Timur Ibragimov

CLOSED Help, my computer is infected !!!!!!!!


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [NoToolbarsOnTaskbar] 0
HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [ClassicShell] 0
HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [NoBandCustomize] 0
HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [NoMovingBands] 0
HKU\S-1-5-21-902657796-2216782368-3167530159-1000\...\Policies\Explorer: [NoCloseDragDropBands] 0
GroupPolicy: Restriction - Chrome <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-902657796-2216782368-3167530159-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {0B93607A-B270-4970-99C7-139A3B382A25} - System32\Tasks\BmHhCekqquvtRi => rundll32 "C:\Program Files (x86)\vknAtWNPMhpU2\lDWNyEUKlOAkx.dll",#1
Task: {5711B4D5-2D0F-4598-8863-00A1ED052CE1} - \jVVcebPoCjhHKmi -> No File <==== ATTENTION
Task: {726A26AC-84F2-44E9-BCBA-4811CDA20D8F} - System32\Tasks\boQbXxbEJPaDgWztw => rundll32 "C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\ApKMsqP.dll",#1
Task: {B8B7346D-6D94-4396-B3C0-1F42E22904EC} - System32\Tasks\boQbXxbEJPaDgWztw2 => rundll32 "C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\ApKMsqP.dll",#1
Task: {DDB0F423-985C-4BFC-8085-E424545A5A2F} - System32\Tasks\jVVcebPoCjhHKmi2 => rundll32 "C:\Program Files (x86)\ExRIRmygU\DNEKOk.dll",#1
Task: {EB02381F-D652-4B1C-894A-712498C62C51} - \Microsoft\Windows\MUI\LPRemove -> No File <==== ATTENTION
Task: C:\Windows\Tasks\boQbXxbEJPaDgWztw.job => C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\ApKMsqP.dll
Shortcut: C:\Users\User\Desktop\Gmаil.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\Desktop\Gоoglе Рhotos.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\Desktop\Диск Gоogle.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Приложения Chrome\Gmаil.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Приложения Chrome\Gооglе Photоs.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Приложения Chrome\YоuTube.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Приложения Chrome\Диск Gоogle (1).lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Приложения Chrome\Диск Gоogle.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gоogle Сhromе.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооgle Сhrоmе (2).lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооgle Сhrоmе.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Диспетчер задач Windows.lnk -> C:\Windows\System32\taskmgr.exe (Microsoft Corporation) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Моzillа Firеfох (2).lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <==== Cyrillic
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Моzillа Firеfох.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <==== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gоogle Chrоme.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\Public\Desktop\Gоogle Chrome.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <==== Cyrillic
Shortcut: C:\Users\Public\Desktop\Моzilla Firefoх.lnk -> C:\Users\User\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <==== Cyrillic
C:\Program Files (x86)\ExRIRmygU\DNEKOk.dll
C:\Program Files (x86)\ExRIRmygU
C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\ApKMsqP.dll
C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER
C:\Program Files (x86)\vknAtWNPMhpU2\lDWNyEUKlOAkx.dll
C:\Program Files (x86)\vknAtWNPMhpU2

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
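The fixlist above removes two patterns worth recognising on any machine: browser shortcuts whose names use Cyrillic look-alike letters and point at .bat files under AppData\Roaming\Browsers, and scheduled tasks that launch rundll32 with a DLL from a randomly named folder in Program Files (x86). As an added example that is not part of this thread, the Python script below flags those same patterns in FRST "Shortcut:" and "Task:" lines; the sample lines, GUIDs and the benign defrag task are constructed, not taken from the user's logs.

```python
import re
import unicodedata

# Constructed FRST-style lines modelled on this thread's fixlist (GUIDs are placeholders); \u0430/\u043e are Cyrillic a/o.
SAMPLE_LINES = [
    "Shortcut: C:\\Users\\User\\Desktop\\Gm\u0430il.lnk -> "
    "C:\\Users\\User\\AppData\\Roaming\\Browsers\\exe.emorhc.bat (No File) <==== Cyrillic",
    "Shortcut: C:\\Users\\User\\Desktop\\Диск G\u043eogle.lnk -> "
    "C:\\Users\\User\\AppData\\Roaming\\Browsers\\exe.emorhc.bat (No File) <==== Cyrillic",
    "Shortcut: C:\\Users\\Public\\Desktop\\Диспетчер задач Windows.lnk -> "
    "C:\\Windows\\System32\\taskmgr.exe (Microsoft Corporation) <==== Cyrillic",
    "Shortcut: C:\\Users\\Public\\Desktop\\Google Chrome.lnk -> "
    "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe (Google Inc.)",
    "Task: {00000000-0000-0000-0000-000000000001} - System32\\Tasks\\BmHhCekqquvtRi => "
    'rundll32 "C:\\Program Files (x86)\\vknAtWNPMhpU2\\lDWNyEUKlOAkx.dll",#1',
    "Task: {00000000-0000-0000-0000-000000000002} - \\Microsoft\\Windows\\Defrag\\ScheduledDefrag => "
    "C:\\Windows\\system32\\defrag.exe -c",
]

SHORTCUT_RE = re.compile(r"^Shortcut: (?P<lnk>.+?\.lnk) -> (?P<target>.+?)(?: \((?P<info>[^()]*)\))?$")
TASK_RE = re.compile(r"^Task: (?P<guid>\{[^}]+\}) - (?P<name>.+?) => (?P<cmd>.+)$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")


def script_of(ch):  # 'LATIN', 'CYRILLIC', ... for letters; None for anything else
    return unicodedata.name(ch, "").split(" ")[0] if ch.isalpha() else None


def mixed_script_words(name):
    """Words mixing Latin and Cyrillic letters, e.g. 'Gm\u0430il' written with a Cyrillic a."""
    return [w for w in name.split()
            if {"LATIN", "CYRILLIC"} <= {script_of(c) for c in w}]


def scan_frst_lines(lines):
    """Return (reason, line) pairs for hijacked shortcuts and rundll32 persistence tasks."""
    findings = []
    for raw in lines:
        line = raw.split(" <====")[0].strip()  # drop FRST's own trailing marker
        m = SHORTCUT_RE.match(line)
        if m:
            stem = m.group("lnk").rsplit("\\", 1)[-1][:-4]  # shortcut name without .lnk
            target, info = m.group("target"), m.group("info") or ""
            if mixed_script_words(stem):
                findings.append(("homoglyph shortcut name", line))
            if target.lower().endswith(SCRIPT_EXT) or info == "No File":
                findings.append(("shortcut target is a script or missing", line))
            continue
        m = TASK_RE.match(line)
        if m and m.group("cmd").lower().startswith("rundll32") and "\\windows\\" not in m.group("cmd").lower():
            findings.append(("rundll32 task loading a DLL outside the Windows directory", line))
    return findings
```

A localised name such as "Диспетчер задач Windows" is not flagged because the check is per word, so only a single word that mixes both alphabets counts as a homoglyph.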


You will need to reinstall Firefox and Chrome.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Hello, Kevin! I did not delete my browsers, I just downloaded over the old ones. Now there is access to the Internet and shortcuts. But I do not see any browsers when I attached them to the Start menu. There are no folders. Is this normal? Also, I'm grateful to you for the help from my heart. May God bless you and your family!

scan_171201-105105.txt

FRST.txt

Addition.txt


No, that is not normal. Let's try resetting some areas of Windows to their defaults.

There may be some slight differences between the instructions and the program's interface.

Download Windows Repair by Tweaking.com (http://www.tweaking.com/content/page/windows_repair_all_in_one.html) to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com.

• Double-click "tweaking.com_windows_repair_aio.zip" and extract the "Tweaking.com - Windows Repair" folder to your desktop.
• Now open this folder and double-click "Repair_Windows.exe".
• Click the "Repairs" tab on the far right.
• Click the "Open Repairs" button (bottom right).

Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.

• Click "Unselect All".
• Put a checkmark in the following items:
  • 01 - Reset Registry Permissions
  • 02 - Reset File Permissions
  • 03 - Reset Service Permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 10 - Remove Policies Set By Infections
  • 11 - Repair Missing Start Menu Icons Removed By Infections
  • 19 - Repair Volume Shadow Copy Service
  • 21 - Repair MSI (Windows Installer)
  • 22 - Repair Windows Snipping Tool
  • 26 - Restore Important Windows Services
  • 27 - Set Windows Services to Default Startup

Note: Leave everything else unchecked.

• Put a checkmark in "Restart System When Finished".
• Now click the "Start" button (bottom right).


Thank you very much, Kevin! I did everything according to the instructions. But as before, the Start menu has icons for all programs, except icons for the browsers. But when I enter the name of the browser in the Start menu search, they appear. So they are fixed there, but they are not visible. I think that this does not threaten the system. What do you think? Do you think that this needs to be corrected?


Let's try a different tool.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


Hi,

Delete the following with RogueKiller:

¤¤¤ Files : 3 ¤¤¤
[BitMiner.Gen0][Folder] C:\Users\User\AppData\Local\PCBooster -> Found


Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin.

You can delete and uninstall any programs I had you download that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thank you so much for helping, Kevin! Done. I also became the owner of a license key for the Emsisoft Anti-Malware antivirus for 1 year. Thank you for the excellent service and products. Happy New Year to you and your whole family! :)


Happy New Year to you and yours.

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
