Rootkit ? Proszę o pomoc

Quba26 · 30 Styczeń 2015 15:06

Witam dzisiaj od rana po włączeniu kompa avast mi wykrył takie cudo http://www31.speedyshare.com/7CyFk/down … tytulu.jpg, pierwszy raz widze takie coś na moim komputerze, ale wiem co to jest. Próbowałem usunąć ale avast nie usuwa i próbowałem różnymi programami np. CCleaner itp. i co każde uruchomienie ponowne kompa to mam samo. Możliwe że to jest jakiś fałszywy alarm, więc wolę sie upewnić. Jeśli ktoś wie czy to jest fałszywy alarm lub jak to usunąć proszę o pomoc.

(Jestem pierwszy raz na forum, więc jeśli coś trzeba dodać to proszę o napisanie)

Acorus · 30 Styczeń 2015 15:39

To żaden rootkit.Pobierz Farbar Recovery Scan Tool http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ zgodny z wersją systemu 32-bit lub 64-bit.

Uruchom FRST i kliknij Scan. Pokaż raport FRST i Addition.

Raporty umieść na http://wklej.org/ i podaj link.

Quba26 · 31 Styczeń 2015 09:29

http://wklej.org/id/1617546/ FRST

Acorus · 31 Styczeń 2015 10:17

Odinstaluj AdvanceElite,mystartsearch uninstall.Otwórz notatnik systemowy i wklej:

