Elektroda.pl

Request to check FRST logs

am44 03 Jun 2017 17:57 684 10
  • #1 03 Jun 2017 17:57
    am44
    Level 20

    Please check my FRST logs. Some Chinese browser add-ons have "taken up residence" on my disk. I used AdwCleaner. It found and removed several dozen errors, but the Chinese programs are still there. I was not using any browser, so I suspect I got the virus from a USB stick with data on it.

    0 10
  • #2 03 Jun 2017 18:25
    Kolobos
    Computer specialist

    Make a copy of your Chrome bookmarks; the script will delete the browser profile directory created by the infection.
    Also delete the Chrome sync data from your Google account:
    https://support.google.com/chrome/answer/6386691?hl=pl

    Boot the system into Safe Mode and run the following Fixlist.txt with FRST:
    CloseProcesses:
    Task: {8CC2AFDF-9E81-4292-A8CF-AC259DAF75FF} - System32\Tasks\Kernel Administration Manager => Rundll32.exe "C:\Program Files\Kernel Administration Manager\Kernel Administration Manager.dll",BhuAzwbkZEKv
    Task: {A1B96E99-0879-4C03-BFB6-FC9E34CBFDC2} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-03] (UC Web Inc.) <==== UWAGA
    Task: {C03C2133-B3DC-4812-834B-F3DEDC275FD4} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe [2017-03-07] (UCWeb Inc) <==== UWAGA
    Task: {F8578110-CBA5-4334-910E-4B8C2F85773D} - System32\Tasks\Microsoft\Windows\DeviceSettings\Idydrusis => msiexec.exe /i hxxp://D2bUH1bF1g584W.clOuDfroNt.net/mmtsk/oc...0S37A120G_50026B77610A5E40&d=20170603 /q <==== UWAGA
    Task: {FDCD01E7-6E97-4D70-9686-059486B68E5E} - System32\Tasks\Fipoph Module => C:\Program Files (x86)\Arohtjoripy\yaupdcache.exe [2017-06-03] ()
    Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
    AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1498914]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1223458]
    Hosts:
    () C:\Program Files (x86)\UCBrowser\Application\UCService.exe
    () C:\Windows\Temp\g6810.tmp.exe
    () C:\Windows\Temp\gB284.tmp.exe
    () C:\Program Files (x86)\UCBrowser\Application\6.1.2107.204\UCAgent.exe
    HKLM\...\RunOnce: [ACER] => C:\WINDOWS\TEMP\g6810.tmp.exe [307200 2017-06-03] () <===== UWAGA
    HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (U)
    HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (U)
    HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (U)
    HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (U)
    HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (U)
    HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== UWAGA
    HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== UWAGA
    HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (U)
    HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (U)
    HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== UWAGA
    HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (U)
    HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (U)
    HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== UWAGA
    HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (U)
    HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (U)
    HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (U)
    HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (U)
    HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== UWAGA
    HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== UWAGA
    HKLM\...\Providers\yvc7qtc8: C:\Program Files (x86)\Fipoph Module\local64spl.dll [317440 2017-06-03] ()
    ShellExecuteHooks: Brak nazwy - {7A593C30-45A3-11E7-95D6-64006A5CFC23} - C:\Users\amalu\AppData\Roaming\Pevghtbuhers\Clersok.dll -> Brak pliku
    ShellIconOverlayIdentifiers: [JzShlobj] -> {9A0700D2-920A-4E52-8697-9B5230C92612} => C:\Program Files (x86)\Maoha\JiSuZip\JZipExt.dll [2016-12-27] (深圳市猫哈网络科技发展有限公司)
    CHR DefaultProfile: mizedomdocaentareferly
    CHR HomePage: mizedomdocaentareferly -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F...Uba4Ay_oYTcv1Dnx1Za5ASxJIXRudTB7GB4y9Fk_m9A,,,,
    CHR StartupUrls: mizedomdocaentareferly -> "hxxp://www.onet.pl/","hxxp://www.initialpage123.com/?z=6ab17b7e23d8236f9a286f6g4z9tfq5wfeegagdo8g&from=amz&uid=KINGSTONXSV300S37A120G_50026B77610A5E40&type=hp"
    CHR DefaultSearchURL: mizedomdocaentareferly -> hxxp://www.initialpage123.com/search/?q={searchTerms}&z=6ab17b7e23d8236f9a286f6g4z9tfq5wfeegagdo8g&from=amz&uid=KINGSTONXSV300S37A120G_50026B77610A5E40&type=sp
    CHR DefaultSearchKeyword: mizedomdocaentareferly -> 78initialpage123
    CHR Profile: C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly [2017-06-03] <==== UWAGA
    C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly
    CHR HKU\S-1-5-21-2577339698-3773371970-456053641-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    R2 UCBrowserSvc; C:\Program Files (x86)\UCBrowser\Application\UCService.exe [599440 2017-03-07] () <==== UWAGA
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
    2017-06-03 17:35 - 2017-06-03 17:35 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
    2017-06-03 17:24 - 2017-06-03 17:34 - 00000000 ____D C:\AdwCleaner
    2017-06-03 16:47 - 2017-06-03 16:47 - 00003484 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
    2017-06-03 16:47 - 2017-06-03 16:47 - 00000466 _____ C:\WINDOWS\Tasks\UCBrowserUpdater.job
    2017-06-03 16:46 - 2017-06-03 16:46 - 00016916 _____ C:\WINDOWS\System32\Tasks\Kernel Administration Manager
    2017-06-03 16:46 - 2017-06-03 16:46 - 00000000 ____D C:\Users\amalu\AppData\Local\UCBrowser
    2017-06-03 16:46 - 2017-06-03 16:46 - 00000000 ____D C:\Program Files (x86)\UCBrowser
    2017-06-03 16:45 - 2017-06-03 16:49 - 00000000 ____D C:\Users\amalu\AppData\Roaming\Pevghtbuhers
    2017-06-03 16:45 - 2017-06-03 16:45 - 00006082 _____ C:\WINDOWS\System32\Tasks\Fipoph Module
    2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Users\amalu\AppData\Local\Couserchwuwsh
    2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\极速压缩
    2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Program Files (x86)\Fipoph Module
    2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Program Files (x86)\Arohtjoripy
    2017-06-03 16:45 - 2016-12-27 04:34 - 00025432 _____ C:\WINDOWS\system32\Drivers\vcdrom.sys
    2017-06-03 16:44 - 2017-06-03 16:44 - 00000000 ____D C:\Program Files (x86)\Maoha
    2017-06-03 16:43 - 2017-06-03 16:47 - 00000000 ____D C:\Users\amalu\AppData\Local\nav.tools
    2017-05-25 03:43 - 2017-05-25 03:43 - 00195496 _____ C:\WINDOWS\system32\Drivers\cryptfd.sys
    EmptyTemp:

    After running it, post new FRST scan logs (from normal mode).

    0
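The fixlist above bundles several distinct persistence and defence-evasion patterns into one infection: security-vendor code-signing certificates pushed into the Disallowed store (so those products fail to install or run), a scheduled task that runs msiexec against a remote URL, a driver stored in an alternate data stream under system32\drivers and loaded by a service from an ADS path, an autorun launched from TEMP, and a percent-encoded Chrome home page that hides its real host. As an added example (not part of the thread and not FRST's own code), the following Python script buckets FRST-style lines by those patterns so a reader of such a log can see why each line ended up in the fixlist. The sample lines are copied from the thread (defanged hxxp:// kept as-is); the vendor list, category names and severity labels are my own choices, not an FRST convention.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) scan / fixlist lines.

Added example, not part of the thread or of FRST. It classifies lines in the
shape FRST prints into the patterns seen in the thread above.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Constructed sample: lines quoted from the thread, one per pattern, plus one
# harmless date-stamped directory line that should produce no finding.
SAMPLE_LINES = r"""
Task: {F8578110-CBA5-4334-910E-4B8C2F85773D} - System32\Tasks\Microsoft\Windows\DeviceSettings\Idydrusis => msiexec.exe /i hxxp://D2bUH1bF1g584W.clOuDfroNt.net/mmtsk/oc... /q <==== UWAGA
AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
HKLM\...\RunOnce: [ACER] => C:\WINDOWS\TEMP\g6810.tmp.exe [307200 2017-06-03] () <===== UWAGA
HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== UWAGA
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (U)
R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
CHR HomePage: Profile 1 -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F...
2017-06-03 16:45 - 2017-06-03 16:45 - 00000000 ____D C:\Program Files (x86)\Fipoph Module
"""

# Vendor names as they appear in the thread's DisallowedCertificates lines (my own list).
AV_VENDOR_HINTS = (
    "Kaspersky", "ESET", "Avast", "AVG", "Bitdefender", "Symantec", "McAfee",
    "Malwarebytes", "F-Secure", "Trend Micro", "Comodo", "Avira", "Panda",
    "Emsisoft", "Webroot", "Doctor Web", "Check Point", "BullGuard", "K7",
    "SUPERAntiSpyware", "Safer Networking", "Adaware", "ThreatTrack", "PC Tools",
)

FRST_MARKER = re.compile(r"<=+\s*(UWAGA|ATTENTION)")          # FRST's own flag (Polish / English locale)
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]+:\S+$")              # drive:\path:stream -- a second colon means an ADS
SERVICE_LINE = re.compile(r"^[RSU]\d\s+\S+?;\s*(.+?)\s*\[")    # "R1 name; image path [size ...]"
REMOTE_URL = re.compile(r"\b(?:hxxps?|https?)://", re.I)


@dataclass
class Finding:
    category: str
    severity: str
    line: str
    detail: str = ""


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a line that needs attention, or None otherwise."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("HKLM\\ DisallowedCertificates:"):
        m = re.search(r"\(([^)]*)\)", line)
        subject = m.group(1) if m else ""
        if any(v.lower() in subject.lower() for v in AV_VENDOR_HINTS):
            return Finding("security-software-cert-blocked", "high", line, subject)
        return Finding("cert-blocked-unknown-subject", "medium", line, subject)
    if line.startswith("Task:"):
        target = line.split("=>", 1)[1] if "=>" in line else ""
        if "msiexec" in target.lower() and REMOTE_URL.search(target):
            return Finding("task-runs-remote-installer", "high", line, target.strip())
    if line.startswith("AlternateDataStreams:"):
        stream = line.split(":", 1)[1].strip()
        if "\\system32\\drivers:" in stream.lower():
            return Finding("ads-in-driver-directory", "high", line, stream)
        return Finding("alternate-data-stream", "medium", line, stream)
    m = SERVICE_LINE.match(line)
    if m and ADS_PATH.match(m.group(1)):
        return Finding("service-image-in-ads", "high", line, m.group(1))
    if re.search(r"\\Run(?:Once)?:", line) and re.search(r"\\temp\\", line, re.I):
        return Finding("autorun-from-temp", "high", line)
    if line.startswith("CHR ") and re.search(r"://(?:%[0-9A-Fa-f]{2})+", line):
        encoded = line.split("->", 1)[1].strip()
        return Finding("browser-url-obfuscated-host", "medium", line, unquote(encoded))
    if FRST_MARKER.search(line):
        return Finding("flagged-by-frst", "medium", line)
    return None


def triage(text: str) -> list[Finding]:
    """Classify every line of an FRST excerpt, dropping lines with nothing to report."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.category}: {f.detail or f.line}")
    print(severity_counts(triage(SAMPLE_LINES)))
```

The decoded detail of the CHR line is the point worth noticing: the percent-encoded host is plain text to the browser but unreadable to a person skimming the log, which is why such a home page survives a casual "looks fine" check. The Disallowed-store entries for unknown subjects are rated lower only because the subject is unknown; on a machine where nothing legitimate should be writing to that store they deserve the same removal.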
  • #4 03 Jun 2017 19:28
    Kolobos
    Computer specialist

    Did you run the fixlist in Safe Mode? From what I can see, apparently not.
    Did you delete the Chrome sync data from your Google account?

    Run this Fixlist.txt in Safe Mode:
    CloseProcesses:
    Task: {A1D3BB13-4531-4AD6-BAB9-DFCBC3E5C962} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-03] (UC Web Inc.) <==== UWAGA
    AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1498914]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1223458]
    CHR DefaultProfile: mizedomdocaentareferly
    CHR StartupUrls: mizedomdocaentareferly -> "hxxp://www.onet.pl/"
    CHR DefaultSearchURL: mizedomdocaentareferly -> hxxp://www.initialpage123.com/search/?q={searchTerms}&z=6ab17b7e23d8236f9a286f6g4z9tfq5wfeegagdo8g&from=amz&uid=KINGSTONXSV300S37A120G_50026B77610A5E40&type=sp
    CHR DefaultSearchKeyword: mizedomdocaentareferly -> 4initialpage123
    CHR Profile: C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly [2017-06-03] <==== UWAGA
    C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly
    CHR Extension: (Prezentacje Google) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-06-03]
    CHR Extension: (Dokumenty Google) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\aohghmighlieiainnegkcijnfilokake [2017-06-03]
    CHR Extension: (Dysk Google) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-06-03]
    CHR Extension: (YouTube) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-06-03]
    CHR Extension: (Arkusze Google) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-06-03]
    CHR Extension: (Dokumenty Google offline) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-06-03]
    CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-03]
    CHR Extension: (Gmail) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-06-03]
    CHR Extension: (Chrome Media Router) - C:\Users\amalu\AppData\Local\Google\Chrome\User Data\mizedomdocaentareferly\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-03]
    U1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
    2017-06-03 18:52 - 2017-06-03 18:52 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
    2017-06-03 18:50 - 2017-06-03 18:51 - 00000000 ____D C:\AdwCleaner
    2017-06-03 18:48 - 2017-06-03 18:48 - 00000000 ____D C:\Users\amalu\AppData\Local\UCBrowser
    2017-06-03 16:46 - 2017-06-03 16:46 - 00000000 ____D C:\Program Files (x86)\UCBrowser

    This time post the Fixlog.txt that gets created, plus a new FRST scan log.

    0
  • #5 03 Jun 2017 20:59
    am44
    Level 20

    I got into Safe Mode in Win 10. It is completely different from previous systems. I ran the scan. After the previous scan the little Chinese programs disappeared, but the Initialpage123 search engine remained in Chrome. Interestingly, that search engine also showed up on a second computer, on which I had also opened the USB stick.

    0
  • Helpful post
    #6 03 Jun 2017 21:28
    Kolobos
    Computer specialist

    That is why I told you to delete the Chrome sync data from your Google account:
    https://support.google.com/chrome/answer/6386691?hl=pl
    Uninstall Chrome, delete the profile directory from:
    C:\Users\amalu\AppData\Local\Google\Chrome\User Data\Profile 1, then reinstall Chrome.

    The infection is still active.

    Run FRST from WinRE like this:
    http://www.fixitpc.pl/topic/4414-diagnostyka-infekcji-na-niestartujących-windows/
    and run the following Fixlist.txt there:
    Task: {EDC25644-20E3-4696-9070-D6DAFEAAFE42} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [2017-06-03] (UC Web Inc.) <==== UWAGA
    AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1498914]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1223458]
    HKLM\...\RunOnce: [ucdrv_repair] => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe [749456 2017-06-03] (UC Web Inc.)
    CHR HomePage: Profile 1 -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F...Uba4Ay_oYTcv1Dnx1Za5ASxJIXRudTB7GB4y9Fk_m9A,,,,
    CHR StartupUrls: Profile 1 -> "hxxp://www.onet.pl/","hxxp://www.initialpage123.com/?z=6ab17b7e23d8236f9a286f6g4z9tfq5wfeegagdo8g&from=amz&uid=KINGSTONXSV300S37A120G_50026B77610A5E40&type=hp"
    CHR HKU\S-1-5-21-2577339698-3773371970-456053641-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    S1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== UWAGA
    2017-06-03 18:50 - 2017-06-03 19:55 - 00000000 ____D C:\AdwCleaner
    2017-06-03 18:48 - 2017-06-03 18:48 - 00000000 ____D C:\Users\amalu\AppData\Local\UCBrowser
    2017-06-03 16:46 - 2017-06-03 16:46 - 00000000 ____D C:\Program Files (x86)\UCBrowser

    After that, run the same Fixlist once more in normal mode and post new FRST scan logs together with the Fixlog from the run.

    0
  • #8 03 Jun 2017 22:32
    Kolobos
    Computer specialist

    Post an FRST log made in normal mode.

    0
  • #10 04 Jun 2017 12:19
    Kolobos
    Computer specialist

    Run this Fixlist.txt with FRST:
    CHR HomePage: Profile 1 -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F...Uba4Ay_oYTcv1Dnx1Za5ASxJIXRudTB7GB4y9Fk_m9A,,,,
    CHR HKU\S-1-5-21-2577339698-3773371970-456053641-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx

    After running it, check whether the malicious home page in Chrome has been removed.

    0
  • #11 04 Jun 2017 12:37
    am44
    Level 20

    It looks like everything is fine. Thank you.

    0