Winlogon.exe virus, help needed

Hello, for about 3 days I have had a virus on my computer, probably winlogon.exe. I can't remove it because it says I don't have sufficient permissions; the only one who has these permissions is "trustedinstaller".

Do you want to delete an important system file?

In Control Panel, uninstall McAfee Security Scan.

Download Farbar Recovery Scan Tool 32-Bit Version

Run FRST and click Scan. Show the FRST and Addition reports.

Post the reports at http://wklej.org/ and provide the link.

http://wklej.org/id/1440364/ Addition

You had a file-encrypting virus.

Paste the following into the system Notepad and save it as a text file named fixlist:

() C:\Program Files\F10DE075-EE9C-4182-AE10-C6767F4F23FB\etmajyzoqm.exe
(Clichelper) C:\Users\1234\AppData\Local\Temp\clicup\clicup.exe
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [cwkvxjwc] => regsvr32.exe "C:\ProgramData\cwkvxjwc.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [nrlaoa] => regsvr32.exe "C:\ProgramData\nrlaoa.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [EjhoNveg] => regsvr32.exe "C:\ProgramData\EjhoNveg.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [AcgeJezb] => regsvr32.exe "C:\ProgramData\AcgeJezb.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [EmmaPriwu] => regsvr32.exe "C:\ProgramData\EmmaPriwu.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [UrexYeliy] => regsvr32.exe "C:\ProgramData\UrexYeliy.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [UgolQeta] => regsvr32.exe "C:\ProgramData\UgolQeta.dat"
HKU\S-1-5-21-11920542-4284252898-3449161403-1162\...\Run: [clicup-Agent] => C:\Users\1234\AppData\Local\Temp\clicup\clicup.exe [445424 2014-07-10] (Clichelper) <===== ATTENTION
Startup: C:\Users\1234\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Rejestracja produktu.lnk
ShellIconOverlayIdentifiers: SkyDrive1 -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: SkyDrive2 -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: SkyDrive3 -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
URLSearchHook: HKLM - Hero Fighterb Toolbar - {eee0f822-21a9-408f-8787-6899c00b5bae} - C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
URLSearchHook: HKCU - Hero Fighterb Toolbar - {eee0f822-21a9-408f-8787-6899c00b5bae} - C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
SearchScopes: HKLM - {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL = http://speedial.com/results.php?f=4&q={searchTerms}&a=spd_ir_14_23_ie&cd=2XzuyEtN2Y1L1QzutDtD0F0FtB0EtC0E0FyE0BtAyD0A0AyCtN0D0Tzu0SzzzytDtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByDtA0B0EyE0FtBtG0A0FzyzztGyDtDzy0FtGyEyB0FyCtGtC0DtC0F0AzzyDzz0DyCyD0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDtBzyzy0A0EtAyDtG0DzytDyBtGyByBtCzztGyDtAtDtBtGyE0A0EtByD0EtBtAzztDtB0C2Q&cr=158049351&ir=
SearchScopes: HKCU - {B505E6B7-4360-49C5-AE01-1D16FA05CBBF} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468&UP=SP1766E30E-6631-4280-A4AB-2CE7CDD25641&SSPV=
SearchScopes: HKCU - {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3314958&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=58&CUI=&UM=5&UP=SP1766E30E-6631-4280-A4AB-2CE7CDD25641&q={searchTerms}&SSPV=
