Elektroda.pl
Elektroda.pl
X
Proszę, dodaj wyjątek www.elektroda.pl do Adblock.
Dzięki temu, że oglądasz reklamy, wspierasz portal i użytkowników.

[Rozwiązano] Infekcja systemu operacyjnego przez wirus tmp.exe

adrianneekk 25 Mar 2018 14:49 534 7
  • #1 25 Mar 2018 14:49
    adrianneekk
    Poziom 3  

    Potrzebuję fixlist do FRST . Proszę o pomoc niewiem co robić adwcleaner nie może znaleźć tego wirusa . Wirus jest tak sprytny ,że jak wlączam menedżer zadań to obniża pracę CPU.

    0 7
  • #2 25 Mar 2018 14:50
    mati211p
    Specjalista - HDD i odzyskiwanie danych

    Skoro potrzebujesz fixlist to załącz odpowiednie logi z FRST. Na jakiej podstawie ten fixlist ma powstać?

    0
  • #3 25 Mar 2018 14:52
    adrianneekk
    Poziom 3  

    Sory zapomniałem dodać z tych nerwów...

    0
  • Pomocny post
    #4 25 Mar 2018 15:39
    krzychupar
    Poziom 40  

    Otwórz notatnik systemowy i wklej:

    ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Brak pliku
    ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Brak pliku
    ShellIconOverlayIdentifiers: [{BFD98515-CD74-48A4-98E2-13D209E3EE4F}] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} => C:\Windows\system32\mcicda64.dll -> Brak pliku
    Task: {2136245C-7CC9-4C2D-A89E-E59AB00A30FC} - System32\Tasks\GoogleUpdateSecurityTaskMachine_HB => C:\ProgramData\5a5d6bc477f5456fb9fbdb99ed0f5fa8\HandlerExecution.exe <==== UWAGA
    Task: {41176192-E742-472C-8A5E-D6BE23881741} - System32\Tasks\{39AEF68E-2057-4FA4-BE6C-5BD1C8CEE100} => C:\Windows\system32\pcalua.exe -a C:\Users\Adrian\AppData\Roaming\CRMSvc\CRMSvc.exe -c --uninst
    Task: {4143508E-1379-49B2-BAEE-9EF41C745759} - System32\Tasks\{0D797847-0E0C-7E0D-7E11-0C7E0A09117E} => C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwAgACAAIAAgACAAOwAgACAAOwA7ADsAOwA7ACAAIAA7ACAAIAAgACAAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIA (dane wartości zawierają 10208 znaków więcej). <==== UWAGA
    Task: {6D5B0099-20C5-4BFC-87A0-996662F4A90B} - System32\Tasks\GoogleUpdateSecurityTaskMachine_DZ => C:\Users\Adrian\AppData\Roaming\5d90e690055640e4beb893e3af6da142\HandlerExecution.exe <==== UWAGA
    Task: {6D872DA3-5593-462E-99CA-CD54881BD0E8} - System32\Tasks\{1B35B1BA-4CA2-4B19-BAE0-81FDCEB80A7C} => C:\Windows\system32\pcalua.exe -a C:\Users\Adrian\Downloads\GameRangerSetup.exe -d C:\Users\Adrian\Downloads
    Task: {9200147C-3802-4BA8-B3F4-88C861094EB3} - System32\Tasks\GoogleUpdateSecurityTaskMachine_SA => C:\Users\Adrian\AppData\Local\Temp\88f16f6d09c54512b207b328c477bd1d\HandlerExecution.exe <==== UWAGA
    Task: {9222D506-E5BE-4729-B846-F5D20EE32AA2} - System32\Tasks\GoogleUpdateSecurityTaskMachine_SS => C:\ProgramData\d98b6fe870fc4620b3437a6eb369b02d\HandlerExecution.exe <==== UWAGA
    Task: {970885F5-BBC0-42CD-AC94-DF55F31B224E} - System32\Tasks\GoogleUpdateSecurityTaskMachine_TO => C:\Users\Adrian\AppData\Roaming\8eccfb48cb254c97be1317dd1a8e2ec5\HandlerExecution.exe <==== UWAGA
    Task: {974D3D30-669C-485C-AFE2-40678FE28328} - System32\Tasks\winregis => C:\Users\Adrian\AppData\Roaming\winregis.exe <==== UWAGA
    Task: {C60C2B82-B3AE-47B9-BA9A-8808964C6FD6} - System32\Tasks\Freeplane for Outlook => C:\Windows\system32\rundll32.exe "C:\Program Files\Freeplane for Outlook\Freeplane for Outlook.dll",eJTyJr <==== UWAGA
    Task: {EA702787-8172-48FC-B072-306FE58882C0} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe
    Hosts:
    AlternateDataStreams: C:\ProgramData:NT [40]
    AlternateDataStreams: C:\ProgramData:NT2 [346]




