Rswiverfish.exe avast


(Kimon89) #1

Hi, I have had a very annoying problem with this virus since yesterday: no browser can be used normally, because Avast keeps spamming every few seconds that it has detected a threat. I tried scanning with Avast and AdwCleaner, but nothing helped. The process Rswiverfish.exe *32 is running all the time in Task Manager; when I try to end it, it starts up again... I have no idea what else to do, I am counting on your help.


FRST scans:

http://www.wklej.org/id/1748404/

http://www.wklej.org/id/1748405/

http://www.wklej.org/id/1748406/


(Acorus) #2

Uninstall YAC (Yet Another Cleaner!). Open system Notepad and paste:

CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-1247196123-4226258953-2049497328-1000] => Internet Explorer proxy is enabled
ProxyServer: [S-1-5-21-1247196123-4226258953-2049497328-1000] => http=127.0.0.1:9880
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
OPR Extension: (derjanb) - C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Extensions\mfdhdgbonjidekjkjmjaneanmdmpmidf [2015-06-09]
R2 iSafeService; C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe [118048 2015-06-26] (Elex do Brasil Participações Ltda)
R2 Rswiverfish; C:\Program Files (x86)\Rswiverfish\Rswiverfish.exe [281088 2015-06-16] () [File not signed] <==== ATTENTION
R1 iSafeKrnl; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnl.sys [262344 2015-06-26] (Elex do Brasil Participações Ltda)
S3 iSafeKrnlBoot; C:\Windows\System32\DRIVERS\iSafeKrnlBoot.sys [55056 2015-06-26] (Elex do Brasil Participações Ltda)
R1 iSafeKrnlKit; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlKit.sys [110112 2015-06-26] (Elex do Brasil Participações Ltda)
R1 iSafeKrnlMon; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlMon.sys [52440 2015-06-26] (Elex do Brasil Participações Ltda)
R1 iSafeKrnlR3; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlR3.sys [94056 2015-06-26] (Elex do Brasil Participações Ltda)
R1 iSafeNetFilter; C:\Windows\System32\DRIVERS\iSafeNetFilter.sys [52392 2015-04-17] (Elex do Brasil Participações Ltda)
2015-06-28 22:28 - 2015-06-26 06:25 - 00055056 _____ (Elex do Brasil Participações Ltda) C:\Windows\system32\Drivers\iSafeKrnlBoot.sys
2015-06-28 22:28 - 2015-04-17 04:43 - 00052392 _____ (Elex do Brasil Participações Ltda) C:\Windows\system32\Drivers\iSafeNetFilter.sys
2015-06-28 22:27 - 2015-06-28 22:27 - 00001906 _____ C:\Users\Public\Desktop\YAC.lnk
2015-06-28 22:27 - 2015-06-28 22:27 - 00000000 ____ D C:\Windows\system32\log
2015-06-28 22:27 - 2015-06-28 22:27 - 00000000 ____ D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC
2015-06-28 22:27 - 2015-06-28 22:27 - 00000000 ____ D C:\Program Files (x86)\Elex-tech
2015-06-28 22:26 - 2015-06-28 22:26 - 00867736 _____ () C:\Users\admin\Downloads\yet_another_cleaner_sk_786492.exe
2015-06-28 22:26 - 2015-06-28 22:26 - 00000000 ____ D C:\Users\admin\AppData\Roaming\Elex-tech
2015-06-26 13:12 - 2015-06-28 20:42 - 00000000 ____ D C:\AdwCleaner
2015-06-23 21:01 - 2015-06-23 21:01 - 00000000 __SHD C:\Program Files (x86)\Rswiverfish
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.


(Kimon89) #3

Everything went great, it helped a lot and the alerts disappeared. The only thing is that while trying to remove the junk and uninstall a few of these strange programs, in one of them, when I clicked the uninstall option, another installation started by itself and reinfected the machine, only this time with different files... Forgive me for bothering you again, but I would ask you to look at the FRST scans once more and write me a fixlist.


http://wklej.org/id/1748856/

http://wklej.org/id/1748857/

http://wklej.org/id/1748859/


(Acorus) #4

Open system Notepad and paste:

HKLM-x32\...\Run: [gmsd_pl_002030016] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oursurfing.com/web/?type=ds&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.oursurfing.com/web/?type=ds&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oursurfing.com/web/?type=ds&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oursurfing.com/web/?type=ds&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&q={searchTerms}
HKU\S-1-5-21-1247196123-4226258953-2049497328-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
HKU\S-1-5-21-1247196123-4226258953-2049497328-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/pl-pl/?ocid=iehp
HKU\S-1-5-21-1247196123-4226258953-2049497328-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
SearchScopes: HKU\S-1-5-21-1247196123-4226258953-2049497328-1000 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.oursurfing.com/web/?utm_source=b&utm_medium=2sq1&utm_campaign=install_ie&utm_content=ds&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&ts=1435600438&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1247196123-4226258953-2049497328-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.oursurfing.com/web/?utm_source=b&utm_medium=2sq1&utm_campaign=install_ie&utm_content=ds&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&ts=1435600438&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1247196123-4226258953-2049497328-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.oursurfing.com/web/?utm_source=b&utm_medium=2sq1&utm_campaign=install_ie&utm_content=ds&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&ts=1435600438&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1247196123-4226258953-2049497328-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?utm_source=b&utm_medium=2sq1&utm_campaign=install_ie&utm_content=ds&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&ts=1435600438&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1247196123-4226258953-2049497328-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.oursurfing.com/web/?utm_source=b&utm_medium=2sq1&utm_campaign=install_ie&utm_content=ds&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0&ts=1435600438&type=default&q={searchTerms}
BHO-x32: LuckyTab Class -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-06-16] (Thinknice Co. Limited)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe http://www.oursurfing.com/?type=sc&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
FF NewTab: hxxp://www.oursurfing.com/newtab/?type=nt&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
FF Homepage: hxxp://www.oursurfing.com/?type=hp&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
FF Extension: QuickSearch - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\o98m6x1h.default\Extensions\searchffv2@gmail.com [2015-06-29]
FF HKLM-x32\...\Firefox\Extensions: [searchffv2@gmail.com] - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\o98m6x1h.default\extensions\searchffv2@gmail.com
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe http://www.oursurfing.com/?type=sc&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe http://www.oursurfing.com/?type=sc&ts=1435600369&z=1b2d9afb074ac6768ac994cgdz3cawdq8e2e2cbbaw&from=2sq1&uid=ST3500410AS_5VM0LVP0XXXX5VM0LVP0
R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-06-16] (XTab system)
R2 WikiBrowserUpdateService; C:\Users\admin\AppData\Local\WikiUpdate.exe [364032 2015-06-23] () [File not signed]
R2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [695976 2015-06-29] (DTools LIMITED) <==== ATTENTION
2015-06-29 20:13 - 2015-06-29 20:13 - 00000000 ____ D C:\Program Files (x86)\predm
2015-06-29 19:54 - 2015-06-29 19:54 - 00000000 ____ D C:\ProgramData\IHProtectUpDate
2015-06-29 19:53 - 2015-06-29 19:54 - 00000000 ____ D C:\Program Files (x86)\MiuiTab
2015-06-29 19:53 - 2015-06-29 19:53 - 00000000 ____ D C:\ProgramData\WindowsMangerProtect

Save the file as fixlist.txt and place it next to FRST in the same folder.
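The two fixlists above are built from the same few kinds of FRST lines: services whose binary FRST marks as not signed, directories with the super-hidden `__SHD` attribute, an Internet Explorer proxy pointed at 127.0.0.1, and browser start/search settings all redirected to one host. The following triage script is an added example, not part of this thread and not FRST's own code: it parses lines in the formats visible in both fixlists and lists those indicators so a helper can see at a glance what a fixlist would need to cover. The regular expressions are written against the line shapes quoted here, not against an official FRST grammar, and the sample input is copied from the thread (with the long oursurfing.com query strings shortened).

```python
"""Triage helper for FRST log lines (added example; regexes are assumptions
inferred from the lines quoted in the thread, not an FRST specification)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: lines copied from the FRST output quoted in the thread.
SAMPLE_LINES = [
    r"ProxyEnable: [S-1-5-21-1247196123-4226258953-2049497328-1000] => Internet Explorer proxy is enabled",
    r"ProxyServer: [S-1-5-21-1247196123-4226258953-2049497328-1000] => http=127.0.0.1:9880",
    r"R2 iSafeService; C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe [118048 2015-06-26] (Elex do Brasil Participações Ltda)",
    r"R2 Rswiverfish; C:\Program Files (x86)\Rswiverfish\Rswiverfish.exe [281088 2015-06-16] () [File not signed] <==== ATTENTION",
    r"R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-06-16] (XTab system)",
    r"R2 WikiBrowserUpdateService; C:\Users\admin\AppData\Local\WikiUpdate.exe [364032 2015-06-23] () [File not signed]",
    r"2015-06-23 21:01 - 2015-06-23 21:01 - 00000000 __SHD C:\Program Files (x86)\Rswiverfish",
    r"2015-06-28 22:27 - 2015-06-28 22:27 - 00000000 ____ D C:\Program Files (x86)\Elex-tech",
    r"2015-06-28 22:26 - 2015-06-28 22:26 - 00867736 _____ () C:\Users\admin\Downloads\yet_another_cleaner_sk_786492.exe",
    r"HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&ts=1435600369",
    r"FF Homepage: hxxp://www.oursurfing.com/?type=hp&ts=1435600369",
    r"HKU\S-1-5-21-1247196123-4226258953-2049497328-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/pl-pl/?ocid=iehp",
]

# "R2 Name; C:\path\bin.exe [size date] (Vendor) [File not signed] <==== ATTENTION"
SERVICE_RE = re.compile(
    r"^(?P<state>[A-Z]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d\d-\d\d)\]\s*"
    r"(?:\((?P<vendor>[^)]*)\))?\s*(?P<rest>.*)$"
)
# "created - modified - size attrs [D] [(Vendor)] C:\path"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attr>[_A-Z]+)(?: (?P<dir>D))?\s+(?:\((?P<vendor>[^)]*)\)\s+)?(?P<path>.+)$"
)
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<value>.+)$")
# FRST defangs some URLs as hxxp://; treat both spellings alike.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\]\"']+")


def parse_proxy_value(value):
    """Split an IE ProxyServer value ('http=host:port;https=host:port' or a
    bare 'host:port') into (scheme, host, port) triples."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        parts = urlsplit("//" + hostport)
        entries.append((scheme or "*", parts.hostname, parts.port))
    return entries


def is_loopback(host):
    return host is not None and (host == "localhost" or host == "::1" or host.startswith("127."))


def triage(lines):
    """Return the indicators a helper checks before writing a fixlist."""
    report = {"services": [], "unsigned_services": [], "super_hidden": [],
              "loopback_proxy": [], "hosts": Counter()}
    for raw in lines:
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            # FRST appends "[File not signed]" when the binary has no signature.
            svc = {"name": m["name"].strip(), "path": m["path"],
                   "vendor": m["vendor"] or "", "unsigned": "File not signed" in m["rest"]}
            report["services"].append(svc)
            if svc["unsigned"]:
                report["unsigned_services"].append(svc["name"])
        elif (m := FILE_RE.match(line)):
            # S and H together in the attribute column = super-hidden entry.
            if "S" in m["attr"] and "H" in m["attr"]:
                report["super_hidden"].append(m["path"])
        elif (m := PROXY_RE.match(line)):
            # A browser proxy on the local machine is worth a look: nothing
            # legitimate in this thread's logs listens there.
            if any(is_loopback(h) for _, h, _ in parse_proxy_value(m["value"])):
                report["loopback_proxy"].append((m["sid"], m["value"]))
        # Count which hosts the browser settings were pointed at.
        for url in URL_RE.findall(line):
            host = urlsplit(url.replace("hxxp", "http", 1)).hostname
            if host:
                report["hosts"][host] += 1
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print("unsigned services:", r["unsigned_services"])
    print("super-hidden paths:", r["super_hidden"])
    print("loopback proxy:", r["loopback_proxy"])
    print("hosts in browser settings:", r["hosts"].most_common())
```

Run on a full FRST.txt and Addition.txt (`triage(open("FRST.txt", encoding="utf-8"))`) the host counter is the quickest way to see a hijack like the oursurfing.com one above, because one unfamiliar host appears in every start-page, search-page and shortcut line at once; unsigned services and super-hidden program directories are the entries that tend to re-create what a plain uninstall removes, which matches what happened between posts #2 and #3.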


(Kimon89) #5

Thanks a lot for the help, problem solved :slight_smile:


(Acorus) #6

Delete the folder C:\FRST.

In AdwCleaner use the Uninstall option.