Programy typu hemkajdoa.exe itp na komputerze

[artur99b]

Witam, komputer mam zamulony tymi wirusami, w dodatku wirusy jakoś zablokowały mi dostęp do internetu w komputerze i wyłączyły systemowy antywirus na Windows 10. W załączniku log z FRST. Proszę o pomoc. Z góry dzięki.

[ordynat]

Otwórz Notatnik i wklej w nim:

RemoveDirectory: C:\Users\Artur\AppData\Roaming\Hemkajdoa
RemoveDirectory: C:\Program Files (x86)\wanttoxiamen
RemoveDirectory: C:\Users\Artur\AppData\Roaming\Lerlule
RemoveDirectory: C:\Program Files (x86)\Zuzodom
RemoveDirectory: C:\Users\Artur\AppData\Roaming\HPReyos
RemoveDirectory: C:\Users\Artur\AppData\Roaming\AzigcWig
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\鲁大师
RemoveDirectory: C:\Users\Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器
RemoveDirectory: C:\Users\Artur\AppData\LocalLow\Company
RemoveDirectory: C:\Users\Artur\AppData\Local\Tempfolder
RemoveDirectory: C:\Users\Artur\AppData\Local\svchost
RemoveDirectory: C:\Users\Public\Thunder Network
RemoveDirectory: C:\ProgramData\Thunder Network
RemoveDirectory: C:\ProgramData\Avira
RemoveDirectory: C:\ProgramData\Avg
RemoveDirectory: C:\ProgramData\AVAST Software
RemoveDirectory: C:\Users\Artur\AppData\Local\Hperward
RemoveDirectory: C:\Users\Artur\AppData\Local\Barolegtety
RemoveDirectory: C:\Program Files\My Web Shield
RemoveDirectory: C:\Users\Artur\AppData\Roaming\ArchiverApp
HKLM-x32\...\Run: [app] => C:\Program Files (x86)\wanttoxiamen\uc.exe
ShellExecuteHooks: - {1F71A654-9E97-11E6-AA4B-64006A5CFC23} - C:\Users\Artur\AppData\Roaming\Lerlule\Tikoing.dll Brak pliku [ ]
GroupPolicy: Ograniczenia <======= UWAGA
Tcpip\..\Interfaces\{14c7510c-1fb0-47fa-ac1a-04a2be369c2c}: [NameServer] 104.197.191.4
Tcpip\..\Interfaces\{4e1ebe37-3102-4e19-aa37-405e4cab8c24}: [NameServer] 104.197.191.4
Tcpip\..\Interfaces\{b04f8e05-7af7-11e6-a41c-806e6f6e6963}: [NameServer] 104.197.191.4
R2 Viokdojvaf; C:\Users\Artur\AppData\Roaming\Hemkajdoa\Hemkajdoa.exe [170496 2016-08-11] () [Brak podpisu cyfrowego]
S2 Citdhwa; "C:\Users\Artur\AppData\Roaming\AzigcWig\Geeswu.exe" -cms [X]
S2 HPReyos Service; C:\Users\Artur\AppData\Roaming\HPReyos\HPReyosSrv3.exe [X]
S2 Magelyanadasp; C:\Program Files (x86)\Zuzodom\CncCnt.dll [X]
R1 ucdrv; C:\Windows\System32\drivers:ucdrv-x64.sys [20324 ] (UC Web Inc.) <==== UWAGA
S3 asmthub3; \SystemRoot\System32\drivers\asmthub3.sys [X]
S3 asmtxhci; \SystemRoot\System32\drivers\asmtxhci.sys [X]
2016-11-09 22:36 - 2016-11-09 15:55 - 00778752 _____ C:\Windows\system32\chtbrkg.dll
2016-11-09 22:36 - 2016-11-09 15:55 - 00590848 _____ C:\Windows\SysWOW64\chtbrkg.dll
2016-11-09 22:33 - 2016-11-09 22:33 - 00000000 _____ C:\TOSTACK
2016-11-09 22:33 - 2016-08-31 16:00 - 00057680 _____ C:\Windows\system32\Drivers\mwescontroller.sys
HOSTS:
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

2) Zrób nowe logi FRST.
Przed skanem zaznacz "Addition.txt".
.

