Iexplore.exe virus


(Doborek556) #1

Hi, an iexplore.exe process keeps starting on my machine, I know it's a virus, I've checked all the forums on how to remove it but nothing worked. Please help, I tried ComboFix and nothing, FRST too and nothing. Thanks in advance.


(Acorus) #2
"FRST too and nothing."

What script did you use?


(Doborek556) #3

Right now I can't find it on the net and I've already removed the program; I'll add that I also ran OTL, script:

:Processes
Explorer.EXE
:OTL
O4 - HKCU…\Run: [Microsoft Active X] C:\Users\Aleksander\AppData\Roaming\mshx32.exe (Windows-Trust)
:Commands
[emptytemp]
[start explorer]


(Acorus) #4

Download Farbar Recovery Scan Tool http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ matching your system version, 32-bit or 64-bit.


(Doborek556) #5

FRST LOG: http://wklej.org/id/1587998/

ADDITION LOG: I didn't put it on wklej.org because there was some error on the site, 500 Internal Server Error, so I'll put it here: http://wklej.se/6842


(Acorus) #6

Uninstall Adobe Reader 9.5.5 - Polish. Show the full FRST.txt log.


(Doborek556) #7

I uninstalled Adobe Reader; wklej.org has some errors and doesn't show the whole log, here it is on wklej.se: http://wklej.se/251c


(Acorus) #8

Uninstall Adobe Reader 9.5.5 - Polish. Open the system Notepad and paste:

CustomCLSID: HKU\S-1-5-21-3012084760-990230296-27709176-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 - C:\Users\Jacek\AppData\Roaming\tricomfi\tivesen.dll () ==== ATTENTION
Task: {079E9B19-8D94-4F07-8D33-61F34335815D} - \Microsoft\Windows\Maintenance\SMupdate2 No Task File ==== ATTENTION
Task: {C836CA64-ED6C-4D3D-B1A3-7177F4811AC4} - System32\Tasks\SPBIW_UpdateTask_Time_323632323033353238312d3437415a556c2a3223346c41 = Wscript.exe //B "C:\ProgramData\ShopperPro\spbihe.js" spbiu.exe /invoke /f:check_services /l:0 ==== ATTENTION
Task: {CBC1618F-59E6-4B54-BCEA-DA33EBBB2911} - System32\Tasks\YTDownloaderUpd = C:\Program Files (x86)\YTDownloader\updater.exe ==== ATTENTION
Task: {D909884B-452A-4908-B844-9CDD0024D041} - \Microsoft\Windows\Multimedia\SMupdate3 No Task File ==== ATTENTION
AlternateDataStreams: C:\ProgramData:NT2
AlternateDataStreams: C:\Users\All Users:NT2
AlternateDataStreams: C:\ProgramData\Application Data:NT2
AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT2
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2
AlternateDataStreams: C:\Users\Jacek\Dane aplikacji:NT
AlternateDataStreams: C:\Users\Jacek\Dane aplikacji:NT2
AlternateDataStreams: C:\Users\Jacek\AppData\Roaming:NT
AlternateDataStreams: C:\Users\Jacek\AppData\Roaming:NT2
HKLM\...\Run: [AdobeAAMUpdater-1.0] = C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472992 2013-03-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WinampAgent] = C:\Program Files (x86)\Winamp\winampa.exe [85600 2013-12-13] (Nullsoft, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] = C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
ShellIconOverlayIdentifiers: [00avast] - {472083B0-C522-11CF-8763-00608CC02F24} = No File
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction ======= ATTENTION
HKU\S-1-5-21-3012084760-990230296-27709176-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction ======= ATTENTION
HKU\S-1-5-21-3012084760-990230296-27709176-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://terra.im/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\S-1-5-21-3012084760-990230296-27709176-1000 - DefaultScope {4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE} URL = http://terra.im/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3012084760-990230296-27709176-1000 - {3DC35270-8A92-4131-B14B-AD3711AA95CB} URL = http://www.idg.pl?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3012084760-990230296-27709176-1000 - {4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE} URL = http://terra.im/search?q={searchTerms}
FF Extension: MEGA - C:\Users\Jacek\AppData\Roaming\Mozilla\Firefox\Profiles\gtqenf8a.default\Extensions\firefox@mega.co.nz.xpi [2014-11-23]
FF Extension: Quiknowledge - C:\Program Files (x86)\Mozilla Firefox\extensions\quiknowledge@quiknowledge.com [2014-12-09]
CHR Extension: (BBlockUoTubeAd) - C:\Users\Jacek\AppData\Local\Google\Chrome\User Data\Default\Extensions\dheoacacmmlbgelcmiofhjkmepgnkbli [2014-01-31]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fooihgffjknjfdidhkpgeibbipkjlhpn] - C:\Users\Jacek\AppData\Local\Temp\ccex.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [pmholphmkflmlgknogfaflfkknjegfje] - C:\ProgramData\TheBflix\pmholphmkflmlgknogfaflfkknjegfje.crx [Not Found]
S3 EagleX64; \\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 FairplayKD; \\C:\ProgramData\MTA San Andreas All\Common\temp\FairplayKD.sys [X]
S3 injectDLL; \\C:\Users\Jacek\Desktop\xqz ring0 by dedi\injectDLL.sys [X]
2015-01-01 20:10 - 2015-01-01 20:12 - 00000000 ____ D () C:\Program Files\Common Files\ShopperPro
2015-01-01 20:10 - 2015-01-01 20:10 - 00004246 _____ () C:\Windows\System32\Tasks\SPBIW_UpdateTask_Time_323632323033353238312d3437415a556c2a3223346c41
2015-01-01 20:08 - 2015-01-01 20:08 - 00003916 _____ () C:\Windows\System32\Tasks\YTDownloaderUpd
2015-01-01 20:07 - 2015-01-01 20:07 - 00000000 __SHD () C:\Users\Jacek\AppData\Local\EmieBrowserModeList
2015-01-01 20:07 - 2015-01-01 20:07 - 00000000 ____ D () C:\Users\Jacek\AppData\Roaming\tricomfi
EmptyTemp:

Save the file as fixlist.txt and put it next to FRST in the same folder.
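A post-fix check, added here as an example and not part of the original thread or of FRST: after the fixlist above has run and the machine has rebooted, the script below re-inspects each persistence point the fixlist targeted (Run values, the hijacked CustomCLSID, browser policy keys, the terra.im search scope, orphaned driver services, scheduled tasks and their TaskCache entries, the directory alternate data streams, and the dropped files) and reports anything still present. The targets are copied from the fixlist in #8 and the OTL line in #3, so the user names (Jacek, Aleksander), the SID and every path are specific to that machine; it assumes PowerShell 3.0 or later (for Get-Item -Stream) running from an elevated prompt.

```powershell
# Added example (not from the original thread or from FRST). Re-checks the items
# the fixlist in #8 removed. SID, user names and paths come from that post and the
# OTL script in #3; adjust them for any other machine. Needs PowerShell 3.0+, elevated.
$Sid     = 'S-1-5-21-3012084760-990230296-27709176-1000'
$UserDir = 'C:\Users\Jacek'

$Targets = @(
    # Run values and the hijacked CustomCLSID (a DLL under AppData\Roaming with no company name)
    @{ Kind='RegValue'; Path="Registry::HKEY_USERS\${Sid}_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32"; Name='(default)' }
    @{ Kind='RegValue'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='AdobeAAMUpdater-1.0' }
    @{ Kind='RegValue'; Path='HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Name='WinampAgent' }
    @{ Kind='RegValue'; Path='HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Name='Adobe Reader Speed Launcher' }
    @{ Kind='RegValue'; Path='HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Name='Adobe ARM' }
    # Start page is reset rather than deleted, so only flag it if it still points at terra.im
    @{ Kind='RegValue'; Path="Registry::HKEY_USERS\$Sid\Software\Microsoft\Internet Explorer\Main"; Name='Start Page'; Match='*terra.im*' }
    # Browser policy keys planted by the adware (on an unmanaged home PC these should not exist)
    @{ Kind='RegKey'; Path='HKLM:\SOFTWARE\Policies\Google' }
    @{ Kind='RegKey'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer' }
    @{ Kind='RegKey'; Path="Registry::HKEY_USERS\$Sid\SOFTWARE\Policies\Microsoft\Internet Explorer" }
    # Search scope that redirected queries to terra.im
    @{ Kind='RegKey'; Path="Registry::HKEY_USERS\$Sid\Software\Microsoft\Internet Explorer\SearchScopes\{4187F0FC-AF41-4E4B-AE67-84C8FD35A0AE}" }
    # Orphaned kernel drivers ([X] in FRST: a service entry whose .sys file is missing)
    @{ Kind='RegKey'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\EagleX64' }
    @{ Kind='RegKey'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\FairplayKD' }
    @{ Kind='RegKey'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\injectDLL' }
    # Scheduled tasks live in two places: the XML under System32\Tasks and the TaskCache
    # entry keyed by the task GUID. "No Task File" in FRST means only the cache entry is left.
    @{ Kind='Task'; Guid='{079E9B19-8D94-4F07-8D33-61F34335815D}'; File='Microsoft\Windows\Maintenance\SMupdate2' }
    @{ Kind='Task'; Guid='{C836CA64-ED6C-4D3D-B1A3-7177F4811AC4}'; File='SPBIW_UpdateTask_Time_323632323033353238312d3437415a556c2a3223346c41' }
    @{ Kind='Task'; Guid='{CBC1618F-59E6-4B54-BCEA-DA33EBBB2911}'; File='YTDownloaderUpd' }
    @{ Kind='Task'; Guid='{D909884B-452A-4908-B844-9CDD0024D041}'; File='Microsoft\Windows\Multimedia\SMupdate3' }
    # Alternate data streams hung off directories; the junctions listed in the log
    # (All Users, Application Data, Dane aplikacji) resolve to these two folders.
    @{ Kind='Ads'; Path='C:\ProgramData'; Stream='NT2' }
    @{ Kind='Ads'; Path="$UserDir\AppData\Roaming"; Stream='NT' }
    @{ Kind='Ads'; Path="$UserDir\AppData\Roaming"; Stream='NT2' }
    # Dropped payloads and their folders
    @{ Kind='File'; Path="$UserDir\AppData\Roaming\tricomfi\tivesen.dll" }
    @{ Kind='File'; Path='C:\Users\Aleksander\AppData\Roaming\mshx32.exe' }
    @{ Kind='File'; Path='C:\ProgramData\ShopperPro\spbihe.js' }
    @{ Kind='File'; Path='C:\Program Files\Common Files\ShopperPro' }
    @{ Kind='File'; Path='C:\Program Files (x86)\YTDownloader\updater.exe' }
)

function Test-RegValue([string]$Path, [string]$Name, [string]$Match) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $Name)) { return $false }
    if ($Match) { return ([string]$item.$Name) -like $Match }   # value exists but may already be benign
    return $true
}

function Test-Task([string]$Guid, [string]$File) {
    (Test-Path -LiteralPath "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$Guid") -or
    (Test-Path -LiteralPath "C:\Windows\System32\Tasks\$File")
}

function Test-Ads([string]$Path, [string]$Stream) {
    $null -ne (Get-Item -LiteralPath $Path -Stream $Stream -ErrorAction SilentlyContinue)
}

function Test-FixResidue {
    foreach ($t in $Targets) {
        $present = switch ($t.Kind) {
            'RegKey'   { Test-Path -LiteralPath $t.Path }
            'RegValue' { Test-RegValue $t.Path $t.Name $t.Match }
            'Task'     { Test-Task $t.Guid $t.File }
            'Ads'      { Test-Ads $t.Path $t.Stream }
            'File'     { Test-Path -LiteralPath $t.Path }
        }
        $label = if ($t.Kind -eq 'Task') { $t.File } elseif ($t.Kind -eq 'RegValue') { "$($t.Path) -> $($t.Name)" } else { $t.Path }
        [pscustomobject]@{ Kind = $t.Kind; Target = $label; Present = [bool]$present }
    }
}

$residue = Test-FixResidue | Where-Object Present
if ($residue) {
    $residue | Format-Table -AutoSize
    Write-Warning 'Items from the fixlist are still present; rerun the FRST fix and post the Fixlog.'
} else {
    'Nothing from the fixlist is left on this machine.'
}
```

Two caveats: the Policies keys are only suspicious on a machine nobody manages, since a domain-joined or MDM-enrolled PC gets them from Group Policy legitimately; and on a Windows 7 install that still has the stock PowerShell 2.0, Get-Item has no -Stream parameter, so the ADS checks need `cmd /c dir /r` instead.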


(Doborek556) #9

Problem seems solved! Thanks Acorus for the help :)


(Acorus) #10

Delete the C:\FRST folder.