Elektroda.pl

virus, constant searching.com ads and screenshared

madzik1989 5 May 2017 17:58 384 6
  • #1 5 May 2017 17:58
    madzik1989
    Level 3

    Hello, please check the logs and tell me what to do. Strange things have started happening on my computer: ads keep popping up, some "screenshared" got installed (I have already removed it), and the browser keeps opening http://www-searching.com even though I uninstalled it from Control Panel.
    Please help.

    0 6
  • #2 5 May 2017 18:03
    Kolobos
    Computer specialist

    > please check the logs

    Post them.

    0
  • #4 5 May 2017 18:13
    Kolobos
    Computer specialist

    Back up your Chrome bookmarks; the script will delete the browser profile directory created by the infection.
    Also delete the Chrome sync data from your Google account:
    https://support.google.com/chrome/answer/6386691?hl=pl

    Uninstall: Search module

    Run this Fixlist.txt with FRST:
    CloseProcesses:
    Task: {28DBEBF3-8763-4FAA-86FF-252971D43978} - System32\Tasks\{2AFA93E2-9D51-2449-88DB-5C2DE431B906} => C:\ProgramData\{52EC26DC-E547-9177-B16B-76FC8527CD25}\759EFC08-C235-4BA3-D698-EDE7DD6CB1C1.exe [2017-05-05] () <==== UWAGA
    Task: {45D7075A-699E-455C-8C35-85A09F46B33B} - System32\Tasks\{F09150A0-4DA0-4948-8AD4-A978F4EA9387} => pcalua.exe -a "C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Office Setup Controller\setup.exe" -c /uninstall PROPLUS /dll OSETUP.DLL
    Task: {6235E338-B03B-4489-8016-7A5AA66451AF} - System32\Tasks\{9AFC539F-689A-8A52-3665-1C47D7348A51} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\95aee7d5\edb8264b.dll" <==== UWAGA
    Task: {8310022D-01A7-45A4-A7A3-70DF641E65CF} - System32\Tasks\Microsoft\Windows\Software\UpdaterSrv => C:\ProgramData\UpdaterSrv\UpdaterSrv.exe [2015-11-27] () <==== UWAGA
    Task: {93C584D8-6397-4003-A5A3-2B9B3B779828} - System32\Tasks\Rakeryomary Monitor => C:\Program Files (x86)\Grakat\rakeryomarymntCtp.exe
    Task: {AB2CB4E3-BA2E-426C-922D-A6068634A854} - System32\Tasks\SMW_UpdateTask_Time_323732363437333030342d415034573732456c782a5a45 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== UWAGA
    Task: {AD0A0DB9-ED6E-4B24-8C45-F9F7CDC27477} - \Joropygrosak Debuger -> Brak pliku <==== UWAGA
    Task: {C74C0BB4-14F6-45FA-80C9-508442960B3B} - System32\Tasks\{8D191AEF-8F27-4951-B6DB-D2CA66F8B94F} => pcalua.exe -a "C:\Users\Magda\Desktop\Translator Włoskiego\Start.exe" -d "C:\Users\Magda\Desktop\Translator Włoskiego"
    Task: {CFCE7049-928A-41B4-94E7-7E2BBF96FA0F} - System32\Tasks\{7A7D0547-097F-050F-7A11-0A04057D1104} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwA7ADsAIAA7ADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJABzAGMA (dane wartości zawierają 9576 znaków więcej). <==== UWAGA
    Task: {F65538BB-0D2B-4316-B461-C51EEFD50172} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2017-05-05] (t ) <==== UWAGA
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet-Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-searching.com/?prd=set_epf&s=h...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\ec89064d62497cfa\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\user0 - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-searching.com/?prd=set_epf&s=h...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-searching.com/?prd=set_epf&s=h...cnbl1au,6bb374e1-51e2-4646-90f6-d87df8a92d5e,,
    2017-05-05 17:26 - 2017-05-05 17:26 - 00274432 _____ () C:\Program Files\KMSnano\ZBK7VB9ZEL6K1YRQ\iA-vW572iD.exe
    () C:\Program Files\Windows Media Player\RMH2LLD18CCRCBF2C2F3T3WCBMTCTL\UzqfVoo&T7.exe
    (Search Module Ltd.) C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe
    () C:\Program Files\KMSnano\ZBK7VB9ZEL6K1YRQ\iA-vW572iD.exe
    C:\Program Files\KMSnano\ZBK7VB9ZEL6K1YRQ\
    HKU\S-1-5-21-353550897-592253625-3890224656-1001\...\Run: [iA-vW572iD.exe] => C:\Program Files\KMSnano\ZBK7VB9ZEL6K1YRQ\iA-vW572iD.exe [274432 2017-05-05] ()
    HKU\S-1-5-21-353550897-592253625-3890224656-1001\...\MountPoints2: {79040780-961c-11e6-8286-485ab6e44e20} - "G:\start.exe"
    Tcpip\Parameters: [NameServer] 82.163.143.157 82.163.142.159
    Tcpip\..\Interfaces\{6D8FE638-F1B6-4BEB-A189-26E53BBF87A1}: [NameServer] 82.163.143.157 82.163.142.159
    Tcpip\..\Interfaces\{6D8FE638-F1B6-4BEB-A189-26E53BBF87A1}: [DhcpNameServer] 82.163.143.157
    Tcpip\..\Interfaces\{F8CEAEDD-7546-4165-8F0B-3A534BD6BF18}: [NameServer] 82.163.143.157 82.163.142.159
    Tcpip\..\Interfaces\{F8CEAEDD-7546-4165-8F0B-3A534BD6BF18}: [DhcpNameServer] 82.163.143.157
    Tcpip\..\Interfaces\{FE3CD558-75D6-427F-9B71-0B6283118A54}: [NameServer] 82.163.143.157 82.163.142.159
    HKU\S-1-5-21-353550897-592253625-3890224656-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www-searching.com/?pid=s&s=H55zbcn...6-90f6-d87df8a92d5e,&vp=ch&prd=set_ie
    SearchScopes: HKU\S-1-5-21-353550897-592253625-3890224656-1001 -> {2F4C9571-A4B7-46DF-AB0E-5FEB4C6F799C} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=H55zbcnbl1AU,6bb374e1-51e2-4646-90f6-d87df8a92d5e,
    FF ProfilePath: C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\ngqmfu5c.default\Profiles\ngqmfu5c.default [nie znaleziono]
    FF ProfilePath: C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\ngqmfu5c.default\Profiles\rca7ziab.default-1468949821850 [nie znaleziono]
    FF user.js: detected! => C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\ngqmfu5c.default\user.js [2016-11-05]
    FF NewTab: Mozilla\Firefox\Profiles\ngqmfu5c.default ->
    FF SelectedSearchEngine: Mozilla\Firefox\Profiles\ngqmfu5c.default ->
    FF Keyword.URL: Mozilla\Firefox\Profiles\ngqmfu5c.default -> hxxp://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=H55zbcnbl1AU,6bb374e1-51e2-4646-90f6-d87df8a92d5e,
    FF Homepage: Mozilla\Firefox\Profiles\ngqmfu5c.default ->
    FF SearchPlugin: C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\ngqmfu5c.default\searchplugins\smod.xml [2017-05-05]
    FF user.js: detected! => C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\rca7ziab.default-1468949821850\user.js [2016-11-05]
    CHR DefaultProfile: ChromeDefaultData
    CHR HomePage: ChromeDefaultData -> hxxp://google.com/
    CHR Profile: C:\Users\Magda\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-05] <==== UWAGA
    CHR HKU\S-1-5-21-353550897-592253625-3890224656-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Magda\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2016-09-15]
    CHR HKU\S-1-5-21-353550897-592253625-3890224656-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    R2 Recover; C:\Program Files\Windows Media Player\RMH2LLD18CCRCBF2C2F3T3WCBMTCTL\UzqfVoo&T7.exe [653312 2017-05-05] () [Brak podpisu cyfrowego]
    R2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe [2989056 2017-05-05] (Search Module Ltd.) [Brak podpisu cyfrowego] <==== UWAGA
    S2 CfHelper33; "C:\Users\MSUser.Default\Help_3\CfHelp33.exe" 3e19779b2974487e881c2174c0562504 [X] <==== UWAGA
    S2 CfHelper44; "C:\Users\MSUser.Default\Help_4\CfHelp44.exe" b48f42ba07304dd38f2ef02dfd46c678 [X] <==== UWAGA
    S2 CfHelper55; "C:\Users\MSUser.Default\Help_5\CfHelp55.exe" 388837891c4f496ea6203a5f71b2a421 [X] <==== UWAGA
    S2 CfHelper66; "C:\Users\MSUser.Default\Help_6\CfHelp66.exe" affe6dc7e5264e7e8e5695737342bee0 [X] <==== UWAGA
    S2 JoropygrosakDebuger; C:\Program Files (x86)\Ceseied\clhBuilder.dll [X]
    S2 SoSoIm3; "C:\Program Files (x86)\SoSoIm_3\SoSoIm3.exe" c54102ea829e4d458c86147e71427a8f [X] <==== UWAGA
    S2 SoSoIm4; "C:\Program Files (x86)\SoSoIm_4\SoSoIm4.exe" 420f678469254505a655a4b567f7c9a0 [X] <==== UWAGA
    S2 SoSoIm5; "C:\Program Files (x86)\SoSoIm_5\SoSoIm5.exe" ae2ce54ab1294744903dca4a5f8539bf [X] <==== UWAGA
    S2 SoSoIm6; "C:\Program Files (x86)\SoSoIm_6\SoSoIm6.exe" e47b5abf08794d6b8b774f94eeb062f4 [X] <==== UWAGA
    R3 SMUpdd; C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [52992 2017-05-05] ()
    2017-05-05 17:52 - 2017-05-05 17:53 - 00000000 ____D C:\AdwCleaner
    2017-05-05 17:31 - 2017-05-05 17:31 - 00023472 _____ C:\Windows\System32\Tasks\{7A7D0547-097F-050F-7A11-0A04057D1104}
    2017-05-05 17:31 - 2017-05-05 17:31 - 00000000 ____D C:\ProgramData\471c6536-0e13-0
    2017-05-05 17:28 - 2017-05-05 17:48 - 00000000 ____D C:\ProgramData\42749f89-68e1-0
    2017-05-05 17:28 - 2017-05-05 17:48 - 00000000 ____D C:\ProgramData\42749f89-0c75-1
    2017-05-05 17:27 - 2017-05-05 17:27 - 00320000 _____ (t ) C:\ProgramData\smp2.exe
    2017-05-05 17:27 - 2017-05-05 17:27 - 00004236 _____ C:\Windows\System32\Tasks\SMW_UpdateTask_Time_323732363437333030342d415034573732456c782a5a45
    2017-05-05 17:27 - 2017-05-05 17:27 - 00004146 _____ C:\Windows\System32\Tasks\SMW_P
    2017-05-05 17:27 - 2017-05-05 17:27 - 00000000 ____H C:\Windows\system32\BITDEF9.tmp
    2017-05-05 17:27 - 2017-05-05 17:27 - 00000000 ____D C:\ProgramData\SearchModule
    2017-05-05 17:27 - 2017-05-05 17:27 - 00000000 ____D C:\Program Files\Common Files\Noobzo
    2017-05-05 17:26 - 2017-05-05 17:26 - 00004028 _____ C:\Windows\System32\Tasks\{2AFA93E2-9D51-2449-88DB-5C2DE431B906}
    2017-05-05 17:26 - 2017-05-05 17:26 - 00003728 _____ C:\Windows\System32\Tasks\{9AFC539F-689A-8A52-3665-1C47D7348A51}
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\95aee7d5
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\471c6536-1225-0
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\{52EC26DC-E547-9177-B16B-76FC8527CD25}
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\{3f890ada-012c-0}
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\{248c6886-712c-1}
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\{1594A9FE-A23F-1E55-F4B8-4DC87385442E}
    2017-05-05 17:26 - 2017-05-05 17:26 - 00000000 ____D C:\Program Files (x86)\ScreenShared
    2017-05-05 17:25 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\42749f89-6905-1
    2017-05-05 17:25 - 2017-05-05 17:26 - 00000000 ____D C:\ProgramData\42749f89-14e7-0
    2017-05-05 17:24 - 2017-05-05 17:27 - 00000000 ____D C:\Users\Magda\AppData\Local\IpMon
    2017-05-05 17:27 - 2017-05-05 17:27 - 0320000 _____ (t ) C:\ProgramData\smp2.exe
    EmptyTemp:

    In FRST, choose Fix.

    Once done, post new FRST logs from a fresh scan.

    0
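The fixlist above is built by reading FRST output line by line and picking out the entries that point at the infection: scheduled tasks running from ProgramData or through script hosts and encoded PowerShell, browser shortcuts whose argument is a URL, DNS servers that do not belong to the network, services whose binaries are missing or unsigned, and browser settings pointing at the hijacker's domain. The script below is an added example, not part of the thread and not FRST's own code; it does that triage mechanically over FRST-style lines. The sample log is constructed in FRST's format (it reuses the www-searching.com pattern and the 82.163.x.x resolvers seen in the thread, the rest is made up), and the resolver and known-good host allowlists are assumptions to be adapted to the environment being examined.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for fixlist candidates.

Added example; not FRST's code. FRST defangs URLs as hxxp:// and marks lines
it finds notable with "<==== ATTENTION" ("<==== UWAGA" in the Polish build).
"""
import ipaddress
import re

# Assumption: resolvers considered legitimate in this environment.
DNS_ALLOWLIST = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# Assumption: hosts a stock browser config may legitimately reference.
KNOWN_GOOD_HOSTS = {"google.com", "www.google.com", "clients2.google.com"}

ATTENTION = re.compile(r"<====\s*(ATTENTION|UWAGA)")
HOST = re.compile(r"hxxps?://([^/\s?]+)", re.I)
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe",
                "regsvr32.exe", "rundll32.exe", "mshta.exe")


def _trusted_dns(ip):
    """Private, loopback or allowlisted resolvers are not reported."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or ip in DNS_ALLOWLIST


def classify(line):
    """Return (category, reason) for a line worth putting in a fixlist, else None."""
    s = line.strip()
    low = s.lower()
    if s.startswith("Task:"):
        if "-encodedcommand" in low:
            return ("task", "scheduled task runs encoded PowerShell")
        if "\\programdata\\" in low:
            return ("task", "scheduled task executes from ProgramData")
        if any(h in low for h in SCRIPT_HOSTS):
            return ("task", "scheduled task launched via script host / LOLBin")
        if ATTENTION.search(s):
            return ("task", "flagged by FRST")
        return None
    if s.startswith("ShortcutWithArgument:"):
        if re.search(r"->\s*hxxps?://", s):
            return ("shortcut", "browser shortcut opens a URL (search hijack)")
        return None
    m = re.search(r"\[(?:Dhcp)?NameServer\]\s*(.+)$", s)
    if s.startswith("Tcpip") and m:
        bad = [ip for ip in m.group(1).split() if not _trusted_dns(ip)]
        return ("dns", "unexpected DNS server(s): " + ", ".join(bad)) if bad else None
    if re.match(r"[RS][0-4]\s", s):  # service / driver entries
        if "[X]" in s:
            return ("service", "service registered but binary missing")
        if ATTENTION.search(s) or "no digital signature" in low or "brak podpisu" in low:
            return ("service", "unsigned or FRST-flagged service")
        return None
    if s.startswith(("FF ", "CHR ", "SearchScopes:")) or "Start Page" in s:
        h = HOST.search(s)
        if h and h.group(1).lower() not in KNOWN_GOOD_HOSTS:
            return ("browser", "browser setting points at " + h.group(1))
    return None


def triage(lines):
    """Run classify() over a log and return the findings in file order."""
    out = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            out.append({"line": n, "category": hit[0], "reason": hit[1], "text": line.strip()})
    return out


# Constructed sample in FRST's format (not a real log).
SAMPLE_LOG = r"""
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\{AAAA} => C:\ProgramData\{BBBB}\dropper.exe [2017-05-05] () <==== ATTENTION
Task: {11111111-2222-3333-4444-666666666666} - System32\Tasks\Backup => C:\Program Files\Backup\backup.exe (Example Vendor)
Task: {11111111-2222-3333-4444-777777777777} - System32\Tasks\{CCCC} => powershell.exe -nologo -executionpolicy bypass -windowstyle hidden -EncodedCommand OwA7ADsA <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www-searching.com/?prd=set_epf
ShortcutWithArgument: C:\Users\Public\Desktop\Editor.lnk -> C:\Program Files\Editor\editor.exe (Example Vendor) -> --safe-mode
Tcpip\Parameters: [NameServer] 82.163.143.157 82.163.142.159
Tcpip\..\Interfaces\{DDDD}: [DhcpNameServer] 192.168.1.1
R2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe [2989056 2017-05-05] (Search Module Ltd.) [No digital signature] <==== ATTENTION
S2 CfHelper33; "C:\Users\MSUser.Default\Help_3\CfHelp33.exe" 3e19779b2974487e881c2174c0562504 [X] <==== ATTENTION
R2 wuauserv; C:\Windows\System32\svchost.exe [2016-07-16] (Microsoft Corporation)
FF Keyword.URL: Mozilla\Firefox\Profiles\abcd1234.default -> hxxp://www-searching.com/search.aspx?q={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['line']:>3} [{f['category']}] {f['reason']}\n     {f['text']}")
```

Each finding is a candidate fixlist line, not a verdict: a task in ProgramData can be legitimate, so the classifier only orders what a human reviews, which is how the fixlist in the post above was assembled by hand.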
  • Helpful post
    #6 5 May 2017 18:35
    Kolobos
    Computer specialist

    Run another Fixlist.txt:
    CHR HKU\S-1-5-21-353550897-592253625-3890224656-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Magda\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2017-05-05]
    CHR HKU\S-1-5-21-353550897-592253625-3890224656-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    2017-05-05 18:27 - 2017-05-05 18:27 - 00000000 ____D C:\Users\Magda\Desktop\FRST-OlderVersion

    Afterwards delete the C:\FRST folder and that's it.

    0
  • #7 5 May 2017 18:37
    madzik1989
    Level 3

    thank you! :)

    0