Strong signals - wirus?

Dla specjalistów Bezpieczeństwo
#1

Witam

Mam problem z wirusem/robakiem Strong Signal. Objawia się to reklamami w przeglądarkach, natrętnym wyskakiwaniem yahoo i ogólnym zamuleniem komputera. 

Próbowałem usuwać to domowymi sposobami ale bez skutku.

 

Wklejki z FRST:

 

Addition:  http://www.wklej.org/id/1704436/

Shortcut: http://www.wklej.org/id/1704437/

FRST:     http://www.wklej.org/id/1704438/

 

 

#2

Usuń szkodliwe rozszerzenia w przeglądarce Firefox i Operze w pasek adresu wpisz: opera:extensions

Wklej do systemowego notatnika i zapisz jako plik tekstowy o nazwie fixlist :

CloseProcesses:
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
ShellIconOverlayIdentifiers: [SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5
HKU\S-1-5-21-2643334295-1950182277-2930636355-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5
HKU\S-1-5-21-2643334295-1950182277-2930636355-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKLM -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = https://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2643334295-1950182277-2930636355-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2643334295-1950182277-2930636355-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2643334295-1950182277-2930636355-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2643334295-1950182277-2930636355-1002 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2643334295-1950182277-2930636355-1002 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5&q={searchTerms}
FF NewTab: hxxp://search.yahoo.com/?fr=hp-ddc-bd-tab&type=bg_616_bl-is-19 __alt__ ddc_dsssyctab_bd_com
FF SelectedSearchEngine: Yahoo! Search
FF Extension: Strong Signal - C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\haltoi0v.default\Extensions\{a79c3626-182f-4a17-8a9b-c339fc78f352}.xpi [2015-05-05]
OPR StartupUrls: "hxxp://search.yahoo.com/?fr=hp-ddc-bd&type=bg_616_bl-is-19 __alt__ ddc_dsssyc_bd_com"
OPR Extension: (Strong Signal) - C:\Users\Asus\AppData\Roaming\Opera Software\Opera Stable\Extensions\fhenmccifbacmpkimjenglmplcpiehke [2015-05-05]
U4 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
R2 Service Mgr StrongSignal; C:\ProgramData\0780f478-67ce-4ec3-98db-39a65f4618ce\PluginContainer.exe [556304 2015-05-05] ()
R2 Update Mgr StrongSignal; C:\Program Files (x86)\Common Files\0780f478-67ce-4ec3-98db-39a65f4618ce\Updater.exe [478992 2015-05-05] ()
U4 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
C:\ProgramData\0780f478-67ce-4ec3-98db-39a65f4618ce
C:\Program Files (x86)\Common Files\0780f478-67ce-4ec3-98db-39a65f4618ce
42015-05-05 22:26 - 2015-05-05 22:42 - 00000000 ____ D () C:\AdwCleaner
2015-04-15 13:42 - 2013-05-01 13:18 - 00000000 ____ D () C:\ProgramData\McAfee
Task: {B16E1C62-912F-4DE5-A2FB-0ACC698BC434} - System32\Tasks\{7A3E0681-076B-40FA-983B-0DC9CA2BA6CD} => pcalua.exe -a C:\Users\Asus\AppData\Roaming\key-find\UninstallManager.exe -c -ptid=cor
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
EmptyTemp:

Uruchom FRST i kliknij Fix. Pokaż raport z usuwania Fixlog.

Kliknij Scan i pokaż nowy raport z FRST bez Addition i Shortcut.

#3

Fixlog: http://www.wklej.org/id/1705240/

FRST: http://www.wklej.org/id/1705244/

 

Wszystko śmiga, dzięki wielkie!  :slight_smile:

#4

Wklej do systemowego notatnika i zapisz jako plik tekstowy o nazwie fixlist :

HKU\S-1-5-21-2643334295-1950182277-2930636355-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://q.search-simple.com/?affID=bl_48696074-6a41-4b53-86a0-7e795c846cf5
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF DefaultSearchEngine: Yahoo! Search
FF Homepage: hxxp://search.yahoo.com/?fr=hp-ddc-bd&type=bg_616_bl-is-19 __alt__ ddc_dsssyc_bd_com
FF Keyword.URL: hxxp://search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bg_616_bl-is-19 __alt__ ddc_dss_bd_com&p={searchTerms}
FF Extension: Strong Signal - C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\haltoi0v.default\Extensions\{cf2e72d6-ff45-4f2e-8c1a-e2f060b90cec}.xpi [2015-05-06]
U4 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
2015-05-05 23:50 - 2015-05-05 23:50 - 00000000 ____ D () C:\Program Files (x86)\Strong Signal
2015-05-05 22:26 - 2015-05-05 22:42 - 00000000 ____ D () C:\AdwCleaner
DeleteQuarantine:

Uruchom FRST i kliknij Fix. Skasuj folder C:\FRST

Usuń stare punkty przywracania: Przywracanie systemu i kopie w tle

Dysk przeskanuj Malwarebytes Anti-Malware

Podczas instalacji usuń zaznaczenie przy Uruchom okres testowy Malwarebytes Anti-Malware Premium.

http://wstaw.org/m/2014/03/25/2014-03-25_123039.png

Język PL > Settings > General Settings > Language > Polish

Przeczytaj w jaki sposób należy instalować programy: KLIK - KLIK - KLIK - KLIK

#5

Zrobione, dzięki :slight_smile: