
The "żeńą" virus and the FRST program

Bovit 09 Apr 2017 13:12
  • #1 09 Apr 2017 13:12
    Bovit
    Level 2

    Hello. I finally found your forum, and as usual it was because of a problem. I read a bit about the junk on my laptop and came across the FRST program. I made logs with it (below) and of course I have a request for the contents of the Fixlist.txt file. I have no strength left for this contraption, so I kindly ask the esteemed forum members for help.

    With thanks in advance

    Bovit :)

  • Helpful post
    #2 09 Apr 2017 13:42
    Kolobos
    Computer specialist

    @Bovit make a backup of your Chrome bookmarks, the script will delete the profile directory.

    If you download something like "WinRAR 521 [x32.iso" and don't see that it is an infected file, then you probably shouldn't be downloading anything from the internet.

    Fixlist.txt for FRST:
    CloseProcesses:
    Task: {383B7F98-4D16-4F7A-9E8B-C4F8949E4C2F} - System32\Tasks\DllKitPRO => C:\Program Files (x86)\DllKitPRO\dllkitpro.exe
    Task: {4D62DA1E-F507-4995-9903-87F7C09AA16F} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\Explorer.exe /NOUACCHECK
    Task: {53D8D35E-FF9A-4A28-8E4A-13EAD17E8582} - \UCBrowserUpdater -> Brak pliku <==== UWAGA
    Task: {5FC9B99B-2B2E-4F66-A8BC-318A7816E3EB} - System32\Tasks\{FB313BAA-235F-4C19-A2F9-3AF001C5B8CB} => pcalua.exe -a "C:\Program Files (x86)\BestZiper\uninstaller.exe" -d "C:\Program Files (x86)\BestZiper"
    Task: {71823C6E-1376-4B55-8D40-0CEE428C681C} - System32\Tasks\Cougoch Agent => C:\Program Files (x86)\Tohock\xlokiry.exe [2017-04-08] (Glarysoft Ltd)
    Task: {95FBA054-BCBE-4075-9A58-CED0DA526B95} - System32\Tasks\{9E3DA25D-2D91-4C66-828C-F652344E7D31} => pcalua.exe -a C:\Users\thema\AppData\Local\Temp\accelerator.exe -c /u <==== UWAGA
    Task: {98DE0F32-E6A2-464E-922D-D1DC20FDAFA6} - \UCBrowserSecureUpdater -> Brak pliku <==== UWAGA
    Task: {A49AEB34-8D55-4215-99E9-B716DA8DD90E} - System32\Tasks\vv623i899 => Rundll32.exe "C:\Program Files\Common Files\vv623i899\vv623i899.dll",vivnBnSUxO
    Task: {AB8168D9-6644-4C09-A8D6-D456BF8C44C4} - System32\Tasks\Coasuent Monitor => C:\Program Files (x86)\Phliyceriph\xarergoy.exe [2017-04-08] (Glarysoft Ltd)
    Task: {E6F6081C-5FBC-4CCA-B19A-EC30577C8930} - System32\Tasks\SMW_UpdateTask_Time_3534343331313130312d3237575a236c6c3255342a41 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== UWAGA
    Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
    WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
    ShortcutWithArgument: C:\Users\thema\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\thema\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\thema\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\thema\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
    2017-04-08 12:37 - 2017-04-09 12:41 - 01721856 _____ () C:\Windows\TEMP\g265A.tmp
    2017-04-09 12:43 - 2017-04-09 12:43 - 00173568 _____ () C:\Windows\TEMP\g6830.tmp.exe
    () C:\Windows\Temp\g6830.tmp.exe
    HKLM\...\RunOnce: [ATARI65XE] => C:\Windows\TEMP\g6830.tmp.exe [173568 2017-04-09] () <===== UWAGA
    HKU\S-1-5-21-4170051615-784292960-4060217159-1001\...\Run: [windows defender] => C:\Users\Public\wind.exe [396610 2017-04-09] ()
    HKU\S-1-5-21-4170051615-784292960-4060217159-1001\...\Policies\Explorer\Run: [WinRAR] => C:\Users\thema\AppData\Roaming\Microsoft\ddhrucue\sraeabaj.exe [145408 2016-07-16] ()
    HKU\S-1-5-21-4170051615-784292960-4060217159-1001\...\Policies\Explorer\Run: [PC] => C:\Users\thema\AppData\Roaming\Microsoft\cuewaubw\sraeabaj.exe
    HKU\S-1-5-21-4170051615-784292960-4060217159-1001\...\MountPoints2: {bf1d80c8-e214-11e6-91e0-90a4de79557f} - "D:\AutoRun.exe"
    HKU\S-1-5-18\...\Run: [nbTsmtMty.exe] => C:\Windows\system32\config\systemprofile\AppData\Roaming\0622c96dee0a4f84965571dc450969e0\nbTsmtMty.exe [159232 2017-04-08] (Yahoo)
    HKLM\...\Providers\zy7w25lt: C:\Program Files (x86)\Coasuent Monitor\local64spl.dll [307200 2017-04-08] ()
    ShellExecuteHooks: Brak nazwy - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - -> Brak pliku
    ShellExecuteHooks: Brak nazwy - {2D5D8F5C-1485-11E7-A215-64006A5CFC23} - C:\Program Files (x86)\Phliyceriph\Ganagfory.dll [145408 2017-04-08] ()
    ShellExecuteHooks: Brak nazwy - {BE1A7B48-1485-11E7-B606-64006A5CFC23} - -> Brak pliku
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => -> Brak pliku
    FF user.js: detected! => C:\Users\thema\AppData\Roaming\Mozilla\Firefox\Profiles\2qdrq5dh.default\user.js [2017-01-15]
    FF NewTab: Mozilla\Firefox\Profiles\2qdrq5dh.default -> hxxp://www.initialsite123.com/?z=caf6b61aa1fc...HZ2320BHXG2_K62NT8927TRDT8927TRDX&type=hp
    FF DefaultSearchEngine: Mozilla\Firefox\Profiles\2qdrq5dh.default -> initialsite123
    FF SelectedSearchEngine: Mozilla\Firefox\Profiles\2qdrq5dh.default -> initialsite123
    FF Homepage: Mozilla\Firefox\Profiles\2qdrq5dh.default -> hxxp://www.initialsite123.com/?z=caf6b61aa1fc...HZ2320BHXG2_K62NT8927TRDT8927TRDX&type=hp
    FF Extension: (Fast search) - C:\Users\thema\AppData\Roaming\Mozilla\Firefox\Profiles\2qdrq5dh.default\Extensions\amcontextmenu@loucypher [2017-04-08]
    FF SearchPlugin: C:\Users\thema\AppData\Roaming\Mozilla\Firefox\Profiles\2qdrq5dh.default\searchplugins\9h2a0s2n.xml [2017-04-08]
    FF SearchPlugin: C:\Users\thema\AppData\Roaming\Mozilla\Firefox\Profiles\2qdrq5dh.default\searchplugins\zy7w25lt.xml [2017-04-08]
    CHR DefaultProfile: ChromeDefaultData
    CHR Profile: C:\Users\thema\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-09] <==== UWAGA
    C:\Users\thema\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    S2 Recover; C:\Program Files\Windows Defender Advanced Threat Protection\OIZ59PFFRCINVW3RZ6XGBT\3GxGDçXU4J.exe [178688 2017-04-08] () [Brak podpisu cyfrowego]
    R1 cryptfd; C:\Windows\System32\drivers\cryptfd.sys [193448 2017-03-03] ()
    S3 wfpgameprotect; \??\C:\Users\thema\AppData\Local\Temp\9041.tmp.sys [X] <==== UWAGA
    2017-04-09 12:24 - 2017-04-09 12:24 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
    2017-04-08 15:03 - 2017-04-08 15:03 - 00000858 _____ C:\Users\thema\Desktop\żěŃą.lnk
    2017-04-08 15:02 - 2017-04-08 15:02 - 00000000 ____D C:\Users\thema\AppData\Local\kemgadeojglibflomicgnfeopkdfflnw
    2017-04-08 15:01 - 2017-04-08 15:01 - 00000000 ____D C:\Users\thema\AppData\Local\Chepusharalert
    2017-04-08 15:01 - 2017-04-08 15:01 - 00000000 ____D C:\Program Files (x86)\Grutesy
    2017-04-08 14:37 - 2017-04-08 14:37 - 01129376 _____ (Google Inc.) C:\Users\thema\Downloads\ChromeSetup (1).exe
    2017-04-08 14:03 - 2017-04-08 14:03 - 00000000 ____D C:\Program Files (x86)\Tohock
    2017-04-08 13:59 - 2017-04-08 13:59 - 00000000 ____D C:\Users\Default\AppData\Local\Chepusharalert
    2017-04-08 13:59 - 2017-04-08 13:59 - 00000000 ____D C:\Users\Default User\AppData\Local\Chepusharalert
    2017-04-08 13:55 - 2017-04-08 14:25 - 00000000 ____D C:\Users\Default\AppData\Roaming\Widcult
    2017-04-08 13:55 - 2017-04-08 14:25 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Widcult
    2017-04-08 13:55 - 2017-04-08 13:55 - 00122880 _____ () C:\Theobald.dll
    2017-04-08 13:55 - 2017-04-08 13:55 - 00000000 ____D C:\Users\Default\AppData\Local\Serketainmibage
    2017-04-08 13:55 - 2017-04-08 13:55 - 00000000 ____D C:\Users\Default User\AppData\Local\Serketainmibage
    2017-04-08 13:03 - 2017-04-08 13:04 - 00000000 ____D C:\Users\thema\Downloads\CCleaner Professional Plus v5.22.5724 Retail Ml_Rus
    2017-04-08 12:48 - 2017-04-08 12:48 - 00003328 _____ C:\Windows\System32\Tasks\{FB313BAA-235F-4C19-A2F9-3AF001C5B8CB}
    2017-04-08 12:35 - 2017-04-08 12:35 - 00005571 _____ C:\Users\thema\Downloads\3525_CCleaner_Profes.torrent
    2017-04-08 12:22 - 2017-04-09 09:49 - 00396610 _____ C:\Users\Public\wind.exe
    2017-04-08 12:22 - 2017-04-08 12:22 - 00060420 _____ C:\Users\Public\wiWd.exe
    2017-04-08 12:20 - 2017-04-08 12:20 - 00000000 ____D C:\Program Files (x86)\Phliyceriph
    2017-04-08 12:19 - 2017-04-09 12:40 - 00000000 ____D C:\AdwCleaner
    2017-04-08 12:13 - 2017-04-08 12:13 - 00003262 _____ C:\Windows\System32\Tasks\{9E3DA25D-2D91-4C66-828C-F652344E7D31}
    2017-04-08 12:10 - 2017-04-09 09:35 - 00000000 ____D C:\Users\thema\AppData\Roaming\Widcult
    2017-04-08 12:10 - 2017-04-08 12:10 - 00006098 _____ C:\Windows\System32\Tasks\Cougoch Agent
    2017-04-08 12:10 - 2017-04-08 12:10 - 00000000 ____D C:\Users\thema\AppData\Local\Serketainmibage
    2017-04-08 12:10 - 2017-04-08 12:10 - 00000000 ____D C:\Program Files (x86)\Cougoch Agent
    2017-04-08 12:06 - 2017-04-09 09:35 - 00004414 _____ C:\Windows\System32\Tasks\SMW_UpdateTask_Time_3534343331313130312d3237575a236c6c3255342a41
    2017-04-08 12:06 - 2017-04-08 12:06 - 00000000 ____D C:\Program Files (x86)\Phliyceriph_
    2017-04-08 12:05 - 2017-04-09 09:53 - 00004216 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{B7FBFD41-C257-42AE-BEED-3EC3F66174D5}
    2017-04-08 12:02 - 2017-04-08 12:31 - 00000000 ____D C:\Users\thema\AppData\Roaming\Coehaplahaph
    2017-04-08 12:02 - 2017-04-08 12:02 - 00006074 _____ C:\Windows\System32\Tasks\Coasuent Monitor
    2017-04-08 12:02 - 2017-04-08 12:02 - 00003204 __RSH C:\pagefile.$$$
    2017-04-08 12:02 - 2017-04-08 12:02 - 00000000 ____D C:\Users\thema\AppData\Local\Clerwewardghubese
    2017-04-08 12:02 - 2017-04-08 12:02 - 00000000 ____D C:\Program Files (x86)\Coasuent Monitor
    2017-04-08 12:01 - 2017-04-08 12:20 - 00000000 ____D C:\Program Files (x86)\BestZiper
    2017-04-08 12:01 - 2017-04-08 12:01 - 00016818 _____ C:\Windows\System32\Tasks\vv623i899
    2017-04-08 12:01 - 2017-04-08 12:01 - 00000000 ___HD C:\Program Files\Common Files\vv623i899
    2017-04-08 12:01 - 2017-04-08 12:01 - 00000000 ____D C:\Users\thema\AppData\Roaming\58247964
    2017-04-08 12:01 - 2017-04-08 12:01 - 00000000 ____D C:\Users\thema\AppData\Roaming\34608748
    2017-04-08 11:56 - 2017-04-08 11:56 - 00000000 ____D C:\Users\thema\AppData\Local\UCBrowser
    2017-04-08 11:55 - 2017-04-09 10:59 - 00000000 ____D C:\Program Files\żěŃą
    2017-04-08 11:55 - 2017-04-08 11:55 - 00000000 ____D C:\Users\thema\AppData\Local\CEF
    2017-04-08 11:55 - 2017-04-08 11:55 - 00000000 ____D C:\Users\thema\AppData\Local\AMD
    2017-04-08 11:54 - 2017-04-08 15:02 - 00003648 _____ C:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask
    2017-04-08 11:54 - 2017-04-08 11:54 - 00000000 ____D C:\Users\Public\Documents\XMUpdate
    2017-04-08 11:52 - 2017-04-08 11:52 - 01499136 _____ C:\Users\thema\Downloads\WinRAR 521 [x32.iso
    2017-04-02 09:42 - 2017-04-02 09:45 - 00003382 _____ C:\Windows\System32\Tasks\DllKitPRO
    2017-02-25 10:38 - 2017-02-25 10:38 - 0000037 ___SH () C:\Users\thema\AppData\Local\20986331705021ca58edc424.96250074
    C:\Windows\TEMP\g6830.tmp.exe
    C:\Users\Public\wind.exe
    C:\Users\Public\wiWd.exe
    EmptyTemp:

    After running it, use AdwCleaner, the Scan option and then Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    Finally, post new FRST logs from the scan.

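The fix list above is made of FRST log lines, one persistence entry per line (scheduled tasks, Chrome shortcuts, Run/RunOnce keys, services and drivers). As an added example that is not part of this thread, here is a small Python triage helper that classifies such lines by mechanism and collects the signals a responder looks at before deciding an entry belongs in a fix list: the FRST attention marker, a missing publisher or digital signature, a launch path under Temp or Public, execution through Rundll32/Wscript/pcalua, and a browser shortcut carrying --load-extension. The sample input is a handful of lines copied from the fix list; the signal list is this example's own heuristic, not a rule FRST applies.

```python
import re
# Sample FRST fix-list lines copied from the post above. "UWAGA" and "Brak podpisu
# cyfrowego" are FRST's Polish-locale markers for "ATTENTION" and "File not signed".
SAMPLE_LINES = r"""
Task: {A49AEB34-8D55-4215-99E9-B716DA8DD90E} - System32\Tasks\vv623i899 => Rundll32.exe "C:\Program Files\Common Files\vv623i899\vv623i899.dll",vivnBnSUxO
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\thema\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
HKLM\...\RunOnce: [ATARI65XE] => C:\Windows\TEMP\g6830.tmp.exe [173568 2017-04-09] () <===== UWAGA
HKU\S-1-5-21-4170051615-784292960-4060217159-1001\...\Run: [windows defender] => C:\Users\Public\wind.exe [396610 2017-04-09] ()
S2 Recover; C:\Program Files\Windows Defender Advanced Threat Protection\OIZ59PFFRCINVW3RZ6XGBT\3GxGDçXU4J.exe [178688 2017-04-08] () [Brak podpisu cyfrowego]
R1 cryptfd; C:\Windows\System32\drivers\cryptfd.sys [193448 2017-03-03] ()
EmptyTemp:
""".strip().splitlines()

# Line prefixes FRST uses for the persistence mechanisms listed in the thread.
KINDS = [
    (re.compile(r"^Task: "), "scheduled task"),
    (re.compile(r"^ShortcutWithArgument: "), "shortcut"),
    (re.compile(r"^HK(LM|U)\\.*\\(Run|RunOnce): "), "registry autorun"),
    (re.compile(r"^[RS]\d \S+; "), "service or driver"),
]

# Triage heuristics (this example's assumption) applied to the part that names what runs.
SIGNALS = [
    (re.compile(r"<=+ (UWAGA|ATTENTION)"), "flagged by FRST"),
    (re.compile(r"\[(Brak podpisu cyfrowego|File not signed)\]"), "no digital signature"),
    (re.compile(r"\] \(\)"), "empty publisher field"),
    (re.compile(r"\\(temp|public)\\", re.I), "lives in Temp or Public"),
    (re.compile(r"^(rundll32|wscript|pcalua)\.exe", re.I), "proxy execution via a system binary"),
    (re.compile(r"--load-extension="), "side-loaded browser extension"),
    (re.compile(r"hxxps?://"), "forced start page URL"),
]

def target_of(line):
    """Return the right-most part of an FRST line: the file, command or argument that runs."""
    for sep in ("=>", "->", "; "):
        if sep in line:
            return line.rsplit(sep, 1)[1].strip()
    return line

def triage(lines):
    """Classify each line by persistence mechanism and list the signals it carries."""
    findings = []
    for line in lines:
        kind = next((k for rx, k in KINDS if rx.search(line)), None)
        if kind is None:  # fix directives such as EmptyTemp: are not persistence entries
            continue
        target = target_of(line)
        reasons = [why for rx, why in SIGNALS if rx.search(target)]
        findings.append({"kind": kind, "target": target, "reasons": reasons})
    return findings
```

A real Addition.txt/FRST.txt can be fed in the same way by passing its lines to triage(); entries with no reasons at all (cryptfd above gets only an empty publisher) are the ones worth checking by hand before they go into a fix list.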
  • #4 09 Apr 2017 14:54
    Kolobos
    Computer specialist

    In Chrome you still have the profile created by the infection.
    Delete the Chrome settings sync data from your Google account:
    https://support.google.com/chrome/answer/6386691?hl=pl

    Run a new Fixlist.txt for FRST:
    Task: {3DF56FE8-C237-43F3-A723-F54A3493EFB4} - \User_Feed_Synchronization-{B7FBFD41-C257-42AE-BEED-3EC3F66174D5} -> Brak pliku <==== UWAGA
    CHR DefaultProfile: ChromeDefaultData
    CHR HomePage: ChromeDefaultData -> hxxp://isearch.omiga-plus.com/?type=hp&ts...mp;uid=TOSHIBAXMK3265GSX_909IC6ZGTXX909IC6ZGT
    CHR DefaultSearchKeyword: ChromeDefaultData -> r
    CHR Session Restore: ChromeDefaultData -> [funkcja włączona]
    CHR Profile: C:\Users\thema\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-09] <==== UWAGA
    C:\Users\thema\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    2017-04-09 13:58 - 2017-04-09 14:00 - 00000000 ____D C:\AdwCleaner
    2017-04-09 10:08 - 2017-04-09 10:36 - 04089296 _____ C:\Users\thema\Downloads\adwcleaner_6.045 (1).exe

    After running it, delete the C:\FRST directory and that's all.