SearchScopes: HKCU - {CD251E02-6C9F-42BD-AD00-5C00EA5A1BB2} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3314958&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=58&CUI=&UM=5&UP=SP1766E30E-6631-4280-A4AB-2CE7CDD25641&q={searchTerms}&SSPV=
BHO: No Name -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61}C -> No File
BHO: Hero Fighterb Toolbar -> {eee0f822-21a9-408f-8787-6899c00b5bae} -> C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
Toolbar: HKLM - Hero Fighterb Toolbar - {eee0f822-21a9-408f-8787-6899c00b5bae} - C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
Toolbar: HKCU - Hero Fighterb Toolbar - {EEE0F822-21A9-408F-8787-6899C00B5BAE} - C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
Hosts:
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\mystarttb.xml
FF Extension: AllDaySavings - C:\Users\1234\AppData\Roaming\Mozilla\Firefox\Profiles\jvnrpf46.default\Extensions\j005-bwqhdvbmcimdkh@jetpack.xpi [2014-07-28]
FF Extension: Hotspot Shield Extension - C:\Program Files\Mozilla Firefox\browser\extensions\afproxy@anchorfree.com [2014-01-23]
FF HKLM\...\Firefox\Extensions: [DynamicPricer@dynamic-pricer.com] - C:\Users\1234\AppData\Local\DynamicPricer\Firefox\DynamicPricer.xpi
CHR NewTab: "chrome-extension://blmchfpimpbbdmgpcieclabeafkljbhm/newtab.html",
CHR Extension: (ssaaviingtoeyou) - C:\Users\1234\AppData\Local\Google\Chrome\User Data\Default\Extensions\bnfcnjkomialhppbeganhljipikcghme [2014-06-14]
CHR Extension: (DynamicPricer) - C:\Users\1234\AppData\Local\DynamicPricer\Chrome [2014-03-19]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 AllDaySavingsService; C:\Program Files\F10DE075-EE9C-4182-AE10-C6767F4F23FB\etmajyzoqm.exe [150528 2014-07-31] () [File not signed]
U2 Ati HotKey Poller; 
U2 ATI Smart; 
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 FairplayKD; \??\C:\ProgramData\MTA San Andreas All\1.3\temp\FairplayKD.sys [X]
S3 FairplayKD; \??\C:\ProgramData\MTA San Andreas All\1.3\temp\FairplayKD.sys [X]
S3 vtany; \??\C:\Windows\vtany.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\IObit\Game Booster 3\Driver\WinRing0.sys [X]
S3 XDva401; \??\C:\Windows\system32\XDva401.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
C:\Users\1234\AppData\Roaming\OpenCandy
C:\!KillBox
C:\AdwCleaner
C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
C:\Program Files\AllDaySaving
C:\Program Files\F10DE075-EE9C-4182-AE10-C6767F4F23FB
C:\Program Files\005
C:\ProgramData\*.dat
C:\Users\Public\AlexaNSISPlugin.6240.dll
C:\Users\1234\AppData\Roaming\*.HTML
C:\Users\1234\AppData\Roaming\*.TXT
C:\Users\1234\AppData\Roaming\*.URL
CustomCLSID: HKU\S-1-5-21-11920542-4284252898-3449161403-1162_Classes\CLSID\{EEE0F822-21A9-408F-8787-6899C00B5BAE}\InprocServer32 -> C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
CustomCLSID: HKU\S-1-5-21-11920542-4284252898-3449161403-1162_Classes\CLSID\{7473b6bd-4691-4744-a82b-7854eb3d70b6}\InprocServer32 -> C:\Users\1234\AppData\LocalLow\uTorrentControl_v2\prxtbuTo2.dll No File
CustomCLSID: HKU\S-1-5-21-11920542-4284252898-3449161403-1162_Classes\CLSID\{66E8DCC7-97D2-4A89-8E08-D0610FF0878C}\InprocServer32 -> C:\Users\1234\AppData\Local\Conduit\Community Alerts\Aler0.dll No File
CustomCLSID: HKU\S-1-5-21-11920542-4284252898-3449161403-1162_Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}\InprocServer32 -> C:\Users\1234\AppData\LocalLow\uTorrentControl_v2\prxtbuTo2.dll No File
