Elektroda.pl

Please help with the mail.ru virus

Marcinnn8301 20 Aug 2017 18:45 771 4
  • Helpful post
    #2 20 Aug 2017 18:54
    Kolobos
    Computer specialist

    Uninstall: Browser-Security

    Run Fixlist.txt with FRST:
    CloseProcesses:
    Task: {07B7B3C0-EEEC-4381-8B2E-AB6A26880057} - System32\Tasks\curl => C:\Users\Ola\AppData\Roaming\curl\curl_7_54.exe [2017-08-20] (curl, hxxps://curl.haxx.se/) <==== UWAGA
    Task: {7A575639-B0C8-43FF-BB83-DBC99E580809} - System32\Tasks\wupdate => C:\Users\Ola\AppData\Local\wupdate\wupdate.exe [2017-08-20] () <==== UWAGA
    Task: {891199D0-AC27-4DD9-AA25-3092FDEC05E9} - System32\Tasks\setupsk => C:\Users\Ola\AppData\Roaming\setupsk\python\pythonw.exe <==== UWAGA
    Task: {8A2F08E0-62A6-4DA9-8A16-D35389E1E6F8} - System32\Tasks\curls => C:\Users\Ola\AppData\Roaming\curl\curl.exe <==== UWAGA
    Task: {9F646398-36E9-4F64-A5FC-A56D260C816E} - System32\Tasks\{029236B8-BC8B-4632-8992-039A97A44ED3} => C:\Windows\system32\pcalua.exe -a "C:\drivers\Wireless LAN Driver\Install.exe" -d "C:\drivers\Wireless LAN Driver"
    Task: {B43D454C-FE61-46B0-B090-197617C8937A} - System32\Tasks\MSI => C:\Users\Ola\AppData\Roaming\Microsoft\msi.exe [2017-08-20] () <==== UWAGA
    Task: {F010C674-3724-4964-B2E5-AFF5FA0C2428} - System32\Tasks\syslog => C:\Users\Ola\AppData\Local\syslog\syslog.exe [2017-08-20] (MONN SOFT Inc) <==== UWAGA
    Task: {FE3367DF-F5B0-4E6D-9AE5-0833B63D603C} - System32\Tasks\setupsk_upd => C:\Users\Ola\AppData\Roaming\setupsk_upd\python\pythonw.exe [2014-10-06] () <==== UWAGA
    ShortcutWithArgument: C:\Users\Ola\AppData\Local\Microsoft\Start Menu\Вoйти в Интeрнeт.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "hxxp://reshenov.ru/?utm_source=startlink03&utm_content=51e86683d948fae0618b360ceb58257b&utm_term=A1536F49C22D9346741E30EC8C17E0F7&utm_d=20170820"
    ShortcutWithArgument: C:\Users\Ola\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation) -> url,FileProtocolHandler "hxxp://www.mail.ru/cnt/20775012?gp=811008"
    C:\Windows\Microsoft\svchost.exe
    C:\Windows\Microsoft\svchost.exe.exe
    C:\Users\Ola\AppData\Local\Microsoft\Start Menu\Вoйти в Интeрнeт.lnk
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [ycAutoLaunch_24D1DA24730ACE45A23E11305E51211C] => "C:\Users\Ola\AppData\Local\yc\Application\yc.exe" /prefetch:5
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [qmpozoiwij] => explorer "hxxp://reshenov.ru/?utm_source=uoua03&utm_content=5d7d8dbef163c3f0e03ed0bb57619427&utm_term=A1536F49C22D9346741E30EC8C17E0F7&utm_d=20170820" <==== UWAGA
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [setupsk] => "C:\Users\Ola\AppData\Roaming\setupsk\python\pythonw.exe" "C:\Users\Ola\AppData\Roaming\setupsk\ml.py" --APPNAME="setupsk" <==== UWAGA
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [CpuzApp] => "C:\Users\Ola\AppData\Roaming\CpuzApp4\CpuzApp.exe"
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [setupsk_upd] => C:\Users\Ola\AppData\Roaming\setupsk_upd\python\pythonw.exe [27648 2014-10-06] () <==== UWAGA
    GroupPolicy: Ograniczenia <==== UWAGA
    GroupPolicy\User: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://mail.ru/cnt/10445?gp=811013
    HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKU\S-1-5-21-1517018482-3523043879-2821447819-1000 -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B4E5EF64F-1EB2-4E57-A1AD-B94AB637B6F1%7D&gp=811014
    SearchScopes: HKU\S-1-5-21-1517018482-3523043879-2821447819-1000 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B4E5EF64F-1EB2-4E57-A1AD-B94AB637B6F1%7D&gp=811014
    BHO-x32: Search(malpa)Mail.Ru -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\Ola\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll => Brak pliku
    FF user.js: detected! => C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\user.js [2017-06-03]
    FF DefaultSearchEngine: Mozilla\Firefox\Profiles\h1oq8lnm.default -> Поиск@Mail.Ru
    FF SelectedSearchEngine: Mozilla\Firefox\Profiles\h1oq8lnm.default -> Поиск@Mail.Ru
    FF Keyword.URL: Mozilla\Firefox\Profiles\h1oq8lnm.default -> hxxp://go.mail.ru/distib/ep/?fr=ntg&produ...-5AD5-4EA5-A0D6-54868BE8EDF0%7D&gp=811010
    FF Extension: (Browser-Security) - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\firefox@browser-security.de.xpi [2017-06-03]
    FF Extension: (Домашняя страница Mail.Ru) - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\homepage@mail.ru [2017-08-20]
    FF Extension: (Поиск@Mail.Ru) - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\search@mail.ru [2017-08-20]
    FF Extension: (Визуальные закладки @Mail.Ru) - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7} [2017-08-20]
    C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\firefox@browser-security.de.xpi
    C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\homepage@mail.ru
    C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\search@mail.ru
    C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7}
    FF SearchPlugin: C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\h1oq8lnm.default\searchplugins\mailru.xml [2017-08-20]
    R2 AppFrameHost; C:\Windows\system32\AppFrameHost.exe [969024 2017-08-20] ()
    R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== UWAGA (zerobajtowy plik/folder)
    S3 eapihdrv; C:\Users\Ola\AppData\Local\Temp\ehdrv.sys [135760 2017-08-20] (ESET) <==== UWAGA
    2017-08-20 16:35 - 2017-08-20 17:30 - 000000000 ____D C:\Users\Ola\AppData\Roaming\curl
    2017-08-20 16:35 - 2017-08-20 16:56 - 000000000 ____D C:\Users\Ola\AppData\Roaming\setupsk
    2017-08-20 16:35 - 2017-08-20 16:44 - 000000000 ____D C:\Users\Ola\AppData\Roaming\setupsk_upd
    2017-08-20 16:35 - 2017-08-20 16:35 - 000969024 _____ C:\Windows\system32\AppFrameHost.exe
    2017-08-20 16:35 - 2017-08-20 16:35 - 000003688 _____ C:\Windows\System32\Tasks\curl
    2017-08-20 16:35 - 2017-08-20 16:35 - 000003492 _____ C:\Windows\System32\Tasks\curls
    2017-08-20 16:35 - 2017-08-20 16:35 - 000003426 _____ C:\Windows\System32\Tasks\wupdate
    2017-08-20 16:35 - 2017-08-20 16:35 - 000003416 _____ C:\Windows\System32\Tasks\setupsk_upd
    2017-08-20 16:35 - 2017-08-20 16:35 - 000003402 _____ C:\Windows\System32\Tasks\setupsk
    2017-08-20 16:33 - 2017-08-20 16:33 - 000000000 ____D C:\Users\Ola\AppData\Local\wupdate
    2017-08-20 16:29 - 2017-08-20 18:35 - 000000000 ____D C:\Users\Ola\AppData\Local\syslog
    2017-08-20 16:29 - 2017-08-20 17:25 - 000003578 _____ C:\Windows\System32\Tasks\syslog
    2017-08-20 16:26 - 2017-08-20 16:26 - 000000000 ____D C:\ProgramData\Microsoft Toolkit
    2017-08-20 16:22 - 2017-08-20 17:23 - 000003400 __RSH C:\Windows\System32\Tasks\MSI
    2017-07-28 10:47 - 2017-06-03 09:03 - 000000000 ____D C:\ProgramData\McAfee
    2017-08-20 16:22 - 2017-08-20 16:22 - 002684416 __RSH () C:\Users\Ola\AppData\Roaming\Microsoft\msi.exe

    After it has run, delete the C:\FRST folder.

    Use AdwCleaner, option Scan and then Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    When all of that is done, post new FRST logs from a fresh scan.

    0
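The fixlist above is the result of reading an FRST log and picking out autostarts that share a few traits: unsigned binaries launched from the user profile, Run keys whose "command" is really a URL, and a system-binary name (svchost.exe) sitting outside System32 as a zero-byte file. Here is an added Python example, not from the thread or from FRST, that applies those same signals to FRST-style lines; the sample contains four lines quoted from the fixlist plus one benign per-user entry ("Updater", Example Corp) constructed for contrast.

```python
import re

# Constructed sample: the first four lines are quoted from the FRST fixlist in
# this thread; the last one is a made-up benign per-user autostart for contrast.
FRST_SAMPLE = r"""
Task: {7A575639-B0C8-43FF-BB83-DBC99E580809} - System32\Tasks\wupdate => C:\Users\Ola\AppData\Local\wupdate\wupdate.exe [2017-08-20] () <==== UWAGA
HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [qmpozoiwij] => explorer "hxxp://reshenov.ru/?utm_source=uoua03&utm_d=20170820" <==== UWAGA
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== UWAGA (zerobajtowy plik/folder)
Task: {9F646398-36E9-4F64-A5FC-A56D260C816E} - System32\Tasks\{029236B8-BC8B-4632-8992-039A97A44ED3} => C:\Windows\system32\pcalua.exe -a "C:\drivers\Wireless LAN Driver\Install.exe" -d "C:\drivers\Wireless LAN Driver"
HKU\S-1-5-21-1517018482-3523043879-2821447819-1000\...\Run: [Updater] => "C:\Users\Ola\AppData\Local\Example\updater.exe" [2017-06-01] (Example Corp)
""".strip().splitlines()

PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[<]*?\.(?:exe|dll|sys|py)\b", re.I)
PUB_RE = re.compile(r"\]\s*\((?P<pub>[^)]*)\)")   # "(Publisher)" after "[size date]"; "()" = none
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://", re.I)  # FRST defangs http:// as hxxp://
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "rundll32.exe"}

def parse_entry(line):
    """Split one FRST autostart line into (name, target, publisher) or None."""
    if line.startswith("Task: "):
        name = line.split(" - ", 1)[1].split(" => ", 1)[0].rsplit("\\", 1)[-1]
        target = line.split(" => ", 1)[1]
    elif "\\Run: [" in line:
        name = line.split("\\Run: [", 1)[1].split("]", 1)[0]
        target = line.split(" => ", 1)[1]
    elif re.match(r"^[RS]\d ", line):              # service: "R2 Name; path [size date] (pub)"
        name, target = line[3:].split("; ", 1)
    else:
        return None
    target = target.split(" <====", 1)[0]          # drop FRST's own marker/comment
    m = PUB_RE.search(target)
    return name, target, (m.group("pub").strip() if m else None)

def triage(lines):
    """Return {entry name: [reasons]} for autostarts that deserve a manual look."""
    findings = {}
    for line in lines:
        parsed = parse_entry(line.strip())
        if not parsed:
            continue
        name, target, publisher = parsed
        path = PATH_RE.search(target)
        low = path.group(0).lower() if path else ""
        reasons = []
        if "\\appdata\\" in low and publisher == "":   # unsigned AND in the profile
            reasons.append("unsigned binary under a user profile")
        if URL_RE.search(target):
            reasons.append("autostart opens a URL (browser hijack)")
        if low and low.rsplit("\\", 1)[1] in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append("system binary name outside System32")
        if "[0 ]" in target:
            reasons.append("zero-byte file")
        if reasons:
            findings[name] = reasons
    return findings
```

The signed "Updater" entry is not flagged even though it lives under AppData, which is the point: the profile-path rule only bites together with a missing publisher, since legitimate per-user software installs there too.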
  • Helpful post
    #4 20 Aug 2017 19:49
    Kolobos
    Computer specialist

    Everything looks ok.

    0
  • #5 20 Aug 2017 19:51
    Marcinnn8301
    Level 2

    In that case, thank you very much for the help.

    0