Mail.ru virus, viruses, trojan horse, software, Russian viruses, laptop

09 Dec 2017 19:03 936 11
  • Helpful post
    IT specialist
    If it's that urgent, why didn't you post in the proper section and include the required FRST logs?
  • Helpful post
    IT specialist
    In the one this thread has been moved to.

    Use AdwCleaner, the Scan option and then Clean: http://www.bleepingcomputer.com/download/adwcleaner/

    Run this Fixlist.txt with FRST:
    Closeprocesses:
    Task: {AD0AF02A-BE28-462E-930B-2C8471FAA83B} - System32\Tasks\setupsk_upd => C:\Users\MSI\AppData\Roaming\setupsk_upd\python\pythonw.exe [2017-07-08] (Python Software Foundation) <==== UWAGA
    Task: {AE6E47E3-EE92-4B5F-BF69-C74A01219880} - System32\Tasks\setupsk => C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe [2017-07-08] (Python Software Foundation) <==== UWAGA
    Task: {B9FE3040-06D9-4605-974C-910774524670} - System32\Tasks\curls => C:\Users\MSI\AppData\Roaming\curl\curl.exe <==== UWAGA
    Task: {ED5FABE7-D52A-44AF-BF79-3E068E5D8401} - System32\Tasks\curl => C:\Users\MSI\AppData\Roaming\curl\curl_7_54.exe [2017-12-05] (curl, hxxps://curl.haxx.se/) <==== UWAGA
    (Python Software Foundation) C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\Run: [setupsk_upd] => C:\Users\MSI\AppData\Roaming\setupsk_upd\python\pythonw.exe [96408 2017-07-08] (Python Software Foundation) <==== UWAGA
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\Run: [setupsk] => C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe [96408 2017-07-08] (Python Software Foundation) <==== UWAGA
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\MountPoints2: {4f746a74-a45e-11e7-b62b-84ef18c4f562} - I:\Install.exe
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=ir...s_ver%3D6.1%26os%3DWindows%2B7%2BProfessional
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-118-756
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    HKU\S-1-5-21-770303237-719257357-2482713325-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart...D6.1%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart...D6.1%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart...D6.1%26os%3DWindows%2B7%2BProfessional&p={searchTerms}
    SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?bcutc=sp-118-756&q={searchTerms}
    FF Homepage: Mozilla\Firefox\Profiles\42t52bbp.default -> hxxp://mail.ru/cnt/10445?gp=855461
    C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\homepage@mail.ru.xpi
    C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\search@mail.ru.xpi
    C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7}.xpi
    FF Extension: (Домашняя страница Mail.Ru) - C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\homepage@mail.ru.xpi [2017-12-05]
    FF Extension: (Поиск@Mail.Ru) - C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\search@mail.ru.xpi [2017-12-05] [Przestarzałe]
    FF Extension: (Пульт) - C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7}.xpi [2017-12-05]
    FF SearchPlugin: C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default\searchplugins\mailru.xml [2017-12-05]
    CHR HomePage: Default -> inline.go.mail.ru
    CHR DefaultSearchURL: Default -> hxxps://inline.go.mail.ru/search?inline_comp=dse&q={searchTerms}&fr=chxtn12.0.23
    CHR DefaultSearchKeyword: Default -> inline.go.mail.ru
    CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
    CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-770303237-719257357-2482713325-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [bhjhnafpiilpffhglajcaepjbnbjemci] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hcadgijmedbfgciegjomfpjcdchlhnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [indjgiebmakhmnaplnlnanodkfiejfjd] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lhemechcanjmilllmccjbjldonmnnjjj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    2017-12-09 18:11 - 2017-12-09 18:11 - 000000000 ____D C:\Program Files (x86)\GUM79F0.tmp
    2017-12-09 18:10 - 2017-12-09 18:10 - 000000000 ____D C:\Program Files (x86)\GUM623C.tmp
    2017-12-08 21:04 - 2017-12-08 22:10 - 000000150 _____ C:\Windows\Reimage.ini
    2017-12-05 18:11 - 2017-12-05 18:11 - 000000000 ____D C:\Users\MSI\AppData\Local\NetBoxLogs
    2017-12-05 18:11 - 2017-12-05 18:11 - 000000000 ____D C:\Users\MSI\AppData\Local\Chromium
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003862 _____ C:\Windows\System32\Tasks\setupsk_upd
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003526 _____ C:\Windows\System32\Tasks\curl
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003402 _____ C:\Windows\System32\Tasks\setupsk
    2017-12-05 17:51 - 2017-12-05 17:51 - 000003314 _____ C:\Windows\System32\Tasks\curls
    2017-12-05 17:51 - 2017-12-05 17:51 - 000000000 ____D C:\Users\MSI\AppData\Roaming\curl
    2017-12-05 17:50 - 2017-12-06 11:20 - 000000000 ____D C:\Users\MSI\AppData\Roaming\setupsk_upd
    2017-12-05 17:50 - 2017-12-06 11:20 - 000000000 ____D C:\Users\MSI\AppData\Roaming\setupsk
    2017-12-05 17:50 - 2017-12-06 11:20 - 000000000 ____D C:\Users\MSI\AppData\Local\yc
    2017-12-05 17:42 - 2017-12-08 11:42 - 000000000 ____D C:\Program Files (x86)\Mail.Ru
    2017-12-05 17:41 - 2017-12-05 18:42 - 000000000 ____D C:\ProgramData\Mail.Ru
    2017-11-21 01:23 - 2017-11-29 01:40 - 000006144 _____ () C:\Users\MSI\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    C:\Users\MSI\AppData\Roaming\setupsk_upd\python\pythonw.exe
    C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe

    After it has run, delete the C:\FRST folder.

    Do a full scan with MBAM and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
  • Helpful post
    IT specialist
    Also run this Fixlist.txt with FRST:
    Tcpip\..\Interfaces\{6D373540-A6DB-4ED3-838C-1C2008401787}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
    Tcpip\..\Interfaces\{BBA79392-C7B3-4D5A-9959-3BC9846D9A80}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203

    If nothing changes, back up your bookmarks from Chrome and delete the browser profile folder from: C:\Users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\42t52bbp.default

    You can also post new FRST logs from a scan.
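The two fixlists above remove the same three persistence patterns a responder would look for in any FRST report: scheduled tasks and Run keys launching binaries from the user's roaming profile, and interface NameServer values pointing at public resolvers. The following triage script is an added example, not part of this thread or of FRST; it runs those heuristics over constructed sample lines in FRST's report format (paths, GUIDs and addresses copied from the fixlists, the IntelAudio line and 192.168.1.1 constructed as benign controls), and the assumption that a static resolver should be a LAN address or one you list is the script's own.

```python
import ipaddress
import re

# Constructed sample in FRST's report format, modelled on the entries the
# fixlists above remove (paths, GUIDs and addresses copied from the thread);
# the IntelAudio line and 192.168.1.1 are constructed benign controls.
SAMPLE_LOG = r"""
Task: {AE6E47E3-EE92-4B5F-BF69-C74A01219880} - System32\Tasks\setupsk => C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe [2017-07-08] (Python Software Foundation)
Task: {B9FE3040-06D9-4605-974C-910774524670} - System32\Tasks\curls => C:\Users\MSI\AppData\Roaming\curl\curl.exe
HKU\S-1-5-21-770303237-719257357-2482713325-1000\...\Run: [setupsk] => C:\Users\MSI\AppData\Roaming\setupsk\python\pythonw.exe [96408 2017-07-08] (Python Software Foundation)
HKLM\...\Run: [IntelAudio] => C:\Program Files\Intel\audio.exe
Tcpip\..\Interfaces\{6D373540-A6DB-4ED3-838C-1C2008401787}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
Tcpip\..\Interfaces\{BBA79392-C7B3-4D5A-9959-3BC9846D9A80}: [NameServer] 192.168.1.1
""".strip("\n")

# Autostart entries (scheduled tasks and Run keys) print the launched binary after "=>".
AUTOSTART_RE = re.compile(r"^(Task:|.*\\Run:).*?=> (?P<target>[A-Za-z]:\\[^\[\(]+)")
NAMESERVER_RE = re.compile(r"\[NameServer\] (?P<servers>[\d.,]+)")
# Heuristic: legitimate autostarts rarely run from the user's writable profile dirs.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp")


def triage(log_text, expected_resolvers=()):
    """Return (category, line) pairs that deserve a second look."""
    findings = []
    expected = {ipaddress.ip_address(ip) for ip in expected_resolvers}
    for line in log_text.splitlines():
        m = AUTOSTART_RE.match(line)
        if m and any(d in m["target"].lower() for d in USER_WRITABLE):
            findings.append(("autostart-from-profile", line))
            continue
        m = NAMESERVER_RE.search(line)
        if m:
            for ip in m["servers"].split(","):
                addr = ipaddress.ip_address(ip)
                # Assumption: a statically configured resolver should be a
                # private/LAN address or one of the resolvers the caller lists.
                if not addr.is_private and addr not in expected:
                    findings.append(("static-public-dns", line))
                    break
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(category, "|", line)
```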
  • IT specialist
    You didn't run the Fixlist given earlier, why?

    Don't use ComboFix anymore; it's possible the system slowed down after using it.

    Run this Fixlist.txt with FRST:
    Tcpip\..\Interfaces\{6D373540-A6DB-4ED3-838C-1C2008401787}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
    Tcpip\..\Interfaces\{BBA79392-C7B3-4D5A-9959-3BC9846D9A80}: [NameServer] 35.177.46.238,46.101.28.31,82.202.226.203
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 SWDUMon; system32\DRIVERS\SWDUMon.sys [X]
    2017-12-10 01:48 - 2017-12-10 01:51 - 000000000 ____D C:\AdwCleaner
    2017-12-09 20:12 - 2017-12-09 20:12 - 000019256 _____ C:\ComboFix.txt
    2017-12-09 20:05 - 2017-12-09 20:12 - 000000000 ____D C:\Qoobox
    2017-12-09 20:05 - 2011-06-26 07:45 - 000256000 _____ C:\Windows\PEV.exe
    2017-12-09 20:05 - 2010-11-07 18:20 - 000208896 _____ C:\Windows\MBR.exe
    2017-12-09 20:05 - 2009-04-20 05:56 - 000060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000098816 _____ C:\Windows\sed.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000080412 _____ C:\Windows\grep.exe
    2017-12-09 20:05 - 2000-08-31 01:00 - 000068096 _____ C:\Windows\zip.exe

    Did you delete the Chrome profile?

    Post a screenshot from:
    CrystalDiskInfo: http://portableapps.com/apps/utilities/crystaldiskinfo_portable
    and:
    Process Explorer: https://technet.microsoft.com/pl-pl/sysinternals/processexplorer
    HWiNFO (sensors only): https://www.hwinfo.com/download.php
    (screenshots of the whole windows!)
  • IT specialist
    New logs aren't needed; if everything is OK now, delete the C:\FRST folder and that's all.
  • Level 4
    In that case, thank you very much for the help; if anything comes up I'll write again ;)