
FRST - creating a fixlist - rujack malware?

katarzynazmuda 14 Oct 2018 22:58
  • Helpful post
    #2 14 Oct 2018 23:02
    RADU23
    Moderator - Komputery Serwis

    Open Notepad and paste the following contents:

    Quote:
    GroupPolicy: Ograniczenia ? <==== UWAGA
    GroupPolicy\User: Ograniczenia ? <==== UWAGA
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKU\S-1-5-21-1915660979-2043672588-136543548-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://go.microsoft.com/fwlink/p/?LinkId=620947&OCID=AVRES000&pc=UE00
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE00
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE00
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={C8A5D8EB-0126-4AD3-8D50-0F031EBED58F}&mid=62468697bc7947cfa874f98b9b89f92d-a835ada3a1d3d91eab6dc902fee6e4c642e65086&lang=pl&ds=AVG&coid=avgtbavg&cmpid=0217tb&pr=fr&d=2016-10-04 19:53:28&v=4.3.7.452&pid=wtu&sg=&sap=dsp&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B0D66CC69-068E-4708-99E0-24B2972567C8%7D&gp=811139
    FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.8\\npsitesafety.dll [Brak pliku]
    CHR HomePage: Default -> inline.go.mail.ru
    CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/10445?gp=811141"
    CHR HKU\S-1-5-21-1915660979-2043672588-136543548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-1915660979-2043672588-136543548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mbckjcfnjmoiinpgddefodcighgikkgn] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [bhjhnafpiilpffhglajcaepjbnbjemci] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hcadgijmedbfgciegjomfpjcdchlhnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lfgkmlldjpjacgicdjmmgcboihbghpal] - hxxps://clients2.google.com/service/update2/crx
    ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Brak pliku
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku
    Task: {22419429-38A5-41B8-87B4-FCD0AAC70FD7} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
    Task: {25E3BEF3-8435-40E9-AFCC-B18A27E54D04} - System32\Tasks\UhUGoEXXVRg => C:\Program Files (x86)\zDtjy.bat [2017-03-18] () <==== UWAGA
    Task: {C9A49348-50AF-4D17-8F00-D06CAAA5E5C1} - \Microsoft\Windows\UNP\RunCampaignManager -> Brak pliku <==== UWAGA
    Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
    HKU\S-1-5-21-1915660979-2043672588-136543548-1001\...\StartupApproved\Run: => "MailRuUpdater"


    Save the file as fixlist.txt and put it in the folder where you have FRST.exe.
    Run FRST and click Fix (Napraw).

  • Helpful post
    #3 14 Oct 2018 23:13
    Kolobos
    Computer specialist

    Uninstall:
    AVG Web TuneUp
    Google Toolbar for Internet Explorer
    Intel Security True Key
    SpyHunter 5
    Nero TuneItUp

    Run the following Fixlist.txt in FRST:
    CloseProcesses:
    Task: {22419429-38A5-41B8-87B4-FCD0AAC70FD7} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
    Task: {25E3BEF3-8435-40E9-AFCC-B18A27E54D04} - System32\Tasks\UhUGoEXXVRg => C:\Program Files (x86)\zDtjy.bat [2017-03-18] () <==== UWAGA
    C:\Users\Kasia\ygEOer.exe
    Task: {8309BE8B-D943-42F6-8A72-63D2424A8909} - System32\Tasks\iagEkuYLitAwH => C:\Users\Kasia\ygEOer.exe [2017-03-18] (Microsoft Corporation)
    Task: {B7F2D1A9-53CC-426C-B4F4-5B5E841DF4F4} - System32\Tasks\LOuWU => C:\WINDOWS\iosAO.bat [2017-03-18] ()
    Task: {C9A49348-50AF-4D17-8F00-D06CAAA5E5C1} - \Microsoft\Windows\UNP\RunCampaignManager -> Brak pliku <==== UWAGA
    Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
    2018-10-14 21:14 - 2018-10-14 21:14 - 000000016 _____ C:\spyhunter.fix
    2018-10-14 21:11 - 2018-10-14 21:11 - 000000000 ___HD C:\OCcpqjJYhW5LUUar
    2018-10-14 18:34 - 2018-10-14 18:34 - 000061624 _____ (EnigmaSoft Limited) C:\WINDOWS\system32\Drivers\EnigmaFileMonDriver.sys
    2018-10-14 18:34 - 2018-10-14 18:34 - 000001055 _____ C:\Users\Public\Desktop\SpyHunter5.lnk
    2018-10-14 18:34 - 2018-10-14 18:34 - 000000000 ____D C:\sh5ldr
    2018-10-14 18:34 - 2018-10-14 18:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnigmaSoft
    2018-10-14 18:34 - 2018-10-14 18:34 - 000000000 ____D C:\ProgramData\EnigmaSoft Limited
    2018-10-14 18:33 - 2018-10-14 18:33 - 005937968 _____ (EnigmaSoft Limited) C:\Users\Kasia\Downloads\SpyHunter-Installer.exe
    2018-10-14 18:33 - 2018-10-14 18:33 - 000000000 ____D C:\Program Files\EnigmaSoft
    2018-09-20 17:31 - 2018-10-14 18:18 - 000003526 _____ C:\WINDOWS\System32\Tasks\LOuWU
    2018-09-20 17:31 - 2017-03-18 22:59 - 000001128 _____ C:\Users\Kasia\TecyNNlOEYpU.bat
    2018-09-20 17:31 - 2017-03-18 22:59 - 000000057 _____ C:\WINDOWS\iosAO.bat
    2018-10-14 21:17 - 2018-09-13 21:41 - 000003360 _____ C:\WINDOWS\System32\Tasks\UhUGoEXXVRg
    2018-09-20 17:31 - 2017-03-18 22:59 - 000001128 _____ () C:\Users\Kasia\TecyNNlOEYpU.bat
    2018-01-07 20:04 - 2017-03-18 22:58 - 000059392 _____ (Microsoft Corporation) C:\Users\Kasia\ygEOer.exe
    2018-01-07 20:04 - 2017-03-18 22:58 - 000174592 _____ (Microsoft Corporation) C:\Program Files (x86)\UoJAkqlO.exe
    2018-01-07 20:04 - 2017-03-18 22:59 - 000000062 _____ () C:\Program Files (x86)\zDtjy
    2018-09-13 21:41 - 2017-03-18 22:59 - 000000062 _____ () C:\Program Files (x86)\zDtjy.bat
    2018-01-07 20:04 - 2018-01-07 20:04 - 000000001 _____ () C:\Users\Kasia\AppData\Local\WMI.ini
    HKU\S-1-5-21-1915660979-2043672588-136543548-1001\...\RunOnce: [Application Restart #0] => C:\Windows\System32\Taskmgr.exe [1326952 2018-04-12] (Microsoft Corporation)
    HKU\S-1-5-21-1915660979-2043672588-136543548-1001\...\RunOnce: [Application Restart #1] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1469784 2018-09-15] (Google Inc.)
    Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
    GroupPolicy: Ograniczenia ? <==== UWAGA
    GroupPolicy\User: Ograniczenia ? <==== UWAGA
    HKU\S-1-5-21-1915660979-2043672588-136543548-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://go.microsoft.com/fwlink/p/?LinkId=620947&OCID=AVRES000&pc=UE00
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE00
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE00
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={C8A5D8EB-0126-4AD3-8D50-0F031EBED58F}&mid=62468697bc7947cfa874f98b9b89f92d-a835ada3a1d3d91eab6dc902fee6e4c642e65086&lang=pl&ds=AVG&coid=avgtbavg&cmpid=0217tb&pr=fr&d=2016-10-04 19:53:28&v=4.3.7.452&pid=wtu&sg=&sap=dsp&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1915660979-2043672588-136543548-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B0D66CC69-068E-4708-99E0-24B2972567C8%7D&gp=811139
    CHR HKU\S-1-5-21-1915660979-2043672588-136543548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-1915660979-2043672588-136543548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mbckjcfnjmoiinpgddefodcighgikkgn] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [bhjhnafpiilpffhglajcaepjbnbjemci] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hcadgijmedbfgciegjomfpjcdchlhnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lfgkmlldjpjacgicdjmmgcboihbghpal] - hxxps://clients2.google.com/service/update2/crx
    S2 EsgShKernel; C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe [9872688 2018-10-14] (EnigmaSoft Limited)
    S3 EnigmaFileMonDriver; C:\WINDOWS\system32\Drivers\EnigmaFileMonDriver.sys [61624 2018-10-14] (EnigmaSoft Limited)
    R1 UCGuard; C:\WINDOWS\System32\DRIVERS\ucguard.sys [80768 2016-04-25] (Huorong Borui (Beijing) Technology Co., Ltd.) <==== UWAGA


    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    Once done, post new FRST logs from the scan.

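Both fixlists above are assembled by hand from the Task: lines FRST flagged. As an added example that is not from this thread or from FRST, the Python below parses lines in that layout and lists why each task deserves a look (script targets, a file dropped straight into Program Files or a profile root, a random-looking task name, an orphaned task whose target reads "Brak pliku"). The sample is constructed: one made-up benign task plus lines copying the entries quoted above; the heuristics are assumptions, not FRST's own rules.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample: line 1 is a made-up benign task, the rest copy the
# layout of the Task: entries quoted in the thread above.
SAMPLE = r"""
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-09-15] (Google Inc.)
Task: {25E3BEF3-8435-40E9-AFCC-B18A27E54D04} - System32\Tasks\UhUGoEXXVRg => C:\Program Files (x86)\zDtjy.bat [2017-03-18] () <==== UWAGA
Task: {8309BE8B-D943-42F6-8A72-63D2424A8909} - System32\Tasks\iagEkuYLitAwH => C:\Users\Kasia\ygEOer.exe [2017-03-18] (Microsoft Corporation)
Task: {C9A49348-50AF-4D17-8F00-D06CAAA5E5C1} - \Microsoft\Windows\UNP\RunCampaignManager -> Brak pliku <==== UWAGA
"""
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<name>\S+) "
    r"(?:=> (?P<target>.+?)(?: \[(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\))?"
    r"|-> (?P<missing>Brak pliku|No File))(?: <==== (?:UWAGA|ATTENTION))?$")
# Script targets, and folders where a vendor would use a subfolder, not a loose file
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
LOOSE_DIRS = {r"c:\program files", r"c:\program files (x86)", r"c:\windows", r"c:\programdata"}

def random_looking(name: str) -> bool:
    """Heuristic: many upper/lower switches between adjacent letters (UhUGoEXXVRg)."""
    letters = [c for c in name if c.isalpha()]
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return len(letters) >= 5 and switches / len(letters) >= 0.4

def parse_task(line: str):
    m = TASK_RE.match(line.strip())  # None for every non-Task: line
    return m and {**m.groupdict(), "name": m["name"].rsplit("\\", 1)[-1]}

def assess(task: dict) -> list:
    """Reasons a parsed Task: entry deserves a closer look (empty = nothing odd)."""
    if task["missing"]:
        return ["orphaned task: target file no longer exists"]
    target = PureWindowsPath(task["target"])
    parent = str(target.parent).lower()
    reasons = []
    if target.suffix.lower() in SCRIPT_EXT:
        reasons.append("task runs a script file")
    if parent in LOOSE_DIRS or re.fullmatch(r"c:\\users\\[^\\]+", parent):
        reasons.append("target dropped directly in a root or profile folder")
    if random_looking(task["name"]):
        reasons.append("random-looking task name")
    # FRST's company name comes from version info, not from a verified signature.
    if "microsoft" in (task["company"] or "").lower() and parent.startswith(r"c:\users"):
        reasons.append("Microsoft company name on a file in a user profile")
    return reasons

def triage(log_text: str) -> dict:
    """Task name -> reasons, for every Task: line that raised at least one."""
    tasks = filter(None, map(parse_task, log_text.splitlines()))
    return {t["name"]: r for t in tasks if (r := assess(t))}
```

Run it on a full FRST.txt instead of SAMPLE to get a shortlist; the benign GoogleUpdate task produces no reasons and is left out of the result.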
  • #5 15 Oct 2018 08:02
    krzychupar
    Level 40

    Don't post the fixlog, just say whether the problem has gone away or not. If not, post new FRST logs.

  • #6 15 Oct 2018 08:14
    Kolobos
    Computer specialist

    > Once done, post new FRST logs from the scan.
