Elektroda.pl

Infected browser, traffic media co..

garrett89 21 Sep 2017 23:10 1047 6
  • #1 21 Sep 2017 23:10
    garrett89
    Level 2  

    Hello.
    Please help.
    I got on the computer after my brother and these damned ads from traffic media co or ru. alliekspres.. keep showing up non-stop. The problem occurs in all browsers.
    On top of that the computer starts up more slowly.
    After scanning and removal with ADWcleaner, 2 tabs try to open in Mozilla:
    http://www.qzpcuhjvz3jhbsbgawxlc1xnb3ppbgxhiezpcmvmb3hczmlyzwzvec5legu=.com/
    http://www.ahr0cdovl2f6awhsdhn3yw54lnj1lw==.com/ but they get blocked
    I noticed that some program, HPPANDA, creates browser icons for me, Mozilla, Chrome... and every so often this program starts at system startup, so that's probably why it slows it down so much
    Please help me out..
    I have updated the logs after adwcleaner

    Regards

    0 6
  • #2 22 Sep 2017 07:20
    Kolobos
    Computer specialist

    From what I can see, the infection happened after downloading a pirated, infected game: C:\Users\Garrett\Downloads\comnds03pc.rar (the file is worth deleting).

    Manually delete the shortcuts with Cyrillic characters in the name:
    C:\Users\Garrett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlоrеr.lnk
    C:\Users\Garrett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Ехрlоrеr (Nо Аdd-оns).lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk
    C:\Users\Public\Desktop\Моzillа Firеfох.lnk
    C:\Users\Garrett\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Моzillа Firеfох.lnk

    Run Fixlist.txt for FRST:
    Task: {23A99FA0-B08D-4161-BC67-F9AECAEADFB2} - System32\Tasks\Scisso Weft Pro => C:\Windows\system32\rundll32.exe "C:\Program Files\Scisso Weft Pro\Scisso Weft Pro.dll",xslPqZNzqAis <==== UWAGA
    Task: {4CD4BA8C-6F55-46D3-B800-8D2E7059414F} - System32\Tasks\LaCieS => C:\Disk\WebService.exe [2017-09-18] (TODO: <Company name>)
    Task: {24AFF1C1-D77B-435F-89ED-36E168D0944F} - System32\Tasks\jJKowXmxzIFxIuj => rundll32 "C:\Program Files (x86)\TQoarIXzU\obExCl.dll",#1
    Task: {6E403708-F76F-4949-9D2B-A75500471D9B} - System32\Tasks\{A2E49849-CC6D-4074-B893-ED47BC7A4E18} => C:\Windows\system32\pcalua.exe -a C:\Users\Garrett\Downloads\SgmPil64.exe -d C:\Users\Garrett\Downloads
    Task: {8403006B-F1BC-4988-8425-AB1745C13E06} - System32\Tasks\Game_Booster_Startup => E:\Game Booster 3\gbtray.exe
    Task: {C12455C0-F926-48ED-8445-80AE3411B6C6} - System32\Tasks\LSjUFtTofwjkxN => rundll32 "C:\Program Files (x86)\ICBaloCIDxXU2\XoLbWESxvCylk.dll",#1
    Task: {EA99B3F9-600D-40CB-B668-398D1EF750C7} - System32\Tasks\jJKowXmxzIFxIuj2 => rundll32 "C:\Program Files (x86)\TQoarIXzU\obExCl.dll",#1
    Task: C:\Windows\Tasks\jJKowXmxzIFxIuj.job => C:\Program Files (x86)\TQoarIXzU\obExCl.dll
    C:\Users\Garrett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlоrеr.lnk
    C:\Users\Garrett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Ехрlоrеr (Nо Аdd-оns).lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk
    C:\Users\Public\Desktop\Моzillа Firеfох.lnk
    C:\Users\Garrett\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Моzillа Firеfох.lnk
    2017-09-21 22:29 - 2015-06-01 07:28 - 002448384 _____ () C:\Program Files\Scisso Weft Pro\Scisso Weft Pro.dll
    2017-09-21 23:00 - 2017-09-22 00:36 - 000567296 _____ () C:\Windows\TEMP\g57D.tmp.exe
    Hosts:
    () C:\Windows\Temp\g57D.tmp.exe
    HKLM-x32\...\Run: [] => [X]
    HKLM\...\RunOnce: [MICHAL-PC] => C:\Windows\TEMP\gFE4B.tmp.exe [212992 2017-09-21] () <==== UWAGA
    HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== UWAGA
    HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== UWAGA
    HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== UWAGA
    HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== UWAGA
    HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== UWAGA
    HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== UWAGA
    HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== UWAGA
    HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== UWAGA
    HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== UWAGA
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-2711563879-3268990805-2848906630-1000\...\MountPoints2: {71f9b79d-1d4c-11e7-80fb-bc5ff40eb390} - G:\HiSuiteDownLoader.exe
    HKU\S-1-5-21-2711563879-3268990805-2848906630-1000\...\MountPoints2: {71f9b7a2-1d4c-11e7-80fb-bc5ff40eb390} - G:\HiSuiteDownLoader.exe
    HKU\S-1-5-21-2711563879-3268990805-2848906630-1000\...\MountPoints2: {8915703e-39b0-11e7-a83e-bc5ff40eb390} - G:\HiSuiteDownLoader.exe
    HKU\S-1-5-21-2711563879-3268990805-2848906630-1000\...\MountPoints2: {bfe51036-714c-11e3-a3c8-bc5ff40eb390} - I:\Startme.exe
    GroupPolicy: Ograniczenia - Chrome <==== UWAGA
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <==== UWAGA
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
    SearchScopes: HKU\S-1-5-21-2711563879-3268990805-2848906630-1000 -> {B2D2B89D-DA08-4cf2-8C5C-198ECEE856BD} URL = hxxp://www.google.com/custom?client=pub-37942...%3BGIMP%3A0000FF%3BFORID%3A1&hl=pl&q={searchTerms}
    BHO-x32: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\CKCpTyVyQIE\kfGm77lJ.dll [2017-09-21] ()
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Garrett\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdlphncgdlaajddhdginocbkndmceaml [2017-09-21]
    CHR Extension: (Quick Searcher) - C:\Users\Garrett\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha [2017-09-21]
    C:\Users\Garrett\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha
    C:\Users\Garrett\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdlphncgdlaajddhdginocbkndmceaml
    CHR HKU\S-1-5-21-2711563879-3268990805-2848906630-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfecnpmgnlnbmipaogfhoacoioifjgko] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [kfecnpmgnlnbmipaogfhoacoioifjgko] - hxxp://clients2.google.com/service/update2/crx
    OPR Extension: (0) - C:\Users\Garrett\AppData\Roaming\Opera Software\Opera Stable\Extensions\gfflcpencnmidmbdklfkbmfjmbieaopp [2017-09-21]
    OPR Extension: (Quick Searcher v16.2) - C:\Users\Garrett\AppData\Roaming\Opera Software\Opera Stable\Extensions\pbdpajcdgknpendpmecafmopknefafha [2017-09-21]
    C:\Users\Garrett\AppData\Roaming\Opera Software\Opera Stable\Extensions\pbdpajcdgknpendpmecafmopknefafha
    C:\Users\Garrett\AppData\Roaming\Opera Software\Opera Stable\Extensions\gfflcpencnmidmbdklfkbmfjmbieaopp
    U3 ahl1kmh5; C:\Windows\System32\Drivers\ahl1kmh5.sys [0 ] (Advanced Micro Devices) <==== UWAGA (zerobajtowy plik/folder)
    S1 wfcre; system32\drivers\wfcre.sys [X]
    2017-09-22 00:33 - 2017-09-22 00:35 - 000000000 ____D C:\AdwCleaner
    2017-09-21 23:19 - 2017-09-21 23:19 - 000000000 ____D C:\Users\Garrett\AppData\LocalLow\zwMRXEuCYLuhR
    2017-09-21 22:31 - 2017-09-21 22:31 - 000000266 __RSH C:\Users\Garrett\ntuser.pol
    2017-09-21 22:30 - 2017-09-22 00:36 - 000000292 _____ C:\Windows\Tasks\jJKowXmxzIFxIuj.job
    2017-09-21 22:30 - 2017-09-21 22:30 - 000003244 _____ C:\Windows\System32\Tasks\LaCieS
    2017-09-21 22:30 - 2017-09-21 22:30 - 000003060 _____ C:\Windows\System32\Tasks\LSjUFtTofwjkxN
    2017-09-21 22:30 - 2017-09-21 22:30 - 000002706 _____ C:\Windows\System32\Tasks\jJKowXmxzIFxIuj2
    2017-09-21 22:30 - 2017-09-21 22:30 - 000002566 _____ C:\Windows\System32\Tasks\jJKowXmxzIFxIuj
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Windat
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Users\Public\Thunder Network
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\ProgramData\Thunder Network
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\ProgramData\LCFApp
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Program Files (x86)\TQoarIXzU
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Program Files (x86)\ICBaloCIDxXU2
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Program Files (x86)\CKCpTyVyQIE
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Program Files (x86)\AvMVIUoBwtUn
    2017-09-21 22:30 - 2017-09-21 22:30 - 000000000 ____D C:\Disk
    2017-09-21 22:29 - 2017-09-22 00:41 - 000016724 _____ C:\Windows\System32\Tasks\Scisso Weft Pro
    2017-09-21 22:29 - 2017-09-21 22:31 - 000000000 ____D C:\Users\Garrett\AppData\Roaming\Easeware
    2017-09-21 22:28 - 2017-09-21 22:28 - 000000000 ____D C:\Users\Garrett\AppData\Local\PCBooster
    EmptyTemp:

    In FRST choose Fix.

    After running it, post new logs from an FRST scan.

    0
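The shortcut names Kolobos points at in #2 look like "Mozilla Firefox" or "Google Chrome" but are spelled partly with Cyrillic letters, which is why they survive a plain name match. The following is an added example, not code from this thread or from FRST: it flags file names that mix Latin and Cyrillic letters (or are spelled entirely with Cyrillic look-alikes) and shows which Latin name each one impersonates. The sample names are constructed to match the pattern in the log above.

```python
import unicodedata

# Cyrillic letters that render identically to Latin ones. Covers the letters the
# shortcuts in this thread use (а е о р х М Е А С) plus a few common extras.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0410": "A", "\u0412": "B",
    "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O",
    "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
}

def script_of(ch):
    # Unicode character names start with the script, e.g. "CYRILLIC SMALL LETTER O"
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"

def analyse_name(name):
    """Return (suspicious, latin_lookalike). Suspicious = Latin and Cyrillic mixed,
    or every Cyrillic letter is a Latin look-alike; a real Cyrillic name is left alone."""
    stem = name.rsplit(".", 1)[0]  # ignore the .lnk extension, which is always Latin
    letters = [c for c in stem if c.isalpha()]
    cyr = [c for c in letters if script_of(c) == "CYRILLIC"]
    lat = [c for c in letters if script_of(c) == "LATIN"]
    suspicious = bool(cyr) and (bool(lat) or all(c in CONFUSABLES for c in cyr))
    lookalike = "".join(CONFUSABLES.get(c, c) for c in name)
    return suspicious, lookalike

def find_homoglyph_shortcuts(names):
    """Return [(name, what it impersonates)] for every suspicious name."""
    hits = []
    for n in names:
        suspicious, lookalike = analyse_name(n)
        if suspicious:
            hits.append((n, lookalike))
    return hits

# Constructed sample: two names spelled like the shortcuts in the FRST log above
# (Cyrillic written as escapes so the trick is visible) and two legitimate ones.
SAMPLE = [
    "\u041c\u043ezill\u0430 Fir\u0435f\u043e\u0445.lnk",          # Моzillа Firеfох.lnk
    "G\u043e\u043egl\u0435 \u0421hr\u043em\u0435.lnk",            # Gооglе Сhrоmе.lnk
    "Mozilla Firefox.lnk",                                        # genuine shortcut
    "\u0414\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u044b.lnk",  # Документы.lnk, genuine Russian name
]

if __name__ == "__main__":
    for name, looks_like in find_homoglyph_shortcuts(SAMPLE):
        print(f"{name!r} impersonates {looks_like!r}")
```

To check a real machine, feed it the names of every `.lnk` under the Start Menu, Public Desktop and Quick Launch folders listed in the fix above.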
  • #3 22 Sep 2017 07:50
    garrett89
    Level 2  

    about deleting those lines with Cyrillic manually.
    where am I supposed to do that?

    0
  • #4 22 Sep 2017 10:57
    Kolobos
    Computer specialist

    You have to delete the files from the disk at the locations given.

    0
  • #5 22 Sep 2017 11:26
    garrett89
    Level 2  

    ok, I'll check

    0
  • #6 22 Sep 2017 11:38
    Kolobos
    Computer specialist

    Instead of "checking", do what I wrote, preferably without further unnecessary questions.

    0
  • #7 22 Sep 2017 15:25
    garrett89
    Level 2  

    ok, sorry, I put it badly

    Added after 3 [hours] 30 [minutes]:

    Everything is back to normal,
    Thank you very much for the help.

    0