    AlternateDataStreams: C:\Users\All Users:NT [40]
    AlternateDataStreams: C:\Users\All Users:NT2 [346]
    AlternateDataStreams: C:\Users\Adrian\Dane aplikacji:NT [40]
    AlternateDataStreams: C:\Users\Adrian\Dane aplikacji:NT2 [346]
    AlternateDataStreams: C:\Users\Adrian\AppData\Roaming:NT [40]
    AlternateDataStreams: C:\Users\Adrian\AppData\Roaming:NT2 [346]
    AlternateDataStreams: C:\ProgramData\.rdata:X [526]
    AlternateDataStreams: C:\ProgramData\Application Data:NT [40]
    AlternateDataStreams: C:\ProgramData\Application Data:NT2 [346]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT [40]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT2 [346]
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT [40]
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [346]
    AlternateDataStreams: C:\Users\Public\AppData:CSM [470]
    HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== UWAGA
    HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== UWAGA
    HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== UWAGA
    HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== UWAGA
    HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== UWAGA
    HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== UWAGA
    HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== UWAGA
    HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== UWAGA
    HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== UWAGA
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-598704028-718976043-3184748461-1000\...\CurrentVersion\Windows: [Load] C:\Users\Adrian\AppData\Local\Temp\FolderN\name.exe.lnk <==== UWAGA
    AppInit_DLLs-x32: C:\ProgramData\Subair\Physnix.dll => Brak pliku
    ShellExecuteHooks: Brak nazwy - {BFD98515-CD74-48A4-98E2-13D209E3EE4F} - C:\Windows\system32\mcicda64.dll -> Brak pliku
    GroupPolicy: Ograniczenia - Chrome <==== UWAGA
    HKU\S-1-5-21-598704028-718976043-3184748461-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61...D0LcEQDn6HB4mD12U0oRykDO0pEGrUMhfNadCE&q={searchTerms}
    HKU\S-1-5-21-598704028-718976043-3184748461-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp:///
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    FF Extension: (Avira SafeSearch Plus) - C:\Users\Adrian\AppData\Roaming\Mozilla\Firefox\Profiles\9t3n0g4p.default\Extensions\safesearchplus2@avira.com [2017-05-10] [Przestarzałe]
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [Brak pliku]
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [Brak pliku]
    CHR res: Zainfekowany resources.pak (Adware script). Przeinstaluj Chrome. <==== UWAGA
    CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61...cUafYVjSQH7_9BXexZ3_4IRldRop1ZjAkbu38G64PsyI2
    CHR StartupUrls: Default -> "hxxps://www.google.pl/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8"
    CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-598704028-718976043-3184748461-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
    S2 system_socket_service; C:\ProgramData\9e962dd29f\a389e7ba1b.exe [X]
    S1 ArcCtrl; system32\drivers\ArcCtrl.sys [X]
    U1 aswbdisk; Brak ImagePath
    S1 ESProtectionDriver; \??\C:\Windows\system32\drivers\mbae64.sys [X]
    S3 gdrv; \??\C:\Windows\gdrv.sys [X]
    S3 MBAMProtection; \??\C:\Windows\system32\drivers\mbam.sys [X]
    S3 MBAMWebProtection; \??\C:\Windows\system32\drivers\mwac.sys [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S3 X6va063; \??\C:\Windows\SysWOW64\Drivers\X6va063 [X]
    S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
    2018-03-23 22:21 - 2017-03-25 16:32 - 000000000 ____D C:\AdwCleaner
    EmptyTemp:

    Plik zapisz pod nazwą fixlist.txt i umieść w folderze, gdzie masz FRST.exe.
    Uruchom FRST i kliknij w Fix/Napraw.

    0
  • #5 25 Mar 2018 16:11
    adrianneekk
    Poziom 3  

    Niby juz nie ma tego tmp ale wciąż jak włączam menedżer zadań to sprytnie jakiś wirus obniża wydajność CPUw mgnieniu oka z 30% do 0%* a jak wyłączam to automatycznie znowu skacze do góry wydajność.Procesor i5 661 3.33GHz.

    *a może to jest tylko wtedy kiedy włączam menedżera?? ;d
    Dodano po 13 [minuty]:
    Załączam fixloga i jeszcze raz nowy skan z FRST i Addition

    0
  • Pomocny post
    #6 25 Mar 2018 16:35
    krzychupar
    Poziom 40  

    W logach infekcji nie widać. A co do wydajności to chyba jest dobrze jak nic nie robisz to użycie procesora spada do zera.

    0
  • #7 25 Mar 2018 16:49
    adrianneekk
    Poziom 3  

    Ok myślę ze zamknę temat dziękuję za pomoc.

    0
  • #8 25 Mar 2018 16:50
    adrianneekk
    Poziom 3  

    Ok myślę ze zamknę temat dziękuję za pomoc.

    Dodano po 58 [sekundy]:

    krzychupar pomógł mi rozwiązać problem.

    0