Virus on computer - programs download themselves, anti-virus itself OFF

DewMaster 2955 5
  • #1 16472366
    DewMaster
    Level 7  
    Hello,
    I noticed that some strange things have started happening on my computer.
    E.g.: the Chrome page changed to LuckySearch.com, the antivirus crashed, and Big Bang Empire, Big Farm and Mozilla Firefox started to download. Despite my removing the programs and restarting the browsers, the problem keeps repeating. It did not detect anything (full scan). I'm new to the forum and if I have broken a rule, sorry, but I am writing this quickly because I would like to use the computer normally. Please help :)

    System: Win10
  • #2 16472517
    Kolobos
    IT specialist
    Export your bookmarks from FF and uninstall Firefox.
    In Chrome, switch to the other profile and delete the one the infection created.

    Uninstall WorldofTanks

    Run the following Fixlist.txt with FRST:
    CloseProcesses:
    2017-05-11 21:01 - 2017-05-11 21:01 - 00001910 _____ C:\Users\User\Desktop\big_bang_empire.lnk
    2017-05-11 21:01 - 2017-05-11 21:01 - 00001884 _____ C:\Users\User\Desktop\BigFarm.lnk
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\...\ChromeHTML: -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    C:\Program Files (x86)\MIO\MIO.exe [2017-05-11] ()
    msiexec.exe /i hxxp://D2Buh1bF1G584W.CLouDfRoNT.net/mmtsk/occup.php?p=SAMSUNGXHD502HJ_S20BJ9FB300266&d=20170428 /q
    pcalua.exe -a "C:\Program Files (x86)\ivo\Ivona_Rehab-1.0\rejestracja_ivony_rehab.exe" -d "C:\Program Files (x86)\ivo\Ivona_Rehab-1.0" -c C:\Program Files (x86)\ivo\Ivona_Rehab-1.0\ivona.id
    Task: {8FF2E168-6BCB-426D-8387-C0CCCF03088A} - System32\Tasks\Windows-PG => powershell.exe C:\windows\psgo\psgo.ps1
    Task: {B7BD1BAB-F6E6-45F3-8353-467D923BC158} - System32\Tasks\Ajuent => msiexec.exe /i hxxp://D2bUH1bF1g584W.clOuDfroNt.net/mmtsk/occup.php?p=SAMSUNGXHD502HJ_S20BJ9FB300266&d=20170427 /q
    C:\Program Files (x86)\Rerjutain\vihght.exe [2017-04-27] (Google Inc.)
    Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\167c78b32431516\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
    ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WorldofTanks\WorldofTanks.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.ourluckysites.com/?type=sc&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.ourluckysites.com/?type=sc&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    2017-04-27 22:51 - 2017-04-27 22:51 - 00316928 _____ () C:\Program Files (x86)\Gogekqahsy Log\local64spl.dll
    2016-08-10 17:03 - 2017-01-31 22:47 - 00304456 _____ () C:\Program Files\ByteFence\rtop\bin\rtop_svc.exe
    2017-05-03 23:37 - 2017-05-03 06:29 - 00107672 _____ () C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
    2016-08-21 16:21 - 2017-01-31 22:47 - 00619848 _____ () C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe
    2017-05-09 14:58 - 2017-05-09 16:40 - 00323584 _____ () C:\Users\User\AppData\Local\background_fault\bf.dll
    2017-05-09 14:58 - 2017-04-11 08:36 - 67718656 _____ () C:\Users\User\AppData\Local\background_fault\libcef.dll
    2017-05-09 14:58 - 2017-04-11 08:36 - 01922560 _____ () C:\Users\User\AppData\Local\background_fault\libglesv2.dll
    2017-05-09 14:58 - 2017-04-11 08:36 - 00079872 _____ () C:\Users\User\AppData\Local\background_fault\libegl.dll
    2017-05-03 23:39 - 2017-04-19 06:04 - 02864984 _____ () C:\Program Files (x86)\Dayglad\Application\libglesv2.dll
    2017-05-03 23:39 - 2017-04-19 06:04 - 00087384 _____ () C:\Program Files (x86)\Dayglad\Application\libegl.dll
    Hosts:
    () C:\Program Files\ByteFence\rtop\bin\rtop_svc.exe
    () C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
    () C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe
    (© 2015 Microsoft Corporation) C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe
    (AVAST Software) C:\Users\User\AppData\Local\background_fault\aswRD.exe
    (Tencent) C:\Users\User\AppData\Local\background_fault\QQIme.exe
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\...\Run: [BingSvc] => C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-03-22] (© 2015 Microsoft Corporation)
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\...\Run: [ALLUpdate] => "E:\ALLPlayer\ALLUpdate.exe" "sleep"
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\...\Run: [ALLPlayer WiFi Remote] => C:\Program Files (x86)\ALLPlayer Remote\ALLPlayerRemoteControl.exe
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\...\Run: [background_fault] => C:\Users\User\AppData\Local\background_fault\aswRD.exe [1419576 2017-05-09] (AVAST Software) (No File)
    ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\User\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
    ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\User\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
    ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\User\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
    ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\User\AppData\Local\MEGAsync\ShellExtX32.dll -> No File
    ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\User\AppData\Local\MEGAsync\ShellExtX32.dll -> No File
    ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\User\AppData\Local\MEGAsync\ShellExtX32.dll -> No File
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    HKU\S-1-5-21-2055952257-4250577601-441890819-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms}
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2055952257-4250577601-441890819-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2055952257-4250577601-441890819-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.ourluckysites.com/search/?type=ds&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2055952257-4250577601-441890819-1001 -> {ielnksrch} URL = hxxp://www.bing.com/search?q={searchTerms}
    Edge HomeButtonPage: HKU\S-1-5-21-2055952257-4250577601-441890819-1001 -> hxxp://www.ourluckysites.com/?type=hp&ts=1494334708&z=14d03aef6942c6953cf1477gezetazbc0c0zdmbgfo&from=che0812&uid=SAMSUNGXHD502HJ_S20BJ9FB300266
    FF DefaultProfile: sh1v03py.default
    FF ProfilePath: C:\Users\User\AppData\Roaming\Firefox\Firefox\Profiles\sh1v03py.default [2017-05-12]
    FF Extension: (SimilarWeb) - C:\Users\User\AppData\Roaming\Firefox\Firefox\Profiles\sh1v03py.default\Extensions\@DA3566E2-F709-11E5-8E87-A604BC8E7F8B.xpi [2017-05-12] [not signed]
    FF Extension: (HSearch) - C:\Users\User\AppData\Roaming\Firefox\Firefox\Profiles\sh1v03py.default\Extensions\@E97YHOMI-FU8L-IM23-VUT9-RVDZT7M8XL8H.xpi [2017-05-03] [not signed]
    FF Extension: (FF Adr) - C:\Users\User\AppData\Roaming\Firefox\Firefox\Profiles\sh1v03py.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-05-03] [not signed]
    FF Extension: (Polski Language Pack) - C:\Users\User\AppData\Roaming\Firefox\Firefox\Profiles\sh1v03py.default\Extensions\langpack-pl@firefox.mozilla.org.xpi [2017-05-03] [not signed]
    CHR DefaultProfile: ChromeDefaultData
    CHR HomePage: ChromeDefaultData -> msn.com
    CHR StartupUrls: ChromeDefaultData -> "hxxp://www.luckysearch123.com?type=hp&ts=1494084920&from=d6440504&uid=samsungxhd502hj_s20bj9fb300266&z=b138fe27347949195ee1e7agaz3t3zfe6b2zetdocc"
    CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-11] C:\Program Files (x86)\Dayglad\Application\chrome.exe (Google Inc.)
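The fixlist above removes one instance of a common browser-hijacker pattern: scheduled tasks that run msiexec against a URL or powershell against a dropped .ps1, Run keys pointing into AppData\Local (one already with its file gone), browser shortcuts that pass a landing-page URL as an argument, and IE start/search values pointing at the hijacker's domain. The script below is an added example, not part of the original thread or of FRST, that reports the same four classes of indicator on a live Windows 10 machine without changing anything. The search locations, regular expressions and the "known-good" domain list are assumptions based on the entries in this fixlist, not a complete catalogue of hijacker persistence points.

```powershell
# Added triage example (not from the original post or from FRST).
# Read-only: it lists suspicious entries, it does not remove them.
# Run from an elevated PowerShell prompt on the affected machine.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks whose action is msiexec installing from a URL, or powershell
#    running a script file (the Ajuent and Windows-PG tasks in the fixlist).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)msiexec(\.exe)?\s+/i\s+https?://' -or
            $cmd -match '(?i)powershell(\.exe)?.*\.ps1') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 2. Run keys whose binary lives under AppData\Local or no longer exists on disk
#    (the background_fault\aswRD.exe entry showed both traits).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are not values
        $value = [string]$prop.Value
        # Executable = quoted first token, or everything up to the first ".exe"
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] }
               elseif ($value -match '^(.+?\.exe)') { $Matches[1] }
               else { $value }
        if ($value -match '(?i)\\AppData\\Local\\' -or -not (Test-Path -LiteralPath $exe)) {
            Add-Finding 'RunKey' "$key\$($prop.Name)" $value
        }
    }
}

# 3. Shortcuts in the usual launcher locations that hand a URL to the browser
#    (the WorldofTanks.lnk and Internet Explorer.lnk pattern).
$wsh = New-Object -ComObject WScript.Shell
$lnkDirs = "$env:APPDATA\Microsoft\Windows\Start Menu",
           "$env:ProgramData\Microsoft\Windows\Start Menu",
           "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
           "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop"
foreach ($lnk in Get-ChildItem -Path $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $wsh.CreateShortcut($lnk.FullName)
    if ($sc.Arguments -match '(?i)https?://') {
        Add-Finding 'Shortcut' $lnk.FullName "$($sc.TargetPath) $($sc.Arguments)"
    }
}

# 4. IE start/search values that point anywhere other than Microsoft's own domains.
#    The allow-list is an assumption; extend it for a corporate default home page.
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main'
$ieValues = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL'
foreach ($key in $ieKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty $key
    foreach ($name in $ieValues) {
        $url = [string]$item.$name
        if ($url -and $url -notmatch '(?i)^https?://([\w-]+\.)*(microsoft|msn|bing|live)\.com') {
            Add-Finding 'IESetting' "$key\$name" $url
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Treat the output as leads, not verdicts: a Run value using an unexpanded %VARIABLE% path or a legitimately installed tool under AppData\Local will also show up, and the script does not look at the Chrome or Firefox profile directories, which in this case still held the hijacked startup URL and the unsigned extensions that the FRST entries above list separately.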
  • #4 16472638
    Kolobos
    IT specialist
    > If you could just tell me what the cause was, that would be great.

    The usual mindless download of pirated infected games or programs.

    You still have an infected profile in Chrome:
    CHR DefaultProfile: ChromeDefaultData
    CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-12]
  • #6 16472699
    Kolobos
    IT specialist
    > After you do, delete the directory C:\FRST and that's it.