[artur99b]

FRST i Addition w załączniku, dodam że nadal nie mam internetu w komputerze , mam wifi domowe i przez telefon łączy sie bez problemu

[ordynat]

Otwórz Notatnik i wklej w nim:

Task: {128590A7-9B33-413B-870C-7BE12EC739C6} - System32\Tasks\Gherolysezot Center => C:\Program Files (x86)\Zuzodom\basut.exe
Task: {2D36B97B-68C2-484D-8CD7-3B541D78C5B7} - System32\Tasks\SecureUpdater => C:\Program Files (x86)\UCBrowser\Application\uclauncher.exe <==== UWAGA
RemoveDirectory: C:\Program Files (x86)\UCBrowser
RemoveDirectory: C:\Program Files (x86)\Zuzodom
RemoveDirectory: C:\Program Files\Nahimic
RemoveDirectory: C:\users\artur\appdata\roaming\baidu
RemoveDirectory: C:\Program Files (x86)\LuDaShi
RemoveDirectory: C:\Program Files (x86)\GreatMaker
Task: {57464AC7-4FEE-4425-9613-62F1EC6FFCBB} - System32\Tasks\Nahimic2Svc64Run => C:\Program Files\Nahimic\Nahimic2\UserInterface\x64\Nahimic2Svc64.exe
Task: {D8F68504-D903-4AB1-B2E1-CBAFA40ED8E4} - System32\Tasks\Nahimic2UILauncherRun => C:\Program Files\Nahimic\Nahimic2\UserInterface\Nahimic2UILauncher.exe
Task: {DC7D17A5-998D-4008-A6EF-E652611924F6} - System32\Tasks\99d0354b3f712d5f143f6ff793030b9b => Rundll32.exe "C:\Program Files (x86)\Steam\034n56.dll",e62dc6c6547f46bda862da2d05af6862 <==== UWAGA
Task: {FC11588F-2F19-4396-96DE-5218B30D4D70} - System32\Tasks\Nahimic2Svc32Run => C:\Program Files\Nahimic\Nahimic2\UserInterface\Nahimic2Svc32.exe
WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
C:\Users\Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехрlоrеr.lnk
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () C:\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () C:\1\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Artur\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Artur1\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Filmy\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Filmy1\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Games\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Games1\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Killjoys.S02E03.720p.WEB-DL.x264-FUM[ettv]\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Killjoys.S02E03.720p.WEB-DL.x264-FUM[ettv]1\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Muzyka\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Muzyka1\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Phoenix\local64spl.dll
2016-11-10 02:34 - 2016-11-10 02:34 - 00142848 ____H () E:\Phoenix1\local64spl.dll
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [20324]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360904]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1157922]
FirewallRules: [TCP Query User{F726DF31-FDE4-42F3-A23F-9259D1508A5B}C:\users\artur\appdata\roaming\baidu\baiduyunguanjia\baiduyunguanjia.exe] => (Allow) C:\users\artur\appdata\roaming\baidu\baiduyunguanjia\baiduyunguanjia.exe
FirewallRules: [UDP Query User{5D67CE3F-B9A4-4A4A-A762-35F1BA017CF2}C:\users\artur\appdata\roaming\baidu\baiduyunguanjia\baiduyunguanjia.exe] => (Allow) C:\users\artur\appdata\roaming\baidu\baiduyunguanjia\baiduyunguanjia.exe
FirewallRules: [TCP Query User{1441763B-3216-49D6-8A2E-19F384C96344}E:\program files (x86)\quantum break\dx11\quantumbreak.exe] => (Allow) E:\program files (x86)\quantum break\dx11\quantumbreak.exe
FirewallRules: [UDP Query User{D4713B2A-A70C-4B2F-A67E-A072B0625BAA}E:\program files (x86)\quantum break\dx11\quantumbreak.exe] => (Allow) E:\program files (x86)\quantum break\dx11\quantumbreak.exe
FirewallRules: [{F19C458F-6ACE-496D-9B38-4BF62243AE79}] => (Allow) C:\Users\Artur\AppData\Local\Temp\is-P2K96.tmp\download\MiniThunderPlatform.exe
FirewallRules: [{DF29850D-402A-47CB-8481-8205F1B25BB6}] => (Allow) C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe
FirewallRules: [{8DCECBEF-0DC8-46D0-A246-074697B38605}] => (Allow) C:\Users\Artur\AppData\Local\Temp\00012288\inst_buychannel_07.exe
FirewallRules: [{1CB49BD5-688C-4E37-A3B2-6478C509513E}] => (Allow) C:\Users\Artur\AppData\Local\Temp\00012288\inst_buychannel_07.exe
FirewallRules: [{EA2965A4-1ECD-4F69-A923-D9CD8FC6CB6B}] => (Allow) C:\Program Files (x86)\LuDaShi\ComputerZTray.exe
FirewallRules: [{A84EFED8-6A6E-411A-BC16-BCF554E75771}] => (Allow) C:\Program Files (x86)\LuDaShi\ComputerZTray.exe
FirewallRules: [{94438CC0-5519-4F01-80DA-117202D2CFB6}] => (Allow) C:\Program Files (x86)\LuDaShi\Utils\mininews.exe
FirewallRules: [{7297B260-778E-4D20-BDAD-A387EB4B7338}] => (Allow) C:\Program Files (x86)\LuDaShi\Utils\mininews.exe
HKLM\...\Providers\0jv0ix3q: E:\Filmy\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\62l57pfc: E:\Games\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\aqyj5w9p: E:\Artur\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\b5av9bfh: E:\Phoenix\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\bmwlj0s4: E:\Muzyka1\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\co2xrvil: E:\Artur1\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\fxajclu1: E:\Muzyka\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\fzgn1soa: E:\Filmy1\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\gs8bn5p1: E:\Killjoys.S02E03.720p.WEB-DL.x264-FUM[ettv]\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\hra9ey31: E:\Killjoys.S02E03.720p.WEB-DL.x264-FUM[ettv]1\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\qvicqcar: C:\\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\r2wv6n3t: C:\1\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\uwmfw6os: E:\Games1\local64spl.dll [142848 2016-11-10] ()
HKLM\...\Providers\yuj8qxaa: E:\Phoenix1\local64spl.dll [142848 2016-11-10] ()
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

