Elektroda.pl

How to remove the Chinese virus ŻeŃą

RedLabel 12 Apr 2017 17:44 354 1
  • #2 12 Apr 2017 17:54
    Kolobos
    Computer specialist

    Uninstall: Java Runtime Environment Packages

    Run the following Fixlist.txt in Safe Mode:
    CloseProcesses:
    Task: {0C0DF8FE-17DA-48BD-82A4-D6E8A8CD3415} - System32\Tasks\KuaiZip_Update => C:\Program Files\żěŃą\X86\Update.exe [2017-04-12] (Shanghai Guangle Network Technology Ltd) <==== UWAGA
    Task: {23C29F2F-02F6-4387-BC33-F56F506F6AB1} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-04-12] (UC Web Inc.) <==== UWAGA
    Task: {8FEACC0C-DF3F-4CAA-BCF2-519F06676020} - System32\Tasks\Opera scheduled Autoupdate 1429362916 => C:\Program Files (x86)\Opera\launcher.exe [2017-02-27] (Opera Software)
    C:\ProgramData\service.exe
    C:\ProgramData\igfxDH.dll
    2017-04-12 16:34 - 2017-04-12 16:34 - 00524696 _____ () C:\Program Files\żěŃą\X64\KZipShell.dll
    2017-04-12 16:32 - 2017-04-12 16:34 - 02072064 _____ () C:\Users\ja\AppData\Local\Temp\00027691\msiql.exe
    2017-04-12 16:34 - 2017-04-12 16:34 - 00219032 _____ () c:\program files\żěńą\x86\kuaizipupdatechecker.dll
    AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [25444]
    AlternateDataStreams: C:\Windows\system32\drivers:x64 [1498914]
    AlternateDataStreams: C:\Windows\system32\drivers:x86 [1223458]
    () C:\Users\ja\AppData\Local\Temp\00027691\msiql.exe
    HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\...\Run: [svchost0] => C:\Program Files (x86)\lll\uc.exe [143446 2017-04-10] ()
    HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\...\Run: [msiql] => C:\Users\ja\AppData\Local\Temp\00027691\msiql.exe [2072064 2017-04-12] () <===== UWAGA
    HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\...\MountPoints2: {8e323f2c-461f-11e6-82b6-38b1dba5e41a} - "F:\setup.exe"
    ShellExecuteHooks: Brak nazwy - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\ProgramData\igfxDH.dll [1028096 2017-04-11] ()
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll [2017-04-12] ()
    Tcpip\..\Interfaces\{7AB14436-3F8B-4FAF-8C4F-B343F5B721A3}: [DhcpNameServer] 40.27.1.201
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.interia.pl/#utm_source=instalki&utm_medium=installer&utm_campaign=instalki
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.interia.pl/#utm_source=instalki&utm_medium=installer&utm_campaign=instalki
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPALL14/175
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPALL14/175
    HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.interia.pl/#utm_source=instalki&utm_medium=installer&utm_campaign=instalki
    HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPALL14/175
    SearchScopes: HKLM -> {A128A8D6-5CB9-42E6-B7F6-AA47B7B1CC7B} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKLM-x32 -> {A128A8D6-5CB9-42E6-B7F6-AA47B7B1CC7B} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKU\S-1-5-21-2771973169-3775069162-1019240528-1002 -> {A128A8D6-5CB9-42E6-B7F6-AA47B7B1CC7B} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
    R2 GoogleChromeUpService; C:\ProgramData\service.exe [1620992 2017-04-12] () [Brak podpisu cyfrowego] <==== UWAGA
    R2 KuaizipUpdateChecker; C:\Program Files\żěŃą\X86\kuaizipUpdateChecker.dll [219032 2017-04-12] ()
    R1 cryptfd; C:\Windows\System32\drivers\cryptfd.sys [193448 2017-03-03] ()
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
    S3 GENERICDRV; \??\C:\Users\ADMINI~1\AppData\Local\Temp\pftC976.tmp\amifldrv64.sys [X] <==== UWAGA
    2017-04-12 16:36 - 2017-04-12 16:36 - 00003476 _____ C:\Windows\System32\Tasks\UCBrowserSecureUpdater
    2017-04-12 16:36 - 2017-04-12 16:36 - 00000000 ____D C:\Users\ja\AppData\Local\UCBrowser
    2017-04-12 16:35 - 2017-04-12 16:36 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2017-04-12 16:35 - 2017-04-12 16:35 - 00003424 _____ C:\Windows\System32\Tasks\KuaiZip_Update
    2017-04-12 16:34 - 2017-04-12 17:15 - 00000000 ____D C:\Users\ja\AppData\Roaming\KuaiZip
    2017-04-12 16:34 - 2017-04-12 16:34 - 01620992 _____ C:\ProgramData\service.exe
    2017-04-12 16:34 - 2017-04-12 16:34 - 00092832 _____ (WinMount International Inc) C:\Windows\system32\Drivers\KuaiZipDrive.sys
    2017-04-12 16:34 - 2017-04-12 16:34 - 00000860 _____ C:\Users\ja\AppData\Roaming\Microsoft\Windows\Start Menu\żěŃą.lnk
    2017-04-12 16:34 - 2017-04-12 16:34 - 00000000 ____D C:\Users\ja\AppData\Roaming\Softlink
    2017-04-12 16:33 - 2017-04-12 17:00 - 00000000 ____D C:\Program Files\żěŃą
    2017-04-12 16:33 - 2017-04-12 16:42 - 00000000 ____D C:\Program Files (x86)\Maoha
    2017-04-12 16:33 - 2017-04-12 16:34 - 00000000 ____D C:\Program Files (x86)\lll
    2017-04-12 16:33 - 2017-04-12 16:33 - 00000000 __SHD C:\Users\ja\AppData\Local\svchost
    2017-04-12 16:33 - 2017-04-12 16:33 - 00000000 ____D C:\Users\Public\Documents\XMUpdate
    2017-04-12 16:33 - 2017-04-11 23:04 - 01028096 ___SH C:\ProgramData\igfxDH.dll
    2017-04-12 16:32 - 2017-04-12 16:33 - 00000000 ____D C:\Users\ja\AppData\Roaming\UCChannel
    2017-03-03 04:35 - 2017-03-03 04:35 - 00193448 _____ C:\Windows\system32\Drivers\cryptfd.sys
    2016-11-29 19:07 - 2016-11-29 19:07 - 7065600 _____ () C:\Program Files (x86)\GUT4734.tmp
    C:\Users\ja\AppData\Local\Temp\00027691\msiql.exe
    C:\ProgramData\igfxDH.dll
    C:\ProgramData\service.exe
    EmptyTemp:


    On top of that, delete the file you infected the system from; I'm guessing it's
    2017-04-12 16:16 - 2017-04-12 16:46 - 508389277 _____ C:\Users\ja\Downloads\17_grand_theft_auto_san_andreas.zip
    or:
    2017-04-12 15:50 - 2017-04-12 16:18 - 122003456 ____R C:\Users\ja\Downloads\Farming.Simulator.17.iso


    Use AdwCleaner, the Scan option and then the Clean option: http://www.bleepingcomputer.com/download/adwcleaner/

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    After all of that, post fresh FRST logs from a scan.

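The fixlist in the reply above is a hand-picked set of persistence points (scheduled tasks, Run values, services and drivers, a ShellExecuteHook, an icon-overlay handler, alternate data streams on the drivers directory) that the responder recognised as belonging to the KuaiZip / UC Browser bundle. The added example below, which is not part of the thread and not FRST's own code, encodes the reasons a triager would give for each of those picks as checks over FRST log lines: an autorun target sitting in %TEMP% or loose in C:\ProgramData, a driver loaded from an NTFS alternate data stream (the `:ucdrv-x64.sys` suffix), a service with no signature or no publisher, a Run value named after a system process but launched from outside the Windows directory, an unnamed ShellExecuteHook, and a hidden+system file dropped into ProgramData. The sample input is a constructed subset of the lines posted above; the heuristic names and thresholds are this example's own assumptions, not FRST output fields.

```python
"""Triage FRST log lines for the persistence indicators discussed in the thread.

Added example (not from the forum post and not part of FRST). Heuristics and
reason strings are assumptions made for this example; a real run would read
FRST.txt / Addition.txt from the machine instead of SAMPLE_LOG.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the fixlist lines quoted in the reply above.
SAMPLE_LOG = r"""
Task: {23C29F2F-02F6-4387-BC33-F56F506F6AB1} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-04-12] (UC Web Inc.) <==== UWAGA
Task: {8FEACC0C-DF3F-4CAA-BCF2-519F06676020} - System32\Tasks\Opera scheduled Autoupdate 1429362916 => C:\Program Files (x86)\Opera\launcher.exe [2017-02-27] (Opera Software)
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [25444]
HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\...\Run: [svchost0] => C:\Program Files (x86)\lll\uc.exe [143446 2017-04-10] ()
HKU\S-1-5-21-2771973169-3775069162-1019240528-1002\...\Run: [msiql] => C:\Users\ja\AppData\Local\Temp\00027691\msiql.exe [2072064 2017-04-12] () <===== UWAGA
ShellExecuteHooks: Brak nazwy - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\ProgramData\igfxDH.dll [1028096 2017-04-11] ()
R2 GoogleChromeUpService; C:\ProgramData\service.exe [1620992 2017-04-12] () [Brak podpisu cyfrowego] <==== UWAGA
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
R1 cryptfd; C:\Windows\System32\drivers\cryptfd.sys [193448 2017-03-03] ()
2017-04-12 16:33 - 2017-04-11 23:04 - 01028096 ___SH C:\ProgramData\igfxDH.dll
"""

# First Windows path ending in a binary extension; "(x86)" contains no dot so
# the non-greedy match does not stop inside "Program Files (x86)".
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]<>]*?\.(?:exe|dll|sys|tmp))", re.IGNORECASE)
SYSTEM_PROCESS_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "services")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def extract_path(line: str):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def is_ads_path(path: str) -> bool:
    # A colon after the drive letter means the name is an NTFS alternate data
    # stream, e.g. ...\Security:ucdrv-x64.sys (the driver hides inside a folder).
    return ":" in path[2:]


def in_staging_dir(path: str) -> bool:
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return True
    # A loose executable directly under C:\ProgramData, with no product folder.
    return re.match(r"c:\\programdata\\[^\\]+$", p) is not None


def triage_line(raw: str) -> List[str]:
    line = raw.strip()
    if not line:
        return []
    reasons: List[str] = []
    low = line.lower()
    path = extract_path(line)
    is_service = re.match(r"^[RS]\d\s", line) is not None
    is_autorun = (line.startswith(("Task:", "ShellExecuteHooks:", "ShellIconOverlayIdentifiers:"))
                  or "\\Run:" in line or is_service)

    if "<====" in line:
        reasons.append("marked by FRST itself (<==== ATTENTION / UWAGA)")
    if line.startswith("AlternateDataStreams:") and "\\windows\\system32\\" in low:
        reasons.append("alternate data stream attached to a system directory")
    if path and is_autorun:
        if is_ads_path(path):
            reasons.append("binary loaded from an alternate data stream")
        if in_staging_dir(path):
            reasons.append("autorun target in a user-writable staging directory")
    if is_service and ("[brak podpisu cyfrowego]" in low or "[no digital signature]" in low):
        reasons.append("service/driver binary has no digital signature")
    if is_service and re.search(r"\]\s*\(\)", line):
        reasons.append("service/driver binary carries no publisher name")
    m = re.search(r"\\Run: \[([^\]]+)\]", line)
    if m and path and m.group(1).lower().startswith(SYSTEM_PROCESS_NAMES) \
            and "\\windows\\" not in path.lower():
        reasons.append("Run value mimics a system process name but runs from outside the Windows directory")
    if line.startswith("ShellExecuteHooks:") and ("brak nazwy" in low or "no name" in low):
        reasons.append("unnamed ShellExecuteHook (loaded into every process that calls ShellExecute)")
    if re.search(r"\s\d{7,9}\s_*SH[A-Z]*\s", line) and path and "\\windows\\" not in path.lower():
        reasons.append("hidden+system attributes on a user-land file")
    return reasons


def triage(log: str) -> List[Finding]:
    return [Finding(l.strip(), r) for l in log.splitlines() if (r := triage_line(l))]


def reasons_for(log: str, needle: str) -> List[str]:
    """Reasons for the first log line containing `needle`; [] if clean or absent."""
    for l in log.splitlines():
        if needle in l:
            return triage_line(l)
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:90])
        for r in f.reasons:
            print("   -", r)
```

Run as-is it flags nine of the ten sample lines and leaves the Opera autoupdate task alone, which matches the responder's choice to list Opera only for context. What the script cannot reproduce is the time clustering the reply relies on (everything created 16:32-16:36 on 2017-04-12, right after the game download); that correlation across the file listing is still the analyst's job.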