CustomCLSID: HKU\S-1-5-21-11920542-4284252898-3449161403-1162_Classes\CLSID\{2737A12D-7A00-4799-8F8B-5E5584018A61}\InprocServer32 -> C:\Users\1234\AppData\LocalLow\Hero_Fighterb\prxtbHer0.dll (ClientConnect Ltd.)
CustomCLSID: HKU\S-1-5-21-11920542-4284252898-3449161403-1162_Classes\CLSID\{1BBF13E0-551E-42DD-91F4-1A547443FFDA}\InprocServer32 -> C:\Users\1234\AppData\Local\Tbccint\Community Alerts\Aler0.dll No File
C:\Users\1234\AppData\Local\Tbccint
C:\Users\1234\AppData\LocalLow\Hero_Fighterb
Task: {00214AAE-0F3D-49EB-B63F-CC7275BDC52C} - System32\Tasks\MediaPlayerEnhance-codedownloader => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-codedownloader.exe
Task: {05289F41-3EFC-4979-AEF3-29C4258AD8F9} - System32\Tasks\Swordsman WW2 => Chrome.exe http://ad.arcgames.com/ad/35431
Task: {0AC75200-9908-4126-8157-22B0A1A44E60} - System32\Tasks\Swordsman WW1 => Chrome.exe http://ad.arcgames.com/ad/35431
Task: {0E8122C0-DED8-4015-BCCB-DBBA1A53E4B9} - System32\Tasks\GoodGameEmpire NextW1 => Chrome.exe --app=http://a2g-secure.com/?E=bwsPamg0MAiwFF%2bnM1a0Fg%3d%3d&amp;s1= --app-window-size=1920,1080
Task: {1E8F7CF0-A4E4-4E09-9472-F07DC213EF50} - System32\Tasks\GoodGameEmpire NextW2 => Chrome.exe --app=http://a2g-secure.com/?E=bwsPamg0MAiwFF%2bnM1a0Fg%3d%3d&amp;s1= --app-window-size=1920,1080
Task: {1E9DF809-F085-46D0-B2BF-65CA2FCB59FD} - System32\Tasks\Plus-HD-2.6-enabler => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-enabler.exe
Task: {1F94D054-890F-422F-B598-247161586848} - System32\Tasks\Plus-HD-2.6-codedownloader => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-codedownloader.exe
Task: {2235AC90-64DE-4B0C-969E-F2CF0E95435C} - System32\Tasks\{202D7005-43E9-42AB-9C35-B8DF903D80E6} => C:\Users\ppp\Desktop\MinecraftSP.exe
Task: {24A46696-8DFC-404F-8202-BEA22C8BFBF4} - System32\Tasks\RegistryDr_Start => C:\Program Files\Registry Dr\RegistryDr.exe <==== ATTENTION
Task: {442B3746-8DA6-41C8-BDB7-70B12F8A9628} - System32\Tasks\RegistryDr_Popup => C:\Program Files\Registry Dr\Splash.exe <==== ATTENTION
Task: {678737BF-7287-4A6A-9BC8-4F031BB51021} - System32\Tasks\Swordsman W2 => Chrome.exe http://ad.arcgames.com/ad/35431
Task: {75E53AF8-CCBB-45D1-B442-E452EE905B96} - System32\Tasks\GoodGameEmpire W2 => Chrome.exe --app=http://a2g-secure.com/?E=bwsPamg0MAiwFF%2bnM1a0Fg%3d%3d&amp;s1= --app-window-size=1920,1080
Task: {7B169B3A-3F24-4AD0-8C41-0903A5498E97} - System32\Tasks\MediaPlayerEnhance-enabler => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-enabler.exe
Task: {8CDF7B8D-60FD-4790-82A8-BDA79639CEC5} - System32\Tasks\Plus-HD-2.6-firefoxinstaller => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-firefoxinstaller.exe
Task: {8EBCB882-C210-4703-8575-DD742B4C481F} - System32\Tasks\AdobeAAMUpdater-1.0-ppp-Komputer-ppp => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-04-04] (Adobe Systems Incorporated)
Task: {9BCB8A2F-944F-46EE-94A8-CDF49F8D0AE0} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{C6ECA25F-B713-4AE0-9FA0-91C3971011DC}.exe
Task: {A79A6FD6-3B70-4385-9531-664D4DA595AA} - System32\Tasks\Plus-HD-2.6-updater => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-updater.exe
