04-02 09:16 - 00000000 ____D C:\Qoobox
    2017-04-02 08:55 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
    2017-04-02 08:55 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
    2017-04-02 08:55 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2017-04-02 08:55 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2017-04-02 08:55 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2017-04-02 08:55 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
    2017-04-02 08:55 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
    2017-04-02 08:55 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
    2017-04-02 08:50 - 2017-04-02 08:50 - 05660310 ____R (Swearware) C:\Users\Karolina\Downloads\ComboFix.exe

    0
  • #8 02 Apr 2017 16:56
    Kolobos
    Computer specialist

    Uninstall Chrome, delete the profile directory at C:\Users\Karolina\AppData\Local\Google\Chrome\User Data\ChromeDefaultData and install Chrome again.

    0
  • Helpful post
    #10 02 Apr 2017 17:35
    Kolobos
    Computer specialist

    Delete the C:\FRST directory and that's all.

    0