
Złośliwe oprogramowanie. Adwcleaner nie działa. (logi)

dames 26 May 2017 10:44 822 8
  • #1 26 May 2017 10:44
    dames
    Level 12

    Hi, my computer is cluttered with some software and I don't know how to get rid of it. AdwCleaner doesn't work, it throws some error about the sqlite3.dll file. I'm attaching the FRST and Addition logs.

  • #2 26 May 2017 10:59
    Kolobos
    Computer specialist

    Don't download programs through "download assistants" (dobreprogramy), download only from direct links!

    You infected the system in February and the malicious files are no longer visible in the logs.

    Run this Fixlist.txt with FRST:
    Traffic Exchange (x32 Version: 2.2.0 - Microleaves) Hidden <==== UWAGA

    After running it, uninstall: Traffic Exchange

    Run another Fixlist.txt:
    CloseProcesses:
    Task: {12BF44AF-C6A6-44C3-9C05-74E7E6E996E1} - System32\Tasks\{1DD9C891-51C2-4CA3-BA50-DAF798CE5E09} => Chrome.exe hxxps://www.skype.com/go/downloading?source=l...mp;amp;ver=7.32.0.104&amp;LastError=12007
    Task: {3794E68A-AFB2-4047-80EE-CF20075AE120} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe [2017-02-07] (Microleaves LTD) <==== UWAGA
    Task: {5BD2D85C-A891-4964-B4DC-F3EED3FAA523} - System32\Tasks\{0EA101B5-C747-4820-A5D6-94A6EBD4892F} => pcalua.exe -a "C:\Program Files (x86)\Maoha\MaohaAP\Uninstall.exe"
    Task: {64DFE515-2063-4236-8C32-775E13770DCC} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe [2017-02-07] (Microleaves LTD) <==== UWAGA
    Task: {824D5367-D9C9-49DD-A5EF-EA5F30D09BCA} - System32\Tasks\RDx5ptCBZdre => rdx5ptcbzdre.exe
    Task: {F0F09BCB-5FA5-45E4-A741-835955F61C52} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe [2017-02-07] (Microleaves LTD) <==== UWAGA
    Task: {FADCCE9A-6926-45D3-BA6B-5E61A4335F60} - System32\Tasks\{B2AC0850-E442-4B79-95C7-98713DF6033F} => Chrome.exe hxxps://www.skype.com/go/downloading?source=l...mp;amp;ver=7.32.0.104&amp;LastError=12007
    Task: C:\Windows\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe <==== UWAGA
    Task: C:\Windows\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe <==== UWAGA
    Task: C:\Windows\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe <==== UWAGA
    WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
    ShortcutWithArgument: C:\Users\Przemek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\Users\Przemek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\Users\Przemek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Przemek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\Users\Przemek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\Users\Przemek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Przemek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\Users\Przemek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Przemek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktop.com/
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Przemek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktop.com/
    2017-04-14 16:05 - 2017-04-14 16:05 - 00524696 _____ () C:\Program Files\żěŃą\X64\KZipShell.dll
    AlternateDataStreams: C:\ProgramData:NT [40]
    AlternateDataStreams: C:\ProgramData:NT2 [432]
    AlternateDataStreams: C:\Users\All Users:NT [40]
    AlternateDataStreams: C:\Users\All Users:NT2 [432]
    AlternateDataStreams: C:\ProgramData\Application Data:NT [40]
    AlternateDataStreams: C:\ProgramData\Application Data:NT2 [432]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT [40]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT2 [432]
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT [40]
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [432]
    AlternateDataStreams: C:\Users\Przemek\Dane aplikacji:NT [40]
    AlternateDataStreams: C:\Users\Przemek\Dane aplikacji:NT2 [432]
    AlternateDataStreams: C:\Users\Przemek\AppData\Roaming:NT [40]
    AlternateDataStreams: C:\Users\Przemek\AppData\Roaming:NT2 [432]
    (Microleaves LTD) C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe
    (Microleaves LTD) C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe
    (Microleaves LTD) C:\Program Files (x86)\Microleaves\Traffic Exchange\Version 2.2.0\Online-Guardian.exe
    (xperper ltd) C:\Program Files (x86)\RDx5ptCBZdre\rdx5ptcbzdre.exe
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\...\MountPoints2: G - G:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\...\MountPoints2: {2238eab6-41db-11e7-8330-002215809d02} - G:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\...\MountPoints2: {2238eaba-41db-11e7-8330-002215809d02} - G:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\...\MountPoints2: {84e558c6-2107-11e7-ad3d-002215809d02} - H:\LG_PC_Programs.exe
    HKU\S-1-5-18\...\Run: [] => [X]
    ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll [2017-04-14] ()
    Tcpip\..\Interfaces\{1FEFDF1C-FA1B-44E1-A430-A272C28041BA}: [NameServer] 82.163.142.8,95.211.158.136
    Tcpip\..\Interfaces\{856BCEE4-75B5-47F7-9B6A-9AE2CC8A6CBB}: [NameServer] 82.163.142.8,95.211.158.136
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...dvpWAjLaV8yRHg1kEYygBOi0v9h1xx_NY4aMY,&q={searchTerms}
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61...VoIpVXGcHtoiU0WiLfU6oGtxpwpjdnGBjZ6_9IDN2kPA,,
    HKU\S-1-5-21-2388567375-3910309723-4126963247-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    URLSearchHook: HKLM-x32 - SHOUTcast Toolbar Search Class - {14f0d511-36a2-41ca-ae01-ba4f87282c97} - C:\Program Files (x86)\SHOUTcast Radio Toolbar\shoutcasttb.dll (AOL LLC)
    URLSearchHook: HKU\S-1-5-21-2388567375-3910309723-4126963247-1000 - SHOUTcast Toolbar Search Class - {14f0d511-36a2-41ca-ae01-ba4f87282c97} - C:\Program Files (x86)\SHOUTcast Radio Toolbar\shoutcasttb.dll (AOL LLC)
    SearchScopes: HKLM-x32 -> DefaultScope {40439b93-f815-4122-8073-d03bed94c303} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-shoutcast-chromesbox-en-us
    SearchScopes: HKLM-x32 -> {40439b93-f815-4122-8073-d03bed94c303} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-shoutcast-chromesbox-en-us
    SearchScopes: HKU\S-1-5-21-2388567375-3910309723-4126963247-1000 -> {40439b93-f815-4122-8073-d03bed94c303} URL = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50-ie-shoutcast-chromesbox-en-us
    BHO-x32: SHOUTcast Loader -> {ccec60fc-2608-4e58-9659-3ffc159e8ea9} -> C:\Program Files (x86)\SHOUTcast Radio Toolbar\shoutcasttb.dll [2008-09-17] (AOL LLC)
    Toolbar: HKLM-x32 - SHOUTcast Radio Toolbar - {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - C:\Program Files (x86)\SHOUTcast Radio Toolbar\shoutcasttb.dll [2008-09-17] (AOL LLC)
    Toolbar: HKU\S-1-5-21-2388567375-3910309723-4126963247-1000 -> Brak nazwy - {0457331D-8CA6-4F97-9C26-6A9EF2B2DBA8} - Brak pliku
    CHR HomePage: Default -> hxxp://www.mylucky123.com/?type=hp&ts=147...pm0616&uid=SAMSUNGXHD322HJ_S17AJ1CQ700314
    CHR DefaultSearchURL: Default -> hxxp://translate.google.pl/?source=osdd#auto
    CHR Extension: (easychrome) - C:\Users\Przemek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk [2017-04-14]
    S2 RDx5ptCBZdre Updater; C:\Program Files (x86)\RDx5ptCBZdre Updater\RDx5ptCBZdre Updater.exe [X]
    R1 cryptfd; C:\Windows\System32\drivers\cryptfd.sys [193448 2017-03-03] ()
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
    S3 FairplayKD; \??\C:\ProgramData\MTA San Andreas All\Common\temp\FairplayKD.sys [X]
    S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
    2017-05-14 14:47 - 2017-05-14 14:48 - 01238392 _____ ( ) C:\Users\Przemek\Downloads\KMPlayer-12538-AsystentPobierania.exe
    2017-05-14 11:23 - 2017-05-14 11:23 - 01238392 _____ ( ) C:\Users\Przemek\Downloads\Windows-Movie-Maker-11546-AsystentPobierania.exe
    2017-05-26 10:34 - 2017-04-14 16:04 - 00000338 _____ C:\Windows\Tasks\Traffic Exchange v209 - 3.job
    2017-05-26 10:34 - 2017-04-14 16:04 - 00000338 _____ C:\Windows\Tasks\Traffic Exchange v209 - 2.job
    2017-05-26 10:34 - 2017-04-14 16:04 - 00000338 _____ C:\Windows\Tasks\Traffic Exchange v209 - 1.job
    2017-05-26 10:24 - 2017-04-14 19:33 - 00000000 ____D C:\AdwCleaner
    2017-05-26 08:26 - 2017-04-14 16:06 - 00000000 ____D C:\Users\Przemek\AppData\Roaming\KuaiZip
    2017-04-14 16:07 - 2017-04-14 16:07 - 1895383 _____ () C:\Users\Przemek\AppData\Roaming\Doublefix.bin
    2017-04-14 16:07 - 2017-04-14 16:01 - 0994304 _____ () C:\Users\Przemek\AppData\Roaming\Joblax.exe
    2017-04-14 16:07 - 2017-04-14 16:07 - 1893797 _____ () C:\Users\Przemek\AppData\Roaming\Joblax.tst
    2017-04-14 16:01 - 2017-04-14 16:01 - 0994304 _____ () C:\Users\Przemek\AppData\Roaming\Trio-Com.exe
    2017-04-14 16:07 - 2017-04-14 16:07 - 0278508 _____ () C:\Users\Przemek\AppData\Roaming\Trio-Com.tst
    2017-04-13 23:39 - 2017-04-13 23:39 - 0000016 _____ () C:\ProgramData\mntemp
    C:\Program Files (x86)\Microleaves\
    C:\Program Files (x86)\UCBrowser\
    C:\Program Files\żěŃą\
    C:\Program Files (x86)\RDx5ptCBZdre\
    EmptyTemp:

    After running it, post new FRST logs.

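A defender-side triage script for FRST-style log lines, added here as an example; it is not part of this thread and not FRST's own code. The sample lines are constructed after the line types in the fixlist above (a scheduled task pointing at a bare executable, a browser shortcut with a forced extension and start URL, public DNS resolvers on an interface, a driver image stored in an NTFS alternate data stream), and the rules are review prompts, not verdicts.

```python
import ipaddress
import re

# Constructed sample in FRST log format, modelled on the line types in the thread above
# (placeholder GUIDs such as {0000-GOOD} mark the benign control lines).
SAMPLE_LOG = r"""
Task: {824D5367-D9C9-49DD-A5EF-EA5F30D09BCA} - System32\Tasks\RDx5ptCBZdre => rdx5ptcbzdre.exe
Task: {0000-GOOD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Inc.)
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Przemek\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktop.com/
Tcpip\..\Interfaces\{1FEFDF1C-FA1B-44E1-A430-A272C28041BA}: [NameServer] 82.163.142.8,95.211.158.136
Tcpip\..\Interfaces\{0000-GOOD}: [NameServer] 192.168.1.1
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.)
R1 cdrom; C:\Windows\System32\drivers\cdrom.sys [174592 2016-07-16] (Microsoft Corporation)
"""

DRIVER_RE = re.compile(r"^[RS]\d \S+; (.+?) \[")
TASK_RE = re.compile(r"^Task: .+? => (.+)$")
NS_RE = re.compile(r"\[NameServer\] (\S+)$")
SHORTCUT_RE = re.compile(r"^ShortcutWithArgument: (.+?\.lnk) -> .+ -> (.+)$")

def triage(log_text):
    """Return (rule, detail) pairs for lines that warrant a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := TASK_RE.match(line):
            target = m.group(1)
            # A bare executable name is resolved via PATH at run time; installers register full paths.
            if not re.match(r"^[A-Za-z]:\\", target):
                findings.append(("task-without-full-path", target))
        elif m := SHORTCUT_RE.match(line):
            lnk, args = m.groups()
            # Browser shortcuts carry no arguments normally; a forced extension or start URL is a hijack.
            if "--load-extension" in args or re.search(r"hxxps?://", args):
                findings.append(("hijacked-shortcut", lnk))
        elif m := NS_RE.search(line):
            for ns in m.group(1).split(","):
                # Public resolvers must be checked against what the ISP or admin actually configured.
                if not ipaddress.ip_address(ns).is_private:
                    findings.append(("external-nameserver", ns))
        elif m := DRIVER_RE.match(line):
            path = m.group(1)
            # A second ':' after the drive letter means the image sits in an alternate data stream.
            if ":" in path[2:]:
                findings.append(("driver-in-alternate-data-stream", path))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```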
  • #3 26 May 2017 19:47
    dames
    Level 12

    I can't uninstall Traffic Exchange. It shows up in the uninstall manager, but after double-clicking the application on the list nothing happens.

  • Helpful post
    #4 26 May 2017 19:49
    Kolobos
    Computer specialist

    Skip it and do the rest.

  • Helpful post
    #6 26 May 2017 20:06
    Kolobos
    Computer specialist

    Boot the system into Safe Mode and run this Fixlist.txt there:
    CloseProcesses:
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
    C:\Program Files (x86)\UCBrowser\

    After running it, post a new FRST scan log, made in normal mode. Just frst.txt is enough.

  • Helpful post
    #8 26 May 2017 22:32
    Kolobos
    Computer specialist

    Delete C:\FRST and that's all.

  • #9 26 May 2017 22:39
    dames
    Level 12

    Thanks a lot for the help.