Task: {D3950505-3309-41F6-ABB1-863FA169AF40} - System32\Tasks\{DA7B2800-1D7B-48E0-8608-0652BDFF136E} = pcalua.exe -a C:\Users\X\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=smt
HKLM-x32\...\Run: [SunJavaUpdateSched] = C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
HKU\S-1-5-21-3013317196-3480813224-3982538716-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
HKU\S-1-5-21-3013317196-3480813224-3982538716-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKLM-x32 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKU\S-1-5-21-3013317196-3480813224-3982538716-1000 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKU\S-1-5-21-3013317196-3480813224-3982538716-1000 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520 /verysilent /hideuninstallq={searchTerms}
SearchScopes: HKU\S-1-5-21-3013317196-3480813224-3982538716-1000 - {55A407BA-9E05-44A3-BF88-CC123808C066} URL = http://rts.dsrlte.com/?affID=naq={searchTerms}r=986
BHO-x32: AdvanceElite 1.0.0.7 - {3b2cb4c8-72ab-4b25-8fa1-219b36a60bed} - C:\Program Files (x86)\AdvanceElite\AdvanceEliteBHO.dll (AdvanceElite)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.mystartsearch.com/?type=scts=1418646909from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520
CHR RestoreOnStartup: Default - "hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com"
CHR DefaultSearchKeyword: Default - mystartsearch
CHR DefaultSearchURL: Default - http://www.mystartsearch.com/web/?type=dsppts=1418646933from=smtuid=ST500DM005XHD502HJ_S20BJ90DC01520\t/verysilent /hideuninstallq={searchTerms}
CHR Extension: (AdvanceElite) - C:\Users\X\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkbbmldjcnhopjhpifcocnmkooiadpbb [2014-10-14]
R2 IHProtect Service; C:\Program Files (x86)\STab\ProtectService.exe [158864 2014-11-10] (TODO: Company name)
R2 Update AdvanceElite; C:\Program Files (x86)\AdvanceElite\updateAdvanceElite.exe [673000 2015-01-31] ()
R2 Util AdvanceElite; C:\Program Files (x86)\AdvanceElite\bin\utilAdvanceElite.exe [673000 2015-01-31] ()
S4 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [485888 2014-12-15] (Fuyu LIMITED) [File not signed]
R1 {94d62e35-4b43-494c-bf52-ba5935df36ef}Gw64; C:\Windows\System32\drivers\{94d62e35-4b43-494c-bf52-ba5935df36ef}Gw64.sys [48784 2014-12-05] (StdLib)
S1 {00aec75d-051f-41a9-9837-e94ac4f56303}Gw64; system32\drivers\{00aec75d-051f-41a9-9837-e94ac4f56303}Gw64.sys [X]
S1 {02bbe9df-d3b0-43f4-8dcb-e24500d3308f}Gw64; system32\drivers\{02bbe9df-d3b0-43f4-8dcb-e24500d3308f}Gw64.sys [X]
S1 {10e3e2da-8f7b-42cc-9f00-90007ce494b8}Gw64; system32\drivers\{10e3e2da-8f7b-42cc-9f00-90007ce494b8}Gw64.sys [X]
S1 {1de2a23f-1c23-4ea1-8ef4-79bc5c5cea78}Gw64; system32\drivers\{1de2a23f-1c23-4ea1-8ef4-79bc5c5cea78}Gw64.sys [X]
S1 {255a824a-3cde-4dee-9785-284605606456}Gw64; system32\drivers\{255a824a-3cde-4dee-9785-284605606456}Gw64.sys [X]
S1 {32c6b9d7-6b2c-4b03-9178-01abbf9c7194}Gw64; system32\drivers\{32c6b9d7-6b2c-4b03-9178-01abbf9c7194}Gw64.sys [X]
S1 {336e37ae-3235-4f16-98ec-8cdf679be7d2}Gw64; system32\drivers\{336e37ae-3235-4f16-98ec-8cdf679be7d2}Gw64.sys [X]
S1 {3b808196-ff63-49ee-b33b-efdf51723eca}Gw64; system32\drivers\{3b808196-ff63-49ee-b33b-efdf51723eca}Gw64.sys [X]
S1 {3cac76e7-8310-45ea-8277-96d048a78c60}Gw64; system32\drivers\{3cac76e7-8310-45ea-8277-96d048a78c60}Gw64.sys [X]
S1 {3fa44d1f-c300-4673-a8c1-5ba05468b4bd}Gw64; system32\drivers\{3fa44d1f-c300-4673-a8c1-5ba05468b4bd}Gw64.sys [X]
S1 {4530e639-76ab-4435-889d-a5e81ae090a4}Gw64; system32\drivers\{4530e639-76ab-4435-889d-a5e81ae090a4}Gw64.sys [X]
S1 {51b9c91c-8e38-40ae-80de-58a590512b6b}Gw64; system32\drivers\{51b9c91c-8e38-40ae-80de-58a590512b6b}Gw64.sys [X]
S1 {5d78e0ee-ca60-46a4-9492-4f24429cc925}Gw64; system32\drivers\{5d78e0ee-ca60-46a4-9492-4f24429cc925}Gw64.sys [X]
S1 {67f29abb-07b3-41f5-94cd-f819d7c1fc76}Gw64; system32\drivers\{67f29abb-07b3-41f5-94cd-f819d7c1fc76}Gw64.sys [X]
S1 {733fb217-c049-41ba-9504-3f2045e61977}Gw64; system32\drivers\{733fb217-c049-41ba-9504-3f2045e61977}Gw64.sys [X]
S1 {84e24724-32a5-4ef8-b981-cc669543b4a4}Gw64; system32\drivers\{84e24724-32a5-4ef8-b981-cc669543b4a4}Gw64.sys [X]
S1 {949aba83-1d7f-4d0b-b0ba-203450825231}Gw64; system32\drivers\{949aba83-1d7f-4d0b-b0ba-203450825231}Gw64.sys [X]
S1 {94c4b27a-8cb1-4214-9d76-87c59a8cf657}Gw64; system32\drivers\{94c4b27a-8cb1-4214-9d76-87c59a8cf657}Gw64.sys [X]
S1 {b0c7827f-c845-429a-833b-c2a798fc4fc3}Gw64; system32\drivers\{b0c7827f-c845-429a-833b-c2a798fc4fc3}Gw64.sys [X]
S1 {bb7b7a60-f574-47c2-8a0b-4c56f2da9802}Gw64; system32\drivers\{bb7b7a60-f574-47c2-8a0b-4c56f2da9802}Gw64.sys [X]
S1 {d428f5a9-a362-4938-a8b7-f0abd920078b}Gw64; system32\drivers\{d428f5a9-a362-4938-a8b7-f0abd920078b}Gw64.sys [X]
S1 {d997fcb4-42b4-4f84-a147-2e498567c954}Gw64; system32\drivers\{d997fcb4-42b4-4f84-a147-2e498567c954}Gw64.sys [X]
S1 {dbec4a38-79aa-4d48-ac2b-d4467b1ded12}Gw64; system32\drivers\{dbec4a38-79aa-4d48-ac2b-d4467b1ded12}Gw64.sys [X]
S1 {dc592624-f532-4311-9fc7-6920126fc404}Gw64; system32\drivers\{dc592624-f532-4311-9fc7-6920126fc404}Gw64.sys [X]
S1 {e9629596-2cbd-4eea-9329-7470e8b0fdae}Gw64; system32\drivers\{e9629596-2cbd-4eea-9329-7470e8b0fdae}Gw64.sys [X]
S1 {f5d136d7-adc2-4c84-85b2-e564334ab0bc}Gw64; system32\drivers\{f5d136d7-adc2-4c84-85b2-e564334ab0bc}Gw64.sys [X]
S1 {f63e4e62-e47d-4415-9bb4-c9b1dfe161b9}Gw64; system32\drivers\{f63e4e62-e47d-4415-9bb4-c9b1dfe161b9}Gw64.sys [X]
S1 {fc7329ef-e953-454c-8e78-ed2cf0acb2ef}Gw64; system32\drivers\{fc7329ef-e953-454c-8e78-ed2cf0acb2ef}Gw64.sys [X]
S1 {fce396ae-d8d1-4789-946e-2106fbe4292b}Gw64; system32\drivers\{fce396ae-d8d1-4789-946e-2106fbe4292b}Gw64.sys [X]
S1 {fd600559-a688-4110-b9b9-0f1a9beae8ae}Gw64; system32\drivers\{fd600559-a688-4110-b9b9-0f1a9beae8ae}Gw64.sys [X]
2015-01-31 10:11 - 2014-09-28 21:04 - 00000000 ____ D () C:\Program Files (x86)\AdvanceElite
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST w tym samym folderze.

Quba26 · 31 Styczeń 2015 12:15

Dzięki, pomogło !

Acorus · 31 Styczeń 2015 12:27

Skasuj folder C:\FRST

Quba26 · 31 Styczeń 2015 15:03

Zrobione Dzięki.