Task: {B6989035-5B3B-481C-9FCD-308BF3591AAE} - System32\Tasks\UpdateVO => C:\Users\ppp\AppData\Roaming\VOPackage\VOPackage.exe
Task: {CD273B73-4C24-403A-80F7-68B01617EED7} - System32\Tasks\MediaPlayerEnhance-chromeinstaller => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-chromeinstaller.exe
Task: {E25608A4-F25D-4842-AE68-D47D2EB512B8} - System32\Tasks\GoodGameEmpire W1 => Chrome.exe --app=http://a2g-secure.com/?E=bwsPamg0MAiwFF%2bnM1a0Fg%3d%3d&amp;s1= --app-window-size=1920,1080
Task: {E3585EDC-A1D9-4F92-8467-C6C96AF2C912} - System32\Tasks\Swordsman W1 => Chrome.exe http://ad.arcgames.com/ad/35431
Task: {E89D8D21-10F5-491F-941C-9883EC047618} - System32\Tasks\Plus-HD-2.6-chromeinstaller => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-chromeinstaller.exe
Task: {F5BE33B7-4ABD-4A8E-BBBD-7F78E6B29AC6} - System32\Tasks\MediaPlayerEnhance-updater => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-updater.exe
Task: {F8E5D858-E365-40E6-8E9C-A4BF45F56729} - System32\Tasks\Game_Booster_AutoUpdate => C:\Program Files\IObit\Game Booster 3\AutoUpdate.exe
Task: {FF34BA29-4D66-4B10-9F6B-6624035D2E16} - System32\Tasks\MediaPlayerEnhance-firefoxinstaller => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-firefoxinstaller.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{C6ECA25F-B713-4AE0-9FA0-91C3971011DC}.exe
Task: C:\Windows\Tasks\MediaPlayerEnhance-chromeinstaller.job => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-chromeinstaller.exe <==== ATTENTION
Task: C:\Windows\Tasks\MediaPlayerEnhance-codedownloader.job => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-codedownloader.exe <==== ATTENTION
Task: C:\Windows\Tasks\MediaPlayerEnhance-enabler.job => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-enabler.exe <==== ATTENTION
Task: C:\Windows\Tasks\MediaPlayerEnhance-firefoxinstaller.job => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-firefoxinstaller.exe <==== ATTENTION
Task: C:\Windows\Tasks\MediaPlayerEnhance-updater.job => C:\Program Files\MediaPlayerEnhance\MediaPlayerEnhance-updater.exe <==== ATTENTION
Task: C:\Windows\Tasks\Plus-HD-2.6-chromeinstaller.job => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-chromeinstaller.exe <==== ATTENTION
Task: C:\Windows\Tasks\Plus-HD-2.6-codedownloader.job => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-codedownloader.exe <==== ATTENTION
Task: C:\Windows\Tasks\Plus-HD-2.6-enabler.job => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-enabler.exe <==== ATTENTION
Task: C:\Windows\Tasks\Plus-HD-2.6-firefoxinstaller.job => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-firefoxinstaller.exe <==== ATTENTION
Task: C:\Windows\Tasks\Plus-HD-2.6-updater.job => C:\Program Files\Plus-HD-2.6\Plus-HD-2.6-updater.exe <==== ATTENTION
C:\Users\1234\AppData\Local\DynamicPricer
AlternateDataStreams: C:\Users\ppp\AppData\Roaming:NT
CMD: del /f /s /q %TEMP%\*.*
Reboot:

Run FRST and click Fix. Show the removal report, Fixlog.

Click Scan and show the new FRST report, without Addition.

Sorry, but can you tell me exactly where I'm supposed to paste this notepad? I don't quite understand.

All Programs -> Accessories -> Notepad

Save it in the same folder where the FRST program is.

http://wklej.org/id/1440458/

Read the whole reply.