Elektroda.pl

Damn Yeadesktopbr. Can you help?

gressive 07 Jul 2017 09:14 465 6
  • #2 07 Jul 2017 09:40
    Kolobos
    Computer specialist

    It's enough to think a little and not download infected activators...

    Uninstall:
    SnapDo
    TuneUp Utilities

    Next to frst.exe create a file Fixlist.txt with the following contents:
    Task: C:\Windows\Tasks\VideoPafe for Excel.job => rundll32.exe C:\Program Files\VideoPafe for Excel\VideoPafe for Excel.dll
    WMI_ActiveScriptEventConsumer_ASEC: <==== UWAGA
    ShortcutWithArgument: C:\Users\CrazyTechniq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\Users\CrazyTechniq\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\CRAZYT~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\Users\CrazyTechniq\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\Users\CrazyTechniq\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\CRAZYT~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\Users\CrazyTechniq\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\Users\CrazyTechniq\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Internet Explorer (64-bit).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\CRAZYT~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yeadesktopbr.com/
    ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yeadesktopbr.com/
    () C:\ProgramData\Client\client.exe
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\...\RunOnce: [PoOrOWSK&b.exe] => C:\Program Files\Windows Mail\HOEX2FQS1P6MSN4DSPINV\PoOrOWSK&b.exe [777728 2017-07-06] ()
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\...\RunOnce: [ogbTTr2h.exe] => C:\Users\CrazyTechniq\AppData\Local\Temp\37e7f8760a6448bba81157e0d874f96b\ogbTTr2h.exe [777728 2017-07-06] () <==== UWAGA
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\...\RunOnce: [Client Monitor] => C:\ProgramData\Client\client.exe [1166336 2016-10-27] ()
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\CrazyTechniq\AppData\Roaming\clientmonitor.exe" <==== UWAGA
    IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe
    ShellExecuteHooks: Brak nazwy - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\Windows\C_02iu47.dat [2017280 2017-07-05] (Micrasaft Carparation)
    GroupPolicy: Ograniczenia <==== UWAGA
    GroupPolicyScripts: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...8xRhdTqlcUwz1QWS8dsl0h12V-cReqIifsuntQ&q={searchTerms}
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%73%6E%61%70%64%6F.%63%6...Tr6WImrBngkkvT2aQHpkb0-lpGyRwfzG4xy_EmLLqznsZ
    HKU\S-1-5-21-2970128832-2000671888-3058191675-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    FF user.js: detected! => C:\Users\CrazyTechniq\AppData\Roaming\Mozilla\Firefox\Profiles\gndz8p1c.default\user.js [2017-07-05]
    CHR DefaultSearchURL: Default -> hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...pc6b9B-swg_m8C2zakC1e8R0Yrcnpam-Hgly6-&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
    2017-07-06 20:05 - 2017-07-06 20:05 - 04110280 _____ C:\Users\CrazyTechniq\Downloads\adwcleaner_6.047.exe
    2017-07-06 20:05 - 2017-07-06 20:05 - 04110280 _____ C:\Users\CrazyTechniq\Downloads\adwcleaner_6.047 (1).exe
    2017-07-06 19:55 - 2017-07-06 19:55 - 00001528 _____ C:\Windows\Tasks\VideoPafe for Excel.job
    2017-07-06 19:55 - 2017-07-06 19:55 - 00000000 ____D C:\Users\CrazyTechniq\AppData\Local\2c35166007b9442f8f8f7fc92ba63df8
    2017-07-06 19:55 - 2017-07-06 19:55 - 00000000 ____D C:\ProgramData\d6fc76ae05454aa1b74fbbd7ff91ae7c
    2017-07-06 19:55 - 2017-07-05 14:22 - 02017280 ___SH (Micrasaft Carparation) C:\Windows\C_02iu47.dat
    2017-07-06 19:53 - 2017-07-06 20:36 - 00930816 _____ C:\Users\CrazyTechniq\AppData\Local\test_db_cara.db
    2017-07-06 19:53 - 2017-07-06 19:53 - 07307264 _____ C:\Users\CrazyTechniq\AppData\Local\agent.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 03137536 _____ (TODO: <Company name>) C:\Users\CrazyTechniq\AppData\Local\Oversing.exe
    2017-07-06 19:53 - 2017-07-06 19:53 - 01896509 _____ C:\Users\CrazyTechniq\AppData\Local\Oversing.tst
    2017-07-06 19:53 - 2017-07-06 19:53 - 01895382 _____ C:\Users\CrazyTechniq\AppData\Local\DomSing.bin
    2017-07-06 19:53 - 2017-07-06 19:53 - 00278509 _____ C:\Users\CrazyTechniq\AppData\Local\Villatop.bin
    2017-07-06 19:53 - 2017-07-06 19:53 - 00140800 _____ C:\Users\CrazyTechniq\AppData\Local\installer.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 00136834 _____ () C:\Users\CrazyTechniq\AppData\Local\Scotjob.bin
    2017-07-06 19:53 - 2017-07-06 19:53 - 00126464 _____ C:\Users\CrazyTechniq\AppData\Local\noah.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 00070800 _____ C:\Users\CrazyTechniq\AppData\Local\Config.xml
    2017-07-06 19:53 - 2017-07-06 19:53 - 00018432 _____ C:\Users\CrazyTechniq\AppData\Local\Main.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 00005568 _____ C:\Users\CrazyTechniq\AppData\Local\md.xml
    2017-07-06 18:39 - 2016-10-27 05:17 - 01166336 _____ C:\Users\CrazyTechniq\AppData\Roaming\clientmonitor.exe
    2017-07-06 18:38 - 2017-07-06 18:38 - 00015360 _____ C:\Windows\system32\SppExtComObjHook.dll
    2017-07-06 18:38 - 2017-07-06 18:38 - 00004608 _____ C:\Windows\system32\SppExtComObjPatcher.exe
    2017-07-06 18:33 - 2017-07-07 08:55 - 00001603 _____ C:\ProgramData\Client Monitor
    2017-07-06 18:32 - 2017-07-06 18:58 - 00000000 ____D C:\Users\CrazyTechniq\AppData\Roaming\1CCAF0BE-FA7C-4440-BE70-CF6268CA2DDB
    2017-07-06 18:32 - 2017-07-06 18:32 - 00000000 ____D C:\Users\CrazyTechniq\AppData\Roaming\Monitor
    2017-07-06 18:32 - 2017-07-06 18:32 - 00000000 ____D C:\ProgramData\Client
    2017-06-20 08:42 - 2017-06-20 08:42 - 00196520 _____ C:\Windows\system32\Drivers\cfidsk.sys
    2017-07-06 20:41 - 2017-05-19 16:24 - 00000000 ____D C:\AdwCleaner
    2017-07-06 18:39 - 2016-10-27 05:17 - 1166336 _____ () C:\Users\CrazyTechniq\AppData\Roaming\clientmonitor.exe
    2017-07-06 19:53 - 2017-07-06 19:53 - 7307264 _____ () C:\Users\CrazyTechniq\AppData\Local\agent.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 0070800 _____ () C:\Users\CrazyTechniq\AppData\Local\Config.xml
    2017-05-16 11:32 - 2017-07-02 18:58 - 0005632 _____ () C:\Users\CrazyTechniq\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2017-07-06 19:53 - 2017-07-06 19:53 - 1895382 _____ () C:\Users\CrazyTechniq\AppData\Local\DomSing.bin
    2017-07-06 19:53 - 2017-07-06 19:53 - 0140800 _____ () C:\Users\CrazyTechniq\AppData\Local\installer.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 0018432 _____ () C:\Users\CrazyTechniq\AppData\Local\Main.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 0005568 _____ () C:\Users\CrazyTechniq\AppData\Local\md.xml
    2017-07-06 19:53 - 2017-07-06 19:53 - 0126464 _____ () C:\Users\CrazyTechniq\AppData\Local\noah.dat
    2017-07-06 19:53 - 2017-07-06 19:53 - 3137536 _____ (TODO: <Company name>) C:\Users\CrazyTechniq\AppData\Local\Oversing.exe
    2017-07-06 19:53 - 2017-07-06 19:53 - 1896509 _____ () C:\Users\CrazyTechniq\AppData\Local\Oversing.tst
    2017-07-06 19:53 - 2017-07-06 19:53 - 0136834 _____ () C:\Users\CrazyTechniq\AppData\Local\Scotjob.bin
    2017-07-06 19:53 - 2017-07-06 20:36 - 0930816 _____ () C:\Users\CrazyTechniq\AppData\Local\test_db_cara.db
    2017-07-06 19:53 - 2017-07-06 19:53 - 0001150 _____ () C:\Users\CrazyTechniq\AppData\Local\uninstall_temp.ico
    2017-07-06 19:53 - 2017-07-06 19:53 - 0278509 _____ () C:\Users\CrazyTechniq\AppData\Local\Villatop.bin
    2017-07-06 18:33 - 2017-07-07 08:55 - 0001603 _____ () C:\ProgramData\Client Monitor
    C:\Users\CrazyTechniq\AppData\Local\Temp\37e7f8760a6448bba81157e0d874f96b\ogbTTr2h.exe
    EmptyTemp:

    In FRST click Fix.

    When it has finished, post fresh FRST logs from a new scan.

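    Added example, not from the thread or from FRST: a read-only PowerShell audit of the three persistence spots the fixlist above targets (browser shortcuts with injected arguments, the Winlogon Shell value, and IFEO Debugger entries). It assumes an elevated PowerShell 5.1+ session on the affected machine; the shortcut folders are the ones that appear in the log, and the script only reports, it removes nothing.

```powershell
# Added example (not from the thread or FRST): read-only audit of the
# persistence spots FRST flagged above. Assumes an elevated PowerShell 5.1+
# session on the affected machine; it reports and changes nothing.

$wsh = New-Object -ComObject WScript.Shell

# Folders where the hijacked .lnk files in the log lived.
$lnkRoots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:PUBLIC\Desktop"
) | Where-Object { Test-Path $_ }

# A browser shortcut whose Arguments hold a URL or --load-extension opens the
# browser on an attacker-chosen page or with a sideloaded extension.
$pattern = '(https?://|--load-extension=)'

$hits = foreach ($root in $lnkRoots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        if ($lnk.Arguments -match $pattern) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}
"Shortcuts with injected arguments: $(@($hits).Count)"
$hits | Format-List

# Winlogon Shell must be exactly explorer.exe; the log showed
# explorer.exe,"...\clientmonitor.exe", which starts the adware at every logon.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $val = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($val -and $val -ne 'explorer.exe') { "Winlogon Shell in $hive is modified: $val" }
}

# Image File Execution Options: a Debugger value makes Windows launch that
# program instead of the named one (the log had SppExtComObjPatcher.exe hooked
# onto SppExtComObj.exe, the activator's doing). Genuine Debugger values are rare.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "IFEO debugger for $($_.PSChildName): $dbg" }
}
```

    Anything it lists should be compared against the FRST lines above; clearing a shortcut's Arguments field or deleting a rogue Debugger value is the corresponding manual fix when FRST is not available.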
  • #3 07 Jul 2017 09:54
    gressive
    Level 7

    I did as you wrote. The problem is that when I try to remove SnapDo it closes my Firefox, and when I try again it just thinks for a moment and nothing happens. Do you have any idea?

    Thanks for the quick response to the topic.

  • #4 07 Jul 2017 10:02
    Kolobos
    Computer specialist

    Just skip it.

    Also, read with understanding:
    > When it has finished, post fresh FRST logs from a new scan.

  • Helpful post
    #6 07 Jul 2017 10:18
    Kolobos
    Computer specialist

    You can remove SnapDo from the registry under the Uninstall key; search for:
    4752F154EEC6 until you find the right entry and delete it.

    Run this Fixlist.txt with FRST:
    CloseProcesses:
    Task: {91DC1E07-FF7B-4408-8791-2314DFA95962} - System32\Tasks\Client Monitor => C:\ProgramData\Client\client.exe <==== UWAGA
    2017-07-07 09:51 - 2017-07-07 09:51 - 00930816 _____ C:\Users\CrazyTechniq\AppData\Local\test_db_cara.db
    2017-07-07 09:51 - 2017-07-07 09:51 - 00140800 _____ C:\Users\CrazyTechniq\AppData\Local\installer.dat
    2017-07-07 09:47 - 2017-07-07 09:47 - 00003208 _____ C:\Windows\System32\Tasks\Client Monitor
    2017-07-07 09:43 - 2017-07-07 09:43 - 00011568 _____ C:\Users\CrazyTechniq\AppData\Local\InstallationConfiguration.xml
    2017-07-05 20:12 - 2017-07-07 09:45 - 00000000 ____D C:\ProgramData\TuneUp Software
    2017-07-05 20:12 - 2017-07-05 20:12 - 00000000 ____D C:\Users\CrazyTechniq\AppData\Roaming\TuneUp Software
    2017-07-05 20:11 - 2017-07-05 20:11 - 00000000 __SHD C:\ProgramData\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
    2017-07-07 09:43 - 2017-07-07 09:43 - 0011568 _____ () C:\Users\CrazyTechniq\AppData\Local\InstallationConfiguration.xml
    2017-07-07 09:51 - 2017-07-07 09:51 - 0140800 _____ () C:\Users\CrazyTechniq\AppData\Local\installer.dat
    2017-07-07 09:51 - 2017-07-07 09:51 - 0930816 _____ () C:\Users\CrazyTechniq\AppData\Local\test_db_cara.db

    When it has finished, delete the C:\FRST folder and that's all.

  • #7 07 Jul 2017 10:33
    gressive
    Level 7

    Thanks for the help.