Zrob kopie zakladek z Chrome, skrypt usunie katalog profilu przegladarki utworzony przez infekcje.
Usun tez dane synchronizacji Chrome z konta google:
https://support.google.com/chrome/answer/6386691?hl=pl
Uruchom system w trybie awaryjnym i wykonaj podany Fixlist.txt dla FRST:
CloseProcesses:
Task: {8CC2AFDF-9E81-4292-A8CF-AC259DAF75FF} - System32\Tasks\Kernel Administration Manager => Rundll32.exe "C:\Program Files\Kernel Administration Manager\Kernel Administration Manager.dll",BhuAzwbkZEKv
Task: {A1B96E99-0879-4C03-BFB6-FC9E34CBFDC2} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-03] (UC Web Inc.) <==== UWAGA
Task: {C03C2133-B3DC-4812-834B-F3DEDC275FD4} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2017-03-07] (UCWeb Inc) <==== UWAGA
Task: {F8578110-CBA5-4334-910E-4B8C2F85773D} - System32\Tasks\Microsoft\Windows\DeviceSettings\Idydrusis => msiexec.exe /i hxxp://D2bUH1bF1g584W.clOuDfroNt.net/mmtsk/occup.php?p=KINGSTONXSV300S37A120G_50026B77610A5E40&d=20170603 /q <==== UWAGA
Task: {FDCD01E7-6E97-4D70-9686-059486B68E5E} - System32\Tasks\Fipoph Module => C:\Program Files (x86)\Arohtjoripy\yaupdcache.exe [2017-06-03] ()
Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1498914]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1223458]
Hosts:
() C:\Program Files (x86)\UCBrowser\Application\UCService.exe
() C:\Windows\Temp\g6810.tmp.exe
() C:\Windows\Temp\gB284.tmp.exe
() C:\Program Files (x86)\UCBrowser\Application\6.1.2107.204\UCAgent.exe
HKLM\...\RunOnce: [ACER] => C:\WINDOWS\TEMP\g6810.tmp.exe [307200 2017-06-03] () <===== UWAGA
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== UWAGA
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== UWAGA
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (U)
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (U)
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (U)
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== UWAGA
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (U)
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== UWAGA
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (U)
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== UWAGA
HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== UWAGA
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== UWAGA
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== UWAGA
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== UWAGA
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== UWAGA
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (U)
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== UWAGA
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== UWAGA
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (U)
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== UWAGA
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== UWAGA
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== UWAGA
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== UWAGA
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== UWAGA
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== UWAGA
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== UWAGA
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (U)
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (U)
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== UWAGA
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (U)
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== UWAGA
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== UWAGA
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== UWAGA
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== UWAGA
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (U)
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (U)
HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== UWAGA
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== UWAGA
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== UWAGA
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (U)
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== UWAGA
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== UWAGA
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== UWAGA
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== UWAGA
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== UWAGA
HKLM\...\Providers\yvc7qtc8: C:\Program Files (x86)\Fipoph Module\local64spl.dll [317440 2017-06-03] ()
ShellExecuteHooks: Brak nazwy - {7A593C30-45A3-11E7-95D6-64006A5CFC23} - C:\Users\amalu\AppData\Roaming\Pevghtbuhers\Clersok.dll -> Brak pliku
ShellIconOverlayIdentifiers: [JzShlobj] -> {9A0700D2-920A-4E52-8697-9B5230C92612} => C:\Program Files (x86)\Maoha\JiSuZip\JZipExt.dll [2016-12-27] (深圳市猫哈网络科技发展有限公司)
CHR DefaultProfile: mizedomdocaentareferly
CHR HomePage: mizedomdocaentareferly -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBP-OqRkK_4g5H3zXx0q1D1XXsHhKKzkrGYp8649S1hnbnkV2qjwWs0k-SH9wpg64E5kbxrDmM0MvcO4FxT2ZW_tNaIKu_IheMB9UXFvEhH1GBJMUXFiQ5hbhU7ZxZblpAvOuRnbANUs-ElSRhUba4Ay_oYTcv1Dnx1Za5ASxJIXRudTB7GB4y9Fk_m9A,,
CHR StartupUrls: mizedomdocaentareferly -> "hxxp://www.onet.pl/","hxxp://www.initialpage123.com/?z=6ab17b7e23d8236f9a286f6g4z9tfq5wfeegagdo8g&from=amz&uid=KINGSTONXSV300S37A120G_50026B77610A5E40&type=hp"
CHR DefaultSearchURL: mizedomdocaentareferly -> hxxp://www.initialpage123.com/search/?q={searchTerms}&z=6ab17b7e23d8236f9a286f6g4z9tfq5wfeegagdo8g&from=amz&uid=KINGSTONXSV300S37A120G_50026B77610A5E40&type=sp
CHR DefaultSearchKeyword: mizedomdocaentareferly -> 78initialpage123
CHR Profile: C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly [2017-06-03] <==== UWAGA
C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly
CHR HKU\S-1-5-21-2577339698-3773371970-456053641-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
R2 UCBrowserSvc; C:\Program Files (x86)\UCBrowser\Application\UCService.exe [599440 2017-03-07] () <==== UWAGA
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
2017-06-03 17:35 - 2017-06-03 17:35 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
2017-06-03 17:24 - 2017-06-03 17:34 - 00000000 ____D C:\AdwCleaner
2017-06-03 16:47 - 2017-06-03 16:47 - 00003484 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2017-06-03 16:47 - 2017-06-03 16:47 - 00000466 _____ C:\WINDOWS\Tasks\UCBrowserUpdater.job
2017-06-03 16:46 - 2017-06-03 16:46 - 00016916 _____ C:\WINDOWS\System32\Tasks\Kernel Administration Manager
2017-06-03 16:46 - 2017-06-03 16:46 - 00000000 ____D C:\Users\amalu\AppData\Local\UCBrowser
2017-06-03 16:46 - 2017-06-03 16:46 - 00000000 ____D C:\Program Files (x86)\UCBrowser
2017-06-03 16:45 - 2017-06-03 16:49 - 00000000 ____D C:\Users\amalu\AppData\Roaming\Pevghtbuhers
2017-06-03 16:45 - 2017-06-03 16:45 - 00006082 _____ C:\WINDOWS\System32\Tasks\Fipoph Module
2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Users\amalu\AppData\Local\Couserchwuwsh
2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\极速压缩
2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Program Files (x86)\Fipoph Module
2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Program Files (x86)\Arohtjoripy
2017-06-03 16:45 - 2016-12-27 04:34 - 00025432 _____ C:\WINDOWS\system32\Drivers\vcdrom.sys
2017-06-03 16:44 - 2017-06-03 16:44 - 00000000 ____D C:\Program Files (x86)\Maoha
2017-06-03 16:43 - 2017-06-03 16:47 - 00000000 ____D C:\Users\amalu\AppData\Local\nav.tools
2017-05-25 03:43 - 2017-05-25 03:43 - 00195496 _____ C:\WINDOWS\system32\Drivers\cryptfd.sys
EmptyTemp:
Po wykonaniu zamiesc nowe logi z FRST, ze skanowania (z trybu normalnego).