Poczta Polska virus


(Skyscraper23) #1

Hello, a colleague (I know, I know, a real internet Janusz) opened a RAR from Poczta Polska spam, and then it started: files began getting encrypted, so he shut the computer down.


(Atis) #2

Create the FRST reports without booting the system:

http://forum.dobreprogramy.pl/analiza-i-usuwanie-infekcji-z-zewn%C4%85trz-t416123/


(Skyscraper23) #3

Reports:


(Atis) #4

Paste the following into the system Notepad and save it as a text file named fixlist:

HKU\S-1-5-21-150972867-3053824913-731646005-1194\...\Run: [efugugeg] => C:\ProgramData\ylfdukik.exe [427929 2015-07-28] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
FF NewTab: chrome://quick_start/content/index.html
FF SearchPlugin: C:\Users\pkozinski\AppData\Roaming\Mozilla\Firefox\Profiles\e12ozmzk.default\searchplugins\ask-web-search.xml [2013-12-07]
FF SearchPlugin: C:\Users\pkozinski\AppData\Roaming\Mozilla\Firefox\Profiles\e12ozmzk.default\searchplugins\buenosearch.xml [2014-03-08]
CHR HKU\S-1-5-21-150972867-3053824913-731646005-1194\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
S4 MaintainerSvc4.16.1074588; C:\ProgramData\5327bf3a-385d-43de-b57d-c607b633644e\maintainer.exe [123640 2014-11-17] ()
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [X]
S2 VideoDownloadConverter_4zService; C:\PROGRA~1\VIDEOD~2\bar\1.bin\4zbarsvc.exe [X]
S1 {03fda909-5f3e-458f-a83c-6836a2cc6a7a}Gt; C:\Windows\System32\drivers\{03fda909-5f3e-458f-a83c-6836a2cc6a7a}Gt.sys [55832 2014-11-08] (StdLib)
S1 {173eed1c-a592-466a-a26a-691233a290ca}Gt; C:\Windows\System32\drivers\{173eed1c-a592-466a-a26a-691233a290ca}Gt.sys [55832 2014-11-12] (StdLib)
S1 {d5bd8bd6-ccca-4d39-8d67-fa24da52010c}Gt; C:\Windows\System32\drivers\{d5bd8bd6-ccca-4d39-8d67-fa24da52010c}Gt.sys [55832 2014-11-16] (StdLib)
S1 {fc92b428-ea48-44cd-9184-9c31fb1ae21f}Gt; C:\Windows\System32\drivers\{fc92b428-ea48-44cd-9184-9c31fb1ae21f}Gt.sys [55832 2014-11-10] (StdLib)
S4 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
C:\Windows\System32\drivers\{03fda909-5f3e-458f-a83c-6836a2cc6a7a}Gt.sys
C:\Windows\System32\drivers\{173eed1c-a592-466a-a26a-691233a290ca}Gt.sys
C:\Windows\System32\drivers\{d5bd8bd6-ccca-4d39-8d67-fa24da52010c}Gt.sys
C:\Windows\System32\drivers\{fc92b428-ea48-44cd-9184-9c31fb1ae21f}Gt.sys
2015-07-28 07:35 - 2015-07-28 07:36 - 00000000 ____ D C:\ProgramData\eduzubyseruwajyl
2011-06-27 11:47 - 2011-06-27 11:47 - 0000000 ____ H () C:\Users\pkozinski\AppData\Roaming\ActUpdate.log
C:\Users\pkozinski\AppData\Roaming\*.exe
C:\Users\pkozinski\AppData\Local\*.tmp
C:\ProgramData\*.sys
C:\ProgramData\*.exe
CustomCLSID: HKU\S-1-5-21-150972867-3053824913-731646005-1194_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\pkozinski\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
CustomCLSID: HKU\S-1-5-21-150972867-3053824913-731646005-1194_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-150972867-3053824913-731646005-1194_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-150972867-3053824913-731646005-1194_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
Task: {03768E24-8CB6-4FF9-8A97-8A99966A7F64} - System32\Tasks\{1DC579B6-1C94-40E1-A6D6-5141B1BBD477} => Firefox.exe http://ui.skype.com/ui/0/5.8.0.158/pl/abandoninstall?page=tsMain
Task: {11FE1B3E-4AF0-4FFB-8FD3-645BD2B8326F} - System32\Tasks\APSnotifierPP2 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {1C3DBB09-0BDC-4A9F-AED3-805BDF758079} - System32\Tasks\WinThruster_UPDATES => C:\Program Files\WinThruster\WinThruster.exe [2012-10-15] (Solvusoft Corporation)
Task: {32749AD0-80B9-4B7B-809A-54E248D335A7} - System32\Tasks\{84439242-6F2E-4E71-8D3C-933279ABCB24} => Firefox.exe http://ui.skype.com/ui/0/6.6.0.106/en/abandoninstall?page=tsMain
Task: {456BF8F7-70FF-4C5E-A302-30518744F6E9} - System32\Tasks\Norton Security Scan for pkozinski => C:\Program Files\Norton Security Scan\Engine\2.7.3.34\Nss.exe
Task: {532E233E-F9A2-4D44-805D-7CF9D0B6A834} - System32\Tasks\{90EE97BD-BCC8-40A7-982F-8AD3CC31F410} => Firefox.exe http://ui.skype.com/ui/0/5.8.0.158/en/abandoninstall?page=tsMain
Task: {66931F91-6579-48D1-A25B-25E35500B18F} - System32\Tasks\WinThruster_DEFAULT => C:\Program Files\WinThruster\WinThruster.exe [2012-10-15] (Solvusoft Corporation)
Task: {6DDD0A3B-44F0-416D-8DF7-5C1848654015} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-150972867-3053824913-731646005-1194 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2011-09-27] (RealNetworks, Inc.)
Task: {778CD6D4-39FB-4D6D-A075-A4D0531C5119} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-150972867-3053824913-731646005-1194 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2011-09-27] (RealNetworks, Inc.)
Task: {910B8128-5508-4987-9817-298029D949C0} - System32\Tasks\Registry Reviver-pkozinski-Startup => C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe
Task: {AEDAF788-5586-4101-948E-7413BB5A4311} - System32\Tasks\APSnotifierPP3 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {DF7376FA-E00A-422B-AAEF-44ED009ED768} - System32\Tasks\{6FBC5CBD-EF30-44D4-BBB0-2BC3DC97F35B} => Firefox.exe http://ui.skype.com/ui/0/5.8.0.158/en/abandoninstall?page=tsMain
Task: {EC60C6DE-266D-44BC-AC38-C81BC6A953DA} - System32\Tasks\{0F078A18-25B1-42A7-8759-6D4B089386B1} => pcalua.exe -a "C:\Users\pkozinski\Desktop\Programy i instalatory\winmail_opener.exe" -d F:\ -c F:\Nero
Task: {F8A664C6-B668-4559-893F-918D37C69148} - System32\Tasks\APSnotifierPP1 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Registry Reviver-pkozinski-Startup.job => C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe
Task: C:\Windows\Tasks\WinThruster_DEFAULT.job => C:\Program Files\WinThruster\WinThruster.exe
Task: C:\Windows\Tasks\WinThruster_UPDATES.job => C:\Program Files\WinThruster\WinThruster.exe
EmptyTemp:

Run FRST and click Fix. Post the removal report, Fixlog.

Click Scan and post a new FRST report without Addition and Shortcut.
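An added example, not code from the thread or from FRST itself: a small Python parser for the fixlist line format quoted above that groups entries by type (autorun, task, service/driver, CLSID, file path, directive) and collects the ones FRST marked with ATTENTION or that carry an empty publisher field, so a responder can review exactly what a Fix will touch before running it. The sample lines are constructed in the same shape as the thread's; the SIDs, GUIDs and paths in them are made up.

```python
import re

# Constructed sample in the shape of the FRST fixlist lines from the thread;
# every SID, GUID and path below is made up for the example.
SAMPLE_FIXLIST = """\
HKU\\S-1-5-21-111-222-333-1001\\...\\Run: [efugugeg] => C:\\ProgramData\\qwerty.exe [427929 2015-07-28] ()
Task: {AAAAAAAA-0000-0000-0000-000000000001} - System32\\Tasks\\APSnotifierPP1 => C:\\Program Files\\AnyProtectEx\\AnyProtect.exe <==== ATTENTION
S1 {00000000-0000-0000-0000-000000000002}Gt; C:\\Windows\\System32\\drivers\\{00000000-0000-0000-0000-000000000002}Gt.sys [55832 2014-11-08] (StdLib)
S3 getPlusHelper; C:\\Program Files\\NOS\\bin\\getPlus_Helper.dll [X]
CustomCLSID: HKU\\S-1-5-21-111-222-333-1001_Classes\\CLSID\\{0000}\\InprocServer32 -> C:\\Program Files\\Foo\\bar.dll No File
C:\\ProgramData\\*.exe
EmptyTemp:
"""

ATTENTION = re.compile(r"<=+ ATTENTION")      # FRST's own marker for suspicious entries
SERVICE = re.compile(r"^[SRU]\d ")            # service/driver lines: state letter + start type

def _target(rest):
    # Drop FRST's trailing "[size date] (publisher)", "[X]", "No File" and ATTENTION annotations.
    return re.split(r"\s+\[|\s+<=+ ATTENTION|\s+No File", rest, maxsplit=1)[0].strip()

def classify(line):
    """Return (kind, target, flags) for one FRST fixlist line."""
    flags = set()
    if ATTENTION.search(line):
        flags.add("attention")
    if "[X]" in line or line.endswith("No File"):
        flags.add("missing-binary")           # dangling entry: the file is no longer on disk
    if line.rstrip().endswith("()"):
        flags.add("no-publisher")             # empty company field on the executable
    if line.endswith(":") and " " not in line:
        return "directive", line[:-1], flags  # e.g. EmptyTemp:, DeleteQuarantine:
    if line.startswith("Task:"):
        return "task", _target(line.split("=>", 1)[1]), flags
    if SERVICE.match(line):
        return "service", _target(line.split("; ", 1)[1]), flags
    if "\\Run:" in line or "\\RunOnce:" in line:
        return "autorun", _target(line.split("=>", 1)[1]), flags
    if line.startswith("CustomCLSID:"):
        return "clsid", _target(line.split("->", 1)[1]), flags
    if re.match(r"^[A-Za-z]:\\", line):
        return "file", line, flags
    return "other", line, flags

def triage(text):
    """Group entries by kind and list the targets a reviewer should look at first."""
    entries = [classify(l) for l in text.splitlines() if l.strip()]
    by_kind = {}
    for kind, target, flags in entries:
        by_kind.setdefault(kind, []).append((target, sorted(flags)))
    review = [t for _, t, f in entries if f & {"attention", "no-publisher"}]
    return by_kind, review
```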


(Skyscraper23) #5

Here you go, and thank you :slight_smile:


(Atis) #6

You probably won't be able to decrypt those files. It may be the CryptoLocker virus:

http://www.eset.pl/O_nas/Centrum_prasowe/Aktualnosci,news_id,10779

http://www.dobreprogramy.pl/Dzieki-DecryptCryptoLocker-odzyskamy-pliki-zaszyfrowane-przez-popularnego-szkodnika,News,56988.html

In any case, it looks like the virus has been removed and only adware junk is left.

Download and run AdwCleaner. Click Scan and then Remove.

Click Scan and post a new FRST report without Addition and Shortcut.


(Skyscraper23) #7

Here you go


(Atis) #8

Boot the system normally and then create the logs.

You deleted Addition, so how am I supposed to know which programs need updating?

If you don't have a current license for the old ESET, uninstall that program.

Paste the following into the system Notepad and save it as a text file named fixlist:

HKLM\...\RunOnce: [*EmptyTemp] => cmd /c rd /q/s C:\FRST\Temp
HKLM\...\Policies\Explorer: [NoSetHomePage] 1
HKU\S-1-5-21-150972867-3053824913-731646005-1194\...\RunOnce: [Report] => C:\AdwCleaner\AdwCleaner[S0].txt [13428 2015-07-29] ()
Startup: C:\Users\pkozinski\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-04-02]
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: No Name -> {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} -> No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1205F511-7BBA-45B9-BAF9-6F1666C8C9C2} http://91.189.72.40/ocx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
2015-07-29 11:51 - 2015-07-29 11:58 - 00000000 ____ D C:\AdwCleaner
DeleteQuarantine:

Run FRST and click Fix. Post the removal report, Fixlog.

Click Scan and post a new FRST report.


(Skyscraper23) #9

Here you go:


(Atis) #10

Delete the folder C:\FRST

Scan the disk with Malwarebytes Anti-Malware

During installation, uncheck "Start the Malwarebytes Anti-Malware Premium trial".

http://wstaw.org/m/2014/03/25/2014-03-25_123039.png

Polish language: Settings > General Settings > Language > Polish

Uninstall:

Adobe Reader X

Adobe Shockwave Player 11.5

Java 6 Update 13

Java SE Runtime Environment 6

Microsoft Silverlight

Install:

Adobe Reader XI 11.0.12

Java 8 Update 51

Silverlight 5.1.40620.0

Internet Explorer 9


(Skyscraper23) #11

Done, I'll post a scan once everything is finished


(Atis) #12

Yes.


(Skyscraper23) #13

Thank you very much for the time you spent on this!!

Regards!