CryptXXX 4.0 ransomware infection


All files are encrypted and their names have been changed.

[attached screenshot: 5e33fbb94bb74a60.jpg]

I uploaded one of the files to this identification site: https://id-ransomware.malwarehunterteam.com/identify.php and it was identified as CryptXXX -> http://www.bleepingcomputer.com/news/security/cryptxxx-ransomware-is-now-scrambling-the-filenames-of-encrypted-files/

Unfortunately there is no decryptor, but I would still like to clean the system. And is recovery possible from shadow copies, or with a program for recovering deleted files? I know there were some ransomware strains that encrypted the files and deleted the originals.

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-10-2016
Ran by SALI_2 (administrator) on SALIPC (11-10-2016 12:50:12)
Running from C:\Users\SALI_2\Desktop
Loaded Profiles: SALI_2 (Available Profiles: Sali & SALI_2)
Platform: Windows 7 Home Premium (X64) Language: Български (България)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Windows\SysWOW64\SupportAppPT\cdrom_monEx.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(© 2015 Microsoft Corporation) C:\Users\SALI_2\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(cv cryptovision GmbH) C:\Program Files (x86)\cv cryptovision\cv act sc interface\RegisterTool.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13192848 2012-08-30] (Realtek Semiconductor)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [285240 2012-09-01] (Intel Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-08-16] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\...\Run: [Skype] => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\...\Run: [BingSvc] => C:\Users\SALI_2\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-02-19] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\...\MountPoints2: {5895577a-3d69-11e4-94c0-bc5ff4a55616} - F:\AutoRun.exe
HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\...\MountPoints2: {58955797-3d69-11e4-94c0-bc5ff4a55616} - F:\AutoRun.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-07-16] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cv act sc interface RegisterTool.lnk [2013-09-27]
ShortcutTarget: cv act sc interface RegisterTool.lnk -> C:\Program Files (x86)\cv cryptovision\cv act sc interface\RegisterTool.exe (cv cryptovision GmbH)
Startup: C:\Users\Sali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5AE261975B2.lnk [2016-07-22]
ShortcutTarget: D5AE261975B2.lnk -> C:\Users\Sali\AppData\Roaming\MICROS~1\Windows\NETWOR~1\@README.BMP (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{6C51E1E3-B497-4718-B322-6026194C1015}: [NameServer] 192.168.2.1

Internet Explorer:
==================
HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=SK2M&ocid=SK2MDHP&osmkt=en-us
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-07-16] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-04] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-27] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-07-16] (AVAST Software)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-04] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-27] (Oracle Corporation)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-04] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-04] (Google Inc.)
Toolbar: HKU\S-1-5-21-3059408512-1433983424-3302805123-1104 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-04] (Google Inc.)
DPF: HKLM-x32 {167248DA-0F88-4DE1-B4B1-45176751026D} hxxps://aixbs.b-trust.org/wl-dl/bs/client_test2/js/renew/CertManX.cab
DPF: HKLM-x32 {4DB62416-BC86-4439-B5BA-366948F47C8D} hxxps://aixbs.b-trust.org/wl-dl/bs/client_test2/js/sign/SCManagerX.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://active.macromedia.com/flash5/cabs/swflash.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-12-16] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-12-16] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-12-16] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-12-16] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\SALI_2\AppData\Roaming\Mozilla\Firefox\Profiles\w7prk62g.default [2016-10-11]
FF SearchEngineOrder.3: Mozilla\Firefox\Profiles\w7prk62g.default -> Bing
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\w7prk62g.default -> Bing
FF Homepage: Mozilla\Firefox\Profiles\w7prk62g.default -> about:home
FF Keyword.URL: Mozilla\Firefox\Profiles\w7prk62g.default -> hxxp://www.bing.com/search?FORM=SK2MDF&PC=SK2M&q=
FF Extension: (Bing Search) - C:\Users\SALI_2\AppData\Roaming\Mozilla\Firefox\Profiles\w7prk62g.default\Extensions\[email protected] [2016-02-19]
FF Extension: (B-Trust Tool) - C:\Users\SALI_2\AppData\Roaming\Mozilla\Firefox\Profiles\w7prk62g.default\Extensions\[email protected] [2016-01-05]
FF SearchPlugin: C:\Users\SALI_2\AppData\Roaming\Mozilla\Firefox\Profiles\w7prk62g.default\searchplugins\bing-.xml [2016-02-19]
FF SearchPlugin: C:\Users\SALI_2\AppData\Roaming\Mozilla\Firefox\Profiles\w7prk62g.default\searchplugins\bingp.xml [2014-08-06]
FF Extension: (B-Trust Smart Card Certificate) - C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected] [2016-10-02] [not signed]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-07-16]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-07-16]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_162.dll [2016-09-14] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_162.dll [2016-09-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-27] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2012-10-01] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default [2016-02-19]
CHR Extension: (Google Docs) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-07]
CHR Extension: (Google Drive) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-07]
CHR Extension: (YouTube) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-07]
CHR Extension: (Google Search) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-07]
CHR Extension: (avast! Online Security) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-08-14]
CHR Extension: (Google Wallet) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-07]
CHR Extension: (Gmail) - C:\Users\SALI_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-07]
CHR HKU\S-1-5-21-3059408512-1433983424-3302805123-1104\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [daanglpcpkjjlkhcbladppjphglbigam] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-07-02]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Autorun CDROM Monitor; C:\Windows\SysWOW64\SupportAppPT\cdrom_monEx.exe [86016 2007-12-21] () [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-07-16] (AVAST Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 A38CCID; C:\Windows\System32\DRIVERS\a38ccid.sys [62976 2014-11-13] (Advanced Card Systems Ltd.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-07-16] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-07-16] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108304 2016-07-16] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-07-16] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-07-16] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-07-16] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [473592 2016-07-16] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [162904 2016-07-16] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-16] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28216 2012-09-01] (Intel Corporation)
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-11 12:50 - 2016-10-11 12:50 - 00016443 _____ C:\Users\SALI_2\Desktop\FRST.txt
2016-10-11 12:50 - 2016-10-11 12:50 - 00000000 ____D C:\FRST
2016-10-11 12:47 - 2016-10-11 12:48 - 02407424 _____ (Farbar) C:\Users\SALI_2\Desktop\FRST64.exe
2016-10-02 20:26 - 2016-10-06 18:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-22 09:06 - 2016-09-22 16:12 - 00000000 ____D C:\Users\Sali\AppData\Local\Microsoft Games

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-11 12:46 - 2013-09-25 08:07 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-10-11 12:43 - 2014-08-07 07:56 - 00000998 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-10-11 11:59 - 2013-09-24 11:25 - 00004180 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-10-11 11:53 - 2014-09-18 15:18 - 00003962 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{0E17D482-E046-4737-A73F-B830A6C997CD}
2016-10-11 11:53 - 2009-07-14 08:13 - 00787118 _____ C:\Windows\system32\PerfStringBackup.INI
2016-10-11 11:53 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\inf
2016-10-11 11:52 - 2009-07-14 07:45 - 00019488 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-10-11 11:52 - 2009-07-14 07:45 - 00019488 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-10-11 11:47 - 2014-08-07 07:56 - 00000994 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-11 11:46 - 2009-07-14 08:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-10-07 20:20 - 2013-09-24 11:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-10-06 18:44 - 2014-08-07 07:56 - 00002193 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-29 22:23 - 2015-01-05 08:58 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-09-19 18:29 - 2016-07-20 19:01 - 00003902 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1469030494
2016-09-14 18:46 - 2013-09-25 08:07 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-09-14 18:46 - 2013-09-25 08:07 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-09-14 18:46 - 2013-09-25 08:07 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-09-14 18:46 - 2013-09-25 08:07 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-09-14 18:46 - 2013-09-25 08:07 - 00000000 ____D C:\Windows\system32\Macromed

==================== Files in the root of some directories =======

2014-05-12 15:06 - 2016-03-25 11:49 - 0004096 ____H () C:\Users\SALI_2\AppData\Local\keyfile3.drm
2015-12-03 12:41 - 2016-05-05 10:15 - 0002741 _____ () C:\Users\SALI_2\AppData\Local\PfeSettings.xml

Some files in TEMP:
====================
C:\Users\Sali\AppData\Local\Temp\cvP11.dll
C:\Users\Sali\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Sali\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Sali\AppData\Local\Temp\pkcs11wrapper.dll
C:\Users\Sali\AppData\Local\Temp\pkcs11wrapper_1380021741500.dll
C:\Users\SALI_2\AppData\Local\Temp\BingSvc.exe
C:\Users\SALI_2\AppData\Local\Temp\BSvcProcessor.exe
C:\Users\SALI_2\AppData\Local\Temp\BSvcUpdater.exe
C:\Users\SALI_2\AppData\Local\Temp\certutil.exe
C:\Users\SALI_2\AppData\Local\Temp\cvP11.dll
C:\Users\SALI_2\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\SALI_2\AppData\Local\Temp\pkcs11wrapper.dll
C:\Users\SALI_2\AppData\Local\Temp\pkcs11wrapper_1395316486376.dll
C:\Users\SALI_2\AppData\Local\Temp\SkypeSetup.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-10-06 22:18

==================== End of FRST.txt ============================

 

 

Addition.txt

Download the fixlist file and save it to your desktop.

  • Run FRST.exe and press the FIX button once!
  • The cleaning will start; do not use the system!
  • When it finishes, if it asks for a restart, agree.
  • After the system boots, post the log file named fixlog.txt, which is on your desktop.

Note: The current fix must not be used on other systems!

Step 1

Download: ADWCleaner.

  • Close all browsers and run AdwCleaner.exe.
  • Press the SCAN button.
  • After the scan finishes, press the CLEAN button.
  • The program will close unnecessary software and begin cleaning.
  • After cleaning finishes, ADWCleaner will ask for a restart. Agree.
  • After the system boots, go to C:\AdwCleaner and look for the log file named AdwCleaner[C0].txt.
  • Post the contents of "AdwCleaner[C0]" in your next comment.

 

Step 2

Download: Malwarebytes Anti-Malware.

  • Run the installer and follow the setup wizard.
  • Before the end of the installation, uncheck "Enable free trial of Malwarebytes Anti-Malware Premium" and make sure "Launch Malwarebytes Anti-Malware" is checked.
  • Go to the Settings tab => Detection and Protection => check "Scan for rootkits".
  • Go to the Dashboard tab => press the "SCAN NOW" button.
  • The program will automatically check for updates and start the scan.

Note: If you see the message "Could not load DDA driver", press the "YES" button. Then allow the system to restart.

  • After the scan finishes, press the "Apply Actions" button.
  • The system will ask for a restart; agree.
  • After the system boots, MBAM will load.
  • Go to the History tab => Application Logs.
  • Find the log named "SCAN LOG" with the latest date and time and click on it.
  • Press the EXPORT button => Copy to Clipboard.
  • Paste the contents of the log with CTRL+V into your next comment.

ADWCleaner gave an error on startup.

[attached screenshot: adwarecleaner.png]

Malwarebytes did not detect anything and did not ask for a restart.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 13.10.2016 г.
Scan Time: 08:04 ч.
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.13.03
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: SALI_2

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 340086
Time Elapsed: 15 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Regarding the AdwCleaner error, I will tell my colleagues; it is probably a bug in that version.

The system is clean. Last step, to clean up the tools and logs we used.

Download: Delfix.

  • Run Delfix.exe.
  • By default there should be two boxes checked: "Remove disinfection tools" and "Purge system restore".
  • Uncheck "Purge system restore".
  • Press the "Run" button.
  • The tool will delete itself once it has finished its task.
  • Delete the Delfix log file.
  • If any of the programs we used remain and did not delete themselves, delete them manually.

 

For this kind of ransomware, as you know, there is no decryptor. I don't know whether one is expected soon. I hope you have a backup of some or most of your files, because otherwise recovering them will be a difficult, not to say impossible, mission. You can try Shadow Explorer, the program for recovering old copies of files. You can also try RStudio.
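Before reaching for Shadow Explorer it is worth checking whether any Volume Shadow Copies still exist on the machine, since many ransomware families delete them and the check takes seconds. The script below is an added example, not code from the thread or from the helper; it assumes an elevated PowerShell prompt, uses Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Windows 7 (the OS in the FRST log above), and the mount point C:\ShadowMount is an assumed name you can change.

```powershell
# Added example (not from the forum thread): list existing Volume Shadow Copies and,
# optionally, expose one as a read-only folder so files can be copied out of it.
# Assumptions: elevated prompt; Windows 7 or later with the VSS service present;
# the mount point C:\ShadowMount is a hypothetical name chosen for this example.

function Get-ShadowCopySummary {
    # Map volume GUID paths (\\?\Volume{...}\) to drive letters for readable output
    $letters = @{}
    foreach ($v in Get-WmiObject -Class Win32_Volume) {
        if ($v.DriveLetter) { $letters[$v.DeviceID] = $v.DriveLetter }
    }

    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        New-Object PSObject -Property @{
            Drive        = $letters[$_.VolumeName]
            Created      = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Persistent   = $_.Persistent
        }
    } | Sort-Object Drive, Created
}

function Mount-ShadowCopy {
    # Expose one snapshot through a directory symlink; the snapshot itself stays read-only.
    # The trailing backslash on the link target is required by mklink for GLOBALROOT paths.
    param(
        [Parameter(Mandatory = $true)][string]$DeviceObject,
        [string]$MountPoint = 'C:\ShadowMount'
    )
    if (Test-Path $MountPoint) { throw "$MountPoint already exists; choose another mount point." }
    cmd.exe /c mklink /d $MountPoint "$DeviceObject\" | Out-Null
    Get-Item $MountPoint
}

$summary = Get-ShadowCopySummary
if (-not $summary) {
    Write-Host 'No shadow copies present: previous-version recovery will not work on this machine.'
} else {
    $summary | Format-Table Drive, Created, Persistent, DeviceObject -AutoSize
    # Example: mount the oldest snapshot of C: (the one most likely to predate the
    # encryption) and look for files whose original names you know:
    #   $oldest = $summary | Where-Object { $_.Drive -eq 'C:' } | Select-Object -First 1
    #   Mount-ShadowCopy -DeviceObject $oldest.DeviceObject
    #   Get-ChildItem 'C:\ShadowMount\Users' -Recurse -Filter '*.docx' | Select-Object -First 20
    # Remove the link afterwards with:  cmd.exe /c rmdir C:\ShadowMount
}
```

If the summary is empty, the snapshots are gone and only a file-carving tool or an external backup can help; if snapshots are listed, copy files out of the mounted link rather than working in place, and remove the link with rmdir (not Remove-Item on its contents) so the snapshot is left untouched.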

 


Yes, unfortunately there isn't one. This is my second computer that has caught an infection like this, and this one, like the previous one, had the free version of Avast installed, which turns out to be pitiful protection. My new practice is to install the free Malwarebytes Anti-Ransomware tool alongside the antivirus, but I can't say how effective it is. In any case I am very grateful to you for the help provided, and you can mark the topic as solved.
