Some pages don't load, infected system


(Krzycho 90) #1

Hello,

I have a problem where some pages (facebook.com, milanos.pl) don't load for me; I use Firefox, and on IE it's the same. I did the basic Firefox troubleshooting (reinstalling the browser, clearing the cache and cookies, creating a new profile), but nothing changed. For a few days the computer was online without an antivirus; I was using AVG, now AVAST is installed and the system has been scanned with it, but messages about detected threats are still being displayed. As instructed on the forum I'm posting the logs and asking for help. Thanks in advance and regards.

FRST: http://www.wklej.org/id/1679936/

Additional: http://www.wklej.org/id/1679938/


(Atis) #2

Why did you uncheck the entries from the file-encrypting virus in msconfig?

Paste into the system Notepad and save as a text file named fixlist:

CloseProcesses:
HKU\S-1-5-21-3735711621-2070076252-3594246139-1000\...\Run: [Opkics] => regsvr32.exe C:\Users\Urban\AppData\Local\Opkics\Test.dll <===== ATTENTION
HKU\S-1-5-21-3735711621-2070076252-3594246139-1000\...\Run: [UXNmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Urban\AppData\Local\YdPack\Test.dll
HKU\S-1-5-21-3735711621-2070076252-3594246139-1000\...\Policies\Explorer: [Run] "C:\Users\Urban\AppData\Roaming\Microsoft\Windows\IEUpdate\osk.exe"
ShellIconOverlayIdentifiers: [0WinSecurityProvider] -> {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} => C:\ProgramData\Microsoft\Security\Client\SecurityProvider.dll ()
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3735711621-2070076252-3594246139-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{17f22d14-307e-4c31-9c81-ab1c81bcb033} <======= ATTENTION (Policy Restriction on IP)
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yac.mx/?utm_source=b&utm_medium=iSafe&from=iSafe&uid=wdcxwd1600jb-00gva0_wd-wmal92033936
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.yac.mx/?utm_source=b&utm_medium=iSafe&from=iSafe&uid=wdcxwd1600jb-00gva0_wd-wmal92033936
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yac.mx/?utm_source=b&utm_medium=iSafe&from=iSafe&uid=wdcxwd1600jb-00gva0_wd-wmal92033936
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.yac.mx/?utm_source=b&utm_medium=iSafe&from=iSafe&uid=wdcxwd1600jb-00gva0_wd-wmal92033936
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2015-04-04 18:10 - 2015-04-04 19:22 - 00000616 ____ H () C:\ProgramData\@system.temp
2015-04-03 01:29 - 2015-04-04 18:08 - 00000000 ____ D () C:\AdwCleaner
2015-03-31 16:48 - 2015-03-31 16:48 - 00008598 _____ () C:\Users\Urban\HELP_DECRYPT.HTML
2015-03-31 16:48 - 2015-03-31 16:48 - 00008598 _____ () C:\Users\Urban\Documents\HELP_DECRYPT.HTML
2015-03-31 16:48 - 2015-03-31 16:48 - 00008598 _____ () C:\Users\Urban\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-31 16:48 - 2015-03-31 16:48 - 00008598 _____ () C:\Users\Urban\AppData\HELP_DECRYPT.HTML
2015-03-31 16:48 - 2015-03-31 16:48 - 00004242 _____ () C:\Users\Urban\HELP_DECRYPT.TXT
2015-03-31 16:48 - 2015-03-31 16:48 - 00004242 _____ () C:\Users\Urban\Documents\HELP_DECRYPT.TXT
2015-03-31 16:48 - 2015-03-31 16:48 - 00004242 _____ () C:\Users\Urban\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-31 16:48 - 2015-03-31 16:48 - 00004242 _____ () C:\Users\Urban\AppData\HELP_DECRYPT.TXT
2015-03-31 16:48 - 2015-03-31 16:48 - 00000280 _____ () C:\Users\Urban\HELP_DECRYPT.URL
2015-03-31 16:48 - 2015-03-31 16:48 - 00000280 _____ () C:\Users\Urban\Documents\HELP_DECRYPT.URL
2015-03-31 16:48 - 2015-03-31 16:48 - 00000280 _____ () C:\Users\Urban\AppData\Roaming\HELP_DECRYPT.URL
2015-03-31 16:48 - 2015-03-31 16:48 - 00000280 _____ () C:\Users\Urban\AppData\HELP_DECRYPT.URL
2015-03-31 16:41 - 2015-03-31 16:41 - 00008598 _____ () C:\Users\Urban\AppData\Local\HELP_DECRYPT.HTML
2015-03-31 16:41 - 2015-03-31 16:41 - 00004242 _____ () C:\Users\Urban\AppData\Local\HELP_DECRYPT.TXT
2015-03-31 16:41 - 2015-03-31 16:41 - 00000280 _____ () C:\Users\Urban\AppData\Local\HELP_DECRYPT.URL
2015-03-31 16:40 - 2015-03-31 16:40 - 00008598 _____ () C:\Users\Public\HELP_DECRYPT.HTML
2015-03-31 16:40 - 2015-03-31 16:40 - 00008598 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
2015-03-31 16:40 - 2015-03-31 16:40 - 00008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-31 16:40 - 2015-03-31 16:40 - 00004242 _____ () C:\Users\Public\HELP_DECRYPT.TXT
2015-03-31 16:40 - 2015-03-31 16:40 - 00004242 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
2015-03-31 16:40 - 2015-03-31 16:40 - 00004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-31 16:40 - 2015-03-31 16:40 - 00000280 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-03-31 16:40 - 2015-03-31 16:40 - 00000280 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
2015-03-31 16:40 - 2015-03-31 16:40 - 00000280 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-31 16:33 - 2015-04-04 19:22 - 00000352 ____ H () C:\ProgramData\@system3.att
2015-03-31 16:33 - 2015-03-31 16:33 - 00000480 ____ H () C:\Users\Urban\AppData\Roaming\麽鎒駓覜
2015-03-28 23:53 - 2015-03-31 21:02 - 00000000 ____ D () C:\ProgramData\kamliajindgpjndgijancomidadngmdn
2015-03-28 23:53 - 2015-03-31 20:01 - 00000000 ____ D () C:\ProgramData\{535d18ea-331e-cd8b-535d-d18ea33163a8}
2015-03-28 23:52 - 2015-03-31 21:02 - 00000000 ____ D () C:\ProgramData\{e661cb2d-cc4b-9956-e661-1cb2dcc42cb7}
2015-03-12 14:30 - 2015-03-12 14:30 - 00000000 ___HD () C:\Users\Urban\AppData\Roaming\10F70437
2015-03-05 21:35 - 2015-04-02 23:46 - 00000000 ____ D () C:\Users\Urban\AppData\Local\Opkics
2015-03-05 21:34 - 2015-04-03 08:41 - 00000000 ____ D () C:\Users\Urban\AppData\Local\YdPack
2015-03-30 14:31 - 2015-03-30 14:32 - 0011952 _____ () C:\Users\Urban\AppData\Local\Temp-log.txt
Task: {264D8F4F-B4C2-4A87-893B-331C4A8802E6} - System32\Tasks\{9602AAC6-06CA-4E74-AC2F-E3370E7426CC} => pcalua.exe -a D:\FILMY\wormy\wormsarm\RegSetup.exe -d D:\FILMY\wormy\wormsarm
Task: {5B283CBA-3279-4C57-AB86-5FB1F54C5CE7} - System32\Tasks\{AD5B37DF-3214-45D6-97A7-1FA278F6C815} => pcalua.exe -a D:\wormsy\Setup.exe -d D:\wormsy
Task: {76E736AE-7DFF-4861-9BA2-BBFEC5920B0C} - System32\Tasks\{293C8D53-9F16-444F-BB86-B037ACE79375} => pcalua.exe -a C:\Windows\IsUninst.exe -c -fd:\krzycho\worm\Uninst.isu
Task: {81A289A9-AC08-4F09-A00A-230AAC12F270} - System32\Tasks\{A1F41193-8E49-4ED6-A02D-FDFB681CDF71} => pcalua.exe -a "D:\Krzycho\rFactor 2008\mod 2009\mod_f1_2009_f1rl_v1.0.exe" -d "D:\Krzycho\rFactor 2008\mod 2009"
Task: {A2E392DB-3BD0-47F6-83BB-0A1282C598A6} - System32\Tasks\{6EC3E0E8-29FE-4456-AB2B-0321564D8765} => pcalua.exe -a G:\Installer.exe -d G:\
Task: {A35CC458-457D-47FA-88CE-F29A20DC5CAA} - System32\Tasks\{D8B9B26C-B1BC-463F-8160-0CC2A542E97C} => pcalua.exe -a E:\autorun.exe -d E:\
Task: {C10C70EF-E79A-44D1-B0F4-DB19620A4640} - System32\Tasks\{C25DA235-1F7B-47A8-ACE0-8EA14535E550} => pcalua.exe -a E:\WA_Set.exe -d E:\
Task: {DB7DCB3F-C738-43F6-8B93-A42BF3CE9A79} - System32\Tasks\{83A08B02-3C7A-40E7-A2ED-3A6A1D0EEAB0} => pcalua.exe -a "F:\WinRAR v3.71 PL\keygen.exe" -d "F:\WinRAR v3.71 PL"
Task: {E85FEC5F-9954-4B2D-AED9-A1D9DF22076D} - System32\Tasks\{7820E79D-AA35-42E4-B708-74782A819BA7} => pcalua.exe -a C:\Users\Urban\Desktop\ewido-setup_4.0.0.172.exe -d C:\Users\Urban\Desktop
Task: {E9DC6807-6FC1-444B-91A4-9A398D389FE9} - \osk No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:76650B61
AlternateDataStreams: C:\Users\Urban\AppData\Local\Temporary Internet Files:CTq5NYV39lwd1FR30DLzK2m
C:\Users\Urban\AppData\Roaming\Microsoft\Windows\IEUpdate
C:\ProgramData\Microsoft\Security
EmptyTemp:

Run FRST and click Fix. Post the removal report Fixlog.

Click Scan and post the new FRST report, without Addition.
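As an added example (not part of this thread), a read-only PowerShell audit of the registry locations the fixlist above targets: the HKCU Run and Policies\Explorer\Run autostarts, the Chrome and Internet Explorer policy keys, and the local IPSec policy that was blocking connections. It assumes the standard key paths behind the abbreviated FRST lines (HKU\<SID> read as HKCU); run it elevated after the fix to confirm the entries are gone, it changes nothing.

```powershell
# Added example, not from the thread: audit of the persistence and policy
# locations the FRST fixlist targets. Report only; nothing is modified.
$checks = @(
    @{ Name = 'HKCU Run';            Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Name = 'HKCU Policies Run';   Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' },
    @{ Name = 'Chrome policy';       Path = 'HKLM:\SOFTWARE\Policies\Google' },
    @{ Name = 'IE policy (machine)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer' },
    @{ Name = 'IE policy (user)';    Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer' },
    @{ Name = 'IPSec local policy';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local' }
)

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { "[ok]   $($c.Name): key absent"; continue }
    $item   = Get-Item $c.Path
    $values = $item.GetValueNames()
    if ($values.Count -eq 0 -and $item.SubKeyCount -eq 0) { "[ok]   $($c.Name): key empty"; continue }
    # Anything left here is either a leftover of the infection or a policy an
    # admin set deliberately; a home PC normally has none of these populated.
    "[warn] $($c.Name): $($c.Path)"
    foreach ($v in $values)               { "       $v = $($item.GetValue($v))" }
    foreach ($s in $item.GetSubKeyNames()) { "       subkey: $s" }
}

# Run-key values that load a DLL from the user profile through regsvr32 (the
# Opkics/UXNmedia pattern in the fixlist) are called out separately.
$run = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($v in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($v)
        if ($cmd -match 'regsvr32' -and $cmd -match '\\AppData\\') {
            "[alert] regsvr32 autorun from profile: $v => $cmd"
        }
    }
}

# Ransom-note artefacts (HELP_DECRYPT.*) the fixlist removes from the profile and ProgramData.
Get-ChildItem -Path $env:USERPROFILE, $env:ProgramData -Filter 'HELP_DECRYPT.*' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "[note] ransom note still present: $($_.FullName)" }
```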


(Krzycho 90) #3

Thanks, the pages load now, and here are the reports.

Fixlog from the removal: http://wklej.org/id/1680082/

FRST: http://wklej.org/id/1680083/


(Atis) #4

Paste into the system Notepad and save as a text file named fixlist:

2015-04-04 22:38 - 2015-04-04 22:38 - 00000616 ____ H () C:\ProgramData\@system.temp
2015-04-03 20:25 - 2015-04-04 22:35 - 00001114 _____ () C:\Windows\PFRO.log
2015-04-03 12:47 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-04-03 12:47 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-04-03 12:47 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-04-03 12:47 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-04-03 12:47 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-04-03 12:47 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2015-04-03 12:47 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2015-04-03 12:47 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
RemoveDirectory: C:\Qoobox
2015-03-31 21:45 - 2012-11-22 21:30 - 00000000 ____ D () C:\ProgramData\MFAData
2015-03-31 21:09 - 2015-02-24 21:55 - 00000000 ____ D () C:\ProgramData\AVG2015
2015-03-31 16:33 - 2015-03-31 16:33 - 00000480 ____ H () C:\Users\Urban\AppData\Roaming\麽鎒駓覜
2015-04-03 12:45 - 2015-04-03 19:29 - 00000000 ____ D () C:\Program Files (x86)\ewido anti-malware
2015-03-31 16:33 - 2015-04-04 22:38 - 00000352 ____ H () C:\ProgramData\@system3.att
2015-03-31 16:32 - 2015-04-04 16:50 - 00000000 ____ D () C:\Users\Urban\AppData\Roaming\FrameworkUpdate
2015-03-31 16:48 - 2015-03-31 16:48 - 0045513 _____ () C:\Users\Urban\AppData\Roaming\HELP_DECRYPT.PNG
2012-12-07 23:10 - 2015-02-23 16:23 - 0016560 _____ () C:\Users\Urban\AppData\Roaming\URBAN-KOMPUTER.MTBF.txt
2015-03-31 16:41 - 2015-03-31 16:41 - 0045513 _____ () C:\Users\Urban\AppData\Local\HELP_DECRYPT.PNG
2015-04-04 22:38 - 2015-04-04 22:38 - 0000616 ____ H () C:\ProgramData\@system.temp
2015-03-31 16:40 - 2015-03-31 16:40 - 0045513 _____ () C:\ProgramData\HELP_DECRYPT.PNG
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.HTML" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.PNG" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.TXT" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.URL" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^NAPSTAT.lnk" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^sapsalo.jar" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Urban^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xcopy.lnk" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG_UI" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Opkics" /f
C:\Windows\pss\HELP_DECRYPT.HTML.Startup
C:\Windows\pss\HELP_DECRYPT.PNG.Startup
C:\Windows\pss\HELP_DECRYPT.TXT.Startup
C:\Windows\pss\HELP_DECRYPT.URL.Startup
C:\Windows\pss\NAPSTAT.lnk.Startup
C:\Windows\pss\sapsalo.jar.Startup
C:\Windows\pss\xcopy.lnk.Startup
DeleteQuarantine:

Run FRST and click Fix. Delete the folder C:\FRST

Scan the disk with Malwarebytes Anti-Malware

During installation, uncheck "Start a Malwarebytes Anti-Malware Premium trial".

http://wstaw.org/m/2014/03/25/2014-03-25_123039.png

Polish language: Settings > General Settings > Language > Polish

Uninstall Java 7 Update 76 and install Java 8 Update 40


(Krzycho 90) #5

Many thanks, I did everything as instructed; so far everything works, regards