Infected computer - search.so-v.com. FRST logs

amiza 25 Jun 2017 20:39 438 7
  • #1 25 Jun 2017 20:39
    amiza
    Level 2

    Hello, I would be very grateful for help analysing the FRST logs with a view to removing so-v.com from the Chrome browser. Thanks in advance for your help!

    0 7
  • #2 25 Jun 2017 20:42
    Kolobos
    Computer specialist

    Addition.txt as well.

    0
  • Helpful post
    #4 25 Jun 2017 21:50
    Kolobos
    Computer specialist

    In the Chrome settings, disable restoring the set of pages on browser startup.

    Use AdwCleaner, the Scan option and then Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Run this Fixlist.txt with FRST:
    CustomCLSID: HKU\S-1-5-21-1343957224-3945126396-2009694332-1001_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InprocServer32 -> C:\Program Files\Blender Foundation\Blender\BlendThumb64.dll => No File
    Task: {4CB93D59-838B-4890-9CD2-0961119F48D0} - System32\Tasks\HDvid Codec V6.0-updater => C:\Program Files (x86)\HDvid Codec V6.0\HDvid Codec V6.0-updater.exe <==== ATTENTION
    Task: {BF830628-AB4A-4975-824D-0585792AAABF} - System32\Tasks\{EC26F275-CF3F-4018-A698-9DCFA6D5EDCE} => pcalua.exe -a "C:\Program Files (x86)\epson\escndv\setup\setup.exe" -c /r
    Task: {E2F870A7-51A4-4856-9A1D-5210F8D2E4F3} - System32\Tasks\HDvid Codec V6.0-firefoxinstaller => C:\Program Files (x86)\HDvid Codec V6.0\HDvid Codec V6.0-firefoxinstaller.exe <==== ATTENTION
    Task: C:\WINDOWS\Tasks\HDvid Codec V6.0-firefoxinstaller.job => C:\Program Files (x86)\HDvid Codec V6.0\HDvid Codec V6.0-firefoxinstaller.exe /installxpi /agentregpath='HDvid Codec V6.0' /extensionfilepath C:\Program Files (x86)\HDvid Codec V6.0\45971.xpi' /appid=45971 /srcid='000691' /subid='0' /zdata='0' /bic=19BD583673DD4D39BA22AFC42075D257IE /verifier=fce065f57b3e8759efc0b45e5f0bcc27 /installerversion=1_30_153 /installerfullversion=1.30.153.0 /installationtime=1384381888 /statsdomain=hxxp:/stats.srvstatsdata.com /errorsdomain=hxxp:/errors.srvstatsdata.com /waitforbrowser=300 /extensionid=34f57b0c-8cdb-4914-818c-928df47c6c4f@3a243122-a6fc-40c9-a1e6-ba11e930da09.com /extensionversion=0.93 /prefsbranch=a34f57b0c8cdb4914818c928df47c6c4f3a243122a6fc40c9a1e6ba11e930da09com45971 /updateurl=hxxps:/w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/45971.rdf <==== ATTENTION
    Task: C:\WINDOWS\Tasks\HDvid Codec V6.0-updater.job => C:\Program Files (x86)\HDvid Codec V6.0\HDvid Codec V6.0-updater.exe /runupdater /agentregpath='HDvid Codec V6.0' /appid=45971 /srcid='000691' /subid='0' /zdata='0' /bic=19BD583673DD4D39BA22AFC42075D257IE /verifier=fce065f57b3e8759efc0b45e5f0bcc27 /installerversion=1_30_153 /installationtime=1384381888 /statsdomain=hxxp:/stats.srvstatsdata.com /errorsdomain=hxxp:/errors.srvstatsdata.com /monetizationdomain=hxxp:/stats.syncstatsdata.com /geoserviceurl=hxxp:/ipgeoapi.com/ /updatejsondomain=hxxp:/update.srvstatsdata.com <==== ATTENTION
    Shortcut: C:\Users\Paulina\Desktop\SGH\sztuczna inteligencja\sztuczna inteligencja\RExcel2010 with RCommander.lnk -> C:\Program Files (x86)\RExcel\xls\RExcelWithRCommander2010.bat (No File)
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\Run: [ALLUpdate] => C:\Program Files (x86)\ALLPlayer\ALLUpdate.exe [3670472 2015-07-28] (ALLPlayer Group Ltd.)
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\Run: [Napisy24Update] => "C:\Program Files (x86)\Napisy24\Napisy24Update.exe" "sleep"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {13e3d9f0-7db9-11e6-801c-7054d284416a} - "D:\autorun.exe"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {3e93cdc5-ffe0-11e6-8057-7054d284416a} - "D:\HiSuiteDownLoader.exe"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {81ba073e-a91f-11e6-8033-7054d284416a} - "D:\HiSuiteDownLoader.exe"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {c462efac-8b9c-11e6-8021-7054d284416a} - "D:\autorun.exe"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {c462efad-8b9c-11e6-8021-7054d284416a} - "D:\autorun.exe"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {d1bf661f-42e6-11e4-bed0-7054d284416a} - "D:\Startme.exe"
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {f6f329f1-c6a6-11e4-bee3-7054d284416a} - "D:\Windows\setup.exe" /autorun
    HKU\S-1-5-18\...\Run: [Driver Support] => C:\Program Files (x86)\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false
    AppInit_DLLs: C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll => No File
    Startup: C:\Users\Paulina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOA2.lnk [2016-05-22]
    ShortcutTarget: LOA2.lnk -> C:\LoA2\LOA2.exe (No File)
    GroupPolicy: Restriction - Chrome <==== ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1...mp;uid=TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1...mp;uid=TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF&q={searchTerms}
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912...amp;GUID=BD129797-60E6-402D-8295-A291CFAF41DA
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.delta-homes.com/web/?type=ds&am...TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF&q={searchTerms}
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912...amp;GUID=BD129797-60E6-402D-8295-A291CFAF41DA
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1...mp;uid=TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF
    HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.delta-homes.com/web/?type=ds&am...TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
    SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = hxxp://www.default-search.net/search?sid=492&...=n&ver=12283&tm=335&src=ds&p={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
    SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = hxxp://www.default-search.net/search?sid=492&...=n&ver=12283&tm=335&src=ds&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-1343957224-3945126396-2009694332-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
    SearchScopes: HKU\S-1-5-21-1343957224-3945126396-2009694332-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
    SearchScopes: HKU\S-1-5-21-1343957224-3945126396-2009694332-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = hxxp://www.default-search.net/search?sid=492&...=n&ver=12283&tm=335&src=ds&p={searchTerms}
    BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
    Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.mystartsearch.com/?type=sc&ts=...mp;uid=TOSHIBAXMK6475GSX_92N9YVEAFXX92N9YVEAF
    FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Paulina\AppData\Roaming\Mozilla\Firefox\Profiles\ce34fkfv.default-1458585162637\extensions\default_newtabff@gmail.com => not found
    FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Paulina\AppData\Roaming\Mozilla\Firefox\Profiles\re2uih6k.default-1444064099944\extensions\defsearchp@gmail.com => not found
    FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Paulina\AppData\Roaming\Mozilla\Firefox\Profiles\htk6scqo.default-1437082345138\extensions\deskCutv2@gmail.com => not found
    FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Paulina\AppData\Roaming\Mozilla\Firefox\Profiles\fkowxzv1.default-1448393847113\extensions\yahooprotected@gmail.com => not found
    CHR HomePage: Default -> s.piesearch.com
    CHR StartupUrls: Default -> "hxxp://www.default-search.net?sid=492&aid=100&itype=n&ver=12283&tm=335&src=hmp","hxxp://google.com/"
    CHR DefaultSearchURL: Default -> hxxp://www.default-search.net/search?sid=492&...=n&ver=12283&tm=335&src=ds&p={searchTerms}
    CHR DefaultSearchKeyword: Default -> ask.com
    CHR Extension: (Rapport) - C:\Users\Paulina\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjllphbppobebmjpjcijfbakobcheof [2017-06-25]
    CHR HKLM\...\Chrome\Extension: [ljnfelhdldlokjkohcmjpogkdjgbgjpj] - C:\Users\Paulina\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljnfelhdldlokjkohcmjpogkdjgbgjpj.crx [2015-10-01]
    CHR HKLM\...\Chrome\Extension: [lpeeaghdjmhlakojjcgfdhgcejdaefmi] - hxxps://chrome.google.com/webstore/detail/lpeeaghdjmhlakojjcgfdhgcejdaefmi
    CHR HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [ljnfelhdldlokjkohcmjpogkdjgbgjpj] - C:\Users\Paulina\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljnfelhdldlokjkohcmjpogkdjgbgjpj.crx [2015-10-01]
    CHR HKLM-x32\...\Chrome\Extension: [lpeeaghdjmhlakojjcgfdhgcejdaefmi] - hxxps://chrome.google.com/webstore/detail/lpeeaghdjmhlakojjcgfdhgcejdaefmi
    2017-06-25 19:45 - 2017-06-25 19:45 - 00000000 ____D C:\Users\Paulina\Downloads\FRST-OlderVersion
    2014-10-27 22:23 - 2014-10-27 22:23 - 0000088 __RSH () C:\ProgramData\70A99EC032.sys
    2015-10-26 11:54 - 2016-03-22 10:43 - 0000074 _____ () C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
    EmptyTemp:

    After running it, post new FRST logs from a fresh scan.

    0
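Reading a fixlist like the one above comes down to recognising a handful of FRST entry types: tasks FRST itself flags with ATTENTION, MountPoints2 autorun entries for removable media, AppInit_DLLs, orphaned entries (No File / not found), and browser start or search settings that point at domains nobody chose. The Python triage script below is an added example, not code from the thread or from FRST: it runs those checks over a constructed sample written in FRST's line format, and the small allowlist of known-good domains is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in FRST log format, modelled on the entries in the thread
# above; it is not the poster's actual log.
SAMPLE_LOG = r"""
Task: {4CB93D59-838B-4890-9CD2-0961119F48D0} - System32\Tasks\HDvid Codec V6.0-updater => C:\Program Files (x86)\HDvid Codec V6.0\HDvid Codec V6.0-updater.exe <==== ATTENTION
HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\...\MountPoints2: {13e3d9f0-7db9-11e6-801c-7054d284416a} - "D:\autorun.exe"
AppInit_DLLs: C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll => No File
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.omniboxes.com/web/?type=ds&q={searchTerms}
CHR StartupUrls: Default -> "hxxp://www.default-search.net?sid=492","hxxp://google.com/"
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912
CHR HKLM-x32\...\Chrome\Extension: [lpeeaghdjmhlakojjcgfdhgcejdaefmi] - hxxps://chrome.google.com/webstore/detail/lpeeaghdjmhlakojjcgfdhgcejdaefmi
"""

# Assumed allowlist: domains that legitimately appear in start/search settings.
KNOWN_GOOD = {"google.com", "bing.com", "microsoft.com"}

# FRST defangs URLs as hxxp:// so they are not clickable; accept both spellings.
URL_RE = re.compile(r'h(?:xx|tt)ps?://([^/\s",?]+)')
ORPHAN_RE = re.compile(r"=> No File|\(No File\)|=> not found")
BROWSER_KEYS = ("Search Page", "Start Page", "Default_Page_URL", "Default_Search_URL",
                "StartupUrls", "DefaultSearchURL", "HomePage", "SearchScopes")

def registrable(host: str) -> str:
    """Collapse www.foo.example -> foo.example for the allowlist comparison."""
    return ".".join(host.lower().split(".")[-2:])

def classify(line: str) -> Optional[str]:
    """Return a triage label for one FRST line, or None if nothing stands out."""
    if "<==== ATTENTION" in line:
        return "flagged-by-frst"
    if "MountPoints2" in line and ".exe" in line:
        return "removable-media-autorun"
    if line.startswith("AppInit_DLLs:"):
        return "appinit-dll"
    if ORPHAN_RE.search(line):
        return "orphaned-entry"
    if any(key in line for key in BROWSER_KEYS):
        hosts = {registrable(h) for h in URL_RE.findall(line)}
        if hosts - KNOWN_GOOD:          # any domain outside the allowlist
            return "search-hijack"
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every non-empty line and keep the hits, in order."""
    hits = []
    for ln in log_text.splitlines():
        label = classify(ln) if ln.strip() else None
        if label is not None:
            hits.append((label, ln))
    return hits

if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOG):
        print(f"{label:24} {line[:90]}")
```

The Microsoft start page and the Web Store extension lines produce no hit, which is the point of the allowlist: only entries that need a human decision are surfaced.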
  • Helpful post
    #6 26 Jun 2017 22:11
    Kolobos
    Computer specialist

    Run another Fixlist.txt:
    CHR HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
    2017-06-26 19:21 - 2017-06-26 19:28 - 00000000 ____D C:\AdwCleaner

    After running it, delete the C:\FRST folder and that's all.

    0
  • #7 27 Jun 2017 20:25
    amiza
    Level 2

    Kolobos wrote:
    Run another Fixlist.txt:
    CHR HKU\S-1-5-21-1343957224-3945126396-2009694332-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
    2017-06-26 19:21 - 2017-06-26 19:28 - 00000000 ____D C:\AdwCleaner

    After running it, delete the C:\FRST folder and that's all.


    Thank you!

    0