Elektroda.pl

Mail.ru virus, Viruses, Trojan horse, Software, Russian viruses, laptop

Dvwciu 09 Dec 2017 19:03 573 11
  • Helpful post
    #2 09 Dec 2017 19:07
    Kolobos
    Computer specialist

    If it is so urgent, why didn't you post in the right section and include the required FRST logs?

    0
  • Helpful post
    #4 09 Dec 2017 23:39
    Kolobos
    Computer specialist

    In the one the thread has been moved to.

    Use AdwCleaner, options Scan and Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Run this Fixlist.txt with FRST:
    Closeprocesses:
    Task: {AD0AF02A-BE28-462E-930B-2C8471FAA83B} - System32\Tasks\setupsk_upd => C:\Users\MSI\AppData\Roaming\setupsk_upd\python\pythonw.exe [2017-07-08] (Python Software Foundation) <==== UWAGA
    Task: {AE6E47E3-EE92-4B5F-BF69-C74A01219880} - System32\Tasks\setupsk => C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe [2017-07-08] (Python Software Foundation) <==== UWAGA
    Task: {B9FE3040-06D9-4605-974C-910774524670} - System32\Tasks\curls => C:\Users\MSI\AppData\Roaming\curl\curl.exe <==== UWAGA
    Task: {ED5FABE7-D52A-44AF-BF79-3E068E5D8401} - System32\Tasks\curl => C:\Users\MSI\AppData\Roaming\curl\curl_7_54.exe [2017-12-05] (curl, hxxps://curl.haxx.se/) <==== UWAGA
    (Python Software Foundation) C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\Run: [setupsk_upd] => C:\Users\MSI\AppData\Roaming\setupsk_upd\python\pythonw.exe [96408 2017-07-08] (Python Software Foundation) <==== UWAGA
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\Run: [setupsk] => C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe [96408 2017-07-08] (Python Software Foundation) <==== UWAGA
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\MountPoints2: {4f746a74-a45e-11e7-b62b-84ef18c4f562} - I:\Install.exe
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=ir...s_ver%3D6.1%26os%3DWindows%2B7%2BProfessional
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-118-756
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart...D6.1%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart...D6.1%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart...D6.1%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
    SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    FF Homepage: Mozilla\Firefox\Profiles\42t52bbp.default -> hxxp://mail.ru/cnt/10445?gp=855461
    C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\homepage@mail.ru.xpi
    C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\search@mail.ru.xpi
    C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7}.xpi
    FF Extension: (Домашняя страница Mail.Ru) - C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\homepage@mail.ru.xpi [2017-12-05]
    FF Extension: (Поиск@Mail.Ru) - C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\search@mail.ru.xpi [2017-12-05] [Przestarzałe]
    FF Extension: (Пульт) - C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7}.xpi [2017-12-05]
    FF SearchPlugin: C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\searchplugins\mailru.xml [2017-12-05]
    CHR HomePage: Default -> inline.go.mail.ru
    CHR DefaultSearchURL: Default -> hxxps://inline.go.mail.ru/search?inline_comp=dse&q={searchTerms}&fr=chxtn12.0.23
    CHR DefaultSearchKeyword: Default -> inline.go.mail.ru
    CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
    CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-770303237-719257357-2482713325-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [bhjhnafpiilpffhglajcaepjbnbjemci] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hcadgijmedbfgciegjomfpjcdchlhnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [indjgiebmakhmnaplnlnanodkfiejfjd] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lhemechcanjmilllmccjbjldonmnnjjj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    2017-12-09 18:11 - 2017-12-09 18:11 - 000000000 ____D C:\Program Files (x86)\GUM79F0.tmp
    2017-12-09 18:10 - 2017-12-09 18:10 - 000000000 ____D C:\Program Files (x86)\GUM623C.tmp
    2017-12-08 21:04 - 2017-12-08 22:10 - 000000150 _____ C:\Windows\Reimage.ini
    2017-12-05 18:11 - 2017-12-05 18:11 - 000000000 ____D C:\Users\MSI\AppData\Local\NetBoxLogs
    2017-12-05 18:11 - 2017-12-05 18:11 - 000000000 ____D C:\Users\MSI\AppData\Local\Chromium
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003862 _____ C:\Windows\System32\Tasks\setupsk_upd
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003526 _____ C:\Windows\System32\Tasks\curl
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003402 _____ C:\Windows\System32\Tasks\setupsk
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003314 _____ C:\Windows\System32\Tasks\curls
    2017-12-05 17:51 - 2017-12-05 17:51 - 000000000 ____D C:\Users\MSI\AppData\Roaming\curl
    2017-12-05 17:50 - 2017-12-06 11:20 - 000000000 ____D C:\Users\MSI\AppData\Roaming\setupsk_upd
    2017-12-05 17:50 - 2017-12-06 11:20 - 000000000 ____D C:\Users\MSI\AppData\Roaming\setupsk
    2017-12-05 17:50 - 2017-12-06 11:20 - 000000000 ____D C:\Users\MSI\AppData\Local\yc
    2017-12-05 17:42 - 2017-12-08 11:42 - 000000000 ____D C:\Program Files (x86)\Mail.Ru
    2017-12-05 17:41 - 2017-12-05 18:42 - 000000000 ____D C:\ProgramData\Mail.Ru
    2017-11-21 01:23 - 2017-11-29 01:40 - 000006144 _____ () C:\Users\MSI\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    C:\Users\MSI\AppData\Roaming\setupsk_upd\python\pythonw.exe
    C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe

    After it finishes, delete the C:\FRST folder.

    Run a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    0
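As an added example (not part of the thread and not the helper's own method), a read-only PowerShell triage script that flags the two persistence patterns in the fixlist above: scheduled tasks and Run-key entries whose target executable lives under a user's AppData folder, as the setupsk*, curl and pythonw.exe lines do. It assumes Windows 8 / PowerShell 3 or newer for Get-ScheduledTask and only reports; it removes nothing.

```powershell
# Added example, not from the thread: report scheduled tasks and Run-key
# entries whose executable sits under <user>\AppData\..., the pattern behind
# the setupsk*, curl and pythonw.exe lines in the fixlist. Read-only.
# Assumes Windows 8 / PowerShell 3 or newer (Get-ScheduledTask).

function Test-AppDataTarget {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Expand %APPDATA%-style values first, then look for a user AppData path
    # anywhere in the command line (covers quoted paths and trailing arguments).
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    return $expanded -match '(?i)\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\'
}

$findings = @()

# 1. Scheduled tasks: the fixlist shows tasks in System32\Tasks whose action
#    is an interpreter or downloader copied into AppData\Roaming.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if (Test-AppDataTarget $cmd) {
            $findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Target = $cmd
            }
        }
    }
}

# 2. Run keys: machine-wide (64- and 32-bit views) plus every user hive that is
#    currently loaded under HKEY_USERS (logged-on users only).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if (Test-AppDataTarget "$($prop.Value)") {
            $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; Target = $prop.Value }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM views and all task folders are readable; an empty table after the fix confirms the entries are gone.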
  • Helpful post
    #6 10 Dec 2017 09:31
    Kolobos
    Computer specialist

    Also run this Fixlist.txt with FRST:
    Tcpip\..\Interfaces\{6D373540-A6DB-4ED3-838C-1C2008401787}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
    Tcpip\..\Interfaces\{BBA79392-C7B3-4D5A-9959-3BC9846D9A80}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203

    If nothing changes, back up your bookmarks from Chrome and delete the browser profile folder from: C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default

    You can also post new FRST logs from a scan.

    0
  • #8 10 Dec 2017 17:31
    Kolobos
    Computer specialist

    You didn't run the Fixlist given earlier, why?

    Don't use ComboFix again; it's possible the system slowed down after using it.

    Run this Fixlist.txt with FRST:
    Tcpip\..\Interfaces\{6D373540-A6DB-4ED3-838C-1C2008401787}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
    Tcpip\..\Interfaces\{BBA79392-C7B3-4D5A-9959-3BC9846D9A80}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 SWDUMon; system32\DRIVERS\SWDUMon.sys [X]
    2017-12-10 01:48 - 2017-12-10 01:51 - 000000000 ____D C:\AdwCleaner
    2017-12-09 20:12 - 2017-12-09 20:12 - 000019256 _____ C:\ComboFix.txt
    2017-12-09 20:05 - 2017-12-09 20:12 - 000000000 ____D C:\Qoobox
    2017-12-09 20:05 - 2011-06-26 07:45 - 000256000 _____ C:\Windows\PEV.exe
    2017-12-09 20:05 - 2010-11-07 18:20 - 000208896 _____ C:\Windows\MBR.exe
    2017-12-09 20:05 - 2009-04-20 05:56 - 000060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000098816 _____ C:\Windows\sed.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000080412 _____ C:\Windows\grep.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000068096 _____ C:\Windows\zip.exe

    Did you delete the Chrome profile?

    Post a screenshot from:
    CrystalDiskInfo: http://portableapps.com/apps/utilities/crystaldiskinfo_portable
    and:
    Process Explorer: https://technet.microsoft.com/pl-pl/sysinternals/processexplorer
    Hwinfo (sensors only): https://www.hwinfo.com/download.php
    (screenshots of the whole windows!)

    0
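The Tcpip\..\Interfaces\{GUID}: [NameServer] lines in posts #6 and #8 are per-interface DNS overrides. As an added example (not part of the thread), this read-only PowerShell check reads those values from the registry and flags static resolvers that are not on an expected list; $ExpectedDns is an assumed placeholder set to replace with your own resolvers.

```powershell
# Added example, not from the thread: list per-interface DNS settings from the
# registry path FRST shows as Tcpip\..\Interfaces\{GUID}: [NameServer] and flag
# static resolvers that are not on the expected list. Read-only.
# $ExpectedDns is an assumed placeholder set; substitute your own resolvers.
$ExpectedDns = @('192.168.1.1', '9.9.9.9')

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

foreach ($if in Get-ChildItem $ifRoot) {
    $p = Get-ItemProperty $if.PSPath
    # NameServer holds statically configured resolvers (comma- or space-separated);
    # DhcpNameServer holds what DHCP handed out. A populated NameServer on an
    # interface that still has EnableDHCP=1 is the hijack pattern in the fixlist.
    $static = @("$($p.NameServer)" -split '[ ,]+' | Where-Object { $_ })
    if ($static.Count -eq 0) { continue }
    $unexpected = @($static | Where-Object { $ExpectedDns -notcontains $_ })
    [pscustomobject]@{
        Interface     = $if.PSChildName
        DhcpEnabled   = ($p.EnableDHCP -eq 1)
        DhcpDns       = "$($p.DhcpNameServer)"
        StaticDns     = ($static -join ',')
        UnexpectedDns = ($unexpected -join ',')
        Suspicious    = ($unexpected.Count -gt 0)
    }
}
```

Re-run the check after the fixlist has been applied; the two interfaces named in the posts should then report no static resolvers.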
  • #11 10 Dec 2017 18:45
    Kolobos
    Computer specialist

    New logs aren't needed; if everything is OK now, delete the C:\FRST folder and that's it.

    0
  • #12 10 Dec 2017 20:04
    Dvwciu
    Level 3

    In that case, thank you very much for the help; if anything comes up, I'll write ;)

    0