Laptop infekuje inne urządzenia

[halu]

Witam, laptop infekuje mi inne urzadzenia typu pendrive, zauwazylem w procesach boabu.exe.

FRST http://pokazywarka.pl/v8bytv/

ADD http://pokazywarka.pl/h4rdt9/

SHO http://pokazywarka.pl/7n4qf6/

GMER http://pokazywarka.pl/kxxgtt/

[picasso]

Prócz punktowanego problemu jest tu także śmietnik od adware. Działania do przeprowadzenia:

 

1. Deinstalacje:

- Przez Panel sterowania odinstaluj adware/PUP WinZip (to podróbka WinZip, a nie Wizip od Corela).

- Uruchom Program Install and Uninstall Troubleshooter i za jego pomocą usuń odpadek Google Update Helper.

 

2. Otwórz Notatnik i wklej w nim:

 

CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-3451519264-229654876-2956084100-1000\...\Run: [boabu] => C:\Users\user\boabu.exe [49152 2015-04-23] ()
R2 WinSystemSvcW; C:\Program Files (x86)\Windows Expro\winprow.exe [339456 2016-08-03] () [brak podpisu cyfrowego]
R2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [1018416 2016-08-03] (ExWzp Pvt Ltd.) 
S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service [X] 
S3 cpuz138; \??\C:\Users\user\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
S1 iSafeKrnlMon; \??\C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlMon.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {1FB886DB-88EE-42E9-BCC2-98FE2BBFC654} - System32\Tasks\{F69CDE2C-6E18-4546-81B6-453C79F5A7B5} => pcalua.exe -a "C:\Program Files (x86)\WinZipper\eUninstall.exe" 
Task: {915E0AF9-D3E4-441F-A186-31DADE94B0FC} - System32\Tasks\{30DCEEA4-AB18-489B-ABEA-D7D603179D2A} => pcalua.exe -a F:\SETUP.EXE -d F:\
Task: {AD77A0B7-27FC-45E7-867C-8197EE46D6B7} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
GroupPolicyScripts: Ograniczenia 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.v9.com?type=hp&ts=1435574949&from=mych123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.v9.com?type=hp&ts=1435574949&from=mych123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.v9.com?type=hp&ts=1435574949&from=mych123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.v9.com?type=hp&ts=1435574949&from=mych123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\S-1-5-21-3451519264-229654876-2956084100-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.delta-homes.com/web/?type=ds&ts=1418977195&from=wpm12173&uid=WDCXWD10JPCX-24UE4T0_WD-WX51E93AWJ97AWJ97&q={searchTerms}
HKU\S-1-5-21-3451519264-229654876-2956084100-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.v9.com?type=hp&ts=1435574949&from=mych123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e
HKU\S-1-5-21-3451519264-229654876-2956084100-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.v9.com?type=hp&ts=1435574949&from=mych123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e
SearchScopes: HKLM -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =
SearchScopes: HKLM-x32 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://www.v9.com/web?type=ds&ts=1435574949&from=zzgbkk123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e&q={searchTerms}
SearchScopes: HKLM-x32 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://www.v9.com/web?type=ds&ts=1435574949&from=zzgbkk123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3451519264-229654876-2956084100-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3451519264-229654876-2956084100-1000 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://www.v9.com/web?type=ds&ts=1435574949&from=zzgbkk123&uid=wdcxwd10jpcx-24ue4t0_wd-wx51e93awj97awj97&z=3958d08c7c8998fcfb4d13dgdz9c3wfwcm8zctfz5e&q={searchTerms}
FF HKLM-x32\...\Firefox\Extensions: [detgdp@gmail.com] - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\e0dks6s1.default\extensions\detgdp@gmail.com => nie znaleziono
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1426769105&from=wpm031932&uid=WDCXWD10JPCX-24UE4T0_WD-WX51E93AWJ97AWJ97
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1426769105&from=wpm031932&uid=WDCXWD10JPCX-24UE4T0_WD-WX51E93AWJ97AWJ97
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1426769105&from=wpm031932&uid=WDCXWD10JPCX-24UE4T0_WD-WX51E93AWJ97AWJ97
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1426769105&from=wpm031932&uid=WDCXWD10JPCX-24UE4T0_WD-WX51E93AWJ97AWJ97
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^House of Cards 2013 S03E05 720p WEBRip x264-2HD [eztv].lnk
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\boabu => C:\Users\user\boabu.exe
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EaseUS EPM tray
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fuefue
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GoogleChromeAutoLaunch_4E874A737D5662A34EBBEADB3A9C4A09
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main
C:\Program Files (x86)\Windows Expro
C:\Program Files (x86)\WinZipper
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Heroes of Newerth
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator\Licenses\AFPL License.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Strife
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
C:\Users\user\boabu.exe
C:\Users\user\AppData\Local\69ff07055291669bb2b218.72821112
C:\Users\user\AppData\Local\Google
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\openfm.lnk
C:\Users\user\AppData\Roaming\SETUP.EXE
C:\Windows\pss\House of Cards 2013 S03E05 720p WEBRip x264-2HD [eztv].lnk.Startup
CMD: netsh advfirewall reset
EmptyTemp:

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Plik zapisz pod nazwą fixlist.txt w folderze z którego uruchamiasz FRST. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, nastąpi restart systemu. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

 

3. Zrób nowe logi: FRST z opcji Skanuj (Scan), bez Addition i Shortcut, oraz USBFix z opcji Listing wykonany przy podpiętych zarażonych pendrive. Dołącz też plik fixlog.txt.

Edytowane 24 Października 2016 przez picasso
Temat zostaje zamknięty z powodu braku odpowiedzi. //picasso