SafeGroup

Pages load slowly
Symptoms of infection:
Pages load slowly.
Actions taken:
I scanned with ESET; it detected two threats.

Logs:


Paste the following into Notepad and save it as fixlist.txt

Code:
Winlogon\Notify\ur32artreg: C:\Documents and Settings\All Users\Dokumenty\Settings\ur32art.dll [X]
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1060284298-616249376-682003330-1003\...\Policies\Explorer: [NoBandCustomize] 0
SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} -No File
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lookfor.cc?pin=37794
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar_bak = http://lookfor.cc/sp.php?pin=37794
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page_bak = http://lookfor.cc/sp.php?pin=37794
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
URLSearchHook: HKCU - (No Name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} -No File
URLSearchHook: HKCU - (No Name) - {98261132-AD0F-5FE3-4DD2-9258D2C4930D} - porka_.dll No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {79C01CC7-C814-4AB9-AC10-0B67C31E2B46} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: No Name - {399F6682-0414-4A43-8472-9E83A55E5699} -No File
BHO: No Name - {3C9BBD1E-56AD-7621-D58F-5040409BFCC8} -No File
Toolbar: HKLM - FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll (FreeDownloadsAccelerator.COM)
Toolbar: HKLM - No Name - {ACB1E670-3217-45C4-A021-6B829A8A27CB} -No File
Toolbar: HKCU - No Name - {84257613-7957-F4ED-E95C-BC615252883B} -No File
Toolbar: HKCU - No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -No File
Toolbar: HKCU - FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll (FreeDownloadsAccelerator.COM)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -No File
DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} http://arcaonline.arcabit.com/ArcaOnline.cab
DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} http://advnt01.com/dialer/russia.CAB
DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121017261875
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} http://www.content-loader.com/load/ccaccess.cab
FF Plugin: [email protected]/YahooActiveXPluginBridge;version=1.0.0.1 - C:\PROGRA~1\YAHOO!\COMMON\npyaxmpb.dll (Yahoo! Inc.)
S2 MksVirMonSvc; C:\Program Files\MKS\Bin\mksmonsv.exe [X]
U0 Bfj61; System32\Drivers\Bfj61.sys [X]
S2 BTTUNER; system32\drivers\BTTUNER.SYS [X]
S2 BTXBAR; system32\drivers\BTXBAR.SYS [X]
S3 catchme; \??\C:\DOCUME~1\RK\USTAWI~1\Temp\catchme.sys [X]
S3 MksMonEn; \??\C:\Program Files\MKS\Bin\MksMonEn.sys [X]
S3 MksMonEv; \??\C:\Program Files\MKS\Bin\MksMonEv.sys [X]
S3 MksMonFd; \??\C:\Program Files\MKS\Bin\MksMonFd.sys [X]
S0 Unab26; No ImagePath
S0 viaagp1; System32\DRIVERS\viaagp1.sys [X]
S3 vsdatant; System32\vsdatant.sys [X]
U3 Winsock - Google Desktop Search Backup Before First Install; No ImagePath
U3 Winsock - Google Desktop Search Backup Before Last Install; No ImagePath
C:\ComboFix
C:\WINDOWS\system32\config\Doctor Web.evt
C:\Documents and Settings\RK\Doctor Web
Task: C:\WINDOWS\Tasks\Norton Security Scan.job => C:\Program Files\Norton Security Scan\Nss.exe
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 1fb44da2-2cc0-403c-9266-fa15d5256fbb.job => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task fbde531d-ceb3-4178-85af-8be037aba1ba.job => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bfj61.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Bfj61.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f


Place the saved script next to the downloaded FRST program.
Then click Fix in the program; when it finishes, post the report from that action.

In Google Chrome

In the address bar type chrome://plugins

and disable Vividas Player Plugin and Yahoo! ActiveX Plug-in Bridge

disable and re-enable the remaining visible plugins
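The fixlist above is built from FRST's own markers: entries whose target FRST could not find ([X], No File, No ImagePath) are orphaned autostart points, while the rest are browser-hijack remnants, stale services, tasks and leftover tool folders. The following triage script is an added example, not part of this thread or of FRST; it classifies fixlist-style lines by their FRST prefix and flags the orphaned ones, using a constructed subset of the lines posted above as sample input.

```python
"""Triage helper for FRST-style fixlist lines (added example, not FRST's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the fixlist lines from the thread above.
SAMPLE_FIXLIST = r"""
Winlogon\Notify\ur32artreg: C:\Documents and Settings\All Users\Dokumenty\Settings\ur32art.dll [X]
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lookfor.cc?pin=37794
URLSearchHook: HKCU - (No Name) - {98261132-AD0F-5FE3-4DD2-9258D2C4930D} - porka_.dll No File
BHO: No Name - {399F6682-0414-4A43-8472-9E83A55E5699} -No File
DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} http://advnt01.com/dialer/russia.CAB
U0 Bfj61; System32\Drivers\Bfj61.sys [X]
S0 Unab26; No ImagePath
Task: C:\WINDOWS\Tasks\Norton Security Scan.job => C:\Program Files\Norton Security Scan\Nss.exe
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\ComboFix
"""

# FRST service/driver lines look like "S2 Name; path [X]" (start type, name, image path).
SERVICE_RE = re.compile(r"^([SU]\d)\s+([^;]+);\s*(.*)$")
# Prefixed entries such as "BHO: ...", "DPF: ...", "Task: ...", "Reg: ...".
PREFIXED_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s")
# Markers FRST prints when the referenced file or image path no longer exists.
ORPHAN_MARKERS = ("[X]", "No File", "No ImagePath")


@dataclass
class Entry:
    kind: str      # registry, service/<start type>, bho, dpf, task, reg, path, ...
    target: str    # the part of the line that names the object being removed
    orphan: bool   # True when FRST itself reported the target as missing


def classify(line: str) -> Entry:
    """Map one fixlist line to its FRST category and orphan status."""
    if (m := SERVICE_RE.match(line)):
        kind, target = f"service/{m.group(1)}", m.group(3)
    elif line.startswith(("HKLM\\", "HKCU\\", "HKU\\", "Winlogon\\")):
        kind, target = "registry", line
    elif (m := PREFIXED_RE.match(line)):
        kind, target = m.group(1).lower(), line[m.end():]
    elif re.match(r"^[A-Za-z]:\\", line):
        kind, target = "path", line          # bare file/folder path to delete
    else:
        kind, target = "unknown", line
    return Entry(kind, target.strip(), any(mk in line for mk in ORPHAN_MARKERS))


def triage(text: str) -> list[Entry]:
    """Classify every non-empty line of a fixlist."""
    return [classify(ln) for ln in text.splitlines() if ln.strip()]


def orphan_count(entries: list[Entry]) -> int:
    return sum(e.orphan for e in entries)
```

Running `triage(SAMPLE_FIXLIST)` on the sample separates the five orphaned autostart/driver entries from the live ones (the lookfor.cc hijack value, the dialer DPF, the scheduled task and the leftover ComboFix folder), which is the distinction a helper checks before handing a fixlist to someone to run.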