Infection - URL:Mal detected by Avast


(Askor15) #1

Hello,

For a few days now Avast has been displaying, one after another without pause, an infection notice "URL:Mal" from the process C:\Windows\explorer.exe - logs attached:

http://www.wklej.org/id/1751073/

http://www.wklej.org/id/1751074/

http://www.wklej.org/id/1751075/

I kindly ask for help.

Thank you in advance! :slight_smile:

Asia


(Atis) #2

In the Control Panel, uninstall Ad-Aware and McAfee Security Scan Plus.

Download and run AdwCleaner. Click Scan and then Remove.

Paste into the system Notepad and save as a text file named fixlist :

CloseProcesses:
HKLM-x32\...\Run: [gmsd_pl_109] => [X]
HKLM-x32\...\Run: [gmsd_pl_118] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3688503647-4200787984-459021576-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3688503647-4200787984-459021576-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
HKU\S-1-5-21-3688503647-4200787984-459021576-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.sweet-page.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&ts=1435939730&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.sweet-page.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&ts=1435939730&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.sweet-page.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&ts=1435939730&type=default&q={searchTerms}
FF Extension: killjasminpierros14com - C:\Users\Asia\AppData\Roaming\Mozilla\Firefox\Profiles\8g3nt23q.default-1431458192495\Extensions\killjasmin@pierros14.com [2015-05-16]
FF HKU\S-1-5-21-3688503647-4200787984-459021576-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
S2 Update Edu App; "C:\Program Files (x86)\Edu App\updateEduApp.exe" [X]
S1 tbfd_1_10_0_15; system32\drivers\tbfd_1_10_0_15.sys [X]
S1 tbfd_1_10_0_16; system32\drivers\tbfd_1_10_0_16.sys [X]
2015-07-03 18:09 - 2015-07-03 18:09 - 00000000 ____ D C:\ProgramData\IHProtectUpDate
2015-07-03 18:08 - 2015-07-03 18:22 - 00000000 ____ D C:\Program Files (x86)\MiuiTab
2015-07-03 17:17 - 2015-07-03 17:43 - 00000000 ____ D C:\AdwCleaner
2015-06-30 18:01 - 2015-07-02 20:52 - 00000000 ___HD C:\Users\Asia\AppData\Roaming\BA3A3B3A
2015-06-30 18:00 - 2015-06-30 18:02 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2013-05-11 11:50 - 2013-05-11 11:50 - 4167680 _____ () C:\Program Files (x86)\GUTD808.tmp
2010-08-24 06:04 - 2010-08-24 06:04 - 0000016 _____ () C:\Users\Asia\AppData\Roaming\bawuho.dat
2015-07-01 18:10 - 2015-07-01 21:17 - 0000115 _____ () C:\Users\Asia\AppData\Roaming\LogFile.txt
2013-05-20 20:31 - 2013-05-20 20:32 - 0000004 _____ () C:\Users\Asia\AppData\Roaming\skype.ini
2011-03-26 15:21 - 2011-03-26 15:21 - 0027639 _____ () C:\Users\Asia\AppData\Roaming\UserTile.png
CustomCLSID: HKU\S-1-5-21-3688503647-4200787984-459021576-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll (poctifiCtarroronM oso) <==== ATTENTION
Task: {26826869-FD1A-4BA8-8926-CBD3D9B9D755} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3688503647-4200787984-459021576-1001 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-04-16] (RealNetworks, Inc.)
Task: {57F88F7B-55BB-44FE-95CD-9802907C8109} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3688503647-4200787984-459021576-1001 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-04-16] (RealNetworks, Inc.)
Task: {640CF178-B487-4E64-978B-CB19F5168BD0} - System32\Tasks\Chromium => C:\Users\Asia\AppData\Local\Chromium\APPLIC~1\450240~1.0\INSTAL~1\UNINST~1.EXE
Task: {80EE32FF-333A-4834-95AF-2D70AB75B069} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2015-05-26] (Lavasoft )
Task: {D7F26481-DF6A-4534-B567-C20DD165494F} - System32\Tasks\{76247A36-69FF-47E3-96C5-0CE34B3BAAA6} => pcalua.exe -a "C:\Users\Asia\AppData\Local\Temp\CProgram Files (x86)Opera\Opera_1101_int_Setup.exe" -d C:\Windows\system32
Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Chromium.job => C:\Users\Asia\AppData\Local\Chromium\APPLIC~1\450240~1.0\INSTAL~1\UNINST~1.EXE
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lavasoft Ad-Aware Service => ""="Service"
EmptyTemp:

Run FRST and click Fix. Show the removal report, Fixlog.

Click Scan and show a new FRST report, without Addition and Shortcut.
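As an added illustration (not from this thread and not part of FRST), a small Python triage helper that labels lines written in the style of the fixlist above: entries FRST itself marked ATTENTION, autoruns and services whose target file is gone ([X]), and search settings that point at the hijacker host seen in this thread. The sample lines are constructed from the fixlist, and the hijacker host set is an assumption to be extended with whatever your own logs show.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts to treat as search hijackers; only the one seen in this thread is listed (assumption).
HIJACKER_HOSTS = {"www.sweet-page.com"}

URL_RE = re.compile(r"(?:URL|Search Page|Default_Search_URL) =\s*(\S*)")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")

# Constructed sample lines modelled on the fixlist in this thread.
SAMPLE_LINES = [
    r"HKLM-x32\...\Run: [gmsd_pl_109] => [X]",
    r"HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&q={searchTerms}",
    r"SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.sweet-page.com/web/?type=default&q={searchTerms}",
    r"SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = ",
    r"CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx",
    r"S1 tbfd_1_10_0_15; system32\drivers\tbfd_1_10_0_15.sys [X]",
    r"CustomCLSID: HKU\...\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll (poctifiCtarroronM oso) <==== ATTENTION",
    r"2015-07-03 18:08 - 2015-07-03 18:22 - 00000000 ____ D C:\Program Files (x86)\MiuiTab",
]

def classify_line(line: str) -> str:
    """Return a triage label for one FRST-style line; the first matching rule wins."""
    if "ATTENTION" in line:
        return "frst_flagged"          # FRST marked the entry as suspicious itself
    if line.rstrip().endswith("[X]"):
        return "missing_target"        # autorun/service whose file no longer exists
    m = URL_RE.search(line)
    if m:
        url = m.group(1)
        if not url:
            return "empty_search_value"  # blank search scope/page: harmless leftover
        host = urlsplit(url).hostname or ""
        return "search_hijack" if host in HIJACKER_HOSTS else "search_url"
    if re.match(r"^(CHR|FF) .*Extension", line):
        return "browser_extension"
    if re.match(r"^S[0-4] ", line):
        return "service"
    if DATE_RE.match(line):
        return "filesystem"            # file or directory listing line
    return "other"

def triage(lines):
    """Group non-empty lines by label: {label: [line, ...]}."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            groups[classify_line(line)].append(line)
    return dict(groups)

def hijack_hosts(lines):
    """Distinct hosts that the search settings in these lines point to."""
    hosts = set()
    for line in lines:
        m = URL_RE.search(line)
        if m and m.group(1):
            hosts.add(urlsplit(m.group(1)).hostname)
    return hosts
```

Run `triage(SAMPLE_LINES)` (or feed it the lines of a real FRST log) to get the entries grouped by label, and `hijack_hosts` to list the search hosts you will need to reset.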


(Askor15) #3

fixlog report: http://www.wklej.org/id/1751167/

new FRST report: http://www.wklej.org/id/1751174/


(Atis) #4

I don't know what you are doing, but I suggest you read my previous reply carefully.

You are supposed to create this Fixlist:

CloseProcesses:
HKLM-x32\...\Run: [gmsd_pl_109] => [X]
HKLM-x32\...\Run: [gmsd_pl_118] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3688503647-4200787984-459021576-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3688503647-4200787984-459021576-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
HKU\S-1-5-21-3688503647-4200787984-459021576-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1435939518&z=d621eef3602b96ef5a74b33gazbc2w0tec1t5w4gfo&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.sweet-page.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&ts=1435939730&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.sweet-page.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&ts=1435939730&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.sweet-page.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9500325AS_5VE5MLSGXXXX5VE5MLSG&ts=1435939730&type=default&q={searchTerms}
FF Extension: killjasminpierros14com - C:\Users\Asia\AppData\Roaming\Mozilla\Firefox\Profiles\8g3nt23q.default-1431458192495\Extensions\killjasmin@pierros14.com [2015-05-16]
FF HKU\S-1-5-21-3688503647-4200787984-459021576-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
S2 Update Edu App; "C:\Program Files (x86)\Edu App\updateEduApp.exe" [X]
S1 tbfd_1_10_0_15; system32\drivers\tbfd_1_10_0_15.sys [X]
S1 tbfd_1_10_0_16; system32\drivers\tbfd_1_10_0_16.sys [X]
2015-07-03 18:09 - 2015-07-03 18:09 - 00000000 ____ D C:\ProgramData\IHProtectUpDate
2015-07-03 18:08 - 2015-07-03 18:22 - 00000000 ____ D C:\Program Files (x86)\MiuiTab
2015-07-03 17:17 - 2015-07-03 17:43 - 00000000 ____ D C:\AdwCleaner
2015-06-30 18:01 - 2015-07-02 20:52 - 00000000 ___HD C:\Users\Asia\AppData\Roaming\BA3A3B3A
2015-06-30 18:00 - 2015-06-30 18:02 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2013-05-11 11:50 - 2013-05-11 11:50 - 4167680 _____ () C:\Program Files (x86)\GUTD808.tmp
2010-08-24 06:04 - 2010-08-24 06:04 - 0000016 _____ () C:\Users\Asia\AppData\Roaming\bawuho.dat
2015-07-01 18:10 - 2015-07-01 21:17 - 0000115 _____ () C:\Users\Asia\AppData\Roaming\LogFile.txt
2013-05-20 20:31 - 2013-05-20 20:32 - 0000004 _____ () C:\Users\Asia\AppData\Roaming\skype.ini
2011-03-26 15:21 - 2011-03-26 15:21 - 0027639 _____ () C:\Users\Asia\AppData\Roaming\UserTile.png
CustomCLSID: HKU\S-1-5-21-3688503647-4200787984-459021576-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll (poctifiCtarroronM oso) <==== ATTENTION
Task: {26826869-FD1A-4BA8-8926-CBD3D9B9D755} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3688503647-4200787984-459021576-1001 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-04-16] (RealNetworks, Inc.)
Task: {57F88F7B-55BB-44FE-95CD-9802907C8109} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3688503647-4200787984-459021576-1001 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-04-16] (RealNetworks, Inc.)
Task: {640CF178-B487-4E64-978B-CB19F5168BD0} - System32\Tasks\Chromium => C:\Users\Asia\AppData\Local\Chromium\APPLIC~1\450240~1.0\INSTAL~1\UNINST~1.EXE
Task: {80EE32FF-333A-4834-95AF-2D70AB75B069} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2015-05-26] (Lavasoft )
Task: {D7F26481-DF6A-4534-B567-C20DD165494F} - System32\Tasks\{76247A36-69FF-47E3-96C5-0CE34B3BAAA6} => pcalua.exe -a "C:\Users\Asia\AppData\Local\Temp\CProgram Files (x86)Opera\Opera_1101_int_Setup.exe" -d C:\Windows\system32
Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Chromium.job => C:\Users\Asia\AppData\Local\Chromium\APPLIC~1\450240~1.0\INSTAL~1\UNINST~1.EXE
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lavasoft Ad-Aware Service => ""="Service"
EmptyTemp:

(Askor15) #5

Fixlog: http://www.wklej.org/id/1752968/

new scan: http://www.wklej.org/id/1752970/

thank you in advance.


(Atis) #6

Paste into the system Notepad and save as a text file named fixlist :

SearchScopes: HKU\S-1-5-21-3688503647-4200787984-459021576-1001 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
S3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [X]
2015-07-03 18:10 - 2015-07-03 18:10 - 00000000 ___HD C:\Users\Asia\AppData\Roaming\GoldenGate
2015-07-03 21:55 - 2015-05-26 06:38 - 00000000 ____ D C:\ProgramData\Lavasoft
2015-07-03 18:15 - 2015-05-27 16:41 - 00013399 _____ C:\aaw7boot.log
DeleteQuarantine:

Run FRST and click Fix. Delete the C:\FRST folder.

Delete old restore points: To delete all restore points

Scan the disk with Malwarebytes Anti-Malware

During installation, uncheck Start the Malwarebytes Anti-Malware Premium trial.

http://wstaw.org/m/2014/03/25/2014-03-25_123039.png

Polish language: Settings > General Settings > Language > Polish

Read how programs should be installed: CLICK - CLICK - CLICK - CLICK

Uninstall:

Adobe Flash Player 17 ActiveX

Adobe Flash Player 17 NPAPI

Adobe Reader 9.4.6

Java 6 Update 2

Microsoft Silverlight

Install:

Flash Player 18.0.0.194 NPAPI

Flash Player 18.0.0.194 ActiveX

Silverlight 5.1.40620.0

Service Pack 1 x64 (903.2 MB)

Internet Explorer 11