Elektroda.pl

[Solved] Virus closing programs, FRST log analysis

Kubaaa6 19 Jul 2018 11:17 126 2
  • #1 19 Jul 2018 11:17
    Kubaaa6
    Level 2

    Hello. For a short while now I have had a problem: something closes programs such as Malwarebytes and FRST, and closes the browser on searches about malware, viruses or pages with antivirus software. Since then the CPU usage of the svchost process has been around 50-60%. After reading about similar problems on the forum I am posting FRST logs and asking for an analysis.

    0 2
  • Helpful post
    #2 19 Jul 2018 11:32
    safbot1st
    Level 43

    Paste into Notepad:

    CloseProcesses:
    Hosts:
    Winlogon\Notify\igfxcui: igfxdev.dll [X]
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-4175383298-2732921329-1377175680-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [18334528 2018-04-12] (Piriform Ltd)
    HKU\S-1-5-21-4175383298-2732921329-1377175680-1000\...\Policies\Explorer: []
    HKU\S-1-5-21-4175383298-2732921329-1377175680-1000\...\MountPoints2: {481af54d-8b0f-11e8-b674-e006e6b83ab3} - E:\HiSuiteDownLoader.exe
    HKU\S-1-5-21-4175383298-2732921329-1377175680-1000\...\MountPoints2: {8cb3947f-1a40-11e8-8621-3c970e16dd6d} - F:\setup.exe
    FF Plugin: @microsoft.com/GENUINE -> disabled [Brak pliku]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Brak pliku]
    CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
    S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
    2018-07-19 09:46 - 2018-07-19 10:00 - 000000000 ____D C:\AdwCleaner
    2018-07-13 21:28 - 2018-07-19 07:47 - 000003742 _____ C:\Windows\System32\Tasks\{15628133-1D38-5CEE-9DD9-B6BB4BA65C73}
    2018-07-13 21:28 - 2018-07-19 07:47 - 000003608 _____ C:\Windows\System32\Tasks\{64B4196B-D750-4AC7-E8B5-73A65C0E5738}
    2018-07-13 21:28 - 2018-07-19 07:47 - 000003430 _____ C:\Windows\System32\Tasks\{59AC53E5-9872-AE2A-960A-4C26A706899D}
    2018-07-13 21:28 - 2018-07-13 21:28 - 000000002 _____ C:\Users\Kuba\AppData\Local\imw.ini
    2018-07-19 10:00 - 2018-04-11 23:03 - 000000000 ____D C:\Users\Kuba\AppData\LocalLow\IObit
    2018-07-19 10:00 - 2018-04-11 23:03 - 000000000 ____D C:\ProgramData\IObit
    2018-07-19 10:00 - 2018-04-11 23:03 - 000000000 ____D C:\Program Files (x86)\IObit
    2018-07-19 07:47 - 2018-05-01 21:41 - 000003250 _____ C:\Windows\System32\Tasks\{4F5433B0-C1BF-40CB-933D-BC1679461A11}
    2018-07-19 07:47 - 2018-02-25 14:35 - 000003438 _____ C:\Windows\System32\Tasks\nWizard_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
    2018-07-18 19:02 - 2018-04-11 23:03 - 000000000 ____D C:\Users\Kuba\AppData\Roaming\IObit
    2018-06-19 18:51 - 2018-03-09 20:03 - 000000000 ___HD C:\Windows\msdownld.tmp
    2009-07-14 03:14 - 2009-07-14 03:14 - 000073216 ____N (Microsoft Corporation) C:\Program Files (x86)\mOuymyyIVgeWv.exe
    2009-07-14 03:14 - 2009-07-14 03:14 - 000073216 ____N (Microsoft Corporation) C:\Program Files (x86)\UHEa.exe
    2009-07-14 03:14 - 2009-07-14 03:14 - 000073216 ____N (Microsoft Corporation) C:\Users\Kuba\AppData\Roaming\BuFDxXAI.exe
    2009-07-14 03:14 - 2009-07-14 03:14 - 000186368 ____N (Microsoft Corporation) C:\Users\Kuba\AppData\Roaming\EyxAfyuUgU.exe
    2009-07-14 03:14 - 2009-07-14 03:14 - 000073216 ____N (Microsoft Corporation) C:\Users\Kuba\AppData\Local\IItiYignYU.exe
    2018-07-13 21:28 - 2018-07-13 21:28 - 000000002 _____ () C:\Users\Kuba\AppData\Local\imw.ini
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku
    ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll -> Brak pliku
    Task: {02B59473-90D2-4A79-B16A-E060F2655D15} - System32\Tasks\{59AC53E5-9872-AE2A-960A-4C26A706899D} => C:\Users\Kuba\AppData\Roaming\BuFDxXAI.exe [2009-07-14] (Microsoft Corporation) <==== UWAGA
    Task: {58BFFAF4-ABAA-4628-8ABB-F984C597B0DA} - System32\Tasks\Driver Booster SkipUAC (Kuba) => C:\Program Files (x86)\IObit\Driver Booster\5.3.0\DriverBooster.exe
    Task: {E2B47C12-1491-4EC2-B035-F2DFC4D47EAD} - System32\Tasks\{64B4196B-D750-4AC7-E8B5-73A65C0E5738} => C:\Program Files (x86)\UHEa.exe [2009-07-14] (Microsoft Corporation) <==== UWAGA
    Task: {F4598A88-3AF1-4B6D-8412-4862B280FB13} - System32\Tasks\{4F5433B0-C1BF-40CB-933D-BC1679461A11} => C:\Windows\system32\pcalua.exe -a "C:\Users\Kuba\Downloads\Microsoft OFFICE 2010\Microsoft OFFICE 2010.exe" -d "C:\Users\Kuba\Downloads\Microsoft OFFICE 2010"
    Task: C:\Windows\Tasks\AdwCleaner_onReboot.job => C:\Users\Kuba\Desktop\adwcleaner_7.2.2.exe
    FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
    FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
    FirewallRules: [TCP Query User{1CCA3E06-5322-4595-A276-55DC2876ACC8}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
    FirewallRules: [UDP Query User{C11F5498-20A1-45D1-8A83-EDB83D1836BA}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
    FirewallRules: [{33E1B533-E5A7-44AD-8F4A-15F971C446F8}] => (Allow) C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe
    FirewallRules: [TCP Query User{98E0CBB4-DBD1-424E-9C28-3AD1CA37E63C}C:\users\kuba\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\kuba\appdata\local\akamai\netsession_win.exe
    FirewallRules: [UDP Query User{B77AB67B-BA6F-4201-99D2-E1DD5A8E8344}C:\users\kuba\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\kuba\appdata\local\akamai\netsession_win.exe
    FirewallRules: [TCP Query User{775BB19A-33D3-4633-BE0C-F3B585102EBA}C:\users\kuba\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\kuba\appdata\local\akamai\netsession_win.exe
    FirewallRules: [UDP Query User{344EF370-DC87-4FED-9140-1D8270F35A6A}C:\users\kuba\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\kuba\appdata\local\akamai\netsession_win.exe
    FirewallRules: [TCP Query User{B52B23EE-CCC3-4535-9FB3-E51CF297F93B}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
    FirewallRules: [UDP Query User{A26618EE-6384-473D-AC6B-991304FD1B85}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
    FirewallRules: [{BE3402E1-CB62-4A96-9D76-EA7F16B765D6}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
    FirewallRules: [{84CA65DF-30F5-495C-81D3-18F4DDD0560D}] => (Allow) C:\Users\Kuba\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{D771A385-C263-495E-97C5-A2B1B261B6F2}] => (Allow) C:\Users\Kuba\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{0C8E1AF4-69D3-4ED2-BAE4-5C4AB51EECE2}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
    FirewallRules: [{FFAB0B45-1B86-4CAF-9421-DC0AA068F356}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
    FirewallRules: [{759A7C82-0BAF-4524-A6FA-4C4806B3190F}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
    FirewallRules: [{84E48EE4-4B57-44CF-AF63-B12FBAD754CF}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
    FirewallRules: [{B996DC7E-72D7-4B78-94AE-B6F7D9745050}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
    FirewallRules: [{5966E753-5A43-4EA3-9633-E5483A408679}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
    FirewallRules: [{1FB22DB3-F23B-466F-9B93-50B93E04726C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
    FirewallRules: [{502CC674-F524-4A53-8D25-963435C2EE41}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
    FirewallRules: [{8358C807-641B-4573-A2ED-0AF59B7B371B}] => (Allow) C:\Windows\SysWOW64\msiexec.exe
    FirewallRules: [{CEAF1E76-BFA1-4F1C-B9D2-EDB57C00CB93}] => (Allow) C:\Program Files (x86)\mOuymyyIVgeWv.exe
    FirewallRules: [{0CC9C034-D93F-4CFE-BDFC-ED48F26D692A}] => (Allow) C:\Users\Kuba\AppData\Local\IItiYignYU.exe
    FirewallRules: [{963B37B3-737E-48A7-91DF-4920A8E165DC}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{5088CE99-79A8-42D5-BF32-28B1FE819378}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{9F6DF76B-9890-4ECC-AB24-93307D243BAA}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{5171F513-D656-4BFA-A868-37A22DFADE07}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{70AA07A4-9D05-41FE-9843-07CBBBE41156}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{3D7F2925-8BA1-420D-9BDA-F7CA4EB1BB22}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{6B09F08C-7B2C-41FC-A067-1B7F851843EA}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{4BFBB285-A6E8-41EC-B8B6-189C4F5EF53F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Paladins\Binaries\Win32\HirezBridge.exe
    FirewallRules: [{DDA68815-21BB-4D96-B2A8-53B8FD929860}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Paladins\Binaries\Win32\HirezBridge.exe
    FirewallRules: [TCP Query User{E753C902-6C52-4756-B1D8-D5A7CD8D7319}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe
    FirewallRules: [UDP Query User{5A15D7B9-17DF-4318-94CB-FA38F8B668E7}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe
    FirewallRules: [{6AE08F5A-E631-47C8-A217-266EC36C07EA}] => (Allow) C:\Program Files\Opera\54.0.2952.51\opera.exe
    FirewallRules: [TCP Query User{13434AA8-C09F-4863-A74B-1B7D286AA84D}C:\users\kuba\appdata\roaming\utorrent\updates\3.5.3_44494.exe] => (Allow) C:\users\kuba\appdata\roaming\utorrent\updates\3.5.3_44494.exe
    FirewallRules: [UDP Query User{0CE40113-F3BE-4B6D-96B9-D01766841EE4}C:\users\kuba\appdata\roaming\utorrent\updates\3.5.3_44494.exe] => (Allow) C:\users\kuba\appdata\roaming\utorrent\updates\3.5.3_44494.exe
    FirewallRules: [{26C6D360-392F-458A-A78E-6B977A0F910D}] => (Allow) C:\Windows\SysWOW64\msiexec.exe
    FirewallRules: [{6B61C304-649C-4ADA-A5AB-3206E292B92F}] => (Allow) C:\Program Files (x86)\UHEa.exe
    FirewallRules: [{CD146F0F-D83A-4D41-83B3-FDF4FE37271C}] => (Allow) C:\Users\Kuba\AppData\Roaming\BuFDxXAI.exe
    FirewallRules: [{513423FC-13E0-473C-AEBB-E9CEE7663598}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{27A5CD6A-36CC-4CF0-8170-54FD78F1A042}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{3AC668CF-840F-473A-BE15-7CCD33560305}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{9ED6213F-0943-4950-A27E-B2E1E2257ACB}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{733F69AF-DA4D-40CF-8C8A-8934AA7CF38B}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{926A8A47-BB55-41B3-A990-F6968D7A1969}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{F42FF5A6-E6E3-4821-8C85-ACA7A0F9447F}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{BDF8CD4E-40D9-4838-AB9A-F872B6E56F1F}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{3A92506A-6DCF-400B-BCCB-3DB12C4874E2}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{09AD8FC2-E03D-4467-AD37-67641BEFC9A5}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{0E0FCD01-9D32-451E-A847-72B577B61CD1}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{EE5AA2AC-9C24-46D5-A924-277A99E5D13C}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{AE33F324-D8C3-4D01-9C90-C52EADD497D3}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{7C9BF913-9D48-40F3-874C-3822F00F31A4}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{22EDDBD2-1492-4B1E-B85C-DC401388881C}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{0780F75E-4570-4E57-8AE7-4059DDCE868A}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{BD77287D-8BE0-4D49-AFAD-7D3CEE14EA58}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{EE58E807-8DF9-4870-95AF-F3B4C931C18A}] => (Allow) C:\Program Files\Opera\54.0.2952.54\opera.exe
    FirewallRules: [{AD26C43D-2366-469B-947A-A5B06797E6C9}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{DE683E0B-265A-400E-B858-D70731AB2966}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{53C5A5E9-9995-43D9-A366-4A963CAEE9CA}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{18587B90-4CFE-4A78-82A7-E4BD9225BBA0}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{FA1C60B5-6444-4922-A3B2-D2C7E18E8928}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{9A18B433-2D95-4C4A-809E-ECD978B9FEBE}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{4DBC0103-A072-4729-B63F-CA28E27BA6C6}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{79B20475-76BB-45AC-8658-24AB27153EA9}] => (Allow) C:\Windows\SysWOW64\tracert.exe
    FirewallRules: [{1DA385B8-87CB-459E-AFBE-3D8DC1889928}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{6BD4D489-1627-4263-AFC3-41C31A17008F}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{8ED19F72-C2AC-48FB-999F-3889F92475DE}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{C2D44FCC-0563-4AB6-8F3E-4054F384956C}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{91CEAAD0-E000-472F-8F09-9E54B2B2BEE2}] => (Allow) C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
    FirewallRules: [{B89DDC17-382D-41B1-A4E8-EFF74E87D71C}] => (Allow) C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
    FirewallRules: [{8413D912-86B8-47C5-919C-92E408713989}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{84A74282-9B7E-4C1C-A068-E1F325145962}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{C7490BC1-A6C0-47A4-8AC3-06E0969C8710}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{865D79C6-DF48-4C86-BF87-D7F75A185556}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{8F7A95B8-C1BD-43AE-A69F-C62910C69A1B}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{028AE950-C566-49B5-8AEA-D76C497AA862}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{D7CCFEBB-ED0A-4CBA-BCE3-2B352C9C5B0E}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{D69DB1E3-6D86-4B23-A5D4-EDC5D39498DB}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{692FEB15-9367-4510-BB6A-1F13487D4427}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{4BD3AC72-C9F0-4EB6-A567-F3D6119B477C}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{E14FE475-A92B-4D1E-ACC0-6C8BCA610E93}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{4C28CAE5-ABA2-4797-B92D-35F7B85ECA26}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{DD7DE2FB-6BE9-4F70-A82D-89B706F1D824}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{0BEBA323-7C95-4939-BC45-2F3E606E6C06}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{F2816739-2A5B-4D7D-9F8E-45FD195E1ED3}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{92185502-47B5-49A5-8734-7ABD7BF669CE}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{6EB4E62F-8CF0-4B71-A937-209E858F8F02}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{B2AC9E6E-38BC-4871-9510-C896E9D6359C}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{70FC5CCA-8B79-4B1D-96EB-49AF9934CCEB}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{934E3FBA-BBEC-469E-9440-417765AF0C67}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{CC615F02-8A1B-48C3-8692-27E229DBD9D6}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    FirewallRules: [{2BE57B69-6000-4B75-B632-1A43413474B0}] => (Allow) C:\Windows\SysWOW64\svchost.exe
    EmptyTemp:

    then save it as fixlist.txt next to FRST.exe and in FRST click "Fix" ("Napraw").
    After the fix, delete C:\FRST and that is all.

    0
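The fixlist above removes a recognisable pattern: scheduled tasks with bare GUID names that launch executables from AppData or from the root of Program Files (x86), files carrying a "(Microsoft Corporation)" label outside C:\Windows, and dozens of firewall allow rules for the 32-bit svchost.exe under SysWOW64. The following Python script is an added example (not from the thread and not part of FRST) that encodes those observations as triage heuristics and runs them over a handful of lines copied from the log excerpt above; the rule set and the category names are my own choices, and a hit means "review this entry", not proof of malice.

```python
"""Heuristic triage of FRST log lines (added example, not FRST's own code).

The rules mirror what the helper removed in this thread:
  * "task": GUID-named scheduled task whose target is outside %SystemRoot%,
    or any task whose target is a bare .exe in a top-level user folder;
  * "firewall_bare_exe": allow rule for an .exe sitting directly in
    AppData\\Roaming, AppData\\Local, ProgramData or Program Files (x86)
    (legitimate software normally lives in a vendor subfolder);
  * "firewall_svchost": allow rule for C:\\Windows\\SysWOW64\\svchost.exe;
  * "ms_label_outside_windows": file listed with a "(Microsoft Corporation)"
    company string but stored outside C:\\Windows.
"""
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the FRST excerpt in this thread.
SAMPLE_LOG = r"""
2009-07-14 03:14 - 2009-07-14 03:14 - 000073216 ____N (Microsoft Corporation) C:\Program Files (x86)\mOuymyyIVgeWv.exe
2009-07-14 03:14 - 2009-07-14 03:14 - 000073216 ____N (Microsoft Corporation) C:\Users\Kuba\AppData\Roaming\BuFDxXAI.exe
2018-07-13 21:28 - 2018-07-13 21:28 - 000000002 _____ () C:\Users\Kuba\AppData\Local\imw.ini
Task: {02B59473-90D2-4A79-B16A-E060F2655D15} - System32\Tasks\{59AC53E5-9872-AE2A-960A-4C26A706899D} => C:\Users\Kuba\AppData\Roaming\BuFDxXAI.exe [2009-07-14] (Microsoft Corporation) <==== UWAGA
Task: {58BFFAF4-ABAA-4628-8ABB-F984C597B0DA} - System32\Tasks\Driver Booster SkipUAC (Kuba) => C:\Program Files (x86)\IObit\Driver Booster\5.3.0\DriverBooster.exe
Task: {E2B47C12-1491-4EC2-B035-F2DFC4D47EAD} - System32\Tasks\{64B4196B-D750-4AC7-E8B5-73A65C0E5738} => C:\Program Files (x86)\UHEa.exe [2009-07-14] (Microsoft Corporation) <==== UWAGA
Task: {F4598A88-3AF1-4B6D-8412-4862B280FB13} - System32\Tasks\{4F5433B0-C1BF-40CB-933D-BC1679461A11} => C:\Windows\system32\pcalua.exe -a "C:\Users\Kuba\Downloads\Microsoft OFFICE 2010\Microsoft OFFICE 2010.exe" -d "C:\Users\Kuba\Downloads\Microsoft OFFICE 2010"
FirewallRules: [{84CA65DF-30F5-495C-81D3-18F4DDD0560D}] => (Allow) C:\Users\Kuba\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{CEAF1E76-BFA1-4F1C-B9D2-EDB57C00CB93}] => (Allow) C:\Program Files (x86)\mOuymyyIVgeWv.exe
FirewallRules: [{0CC9C034-D93F-4CFE-BDFC-ED48F26D692A}] => (Allow) C:\Users\Kuba\AppData\Local\IItiYignYU.exe
FirewallRules: [{963B37B3-737E-48A7-91DF-4920A8E165DC}] => (Allow) C:\Windows\SysWOW64\svchost.exe
FirewallRules: [{5088CE99-79A8-42D5-BF32-28B1FE819378}] => (Allow) C:\Windows\SysWOW64\svchost.exe
FirewallRules: [{9F6DF76B-9890-4ECC-AB24-93307D243BAA}] => (Allow) C:\Windows\SysWOW64\svchost.exe
FirewallRules: [{79B20475-76BB-45AC-8658-24AB27153EA9}] => (Allow) C:\Windows\SysWOW64\tracert.exe
FirewallRules: [{6AE08F5A-E631-47C8-A217-266EC36C07EA}] => (Allow) C:\Program Files\Opera\54.0.2952.51\opera.exe
"""

# An .exe directly under a top-level user-writable or program folder, with no vendor subfolder.
BARE_EXE = re.compile(
    r"\\(AppData\\(?:Roaming|Local)|Program Files(?: \(x86\))?|ProgramData)\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Scheduled task whose name is nothing but a GUID.
GUID_TASK = re.compile(r"System32\\Tasks\\\{[0-9A-F-]{36}\}", re.IGNORECASE)
# First executable path after "=>" (optionally preceded by "(Allow)").
TARGET = re.compile(r"=> (?:\(Allow\) )?(.+?\.exe)\b", re.IGNORECASE)
# File-listing line: company string followed by the full path.
MS_FILE = re.compile(r"\(Microsoft Corporation\) (C:\\.+\.exe)$", re.IGNORECASE)
SVCHOST_WOW = re.compile(r"\\SysWOW64\\svchost\.exe$", re.IGNORECASE)


def under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def is_bare_exe(path: str) -> bool:
    return BARE_EXE.search(path) is not None


def triage(log_text: str) -> dict:
    """Return {category: [matching log lines]} for the heuristics above."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Task:"):
            m = TARGET.search(line)
            if not m:
                continue
            target = m.group(1)
            if (GUID_TASK.search(line) and not under_windows(target)) or is_bare_exe(target):
                findings["task"].append(line)
        elif line.startswith("FirewallRules:"):
            m = TARGET.search(line)
            if not m:
                continue
            target = m.group(1)
            if SVCHOST_WOW.search(target):
                findings["firewall_svchost"].append(line)
            elif is_bare_exe(target):
                findings["firewall_bare_exe"].append(line)
        else:
            m = MS_FILE.search(line)
            if m and not under_windows(m.group(1)):
                findings["ms_label_outside_windows"].append(line)
    return dict(findings)


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(lines)} hit(s)")
        for entry in lines:
            print("   ", entry)
```

On the sample above the script reports two tasks, two bare-executable firewall rules, three SysWOW64 svchost rules and two mislabelled files, which is exactly the set the fixlist targets; the pcalua.exe task is GUID-named but points into C:\Windows, so it is left for a human to judge, and the uTorrent and Opera rules pass because they live in vendor subfolders.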
  • #3 19 Jul 2018 11:44
    Kubaaa6
    Level 2

    Thanks a lot :)

    0