2) Użyj RepairDNS > http://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/#entry172749
Link zapasowy > http://www.mediafire.com/download/yedejtr7p4q36zm/RepairDNS.zip
Daj z tego raport.

3) Zrób nowe logi FRST.
Przed skanem zaznacz "Addition.txt" oraz "Shortcut.txt".
.

[artur99b]

Oto nowe skany, przeskanowałem też programem ADWCleaner i wykryło mi jedną infekcję o nazwie: ActiveScriptEventConsumer

[ordynat]

Otwórz Notatnik i wklej w nim:

GroupPolicy: Ograniczenia <======= UWAGA
GroupPolicyScripts: Ograniczenia <======= UWAGA
GroupPolicyScripts\User: Ograniczenia <======= UWAGA
Task: {128590A7-9B33-413B-870C-7BE12EC739C6} - System32\Tasks\Gherolysezot Center => C:\Program Files (x86)\Zuzodom\basut.exe
Task: {57464AC7-4FEE-4425-9613-62F1EC6FFCBB} - System32\Tasks\Nahimic2Svc64Run => C:\Program Files\Nahimic\Nahimic2\UserInterface\x64\Nahimic2Svc64.exe
Task: {D8F68504-D903-4AB1-B2E1-CBAFA40ED8E4} - System32\Tasks\Nahimic2UILauncherRun => C:\Program Files\Nahimic\Nahimic2\UserInterface\Nahimic2UILauncher.exe
Task: {DC7D17A5-998D-4008-A6EF-E652611924F6} - System32\Tasks\99d0354b3f712d5f143f6ff793030b9b => Rundll32.exe "C:\Program Files (x86)\Steam\034n56.dll",e62dc6c6547f46bda862da2d05af6862 <==== UWAGA
Task: {FC11588F-2F19-4396-96DE-5218B30D4D70} - System32\Tasks\Nahimic2Svc32Run => C:\Program Files\Nahimic\Nahimic2\UserInterface\Nahimic2Svc32.exe
C:\Program Files\Nahimic
C:\Program Files (x86)\Zuzodom
WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [20324]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360904]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1157922]
Shortcut: C:\Users\Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехрlоrеr.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) <===== Cyrillic
FirewallRules: [{F19C458F-6ACE-496D-9B38-4BF62243AE79}] => (Allow) C:\Users\Artur\AppData\Local\Temp\is-P2K96.tmp\download\MiniThunderPlatform.exe
FirewallRules: [{DF29850D-402A-47CB-8481-8205F1B25BB6}] => (Allow) C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe
FirewallRules: [{8DCECBEF-0DC8-46D0-A246-074697B38605}] => (Allow) C:\Users\Artur\AppData\Local\Temp\00012288\inst_buychannel_07.exe
FirewallRules: [{1CB49BD5-688C-4E37-A3B2-6478C509513E}] => (Allow) C:\Users\Artur\AppData\Local\Temp\00012288\inst_buychannel_07.exe
FirewallRules: [{EA2965A4-1ECD-4F69-A923-D9CD8FC6CB6B}] => (Allow) C:\Program Files (x86)\LuDaShi\ComputerZTray.exe
FirewallRules: [{A84EFED8-6A6E-411A-BC16-BCF554E75771}] => (Allow) C:\Program Files (x86)\LuDaShi\ComputerZTray.exe
FirewallRules: [{94438CC0-5519-4F01-80DA-117202D2CFB6}] => (Allow) C:\Program Files (x86)\LuDaShi\Utils\mininews.exe
FirewallRules: [{7297B260-778E-4D20-BDAD-A387EB4B7338}] => (Allow) C:\Program Files (x86)\LuDaShi\Utils\mininews.exe
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

Zrób nowe logi FRST - już bez Shortcut.
.

[artur99b]

Oto kolejne logi.

[ordynat]

W nowych logach nie widzę już niczego podejrzanego, więc chyba możemy kończyć:
Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST. Uruchom FRST i kliknij w Fix (NAPRAW).
przez SHIFT+DEL usuń pozostały folder C:\FRST.

W Adw-Cleaner kliknij na PLIK, potem na ODINSTALUJ.
.

Autor postu otrzymał pochwałę

[artur99b]

Wielkie dzięki za pomoc.