Suspected infection - request for log analysis


(Polski Derp) #1

Hi,

I suspect an infection on my laptop, because Windows keeps closing applications, e.g. MyDrive Connect.


FRST: http://wklej.org/id/1674301/

Addition: http://wklej.org/id/1674302/


Regards,

Polski Derp


(Acorus) #2

Open Notepad and paste:

Task: {25EB4FE3-4586-448A-9B57-0436240C77BA} - \Yahoo! Search Updater No Task File ==== ATTENTION
Task: {C8437B24-68C1-47FF-B5B2-16B29A2E8D95} - System32\Tasks\{2B7E9362-2284-40D9-8BF5-131931FCEF08} = Chrome.exe http://ui.skype.com/ui/0/6.6.0.106/pl/abandoninstall?page=tsMain
Task: {E978CB04-FEE1-43FC-962C-36FC37091F8D} - System32\Tasks\{056C5787-CA82-44CE-8055-CFD78B6679CD} = Chrome.exe http://ui.skype.com/ui/0/6.6.0.106/pl/eula
Task: {F37F08A5-28EC-44A8-90FA-2F6ABC7CA930} - \Yahoo! Search No Task File ==== ATTENTION
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
HKLM\...\AppCertDlls: [x86] - C:\Program Files\Browser Tab Search by Ask\SafetyNut\safetycrt.dll
HKLM\...\AppCertDlls: [x64] - c:\program files\browser tab search by ask\safetynut\x64\safetycrt.dll
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
CHR HKU\S-1-5-21-2542781312-1828673966-3776682253-1000\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2488} URL = http://dts.search.ask.com/sr?src=iebgct=dsappid=210systemid=488v=n12521-435apn_uid=5193631250714549apn_dtid=TCH001o=APN11459apn_ptnrs=AG1q={searchTerms}
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}SearchSource=4ctid=CT2417076
SearchScopes: HKU\S-1-5-21-2542781312-1828673966-3776682253-1000 - {6D3AEBAB-D9CE-4B0C-B927-99D24B3F95AA} URL = http://rts.dsrlte.com/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2542781312-1828673966-3776682253-1000 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2488} URL = http://dts.search.ask.com/sr?src=iebgct=dsappid=210systemid=488v=n12521-435apn_uid=5193631250714549apn_dtid=TCH001o=APN11459apn_ptnrs=AG1q={searchTerms}
SearchScopes: HKU\S-1-5-21-2542781312-1828673966-3776682253-1000 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}SearchSource=4ctid=CT2417076
FF HKLM\...\Firefox\Extensions: [SpecialSavings@SpecialSavings.com] - C:\Users\KRZYSZTOF\AppData\Roaming\Mozilla\Extensions\SpecialSavings@SpecialSavings.com
FF Extension: SpecialSavings - C:\Users\KRZYSZTOF\AppData\Roaming\Mozilla\Extensions\SpecialSavings@SpecialSavings.com [2013-04-17]
FF HKU\S-1-5-21-2542781312-1828673966-3776682253-1000\...\Firefox\Extensions: [SpecialSavings@SpecialSavings.com] - C:\Users\KRZYSZTOF\AppData\Roaming\Mozilla\Extensions\SpecialSavings@SpecialSavings.com
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
2015-03-29 15:10 - 2015-03-29 15:10 - 00000000 ____ D () C:\AdwCleaner
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.
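An added triage helper, not part of the thread or of FRST itself: it parses FRST-style report lines of the kinds the fix above targets (IFEO Debugger entries, AppCertDlls, SearchScopes, browser policy locks, orphaned services) and labels what each entry does on the machine. The sample lines, the example paths and hostnames, and the KNOWN_DEBUGGERS list are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed FRST-style lines (modelled on the thread's report, not copied from it).
SAMPLE = r"""
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\notepad.exe: [Debugger] "C:\Program Files\Debugger\vsjitdebugger.exe"
HKLM\...\AppCertDlls: [x86] - C:\Program Files\Example\safetycrt.dll
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2488} URL = http://search.example.test/sr?q={searchTerms}
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
""".strip().splitlines()

IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$")
APPCERT_RE = re.compile(r"^HKLM\\\.\.\.\\AppCertDlls: \[(?P<arch>x86|x64)\] - (?P<path>.+)$")
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) URL = (?P<url>\S+)$")

# Assumed allow-list of real debuggers; anything else in an IFEO Debugger value is suspect.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

def classify(line):
    """Return (entry kind, effect, key detail) for one FRST-style line."""
    m = IFEO_RE.match(line)
    if m:
        # Windows launches the Debugger value instead of the named image. A non-debugger
        # such as tasklist.exe simply exits, so the image never runs: a silent exec block.
        exe = m["debugger"].strip('"').split("\\")[-1].lower()
        effect = "legit-debugger" if exe in KNOWN_DEBUGGERS else "exec-blocked"
        return ("ifeo", effect, m["image"])
    m = APPCERT_RE.match(line)
    if m:
        # AppCertDlls are loaded into every process that calls CreateProcess.
        return ("appcertdlls", "dll-injected-into-every-process", m["path"])
    m = SCOPE_RE.match(line)
    if m:
        return ("searchscope", "search-redirect", urlparse(m["url"]).hostname)
    if "Policy restriction" in line:
        # A policy key locks browser settings so the user cannot undo the hijack.
        return ("browser-policy", "locked-settings", line.split(":")[0])
    if line.endswith("[X]"):
        # Service entry whose driver file is missing; harmless, but worth cleaning.
        return ("service", "orphaned-entry", line.split(";")[0].split()[-1])
    return ("other", "unclassified", line)

def triage(lines):
    """Classify every non-empty line; callers can sort or count by the first field."""
    return [classify(l) for l in lines if l.strip()]
```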