V9.com delta-homes.com itd

[grant322]

Witam

Zainfekowany system to win8 x64. W folderze pliki programów (x86) tworzą się nowe foldery z plikami .dat, jak tylko usunę dziwnie nazywające się katalogi to od razu pojawiają się nowe (Woot! Watcher). Strony startowe w firefoxie i chromie to V9.com delta-homes.com, opera wyglada ok. Odinstalowałem też kilka programów z poziomu panelu sterowania takich jak OkayFreedom, Super Optimizer i wiele innych dziwnych nazw.

Załączam logi z Avasta bo znalazł dosyć dużo rzeczy podczas skanowania w trybie przed uruchomieniem systemu.

 

Z góry dzięki za pomoc.

Addition.txt

FRST.txt

gmer.txt

Shortcut.txt

Avast-Browser-Cleanup-silent.txt

nshield.txt

Cleaner.txt

aswAr1.txt

selfdef.txt

Avast-Browser-Cleanup.txt

[jessica]

HKU\S-1-5-21-570381415-172665024-2664267942-1002\...\Run: [ViStart] => C:\Users\Agnieszka Śliwa\AppData\Roaming\ViStart\ViStart.exe

Znasz to?

 

Otwórz Notatnik i wklej w nim:

 

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1421579734&from=cor&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX&q={searchTerms}

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = https://uk.search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1421579734&from=cor&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX&q={searchTerms}

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

HKU\S-1-5-21-570381415-172665024-2664267942-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

HKU\S-1-5-21-570381415-172665024-2664267942-1002\Software\Microsoft\Internet Explorer\Main,Search Page = https://uk.search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}

HKU\S-1-5-21-570381415-172665024-2664267942-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.yahoo.com/?fr=hp-avast&type=agc511

HKU\S-1-5-21-570381415-172665024-2664267942-1002\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.uk.msn.com/HPALL14/175

HKU\S-1-5-21-570381415-172665024-2664267942-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1433840770&from=mych123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg

SearchScopes: HKLM -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =

SearchScopes: HKLM-x32 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = http://www.v9.com/web?type=ds&ts=1433840770&from=zzgbkk123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg&q={searchTerms}

SearchScopes: HKLM-x32 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = http://www.v9.com/web?type=ds&ts=1433840770&from=zzgbkk123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg&q={searchTerms}

SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://uk.search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = http://www.v9.com/web?type=ds&ts=1433840770&from=zzgbkk123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg&q={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX&ts=1421579782&type=default&q={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?type=ds&ts=1432820694&z=e7d0d57de26ee4dc32196cagdz4c5o8b5ofe1q3t8z&from=wpm05283&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX&q={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = http://www.v9.com/web?type=ds&ts=1433840770&from=zzgbkk123&uid=hgstxhts541075a9e680_jd12001w11yl6a11yl6ax&z=1ff6e82b68466207b9e3c18g9z8cac9bazae2mdmfg&q={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://uk.search.yahoo.com/yhs/search?type=agc511&hspart=avast&hsimp=yhs-001&p={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> {ABBBABFF-B355-4947-A73D-CB39C254F93F} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX&ts=1421579782&type=default&q={searchTerms}

SearchScopes: HKU\S-1-5-21-570381415-172665024-2664267942-1002 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX&ts=1421579782&type=default&q={searchTerms}

FF NewTab: hxxp://www.delta-homes.com/newtab/?type=nt&ts=1432820694&z=e7d0d57de26ee4dc32196cagdz4c5o8b5ofe1q3t8z&from=wpm05283&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX

FF SelectedSearchEngine: delta-homes

FF Homepage: hxxp://www.delta-homes.com/?type=hp&ts=1432820694&z=e7d0d57de26ee4dc32196cagdz4c5o8b5ofe1q3t8z&from=wpm05283&uid=HGSTXHTS541075A9E680_JD12001W11YL6A11YL6AX

FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\delta-homes.xml [2015-05-28]

FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\omiga-plus.xml [2015-01-18]

CHR Extension: (No Name) - C:\Users\Agnieszka Śliwa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nanjbjffndkhfmfmajgjieopjpckpeho [2015-06-02]

S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]

S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

S2 Update Solution Real; "C:\Program Files (x86)\Solution Real\updateSolutionReal.exe" [X]

S2 Util Solution Real; "C:\Program Files (x86)\Solution Real\bin\utilSolutionReal.exe" [X]

Task: {23EE47A7-F2A9-477E-A28B-F71C1C584421} - System32\Tasks\{336DF296-4FDC-4D1D-BBA9-A7FFAEEDC3C1} => pcalua.exe -a "C:\Users\Agnieszka Śliwa\AppData\Roaming\omiga-plus\UninstallManager.exe" -c -ptid=cor <==== ATTENTION

C:\Users\Agnieszka Śliwa\AppData\Roaming\omiga-plus

Task: {E2615DB5-50B3-4FE2-9A56-A9B1AA664FE2} - System32\Tasks\{9D20B877-CCB2-4F51-B467-EA87C7506EDB} => pcalua.exe -a F:\Uruchom.exe -d F:\

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

CHR HKU\S-1-5-21-570381415-172665024-2664267942-1002\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

HKU\S-1-5-21-570381415-172665024-2664267942-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe

Uruchom FRST i kliknij przycisk Fix.

Powstanie plik fixlog.txt.

Daj ten log.

 

Jesli jeszcze będzie "coś nie tak", to użyjesz Adw-cleaner

najpierw klikniesz na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to klikniesz na niego.

Pokażesz raport z niego C:\AdwCleaner\AdwCleaner.txt

 

 

 

CHR dev: Chrome dev build detected! <======= ATTENTION

Odinstaluj tę dziurawą wersję Google Chrome.

Zainstaluj stąd > http://www.google.com/chrome/

 

Zrób nowe logi FRST

 

jessi

[grant322]

Dzięki za pomoc.

Zamieszczam logi. Niestety fixlog się nadpisał bo za drugim razem dodałem sam ten wpis "Vistart.exe".

Adw cleaner już nic nie znajduje.

Czy wygląda już czysto?

AdwCleanerS0.txt

Addition.txt

Fixlog.txt

FRST.txt

Shortcut.txt

[jessica]

Drobna kosmetyka:

Otwórz Notatnik i wklej w nim:

 

C:\Users\Public\Desktop\Google Chrome.lnk
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix.

 

Powinno już być OK.

 

Otwórz Notatnik i wklej w nim:

 

DeleteQuarantine:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST. Uruchom FRST i kliknij w Fix.
przez SHIFT+DEL usuń pozostały folder C:\FRST.

W Adw-Cleaner kliknij na przycisk Odinstaluj (UNINSTALL).

 

jessi

[grant322]

Zrobione. Jeszcze raz wielkie dzięki.