jessica

Users
Posts: 4,099

Replies posted by jessica

  1. "when I'm not at home, and certainly nobody is using my laptop) messages get sent to all my contacts on Skype"

    so your computer has nothing to do with those messages; everything happens on the server. There's nothing you can do about it.

    Write to all your contacts about it, so they don't blame you for something you have no influence over.

    There's nothing suspicious in the logs.

    Open Notepad and paste into it:

    URLSearchHook: [s-1-5-21-3019487804-52293770-1750824518-1001] ATTENTION => Default URLSearchHook is missing
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    C:\WINDOWS\SysWOW64\AI_RecycleBin
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.

    Just in case:
    Use > MBAM
    During installation, untick the box next to "Start the Malwarebytes Anti-Malware Premium trial".

    jessi

  2. OPR Extension: (vux777) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\bpmgfnikhlpakdkeeahboleoommganka [2015-06-18]
    OPR Extension: (gorhill) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\clblbeknmgobkgonndomehcjpckopfeh [2015-04-21]
    OPR Extension: (twentythird) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\fnbofgmfpnlfgbebhlakhkghalpibjfl [2015-04-09]
    OPR Extension: (Pin It Button) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2015-04-09]
    OPR Extension: (SearchPreview) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\hcjdanpjacpeeppdjkppebobilhaglfo [2015-07-23]
    OPR Extension: (olshevchenko) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\hejmbdkkeoiiemfkhpolhpehkpogcdip [2015-04-08]
    OPR Extension: (Facebook - Delete All Messages) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\hgiidlnejdlfoacoeleopkljhbckmlko [2015-04-09]
    OPR Extension: (Video Downloader All In One) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\hncfligbngnblibbmgeacoomaelmhpko [2015-04-08]
    OPR Extension: (LastPass) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\hnjalnkldgigidggphhmacmimbdlafdo [2015-04-08]
    OPR Extension: (esolutionsnordicab) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\jikibpedldihacokaanimbcjipghbloo [2015-04-08]
    OPR Extension: (gorhill) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\kccohkcpppjjkkjppopfnflnebibpida [2015-04-09]
    OPR Extension: (QuHno) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\kgpkcoplbemkfoacdhpjhgdokcagnhkg [2015-04-08]
    OPR Extension: (Download Chrome Extension) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\kipjbhgniklcnglfaldilecjomjaddfi [2015-04-08]
    OPR Extension: (Nekomajin) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\ldjjgoghneoimklgonjoomilngfnhiji [2015-06-17]
    OPR Extension: (franmart27) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\lkefdgdkflglnokhamcliipleglggfde [2015-04-09]
    OPR Extension: (reesmichael1) - C:\Users\Paweł\AppData\Roaming\Opera Software\Opera Stable\Extensions\pnnkalbgagmmfnidchpnamllaabklclj [2015-06-17]

    I forgot to ask: do you recognise all of these Opera extensions?

    jessi

  3. Task: {EC8A3501-D745-4105-8A37-3FC5C8C7B660} - System32\Tasks\Advanced System~Protector_startup => C:\Program Files (x86)\ASP\AdvancedSystemProtector.exe <==== ATTENTION

    This is the only suspicious thing in the logs, so I'm putting it up for removal. Besides, no such program appears on your list of installed programs at all.

    Open Notepad and paste into it:

    Task: {0A46AB85-D79A-408A-BF69-BD7B035072DB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {0C3F2202-BAEF-44AD-8515-37149582F642} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {160A6D2F-6DEB-4F39-9477-7D69DF67FD57} - System32\Tasks\{1660EEAC-CED0-4856-82AC-3B8A9E2FC8E4} => pcalua.exe -a "C:\Program Files (x86)\ASUS\AI Suite II\EasyUpdate\Temp\2\Setup.exe" -d "C:\Program Files (x86)\ASUS\AI Suite II\EasyUpdate\Temp\2" -c -s
    Task: {1D2788FE-5057-41E9-ACDF-1F10282885BE} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {3DE3A75D-EFF1-45E3-A6FA-DDAA37FE46D7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {83CD6275-B6EB-4989-87C4-8BF3EC700E0B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {8F1E0B8F-8468-4AEB-A3A6-766B54A967C4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {A6C91A33-B3FE-41DF-B953-08C192AAC5D0} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {A9D52D8C-CC56-4FA8-BE40-7102C9754255} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {B29DE151-D7B1-42D6-8ED1-D0170C2116AC} - System32\Tasks\{E7FE28FC-9D78-451D-AE04-C665160DC0E9} => pcalua.exe -a E:\opinie\038\Płyta\zawartość\start_Player.exe -d E:\opinie\038\Płyta\zawartość
    Task: {BFD4571A-CB90-40BF-B9FC-F269F5BC8884} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {D64DD4B2-51AA-40E1-B59C-3520EA0C55C1} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {DBB83F15-4D07-49EC-8DEF-23EED3FF9A24} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {EC8A3501-D745-4105-8A37-3FC5C8C7B660} - System32\Tasks\Advanced System~Protector_startup => C:\Program Files (x86)\ASP\AdvancedSystemProtector.exe <==== ATTENTION
    C:\Program Files (x86)\ASP
    HKLM-x32\...\Run: [] => [X]
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [No File]
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [No File]
    S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
    C:\Users\Paweł\en_res.dll
    C:\Users\Paweł\es_res.dll
    C:\Users\Paweł\fr_res.dll
    C:\Users\Paweł\grm_res.dll
    C:\Users\Paweł\it_res.dll
    C:\Users\Paweł\jp_res.dll
    C:\Users\Paweł\mfc80u.dll
    C:\Users\Paweł\msvcr80.dll
    C:\Users\Paweł\PCPE Setup.exe
    C:\Users\Paweł\pt_res.dll
    C:\Users\Paweł\ResourceReader.dll
    C:\Users\Paweł\ru_res.dll
    C:\Users\Paweł\zh_res.dll
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    Run FRST.
    In the SEARCH field paste:

    *xsrving*.*

    and click the "Search Files" button.
    The report from this will be where FRST is.

    Run FRST.
    In the SEARCH field paste:

    xsrving

    and click the "Search Registry" button.
    The report from this will be where FRST is.

    jessi

  4. 1) Uninstall:

    Ads Remover (HKLM-x32\...\{37476589-E48E-439E-A706-56189E2ED4C4}_is1) (Version:  - Ads Remover) <==== ATTENTION
    BocaRunner (HKLM-x32\...\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24b98b58}) (Version:  - Software Publisher) <==== ATTENTION
    SystemSafeguard (HKLM-x32\...\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{fd3b02ee}) (Version:  - Software Publisher) <==== ATTENTION

    2) Use > Adw-cleaner
    First click SCAN, and only after the scan finishes, when the CLEANING button becomes active, click it.
    Show its report, C:\AdwCleaner\AdwCleaner.txt

    3) Open Notepad and paste into it:

    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    CHR HKU\S-1-5-21-1969771943-1992250132-2515998065-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    C:\Users\Public\AlexaNSISPlugin.4388.dll
    C:\ProgramData\19e5eb8800006947
    C:\ProgramData\2289201406361604925
    C:\ProgramData\393af48300007833
    C:\Program Files (x86)\SystemSafeguard
    R1 {55685567-4840-4a91-962b-49a412e9485a}Gw64; C:\Windows\System32\drivers\{55685567-4840-4a91-962b-49a412e9485a}Gw64.sys [61112 2014-05-26] (StdLib)
    R1 {55685567-4840-4a91-962b-49a412e9485a}w64; C:\Windows\System32\drivers\{55685567-4840-4a91-962b-49a412e9485a}w64.sys [61112 2014-05-26] (StdLib)
    R1 {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64; C:\Windows\System32\drivers\{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64.sys [61112 2014-04-28] (StdLib)
    C:\Windows\System32\drivers\{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64.sys
    C:\Windows\System32\drivers\{55685567-4840-4a91-962b-49a412e9485a}w64.sys
    C:\Windows\System32\drivers\{55685567-4840-4a91-962b-49a412e9485a}Gw64.sys
    S4 24b98b58; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\BocaRunner\BocaRunner.dll",serv
    S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
    S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
    S2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [X]
    c:\Program Files (x86)\BocaRunner
    R2 fd3b02ee; c:\Program Files (x86)\SystemSafeguard\SystemSafeguard.dll [2712576 2015-08-13] () [File not signed]
    c:\Program Files (x86)\SystemSafeguard
    FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\Komputer\AppData\Roaming\Mozilla\Firefox\Profiles\r60vco4w.default-1401830103760\extensions\searchengine@gmail.com
    FF Extension: Mini - Adblocker - C:\Users\Komputer\AppData\Roaming\Mozilla\Firefox\Profiles\nu54x2o1.default-1428679692836\Extensions\pxxavgpylscurt@jtkokkcabntoqiggjz.org [2015-08-14]
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
    Toolbar: HKU\S-1-5-21-1969771943-1992250132-2515998065-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9&q={searchTerms}
    HKU\S-1-5-21-1969771943-1992250132-2515998065-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1427367248&from=wpc&uid=ST500LT012-9WS142_W0V15EA9XXXXW0V15EA9
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    4) Tell me whether the problem is gone.

    jessi
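Every reply in this thread follows the same routine: read the FRST log, pick out the orphaned or suspicious entries (tasks pointing at "No File", services marked [X], unsigned or rundll32-hosted service binaries, AppInit_DLLs hooks, browser policy locks, hijacked search URLs) and paste those lines back into a fixlist.txt for FRST's Fix button. As an added example, not code from this thread, from jessica, or from FRST's author, the Python below applies that reading to constructed sample lines modelled on the logs quoted above. The categories, severities and the FIXLIST_CATEGORIES set are my own triage heuristics, not anything FRST defines; the one FRST behaviour it relies on is the one the posts use, namely that a log line copied verbatim into fixlist.txt is a removal directive.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: FRST-style lines modelled on the ones quoted in the
# posts above. Illustrative only, not a real log.
SAMPLE_LOG = r"""
Task: {0A46AB85-D79A-408A-BF69-BD7B035072DB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EC8A3501-D745-4105-8A37-3FC5C8C7B660} - System32\Tasks\Advanced System~Protector_startup => C:\Program Files (x86)\ASP\AdvancedSystemProtector.exe <==== ATTENTION
Task: {160A6D2F-6DEB-4F39-9477-7D69DF67FD57} - System32\Tasks\{1660EEAC-CED0-4856-82AC-3B8A9E2FC8E4} => pcalua.exe -a "C:\Program Files (x86)\ASUS\AI Suite II\EasyUpdate\Temp\2\Setup.exe" -d "C:\Program Files (x86)\ASUS\AI Suite II\EasyUpdate\Temp\2" -c -s
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
R1 {55685567-4840-4a91-962b-49a412e9485a}Gw64; C:\Windows\System32\drivers\{55685567-4840-4a91-962b-49a412e9485a}Gw64.sys [61112 2014-05-26] (StdLib)
R2 fd3b02ee; c:\Program Files (x86)\SystemSafeguard\SystemSafeguard.dll [2712576 2015-08-13] () [File not signed]
S4 24b98b58; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\BocaRunner\BocaRunner.dll",serv
AppInit_DLLs: C:\ProgramData\Tristip\tiaqgh20.dll => C:\ProgramData\Tristip\tiaqgh20.dll [136192 2015-08-19] ()
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&q={searchTerms}
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
"""

# Line shapes as they appear in the quoted logs (hypothetical patterns written for this example).
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - (?P<name>.+?) (?:->|=>) "
    r"(?P<target>.+?)(?P<flag> <==== ATTENTION)?$"
)
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs(?:-x32)?: (?P<dll>.+?) => ")
SEARCH_RE = re.compile(
    r"^(?P<key>HK(?:LM|U)\\.+?),(?P<value>Search Page|Start Page|Default_Page_URL|Default_Search_URL)"
    r" = (?P<url>hxxps?://\S+)$"
)
POLICY_RE = re.compile(r"Policy restriction|Group Policy (?:on Chrome )?detected")

# Categories that the posts above copy into fixlist.txt more or less mechanically.
# This is a triage heuristic of my own; a human still reviews the draft before Fix.
FIXLIST_CATEGORIES = {
    "orphaned-task", "orphaned-service", "flagged-task", "unsigned-service-binary",
    "rundll32-hosted-service", "appinit-dll", "hijacked-search-url", "browser-policy-lock",
}


@dataclass
class Finding:
    severity: str   # "info": dead entry, nothing on disk; "medium": review; "high": live persistence
    category: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Map one FRST log line to a triage finding, or None if it is not interesting."""
    line = line.strip()
    if not line:
        return None
    m = TASK_RE.match(line)
    if m:
        target = m.group("target")
        if target == "No File":
            # Scheduled task whose job file is gone: a leftover, safe to list for removal.
            return Finding("info", "orphaned-task", line)
        if target.startswith("pcalua.exe"):
            # Program Compatibility Assistant launcher wrapping an (un)installer: leftover.
            return Finding("info", "pcalua-wrapped-task", line)
        if m.group("flag"):
            # FRST flagged a task that still points at a real executable: check that target.
            return Finding("high", "flagged-task", line)
        return Finding("medium", "task", line)
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest")
        if rest.endswith("[X]"):
            return Finding("info", "orphaned-service", line)     # registered, binary missing
        if "[File not signed]" in rest:
            return Finding("high", "unsigned-service-binary", line)
        if "rundll32.exe" in rest.lower():
            # A service "binary" that is rundll32 loading a DLL: the DLL is what needs review.
            return Finding("high", "rundll32-hosted-service", line)
        return Finding("medium", "service", line)
    if APPINIT_RE.match(line):
        # AppInit_DLLs is loaded into every process that loads user32.dll.
        return Finding("high", "appinit-dll", line)
    if SEARCH_RE.match(line):
        return Finding("medium", "hijacked-search-url", line)
    if POLICY_RE.search(line):
        return Finding("medium", "browser-policy-lock", line)
    return None


def triage(log_text: str) -> list:
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def draft_fixlist(findings) -> list:
    """Draft fixlist.txt the way the posts build it: the log lines themselves, then EmptyTemp:."""
    lines = [f.line for f in findings if f.category in FIXLIST_CATEGORIES]
    lines.append("EmptyTemp:")
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.category:24} {f.line[:70]}")
    print(summarize(found))
    print("\n".join(draft_fixlist(found)))
```

The split into "info" (nothing on disk, removal is housekeeping) and "high" (a binary that still runs) mirrors the distinction the replies draw between "cosmetics" and the one entry that is actually suspicious; anything "medium" is left for the person reading the log to decide.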
     

  5. I don't see any infection here.

    Cosmetics:
    Open Notepad and paste into it:

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-2195184045-3265951034-2981680463-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-2195184045-3265951034-2981680463-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://startsear.ch/?aff=2&src=sp&cf=3e30cbc9-dcc1-11e1-950c-b482fe52c840&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2195184045-3265951034-2981680463-1000 -> ToolbarSearchProviderProgress {96bd48dd-741b-41ae-ac4a-aff96ba00f7e}
    SearchScopes: HKU\S-1-5-21-2195184045-3265951034-2981680463-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://startsear.ch/?aff=2&src=sp&cf=3e30cbc9-dcc1-11e1-950c-b482fe52c840&q={searchTerms}
    BHO-x32: IplexToALLPlayer -> {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} ->  No File
    Toolbar: HKU\S-1-5-21-2195184045-3265951034-2981680463-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    CHR HKLM-x32\...\Chrome\Extension: [pbiamblgmkgbcgbcgejjgebalncpmhnp] - <no Path/update_url>
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 nmwcdcx64; system32\drivers\ccdcmbox64.sys [X]
    S3 nmwcdx64; system32\drivers\ccdcmbx64.sys [X]
    S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [X]
    S3 upperdev; system32\DRIVERS\usbser_lowerfltx64.sys [X]
    S3 UsbserFilt; system32\DRIVERS\usbser_lowerfltx64j.sys [X]
    S3 X6va003; \??\C:\Users\Brave\AppData\Local\Temp\00358F8.tmp [X]
    Task: {75864C43-5BF1-40D0-A4E2-789C9CBEDF86} - System32\Tasks\{DC99E662-1431-40D0-B629-257EB54CB8F8} => pcalua.exe -a D:\GRY\Diablo-III-8370-plPL-Installer-downloader.exe -d D:\GRY
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.

    jessi

  6. Paste into Notepad:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]

    From the Notepad menu >> File >> Save as >> set the file type to All files >> Save as > FIX.REG >>
    run the file (double-click and OK).

    Apart from that, there's nothing suspicious in the logs.

    Reinstall Firefox.

    jessi

  7. Judging by the logs, the router is OK now.

    Open Notepad and paste into it:

    Task: {38E7E29C-9CE7-48DE-9A8F-43D23FDBEE72} - System32\Tasks\{D1BBDE40-68F7-4042-9BFE-36EFD4FC6EF8} => pcalua.exe -a C:\Users\Sierotaa\AppData\Roaming\istartsurf\UninstallManager.exe -c  -ptid=smt
    BHO-x32: No Name -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} ->  No File
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    S3 andnetadb; System32\Drivers\lgandnetadb.sys [X]
    S3 AndNetDiag; system32\DRIVERS\lgandnetdiag64.sys [X]
    S3 ANDNetModem; system32\DRIVERS\lgandnetmodem64.sys [X]
    S3 NPF; system32\drivers\NPF.sys [X]
    C:\Users\Sierotaa\Downloads\SpyHunter-Installer (1).exe
    2015-07-24 15:59 - 2015-08-18 01:41 - 00000000 ____D C:\Program Files (x86)\SFK
    2015-07-24 15:59 - 2015-08-05 17:15 - 00000000 ____D C:\ProgramData\lWinManProl
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    jessi

  8. 1) Open Notepad and paste into it:

    HKU\S-1-5-21-3407648282-1425260306-897566876-1001\Software\Classes\.exe: exefile =>  <===== ATTENTION
    HKU\S-1-5-21-3407648282-1425260306-897566876-1001\Software\Classes\exefile:  <===== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-3407648282-1425260306-897566876-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    HKU\S-1-5-21-3407648282-1425260306-897566876-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBPxn49PYmQ6e1krQXBFZY3cpdwhZoKup-p_BEjzq8N_qxiOSokV5zDPACFAPRvfCJg2wnc9Fwo44M_yKxdsRg-yDhoA1fx-hAY1L56Fp2AmmJIQMgIrhi9tDzLRxSJo3En3qCGoWuWpvr5QQamKkONPk00f-wey-k9qQ,,&q={searchTerms}
    S0 is3srv; SySWOW64\drivers\is3srv64.sys [X]
    S0 szkg5; SySWOW64\drivers\szkg64.sys [X]
    C:\Users\User\Downloads\SpyHunter-Installer.exe
    C:\Users\User\AppData\Roaming\Solvusoft
    C:\ProgramData\WWinManProW
    C:\Users\User\AppData\Roaming\GoldenGate
    2015-08-17 12:21 - 2015-08-18 16:10 - 00000000 ____D C:\ProgramData\Tristip
    2015-08-17 12:21 - 2015-08-17 12:21 - 00000000 ____D C:\ProgramData\Tristips
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    2) Make new FRST logs, this time without Shortcut.

    jessi

  9. SafeFinder (HKLM-x32\...\{B1228E32-6012-4A83-A136-FB49BEC46B0D}) (Version: 1.0.0.0 - Linkury)

    Open Notepad and paste into it:

    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeFinder" /f
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B1228E32-6012-4A83-A136-FB49BEC46B0D}" /f
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    Tell me whether it has disappeared from the Programs list.

    jessi

  10. 1) Open Notepad and paste into it:

    Task: {571D9061-DEC6-4BC1-97F1-DCC2FC1C7B68} - \snf -> No File <==== ATTENTION
    Task: {852AF476-E5AA-4FDB-9185-87F46F862876} - \snp -> No File <==== ATTENTION
    Task: {BCE6A675-A41A-4029-A77C-BB2CE726371F} - \APSnotifierPP1 -> No File <==== ATTENTION
    Task: {C4EE912F-3A69-47B3-9B46-74C2CA732C38} - System32\Tasks\{1D20848B-9FF4-4D69-ABF2-BF8599D68F2F} => pcalua.exe -a C:\Users\Ilona\AppData\Roaming\mystartsearch\UninstallManager.exe -c  -ptid=cmi
    C:\ProgramData\Tristip
    AppInit_DLLs: C:\ProgramData\Tristip\tiaqgh20.dll => C:\ProgramData\Tristip\tiaqgh20.dll [136192 2015-08-19] ()
    AppInit_DLLs-x32: C:\ProgramData\Tristip\x4wgamir.dll => C:\ProgramData\Tristip\x4wgamir.dll [119808 2015-08-19] ()
    SearchScopes: HKU\S-1-5-21-2456979592-2387919666-1884685256-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
    FF DefaultSearchEngine: findit
    OPR StartupUrls: "hxxp://www.mystartsearch.com/?type=hp&ts=1439294669&z=411cb8de5382f65c2712562g2zbc4t3oftez6w5b6b&from=cvs&uid=ST1000LM014-SSHD-8GB_W3812N51XXXXW3812N51"
    S2 Application Hosting; C:\ProgramData\Application Hosting\Application Hosting.exe [X]
    R2 Tristip; C:\ProgramData\Tristip\Tristip [X]
    C:\WINDOWS\Minidump\*.dmp
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    C:\ProgramData\Tristips
    C:\Users\Ilona\Downloads\SpyHunter-Installer.exe
    C:\WINDOWS\System32\Tasks\{1D20848B-9FF4-4D69-ABF2-BF8599D68F2F}
    C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
    C:\ProgramData\7b24ec7cc000461ebe26d116b88142c8
    C:\ProgramData\Application Hosting
    C:\Users\Ilona\AppData\Local\Microsoft\Windows\INetCache\IE\THHMD8KF\zd71854y.exe
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    2) Make new FRST logs.

    jessi

  11. I don't see anything suspicious in the logs.

    Minor cosmetics:
    Open Notepad and paste into it:

    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    GroupPolicyScripts: Group Policy detected <======= ATTENTION
    HKU\S-1-5-21-299502267-1060284298-682003330-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.

    -------

    @Picasso is back around 23 August, so then you can report your topic in this (or a similar, updated) thread: http://www.fixitpc.p...bez-odpowiedzi/ (if you think it's worth it)

    jessi

  12. TDSSKiller didn't detect anything because NECURS had already been removed earlier.

    Open Notepad and paste into it:

    Task: {16E72671-61F1-4E81-9C2B-0CC10BE16BC9} - \Advanced-System Protector_startup -> No File <==== ATTENTION
    Task: {2928C2F9-EC75-4CE8-AF28-A05AA4AB1F9E} - \PhraseProfessor Auto Updater 1.10.0.21 Pending Update -> No File <==== ATTENTION
    Task: {2CE75BC5-A788-47F2-B473-6C02891CEE11} - \PhraseProfessor Auto Updater 1.10.0.21 Core -> No File <==== ATTENTION
    Task: {2D656894-BD7F-45CC-925D-7F30C9D77EBC} - \Microsoft\Windows\WindowsCalendar\Reminders - Administrator -> No File <==== ATTENTION
    Task: {3F422672-4928-4108-8716-A1BB53EAA0FB} - \globalUpdateUpdateTaskMachineCore -> No File <==== ATTENTION
    Task: {4FF4F082-9069-463B-BAA4-1EC38A9AF614} - System32\Tasks\zNNNHgS7E3WsX => C:\Users\Administrator\AppData\Roaming\zNNNHgS7E3WsX.exe <==== ATTENTION
    Task: {798D130B-1A21-4CEC-816C-DEA517C566E6} - \globalUpdateUpdateTaskMachineUA -> No File <==== ATTENTION
    Task: {93924823-74DA-45CB-933C-DD6A41D7911B} - \SmartWeb Upgrade Trigger Task -> No File <==== ATTENTION
    C:\Users\Administrator\AppData\Roaming\zNNNHgS7E3WsX.exe
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-2511829651-333839240-3277264240-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-2511829651-333839240-3277264240-500 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
    S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    I don't see anything wrong here, apart from the fact that it is disabled.

    @Picasso is back around 23 August, so then report your topic in this (or a similar, updated) thread: http://www.fixitpc.p...bez-odpowiedzi/

    jessi

  13. Open Notepad and paste into it:

    FirewallRules: [{B33B7699-E908-48B5-AB05-18376319226E}] => (Allow) C:\Users\Part\AppData\Local\Temp\nsq7BF4.tmp\CnetInstaller-10333488.exe
    FirewallRules: [{F91DDCE0-4E8F-4E63-8A08-B4D7F32D90BF}] => (Allow) C:\Users\Part\AppData\Local\Temp\nsq7BF4.tmp\CnetInstaller-10333488.exe
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.

    Then we can finish up:
    Open Notepad and paste into it:

    DeleteQuarantine:

    Save the file as fixlist.txt and put it next to FRST. Run FRST and click Fix.
    Delete the remaining C:\FRST folder with SHIFT+DEL.

    In Adw-Cleaner click the Uninstall (UNINSTALL) button.

    jessi

  14. Open Notepad and paste into it:

    GroupPolicyScripts: Group Policy detected <======= ATTENTION
    GroupPolicyScripts-x32: Group Policy detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-3964238456-481189441-1564628236-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-3964238456-481189441-1564628236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-3964238456-481189441-1564628236-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://f.jiss360.cn/
    HKU\S-1-5-21-3964238456-481189441-1564628236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://f.jiss360.cn/
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A file fixlog.txt will be created.
    Post that log.

    Tell me whether the problem is gone.

    jessi

  15. U5 f19352234bf42685; C:\Windows\System32\Drivers\f19352234bf42685.sys [86272 2015-06-15] () <===== ATTENTION Necurs Rootkit?

    Use TDSSKiller https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/?do=findComment&comment=33542
    Post the report from it.

    Make new FRST logs.

    Make a log with Farbar Service Scanner > http://download.bleepingcomputer.com/farbar/FSS.exe (tick everything for the scan).

    What did ComboFix remove?

    jessi

     
