Replies posted by jessica

  1. Open Notepad and paste the following into it:

     

    CMD: sc config wscsvc start= delayed-auto /C
    Task: {1697A218-19B3-4B04-9071-916DAA6CDCA1} - System32\Tasks\{1DB272E0-C8C3-4F71-A84C-66B95B5009FE} => pcalua.exe -a C:\setup.exe -d C:\
    Task: {42ED4656-154B-44F8-8FBE-9100A5FB94F9} - System32\Tasks\{E7A0805D-7A4E-4378-8146-BD9466A16EF4} => pcalua.exe -a "C:\Users\Iwonka\Desktop\Pliki instalacyjne do IntericadT5\InteriCad_T5_PL\InteriCad_T5_PL\System\setup.exe" -d "C:\Users\Iwonka\Desktop\Pliki instalacyjne do IntericadT5\InteriCad_T5_PL\InteriCad_T5_PL\System"
    Task: {5807903F-47B0-43B2-B23D-6ED504428266} - System32\Tasks\{8C4681F0-8238-41F2-A95F-57C3A270AEDD} => pcalua.exe -a "C:\Users\Iwonka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XW6WP519\Aris_T5.exe" -d C:\Users\Iwonka\Desktop
    Task: {A90837CF-F255-46E1-8081-C0AB4200A6C9} - System32\Tasks\{7D8805AE-7C71-45B4-BD51-C64C41D05FB7} => pcalua.exe -a "C:\Users\Iwonka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XW6WP519\Suszek_T5.exe" -d C:\Users\Iwonka\Desktop
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    C:\9072e047
    C:\Users\Public\AlexaNSISPlugin.3080.dll
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

     

    jessi

  2. Open Notepad and paste the following into it:

     

    Task: {72E395D7-3063-4A68-9C36-552D4F9B354C} - System32\Tasks\{48F941F9-AEAB-4513-8C7D-22FF30EE63D4} => pcalua.exe -a "C:\Program Files (x86)\Crosswords\Crosswords.exe" -c /s /n /i:"ExecuteCommands;UninstallCommands" ""
    C:\Program Files (x86)\Crosswords
    Task: {C060AF62-76EA-4CBB-8777-5FD597087618} - System32\Tasks\{E5DFBE3B-C716-4F19-9329-86AA891A3CF6} => pcalua.exe -a C:\Users\Jarek\Desktop\blazingcolorsviz.exe -d C:\Users\Jarek\Desktop
    C:\Users\Jarek\Desktop\blazingcolorsviz.exe
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\globalupdate Helper" /f
    R4 IOMap; \??\C:\Windows\system32\drivers\IOMap64.sys [X]
    C:\Windows\Minidump\*.dmp
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [Not Found]
    C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo III\Pomoc techniczna Blizzard.lnk
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    Has the problem gone away?

     

    jessi

  3. I don't see any infection here.

    The topic should be moved to a different section of the forum.

    Cosmetic cleanup:

    Open Notepad and paste the following into it:

     

     

    Toolbar: HKU\S-1-5-21-508712993-3177087407-4023105644-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-508712993-3177087407-4023105644-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    S3 btwaudio; system32\drivers\btwaudio.sys [X]
    S3 btwavdt; \SystemRoot\system32\DRIVERS\btwavdt.sys [X]
    S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [X]
    S3 btwrchid; \SystemRoot\system32\DRIVERS\btwrchid.sys [X]
    S3 catchme; \??\C:\Users\Win7\AppData\Local\Temp\catchme.sys [X]
    S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
    S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [X]
    S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
    S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
    S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
    S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
    S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
    S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
    S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.

     

    jessi

  4. Open Notepad and paste the following into it:

     

    FF SelectedSearchEngine: sweet-page
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
    NETSVCx32: NetSetupSvc -> C:\Windows\SysWOW64\NetSetupSvc.dll ==> No File
    NETSVCx32: UserManager -> C:\Windows\SysWOW64\usermgr.dll ==> No File
    C:\ProgramData\boost_interprocess
    C:\WINDOWS\SysWOW64\AI_RecycleBin
    Task: {04A8AF47-AF52-410C-BA28-11E30092305E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d No Task File <==== ATTENTION
    Task: {245DA489-4FEF-4BCF-BE81-C05A58616DD7} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d No Task File <==== ATTENTION
    Task: {24F954C1-33EE-4252-A8D1-A65551093272} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig No Task File <==== ATTENTION
    Task: {3F431FBD-0ED8-40BC-A261-90386655A6C0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess No Task File <==== ATTENTION
    Task: {5801550E-1095-47EE-9890-49FCD0949B77} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d No Task File <==== ATTENTION
    Task: {65ABDF05-41A6-447B-BA14-EAC3CA5D4149} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d No Task File <==== ATTENTION
    Task: {66AE64A6-C8A7-44CF-A7F5-91CFDCEC05B3} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd No Task File <==== ATTENTION
    Task: {6CFC2D8C-3426-47F1-9BCE-DA7D57C5FE0F} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B No Task File <==== ATTENTION
    Task: {8454B100-0317-4FE0-AF56-3BFBA61906C5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent No Task File <==== ATTENTION
    Task: {D258FF3E-AA00-46C8-AA8B-2FB454482E73} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent No Task File <==== ATTENTION
    Task: {F81D59D9-0B81-4B89-AB3E-0305E2A3A0AA} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d No Task File <==== ATTENTION
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.

     

    It turns out you don't have this "Smart Wrapper Ad" at all; it doesn't show up in the FRST logs, and Adw-Cleaner didn't detect it either.

    So we can wrap up:

    Open Notepad and paste the following into it:

    DeleteQuarantine:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
    Use SHIFT+DEL to delete the leftover C:\FRST folder.

    In Adw-Cleaner, click the Uninstall (UNINSTALL) button.

     

    jessi

  5. 1) Uninstall:

    globalupdate Helper (Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== ATTENTION

    爱奇艺万能播放器 (HKLM\...\GeePlayer) (Version: 1.5.10.1295 - 爱奇艺)
    爱奇艺影音 (HKLM\...\IQIYI Video) (Version:  - 爱奇艺)

     

    2)
    Open Notepad and paste the following into it:

     

    CustomCLSID: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000_Classes\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺公司)
    CustomCLSID: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000_Classes\CLSID\{61CED8F3-2CB2-4C3C-9484-7530E1127A58}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺公司)
    CustomCLSID: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000_Classes\CLSID\{D96C1D26-5CDF-4506-9244-57233C3984DF}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺公司)
    CustomCLSID: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Users\Alex\AppData\Local\Temp\DBE8\temp\_mp4hentai__Xpress_Train_-_01_uncen.exe ()
    CustomCLSID: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000_Classes\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF-NOT}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺公司)
    C:\IQIYI Video
    Task: {0C5AD787-6310-4964-AA62-9A07ED531145} - System32\Tasks\65b1263e-e246-43e3-bf46-21dd1ae42b63-5_user => C:\Program Files\CinemaPlus-3.2cV17.07\65b1263e-e246-43e3-bf46-21dd1ae42b63-5.exe <==== ATTENTION
    Task: {116CFB13-97FB-42D8-90F4-B7C837941460} - System32\Tasks\temp_337fb1ed-f59b-4815-8de7-a0b476c310ca-6 => C:\Program Files\CinemaPlus-3.2cV02.06\337fb1ed-f59b-4815-8de7-a0b476c310ca-6.exe <==== ATTENTION
    Task: {15F72CA7-88CC-407B-B1C3-782161B803DA} - System32\Tasks\60361efe-6fea-4d98-864b-9930a4c4dfc4-3 => C:\Program Files\CinemaPlus-3.2cV26.07\60361efe-6fea-4d98-864b-9930a4c4dfc4-3.exe <==== ATTENTION
    Task: {18C672B1-C3DC-446D-9070-43E25E532E7D} - System32\Tasks\60361efe-6fea-4d98-864b-9930a4c4dfc4-5_user => C:\Program Files\CinemaPlus-3.2cV26.07\60361efe-6fea-4d98-864b-9930a4c4dfc4-5.exe <==== ATTENTION
    Task: {1D4B2C7D-DF82-4733-8719-3ACE2572928F} - System32\Tasks\vKj2JFxHqfv9WOGtUya => C:\Users\Alex\AppData\Roaming\vKj2JFxHqfv9WOGtUya.exe <==== ATTENTION
    Task: {212D48E4-C298-4AF0-9FE9-C5C7EAF3D911} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-1-6 => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-1-6.exe <==== ATTENTION
    Task: {3687B27E-9BD9-4C08-8601-58AC50F45B00} - System32\Tasks\d131932d-2bfb-4f57-94fc-116f683bacae-1-6 => C:\Program Files\CinemaPlus-3.2cV06.07\d131932d-2bfb-4f57-94fc-116f683bacae-1-6.exe <==== ATTENTION
    Task: {389D93F7-B2AA-4A23-A411-9CAD41635E80} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-6 => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-6.exe <==== ATTENTION
    Task: {44BB6A88-519B-416A-8A71-22D73D75007D} - System32\Tasks\{4568873B-B6AC-429C-A271-F397F6F36772} => pcalua.exe -a C:\Users\Alex\AppData\Roaming\mystartsearch\UninstallManager.exe -c  -ptid=cmi
    Task: {4527E12E-B199-4323-843D-F287AF8FE350} - System32\Tasks\temp_60361efe-6fea-4d98-864b-9930a4c4dfc4-10_user => C:\Program Files\CinemaPlus-3.2cV26.07\60361efe-6fea-4d98-864b-9930a4c4dfc4-10.exe <==== ATTENTION
    Task: {5332EE0B-4583-4BDF-9BE0-7ECE88513F12} - System32\Tasks\temp_51515474-c5d1-462f-906c-9d2743e452f1-10_user => C:\Program Files\CinemaPlus-4.2vV03.07\51515474-c5d1-462f-906c-9d2743e452f1-10.exe <==== ATTENTION
    Task: {54A799C9-0B93-4FAA-8015-E792A195C566} - System32\Tasks\temp_51515474-c5d1-462f-906c-9d2743e452f1-1-6 => C:\Program Files\CinemaPlus-4.2vV03.07\51515474-c5d1-462f-906c-9d2743e452f1-1-6.exe <==== ATTENTION
    Task: {55C37305-7F4F-4DA8-98E4-0CB75880A050} - System32\Tasks\RsDelayLauncher_{8A34248E-7D35-4832-8378-7659E0B0A380} => C:\PROGRAM FILES\RISING\RAV\rsdelaylauncher.exe [2014-05-15] (Beijing Rising Information Technology Co., Ltd.)
    Task: {56D3AC46-C95A-4631-85CB-E2D0EF292650} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-5_user => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-5.exe <==== ATTENTION
    Task: {57B588F8-D837-44E5-8796-8BF32FB8FE03} - System32\Tasks\65b1263e-e246-43e3-bf46-21dd1ae42b63-5 => C:\Program Files\CinemaPlus-3.2cV17.07\65b1263e-e246-43e3-bf46-21dd1ae42b63-5.exe <==== ATTENTION
    Task: {5DE3752D-827B-4F49-8743-D1E937547BE1} - System32\Tasks\globalUpdateUpdateTaskMachineUA => C:\Program Files\globalUpdate\Update\globalupdate.exe <==== ATTENTION
    Task: {6116FF07-EE30-401A-B1D2-84235B0BDE17} - System32\Tasks\d131932d-2bfb-4f57-94fc-116f683bacae-6 => C:\Program Files\CinemaPlus-3.2cV06.07\d131932d-2bfb-4f57-94fc-116f683bacae-6.exe <==== ATTENTION
    Task: {7619C814-76BD-422D-BE0D-884FB54958B3} - System32\Tasks\Crossbrowse => C:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe <==== ATTENTION
    Task: {78ED8342-617E-452E-9494-FC60B9B7373B} - System32\Tasks\d131932d-2bfb-4f57-94fc-116f683bacae-1-7 => C:\Program Files\CinemaPlus-3.2cV06.07\d131932d-2bfb-4f57-94fc-116f683bacae-1-7.exe <==== ATTENTION
    Task: {7966E7A1-0D33-4392-A6B7-F252B207E23D} - System32\Tasks\temp_337fb1ed-f59b-4815-8de7-a0b476c310ca-1-6 => C:\Program Files\CinemaPlus-3.2cV02.06\337fb1ed-f59b-4815-8de7-a0b476c310ca-1-6.exe <==== ATTENTION
    Task: {7A24EF2D-0668-40A5-B880-149E9B6114BD} - System32\Tasks\d131932d-2bfb-4f57-94fc-116f683bacae-10_user => C:\Program Files\CinemaPlus-3.2cV06.07\d131932d-2bfb-4f57-94fc-116f683bacae-10.exe <==== ATTENTION
    Task: {8237BCEE-23C9-4AC0-A390-A095AE805B9E} - System32\Tasks\X82FxyOAlfq82FaPhMv => C:\Users\Alex\AppData\Roaming\X82FxyOAlfq82FaPhMv.exe [2015-04-20] () <==== ATTENTION
    Task: {93E88428-3A04-48AC-8B7F-C98100C15300} - System32\Tasks\Bidaily Synchronize Task[973b] => c:\programdata\{c52147f3-0b53-8214-c521-147f30b51fcc}\_mp4hentai__xpress_train_-_01_uncen.exe <==== ATTENTION
    Task: {969CEF98-A85A-4F3B-A11A-BA8755387B84} - System32\Tasks\d131932d-2bfb-4f57-94fc-116f683bacae-5_user => C:\Program Files\CinemaPlus-3.2cV06.07\d131932d-2bfb-4f57-94fc-116f683bacae-5.exe <==== ATTENTION
    Task: {9A3CBD60-3012-47B7-8B69-9294641CAAD1} - System32\Tasks\60361efe-6fea-4d98-864b-9930a4c4dfc4-1-6 => C:\Program Files\CinemaPlus-3.2cV26.07\60361efe-6fea-4d98-864b-9930a4c4dfc4-1-6.exe <==== ATTENTION
    Task: {9CBA5ABC-E905-4DFB-8287-9D70CFE38375} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-10_user => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-10.exe <==== ATTENTION
    Task: {9F578E4C-647E-4623-BC6C-3CA908835E17} - System32\Tasks\Bidaily Synchronize Task[74c7] => c:\programdata\{2f8a2b62-bee9-309f-2f8a-a2b62beead8a}\hqghumeaylnlf.exe <==== ATTENTION
    Task: {A0F2CB5D-F701-4159-98FA-70D218020436} - System32\Tasks\65b1263e-e246-43e3-bf46-21dd1ae42b63-1-6 => C:\Program Files\CinemaPlus-3.2cV17.07\65b1263e-e246-43e3-bf46-21dd1ae42b63-1-6.exe <==== ATTENTION
    Task: {AE770A31-69A5-46EB-9E7F-06D2A6D8AC09} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-7 => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-7.exe <==== ATTENTION
    Task: {CD8F0AE4-FA7A-43F5-95A5-E1D1D171F46A} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-1-7 => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-1-7.exe <==== ATTENTION
    Task: {DE925C0A-9AF7-401A-BC7A-33679051EE95} - System32\Tasks\globalUpdateUpdateTaskMachineCore => C:\Program Files\globalUpdate\Update\globalupdate.exe <==== ATTENTION
    Task: {EC9F0473-0F49-4557-8EE6-35E82FA60BC9} - System32\Tasks\temp_f706a8f7-287f-4a40-893c-ca55c01ea0aa-1-6 => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-1-6.exe <==== ATTENTION
    Task: {EEE33474-BDAA-40D7-903E-806959CBF39E} - System32\Tasks\65b1263e-e246-43e3-bf46-21dd1ae42b63-6 => C:\Program Files\CinemaPlus-3.2cV17.07\65b1263e-e246-43e3-bf46-21dd1ae42b63-6.exe <==== ATTENTION
    Task: {F209F725-51CB-4022-B07F-D0080C8A05F3} - System32\Tasks\f706a8f7-287f-4a40-893c-ca55c01ea0aa-5 => C:\Program Files\CinemaPlus-3.2cV29.07\f706a8f7-287f-4a40-893c-ca55c01ea0aa-5.exe <==== ATTENTION
    Task: {F4AF0E7E-6517-421D-AE8A-A64C10741B9E} - System32\Tasks\GoogleUpdateTaskMachineUA1d09a038b4810b3 => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-05-29] (Google Inc.)
    Task: {FF4DAA8E-F16E-4E24-8F10-16E11B1B9FEE} - System32\Tasks\SmartWeb Upgrade Trigger Task => C:\Users\Alex\AppData\Local\SmartWeb\SmartWebHelper.exe <==== ATTENTION
    Task: C:\Windows\Tasks\Bidaily Synchronize Task[74c7].job => c:\programdata\{2f8a2b62-bee9-309f-2f8a-a2b62beead8a}\hqghumeaylnlf.exe <==== ATTENTION
    Task: C:\Windows\Tasks\Bidaily Synchronize Task[973b].job => c:\programdata\{c52147f3-0b53-8214-c521-147f30b51fcc}\_mp4hentai__xpress_train_-_01_uncen.exe <==== ATTENTION
    Task: C:\Windows\Tasks\Crossbrowse.job => C:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe <==== ATTENTION
    Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job => C:\Program Files\globalUpdate\Update\globalupdate.exe <==== ATTENTION
    Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job => C:\Program Files\globalUpdate\Update\globalupdate.exe <==== ATTENTION
    C:\Program Files\globalUpdate
    Task: C:\Windows\Tasks\vKj2JFxHqfv9WOGtUya.job => C:\Users\Alex\AppData\Roaming\vKj2JFxHqfv9WOGtUya.exe <==== ATTENTION
    Task: C:\Windows\Tasks\X82FxyOAlfq82FaPhMv.job => C:\Users\Alex\AppData\Roaming\X82FxyOAlfq82FaPhMv.exe <==== ATTENTION
    C:\Users\Alex\AppData\Roaming\X82FxyOAlfq82FaPhMv.exe
    C:\Users\Alex\AppData\Roaming\vKj2JFxHqfv9WOGtUya.exe
    C:\Program Files\Crossbrowse
    c:\programdata\{c52147f3-0b53-8214-c521-147f30b51fcc}
    c:\programdata\{2f8a2b62-bee9-309f-2f8a-a2b62beead8a}
    C:\Users\Alex\AppData\Local\SmartWeb
    C:\Program Files\CinemaPlus-3.2cV29.07
    C:\PROGRAM FILES\RISING
    C:\Users\Alex\AppData\Roaming\mystartsearch
    C:\ProgramData\iWinManProi
    C:\Program Files\MiuiTab
    C:\Program Files\baidu
    HKLM\...\Run: [RSDTRAY] => C:\Program Files\Rising\RSD\popwndexe.exe [126808 2012-09-25] (Beijing Rising Information Technology Co., Ltd.)
    HKLM\...\Run: [RavTRAY] => C:\Program Files\Rising\RAV\RSTRAY.EXE [111000 2014-05-15] (Beijing Rising Information Technology Co., Ltd.)
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\...\Run: [GoogleChromeAutoLaunch_3281FCF30DCFA21CFEF4D2ECFEF8608D] => "C:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe" --no-startup-window
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\...\Run: [apphide] => C:\Program Files\baidu\baidu.exe [69632 2015-07-22] ()
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\...\Run: [HCDNClient] => C:\IQIYI Video\Common\QyKernel.exe [576104 2015-05-12] (iQIYI.COM)
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/?tn=98388105_hao_pg
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hp&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=ds&ts=1436197717&z=f291ebabb30ea4eb981bdcdgczcccq8gft7mdmebdw&from=cmi&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/?tn=98388105_hao_pg
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hp&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D
    HKU\S-1-5-21-3050552178-2778190213-2786081387-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=ds&ts=1436197717&z=f291ebabb30ea4eb981bdcdgczcccq8gft7mdmebdw&from=cmi&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=ds&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=ds&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=ds&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3050552178-2778190213-2786081387-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=ds&ts=1438673568&z=f0fb2a4da6cb3468f42e789g3zfc2b2q8m3caq9o3e&from=face&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D&q={searchTerms}
    BHO: Rising Web Helper -> {14A5E567-034B-471A-89D8-598A6A93B24B} -> C:\Program Files\Rising\RAV\rsscrbho.dll [2012-11-13] (Beijing Rising Information Technology Co., Ltd.)
    BHO: °®ĆćŇŐÖúĘÖ -> {FB4F6285-4C32-49F2-950F-A5998F9CEC6C} -> C:\IQIYI Video\Common\Accelerator\IEHelper.dll [2015-04-29] (爱奇艺)
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.mystartsearch.com/?type=sc&ts=1436197717&z=f291ebabb30ea4eb981bdcdgczcccq8gft7mdmebdw&from=cmi&uid=ST3500320AS_9QM22M3DXXXX9QM22M3D
    FF Plugin: @iqiyi.com/npclient -> C:\IQIYI Video\LStyle\npclient.dll [2015-05-12] ()
    FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [2015-04-29] (爱奇艺公司)
    FF Plugin: @qq.com/QQPCMgr -> C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\npQMExtensionsMozilla.dll [2015-08-04] (Tencent Technology (Shenzhen) Company Limited)
    FF Plugin: @rising.com.cn/nprising -> C:\Program Files\Rising\RAV\nprising.dll [2013-06-27] (Beijing Rising Information Technology Co., Ltd.)
    FF Plugin: @staging.google.com/globalUpdate Update;version=10 -> C:\Program Files\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll No File
    FF Plugin: @staging.google.com/globalUpdate Update;version=4 -> C:\Program Files\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll No File
    FF Plugin HKU\S-1-5-21-3050552178-2778190213-2786081387-1000: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [2015-04-29] (爱奇艺公司)
    FF Plugin HKU\S-1-5-21-3050552178-2778190213-2786081387-1000: @rising.com.cn/nprising -> C:\Program Files\Rising\RAV\nprising.dll [2013-06-27] (Beijing Rising Information Technology Co., Ltd.)
    R2 IHProtect Service; C:\Program Files\MiuiTab\ProtectService.exe [125112 2015-07-30] (XTab system)
    R2 QQPCRTP; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\QQPCRTP.exe [297608 2015-08-04] (Tencent)
    C:\Program Files\Tencent
    R2 RsMgrSvc; C:\Program Files\Rising\RSD\RsMgrSvc.exe [179992 2014-09-02] (Beijing Rising Information Technology Co., Ltd.)
    R2 RsRavMon; C:\Program Files\Rising\RAV\ravmond.exe [277552 2014-05-15] (Beijing Rising Information Technology Co., Ltd.)
    R3 TAOFrame; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\TAOFrame.exe [293728 2015-08-04] (Tencent)
    R2 WindowsMangerProtect; C:\ProgramData\iWinManProi\ProtectWindowsManager.exe [708264 2015-08-01] (DTools LIMITED) <==== ATTENTION
    R2 copofute; C:\Program Files\00000000-1433171668-0000-0000-1C6F6547AC60\knsr96FA.tmp [X]
    R2 fivyzipo; C:\Users\Alex\AppData\Roaming\00000000-1433171668-0000-0000-1C6F6547AC60\hnsgA1ED.tmp [X]
    S2 globalUpdate; C:\Program Files\globalUpdate\Update\globalupdate.exe /svc [X] <==== ATTENTION
    S3 globalUpdatem; C:\Program Files\globalUpdate\Update\globalupdate.exe /medsvc [X] <==== ATTENTION
    S2 tyvozyno; C:\Users\Alex\AppData\Roaming\00000000-1433171668-0000-0000-1C6F6547AC60\jnsb8CC6.tmp [X]
    C:\Users\Alex\AppData\Roaming\00000000-1433171668-0000-0000-1C6F6547AC60
    C:\Program Files\00000000-1433171668-0000-0000-1C6F6547AC60
    R1 kguard; C:\Windows\System32\DRIVERS\kguard.sys [68376 2014-05-14] (Beijing Rising Information Technology Co., Ltd.)
    R1 QMIEProtect; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\QMIEProtect.sys [49080 2015-08-04] ()
    R1 QMUdisk; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\QMUdisk.sys [60600 2015-08-04] (Tencent)
    S1 QQPCHelper; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\QQPCHelper.sys [22360 2015-08-04] (Tencent)
    R2 QQSysMon; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\QQSysMon.sys [108344 2015-08-04] (电脑管家)
    R2 rsdsys; C:\Windows\system32\drivers\protreg.sys [24120 2014-05-28] (Beijing Rising Information Technology Co., Ltd.)
    R1 rsutils; C:\Windows\System32\DRIVERS\rsutils.sys [58664 2014-08-15] (Beijing Rising Information Technology Co., Ltd.)
    R0 sysmon; C:\Windows\System32\DRIVERS\sysmon.sys [156144 2014-09-10] (Beijing Rising Information Technology Co., Ltd.)
    R2 TAOAccelerator; C:\Windows\system32\Drivers\TAOAccelerator.sys [77016 2015-08-04] (Tencent)
    R1 TAOKernelDriver; C:\Windows\System32\Drivers\TAOKernel.sys [138552 2015-08-04] (Tencent Technology(Shenzhen) Company Limited)
    R3 TFsFlt; C:\Windows\System32\Drivers\TFsFlt.sys [149944 2015-08-04] (电脑管家)
    R3 TS888; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\TS888.sys [30392 2015-08-04] (Tencent)
    R1 TSCPM; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\tscpm.sys [43448 2015-08-04] (电脑管家)
    R1 TSDefenseBt; C:\Windows\System32\DRIVERS\TSDefenseBt.sys [14008 2015-08-04] (Tencent)
    R0 TsFltMgr; C:\Windows\System32\drivers\TsFltMgr.sys [128120 2015-08-04] (电脑管家)
    R1 TSKSP; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\TSKsp.sys [204312 2015-08-04] (电脑管家)
    R1 TSSysKit; C:\Program Files\Tencent\QQPCMgr\10.7.16066.216\TSSysKit.sys [101560 2015-08-04] (电脑管家)
    S1 innfd_1_10_0_14; system32\drivers\innfd_1_10_0_14.sys [X]
    S1 wsafd_1_10_0_19; system32\drivers\wsafd_1_10_0_19.sys [X]
    C:\Windows\system32\Drivers\TS888.sys
    2015-08-04 10:37 - 2015-08-04 10:37 - 00000000 ____D C:\ProgramData\TXQMPC
    2015-08-04 10:09 - 2015-08-04 10:09 - 00000132 __RSH C:\rising.ini
    2015-08-04 10:09 - 2015-08-04 10:09 - 00000122 _____ C:\Windows\system32\BsMain.ini
    2015-08-04 10:09 - 2015-08-04 10:09 - 00000000 ___RD C:\RavBin
    2015-08-04 10:09 - 2014-09-10 08:11 - 00156144 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\Drivers\sysmon.sys
    2015-08-04 10:09 - 2014-08-15 03:22 - 00058664 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\Drivers\rsutils.sys
    2015-08-04 10:09 - 2014-07-30 04:44 - 00091928 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\vpatch.dll
    2015-08-04 10:09 - 2014-05-14 04:02 - 00068376 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\Drivers\kguard.sys
    2015-08-04 10:09 - 2013-12-30 09:33 - 00256280 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\ravext.dll
    2015-08-04 10:09 - 2012-09-06 02:30 - 00240472 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\bsmain.exe
    2015-08-04 10:09 - 2012-02-29 09:49 - 00010808 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\Drivers\rsndisp.sys
    2015-08-04 10:08 - 2015-08-04 10:09 - 00000000 ____D C:\ProgramData\Rising
    2015-08-04 10:08 - 2015-08-04 10:08 - 00000000 ____D C:\Program Files\Rising
    2015-08-04 10:08 - 2014-05-28 09:37 - 00024120 ____N (Beijing Rising Information Technology Co., Ltd.) C:\Windows\system32\Drivers\protreg.sys
    2015-08-04 10:07 - 2015-08-04 10:06 - 00138552 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel.sys
    2015-08-04 10:07 - 2015-08-04 10:06 - 00077016 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator.sys
    2015-08-04 10:07 - 2015-08-04 10:06 - 00014008 _____ (Tencent) C:\Windows\system32\Drivers\TSDefenseBt.sys
    2015-08-04 10:06 - 2015-08-04 10:51 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Tencent
    2015-08-04 10:06 - 2015-08-04 10:51 - 00000000 ____D C:\ProgramData\Tencent
    2015-08-04 10:06 - 2015-08-04 10:07 - 00000000 ____D C:\Program Files\Common Files\Tencent
    2015-08-04 10:06 - 2015-08-04 10:06 - 00149944 _____ (电脑管家) C:\Windows\system32\Drivers\TFsFlt.sys
    2015-08-04 10:06 - 2015-08-04 10:06 - 00128120 _____ (电脑管家) C:\Windows\system32\Drivers\TsFltMgr.sys
    2015-08-04 10:06 - 2015-08-04 10:06 - 00000000 ____D C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
    2015-08-04 10:06 - 2015-08-04 10:06 - 00000000 ____D C:\Program Files\Tencent
    2015-08-04 09:35 - 2015-08-04 09:35 - 00000000 ____D C:\Users\Alex\AppData\Local\SysassistByHotWheel
    2015-08-04 09:34 - 2015-08-04 11:07 - 00000000 ____D C:\Users\Alex\AppData\Local\Unity
    2015-08-04 09:33 - 2015-08-04 11:07 - 00000000 ____D C:\ProgramData\IQIYI Video
    2015-08-04 09:33 - 2015-08-04 11:03 - 00000000 ____D C:\Users\Alex\AppData\Roaming\IQIYI Video
    2015-08-04 09:33 - 2015-08-04 11:02 - 00000000 ____D C:\IQIYI Video
    2015-08-04 09:33 - 2015-08-04 09:33 - 00000000 ____D C:\Users\Public\QiYi
    C:\ProgramData\6WinManPro6
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

     

    3) Generate new FRST logs.

    NOTE:

    If the new Moderator @Naathim (https://www.fixitpc.pl/user/12-naathim/) shows up here, follow his instructions, not mine.

     

    jessi

  6. 1) Use Adw-cleaner:
    first click SZUKAJ (SCAN), and only after the scan has finished, when the USUŃ (CLEANING) button becomes active, click it.
    Post its report, C:\AdwCleaner\AdwCleaner.txt

     

    2)

    R1 wStLib64; C:\Windows\System32\drivers\wStLib64.sys [61112 2014-03-22] (StdLib)

    If Adw-Cleaner doesn't remove this file, check the file on JOTTI or on VIRUSTOTAL.
     

    3) Cosmetic cleanup:

    Open Notepad and paste the following into it:

     

    CustomCLSID: HKU\S-1-5-21-3858547714-159695882-337848512-1001_Classes\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534}\InprocServer32 -> C:\Users\matesz\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll No File
    Task: {FD0B5BBA-910C-4E7A-8634-29DC811B0C74} - System32\Tasks\{261F9D32-E8C3-466F-AB7E-A8EDA5BE5C2B} => pcalua.exe -a "C:\Program Files (x86)\EPSON\TPMANUAL\ESDX4000_4050_CX3900\USE_G\DOCUNINS.EXE"
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1402596724&from=wpm0612&uid=TOSHIBAXMK6475GSX_62HGSZ7HSXX62HGSZ7HS&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.aartemis.com/web/?type=ds&ts=1388152512&from=cor&uid=TOSHIBAXMK6475GSX_62HGSZ7HSXX62HGSZ7HS&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.aartemis.com/web/?type=ds&ts=1388152512&from=cor&uid=TOSHIBAXMK6475GSX_62HGSZ7HSXX62HGSZ7HS&q={searchTerms}
    HKU\S-1-5-21-3858547714-159695882-337848512-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?utm_source=b&utm_medium=wpm0226&utm_campaign=installer&utm_content=ds&from=wpm0226&uid=TOSHIBAXMK6475GSX_62HGSZ7HSXX62HGSZ7HS&ts=1393425183&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3858547714-159695882-337848512-1001 -> DefaultScope {1408CA6D-7563-425B-8D0E-BF3B1D6CC0A5} URL =
    SearchScopes: HKU\S-1-5-21-3858547714-159695882-337848512-1001 -> {1408CA6D-7563-425B-8D0E-BF3B1D6CC0A5} URL =
    SearchScopes: HKU\S-1-5-21-3858547714-159695882-337848512-1001 -> {AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} URL = http://www.daemon-search.com/search?q={searchTerms}
    CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [Not Found]
    ShellIconOverlayIdentifiers: [GGDriveOverlay1] -> {E68D0A50-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
    ShellIconOverlayIdentifiers: [GGDriveOverlay2] -> {E68D0A51-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
    ShellIconOverlayIdentifiers: [GGDriveOverlay3] -> {E68D0A52-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
    ShellIconOverlayIdentifiers: [GGDriveOverlay4] -> {E68D0A53-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
    Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll No File
    Toolbar: HKLM - DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll No File
    Toolbar: HKLM-x32 - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
    FF HKLM-x32\...\Firefox\Extensions: [shortcutff@gmail.com] - C:\Users\matesz\AppData\Roaming\Mozilla\Firefox\Profiles\1zh3k0i9.default\extensions\shortcutff@gmail.com
    S1 iSafeNetFilter; \??\C:\Program Files (x86)\iSafe\iSafeNetFilter.sys [X]
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.

     

    jessi

  7. I removed the file "lenowo-9264.vbs" but did not remove the Scheduled Task, so:

    Open Notepad and paste into it:

     

    Task: {4A3853C5-D13D-4644-8910-1A1762F906EF} - System32\Tasks\Lenovo\Lenovo-9264 => C:\ProgramData\Lenovo-9264.vbs
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.

     

    If everything is OK, we will finish up:
    Open Notepad and paste into it:

     

    DeleteQuarantine:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
    Use SHIFT+DEL to delete the remaining C:\FRST folder.

    In Adw-Cleaner, click the Odinstaluj (UNINSTALL) button.

     

    jessi

  8. 1)

    Shopper-Pro (HKLM-x32\...\ShopperPro) (Version:  - ) <==== ATTENTION

    Try uninstalling this program once more.

     

    2)

    globalupdate Helper (x32 Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== ATTENTION

    Uninstall this program.

     

    3) Use >Adw-cleaner
    First click SZUKAJ (SCAN), and only once the scan has finished and the USUŃ (CLEANING) button becomes active, click it.
    Show the report from it: C:\AdwCleaner\AdwCleaner.txt

     

    3) Make new FRST logs.

     

    jessi

  9. I still don't understand what DNS and the router have to do with SALITY.

    In the logs I see GOOGLE's DNS:

    Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
    Tcpip\..\Interfaces\{2C58A7E5-8FD6-4DBE-B69E-2093C0DABE7A}: [DhcpNameServer] 8.8.8.8 8.8.4.4
    Tcpip\..\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}: [NameServer] 8.8.8.8,8.8.4.4
    Tcpip\..\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}: [DhcpNameServer] 8.8.8.8 8.8.4.4

     

    If something is "off" with the router, contact your internet provider.

     

    jessi

  10. Tcpip\Parameters: [DhcpNameServer] 5.104.175.150 8.8.8.8

    Tcpip\..\Interfaces\{02851EE5-C5EE-4A1F-99D4-C7B8D8453973}: [DhcpNameServer] 5.104.175.150 8.8.8.8

    That Bulgarian DNS is still there (dhcp=router)

    Use >>RogueKiller (to download, click the x64 image after Lien de téléchargement :)

    Click SCAN in it, and after it has found the harmful items click DELETE. Show both reports from it.

     

    jessi
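
The Tcpip lines quoted in posts 9 and 10 can be checked mechanically. The following is an added example, not part of these posts and not FRST's own code: it parses those FRST log lines, flags resolvers outside an allowlist, and records whether each came from DHCP (normally the router) or from a static adapter setting. The allowlist, the function names and the combined sample are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the only resolvers this network is expected to use are the
# Google Public DNS servers named in post 9. Adjust to the real environment.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Matches FRST "Tcpip" lines in the form quoted in the posts, e.g.
#   Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
#   Tcpip\..\Interfaces\{GUID}: [NameServer] 8.8.8.8,8.8.4.4
LINE_RE = re.compile(
    r"^\s*Tcpip\\(?:Parameters|\.\.\\Interfaces\\(?P<guid>\{[0-9A-Fa-f-]+\}))"
    r":\s*\[(?P<value>DhcpNameServer|NameServer)\]\s*(?P<servers>.*)$"
)


def parse_tcpip_lines(log_text):
    """Return a list of (scope, value_name, [addresses]) per Tcpip DNS line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        scope = m.group("guid") or "global"
        # DhcpNameServer is space-separated; NameServer is often comma-separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((scope, m.group("value"), servers))
    return entries


def classify(address):
    """Label one resolver address: expected, local, unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if str(ip) in EXPECTED_RESOLVERS:
        return "expected"
    # A private address is usually the router acting as a DNS forwarder.
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "unexpected"


def review(log_text):
    """List every resolver that is neither expected nor local."""
    findings = []
    for scope, value, servers in parse_tcpip_lines(log_text):
        # DhcpNameServer is handed out by the DHCP server; NameServer is set
        # statically on the host, so the place to correct it differs.
        origin = "dhcp" if value == "DhcpNameServer" else "static"
        for addr in servers:
            verdict = classify(addr)
            if verdict in ("unexpected", "invalid"):
                findings.append({
                    "scope": scope,
                    "origin": origin,
                    "address": addr,
                    "verdict": verdict,
                    "fix_at": "DHCP server (router)" if origin == "dhcp"
                              else "host adapter settings",
                })
    return findings


# Lines quoted in posts 9 and 10, combined here into one constructed sample.
SAMPLE_LOG = r"""
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{2C58A7E5-8FD6-4DBE-B69E-2093C0DABE7A}: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\Parameters: [DhcpNameServer] 5.104.175.150 8.8.8.8
Tcpip\..\Interfaces\{02851EE5-C5EE-4A1F-99D4-C7B8D8453973}: [DhcpNameServer] 5.104.175.150 8.8.8.8
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A DHCP-origin finding means cleaning the PC alone will not change the value; it returns on the next lease until the router's DNS setting is corrected.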

  11. I have been hit by a router infection, it is probably Win32/Sality

    Where did that idea come from?

    Nothing in the logs points to the presence of SALITY,

    or to a router infection.

    Open Notepad and paste into it:

     

     

    Task: {A82E3176-409A-421B-BB44-656C5A06B0FD} - System32\Tasks\{367A41C0-C160-400A-8DFF-8824EC7FDCC5} => pcalua.exe -a C:\Users\Kolbe\Downloads\HAL_9000_4_3.exe -d C:\Users\Kolbe\Downloads

    AlternateDataStreams: C:\Users\Kolbe\Ustawienia lokalne:dVN5DgGGU4zccna0nq6l5K

    AlternateDataStreams: C:\Users\Kolbe\AppData\Local:dVN5DgGGU4zccna0nq6l5K

    AlternateDataStreams: C:\Users\Kolbe\AppData\Local\Dane aplikacji:dVN5DgGGU4zccna0nq6l5K

    AlternateDataStreams: C:\Users\Kolbe\AppData\Local\Temporary Internet Files:UJKslb48ts5WSVDf

    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

    HKU\S-1-5-21-4059769512-2160792119-2253301434-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    C:\Users\Kolbe\MediaInfo.dll

    C:\Users\Kolbe\temp.dat

    C:\Users\Kolbe\Desktop\Anita\Pulpit\Maj 2011-uchwały-projekty.doc.lnk

    C:\Users\postgres\Desktop\Launch Fahrenheit.lnk

    C:\Users\postgres\Desktop\Play Star Wars Battlefront II.lnk

    C:\Users\UpdatusUser\Desktop\Launch Fahrenheit.lnk

    C:\Users\UpdatusUser\Desktop\Play Star Wars Battlefront II.lnk

    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe

    Run FRST and click the Fix button.

     

    jessi

  12. 1)

    Service  C:\WINDOWS\System32\Drivers\6edf95fac9406c4e.sys (*** hidden *** )    [bOOT] 6edf95fac9406c4e                             <-- ROOTKIT !!!

    Rootkit NECURS!

    Make a log with TDSSKiller (because this Rootkit has to be removed with its help) - https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/#entry33542

     

    2) Open Notepad and paste into it:

     

    Unlock: C:\Windows\System32\Drivers\6edf95fac9406c4e.sys
    HKLM\...\Run: [sunJavaUpdateSched] => C:\Documents and Settings\All Users.WINDOWS\svchost.exe
    HKLM\...\Run: [Regedit32] => C:\WINDOWS\system32\regedit.exe
    HKLM\...\Run: [uqirqmyv] => C:\WINDOWS\ynydefuk.exe [439273 2015-07-21] ()
    HKLM\...\Policies\Explorer\Run: [49812] => c:\Documents and Settings\All Users.WINDOWS\dxhalsz.exe [76800 2010-01-18] (If*)
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [y1ag2rtq9f] => C:\Documents and Settings\Sekretariat\y1ag2rtq9f.exe
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [q.com] => C:\Documents and Settings\Sekretariat\Dane aplikacji\q\q.com
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [{1DF79C7D-1415-1C53-C1F7-6E6D69E47C04}] => C:\Documents and Settings\Sekretariat\Dane aplikacji\Citazy\ledi.exe [141824 2011-12-01] ()
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [dxhalsz.exe] => C:\Documents and Settings\All Users.WINDOWS\dxhalsz.exe [76800 2010-01-18] (If*)
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [00a1d38d.exe] => C:\Documents and Settings\Sekretariat\Ustawienia lokalne\Temp\00a1d38d.exe [1245800 2014-07-09] () <===== ATTENTION
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [007f30f9.exe] => C:\Documents and Settings\Sekretariat\Ustawienia lokalne\Temp\007f30f9.exe [1245782 2014-09-15] () <===== ATTENTION
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\Run: [007f79f8.exe] => C:\Documents and Settings\Sekretariat\Ustawienia lokalne\Temp\007f79f8.exe [1156608 2014-09-15] () <===== ATTENTION
    HKU\S-1-5-21-1085031214-1229272821-682003330-1004\...\RunOnce: [Microsoft] => C:\Documents and Settings\Sekretariat\Ustawienia lokalne\Dane aplikacji\svchost.exe
    C:\Documents and Settings\All Users.WINDOWS\svchost.exe
    C:\WINDOWS\system32\regedit.exe
    C:\WINDOWS\ynydefuk.exe
    c:\Documents and Settings\All Users.WINDOWS\dxhalsz.exe
    C:\Documents and Settings\Sekretariat\y1ag2rtq9f.exe
    C:\Documents and Settings\Sekretariat\Dane aplikacji\q\q.com
    C:\Documents and Settings\Sekretariat\Dane aplikacji\q
    C:\Documents and Settings\Sekretariat\Dane aplikacji\Citazy\ledi.exe
    C:\Documents and Settings\Sekretariat\Dane aplikacji\Citazy
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKLM -> DefaultScope Yandex URL = http://yandex.ru/yandsearch?clid=154468&text={searchTerms}
    SearchScopes: HKLM -> Yandex URL = http://yandex.ru/yandsearch?clid=154468&text={searchTerms}
    SearchScopes: HKU\S-1-5-21-1085031214-1229272821-682003330-1004 -> DefaultScope Yandex URL = http://yandex.ru/yandsearch?clid=154468&text={searchTerms}
    SearchScopes: HKU\S-1-5-21-1085031214-1229272821-682003330-1004 -> Moikrug URL = http://moikrug.ru/persons/?clid=154468&charset=utf-8&keywords={searchTerms}&submitted=1
    SearchScopes: HKU\S-1-5-21-1085031214-1229272821-682003330-1004 -> Yandex URL = http://yandex.ru/yandsearch?clid=154468&text={searchTerms}
    FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
    U5 6edf95fac9406c4e; C:\Windows\System32\Drivers\6edf95fac9406c4e.sys [44160 2011-12-27] () <===== ATTENTION Necurs Rootkit?
    C:\Documents and Settings\Sekretariat\Moje dokumenty\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:34 - 2015-07-21 10:34 - 00007748 _____ C:\Documents and Settings\Sekretariat\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:34 - 2015-07-21 10:34 - 00003197 _____ C:\Documents and Settings\Sekretariat\Moje dokumenty\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:34 - 2015-07-21 10:34 - 00003197 _____ C:\Documents and Settings\Sekretariat\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:29 - 2015-08-02 12:01 - 00007748 _____ C:\Documents and Settings\Sekretariat\Pulpit\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:29 - 2015-08-02 12:01 - 00003197 _____ C:\Documents and Settings\Sekretariat\Pulpit\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:25 - 2015-07-21 10:25 - 00007748 _____ C:\Documents and Settings\NetworkService\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:25 - 2015-07-21 10:25 - 00007748 _____ C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:25 - 2015-07-21 10:25 - 00007748 _____ C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:25 - 2015-07-21 10:25 - 00007748 _____ C:\Documents and Settings\LocalService.ZARZĄDZANIE NT\Ustawienia lokalne\Dane aplikacji\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:25 - 2015-07-21 10:25 - 00007748 _____ C:\Documents and Settings\Gość\Ustawienia lokalne\Dane aplikacji\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:25 - 2015-07-21 10:25 - 00003197 _____ C:\Documents and Settings\NetworkService\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:25 - 2015-07-21 10:25 - 00003197 _____ C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:25 - 2015-07-21 10:25 - 00003197 _____ C:\Documents and Settings\LocalService\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:25 - 2015-07-21 10:25 - 00003197 _____ C:\Documents and Settings\LocalService.ZARZĄDZANIE NT\Ustawienia lokalne\Dane aplikacji\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:25 - 2015-07-21 10:25 - 00003197 _____ C:\Documents and Settings\Gość\Ustawienia lokalne\Dane aplikacji\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:24 - 2015-07-21 10:24 - 00007748 _____ C:\Documents and Settings\Gość\Pulpit\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:24 - 2015-07-21 10:24 - 00007748 _____ C:\Documents and Settings\Default User\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:24 - 2015-07-21 10:24 - 00007748 _____ C:\Documents and Settings\Default User.WINDOWS\DECRYPT_INSTRUCTIONS.html
    2015-07-21 10:24 - 2015-07-21 10:24 - 00003197 _____ C:\Documents and Settings\Gość\Pulpit\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:24 - 2015-07-21 10:24 - 00003197 _____ C:\Documents and Settings\Default User\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:24 - 2015-07-21 10:24 - 00003197 _____ C:\Documents and Settings\Default User.WINDOWS\DECRYPT_INSTRUCTIONS.txt
    2015-07-21 10:22 - 2015-07-21 10:22 - 00439273 _____ C:\WINDOWS\ynydefuk.exe
    2015-07-21 10:22 - 2015-07-21 10:22 - 00000000 ____D C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\ekytenomocatyhox
    2015-07-21 10:22 - 2015-07-21 10:22 - 00000000 ____D C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\ekytenomocatyhox
    C:\Documents and Settings\All Users.WINDOWS\dxbitq.exe
    CustomCLSID: HKU\S-1-5-21-1085031214-1229272821-682003330-1004_Classes\CLSID\{43887C67-4D5D-4127-BAAC-87A288494C7C}\InprocServer32 -> C:\Program Files\OpenOffice.org 3\Basis\program\xmergesync.dll No File
    CustomCLSID: HKU\S-1-5-21-1085031214-1229272821-682003330-1004_Classes\CLSID\{BDD611C3-7BAB-460F-8711-5B9AC9EF6020}\InprocServer32 -> C:\Program Files\OpenOffice.org 3\Basis\program\xmergesync.dll No File
    CustomCLSID: HKU\S-1-5-21-1085031214-1229272821-682003330-1004_Classes\CLSID\{C6AB3E74-9F4F-4370-8120-A8A6FABB7A7C}\InprocServer32 -> C:\Program Files\OpenOffice.org 3\Basis\program\xmergesync.dll No File
    CustomCLSID: HKU\S-1-5-21-1085031214-1229272821-682003330-1004_Classes\CLSID\{CB43F086-838D-4FA4-B5F6-3406B9A57439}\InprocServer32 -> C:\Program Files\OpenOffice.org 3\Basis\program\xmergesync.dll No File
    C:\Documents and Settings\All Users\Menu Start\Programy\Skype\Skype.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\Venessa Sieć na Venessa-01.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\Adobe Media Player.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\Adobe Reader 8.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\Adobe Reader 9.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\Adobe Reader X.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\GIMP 2.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\iTunes.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\McAfee Security Scan Plus.lnk
    C:\Documents and Settings\Sekretariat\Pulpit\różne programy\Play Lineage II.lnk
    C:\Documents and Settings\Sekretariat\NetHood\Venessa Sieć na Venessa-01\target.lnk -> \\VENESSA-01\Venessa Sieć (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Users na Venessa-01\target.lnk -> \\VENESSA-01\Users (No File)
    C:\Documents and Settings\Sekretariat\NetHood\SharedDocs na Venessa-janusz\target.lnk -> \\VENESSA-JANUSZ\SharedDocs (No File)
    C:\Documents and Settings\Sekretariat\NetHood\SharedDocs na Dyspozytor\target.lnk -> \\DYSPOZYTOR\SharedDocs (No File)
    C:\Documents and Settings\Sekretariat\NetHood\public na My Book Live Network Storage (Mybooklive)\target.lnk -> \\MYBOOKLIVE\Public (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Outlook Poczta 2014 na Venessa-01\target.lnk -> \\VENESSA-01\Outlook Poczta 2014 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Outlook kopia 2013 na Venessa-01\target.lnk -> \\VENESSA-01\Outlook kopia 2013 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Outlook Express na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Outlook Express (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dyspozytor 2015 na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dyspozytor 2015 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dyspozytor 2014 na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dyspozytor 2014 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dyspozytor 2013 na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dyspozytor 2013 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dyspozytor 2012 na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dyspozytor 2012 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dyspozytor 2011r na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dyspozytor 2011r (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dyspozytor 2010 na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dyspozytor 2010 (No File)
    C:\Documents and Settings\Sekretariat\NetHood\dvd na Dyspozytor\target.lnk -> \\DYSPOZYTOR\dvd (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Dokumentacje skrzyżowań na Dyspozytor\target.lnk -> \\DYSPOZYTOR\Dokumentacje skrzyżowań (No File)
    C:\Documents and Settings\Sekretariat\NetHood\c na Stacja2 (Stacja-2)\target.lnk -> \\Stacja-2\c (No File)
    C:\Documents and Settings\Sekretariat\NetHood\c na Dyspozytor\target.lnk -> \\Dyspozytor\c (No File)
    C:\Documents and Settings\Sekretariat\NetHood\Archiwum_Dyrekcja na My Book Live Network Storage (Mybooklive)\target.lnk -> \\MYBOOKLIVE\Archiwum_Dyrekcja (No File)
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    3) Make new FRST logs.

     

    ----------------------------------------

     

    You have a dozen or so different infections, so I wonder whether it is worth removing them at all; maybe it would be better to format the disk and install the System from scratch?

    I am not "up to date" on this infection, so I do not know whether there is already a decryptor for files encrypted by this version of the infection.

    Reportedly there is already a decryptor, but for this particular version? - I don't know.

    As of today, helping in this section of the forum is to be handled by the new Moderator @Naathim https://www.fixitpc.pl/user/12-naathim/

    but I do not know whether he will also take on your topic, or maybe only new topics?

    If he does take on your topic, then of course follow his instructions, not mine!

     

    jessi
     

  13. 1) Use >Adw-cleaner
    First click SZUKAJ (SCAN), and only once the scan has finished and the USUŃ (CLEANING) button becomes active, click it.
    Show the report from it: C:\AdwCleaner\AdwCleaner.txt

    2) Open Notepad and paste into it:

     

    C:\Program Files (x86)\MiuiTab
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    HKU\S-1-5-21-3592890206-491889516-2803871890-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686
    HKU\S-1-5-21-3592890206-491889516-2803871890-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3592890206-491889516-2803871890-1002 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3592890206-491889516-2803871890-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&ts=1438195502&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3592890206-491889516-2803871890-1002 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&ts=1438195502&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3592890206-491889516-2803871890-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1438195491&z=222d5f6d150e128e5c0d9ffg5z4c8b0g6tew3z7qde&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3592890206-491889516-2803871890-1002 -> {5F1783B9-CB72-4876-A6E2-4541E4873BB9} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&ts=1438195502&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3592890206-491889516-2803871890-1002 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD302686&ts=1438195502&type=default&q={searchTerms}
    BHO-x32: GoodTab Class -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-23] (Thinkgood Co. Limited)
    FF DefaultSearchEngine: istartsurf
    FF SelectedSearchEngine: istartsurf
    FF SearchPlugin: C:\Users\lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\8r9a4b82.default\searchplugins\istartsurf.xml [2015-08-02]
    FF Extension: Default SearchProtected  - C:\Users\lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\8r9a4b82.default\Extensions\defsearchp@gmail.com [2015-07-29]
    FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\8r9a4b82.default\extensions\defsearchp@gmail.com
    R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-07-23] (XTab system)
    R2 WindowsMangerProtect; C:\ProgramData\cWinManProc\ProtectWindowsManager.exe [435880 2015-07-29] (DTools LIMITED) <==== ACHTUNG
    C:\ProgramData\cWinManProc
    S3 GPUZ; \??\C:\WINDOWS\TEMP\GPUZ.sys [X]
    S1 qsafd_vw_1_10_0_20; system32\drivers\qsafd_vw_1_10_0_20.sys [X]
    C:\ProgramData\IHProtectUpDate
    C:\ProgramData\Lenovo-9264.vbs
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    3) Write whether the problem has gone away.

     

    jessi

  14. 1) Uninstall this program:

    Record Page (HKLM\...\Record Page) (Version: 2.0.5692.11486 - Record Page)

     

    2) Use >Adw-cleaner
    First click SZUKAJ (SCAN), and only once the scan has finished and the USUŃ (CLEANING) button becomes active, click it.
    Show the report from it: C:\AdwCleaner\AdwCleaner.txt

    3) Open Notepad and paste into it:

     

    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\sztuka2.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\prezentacja III rok (2).LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\paragrafy.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\Poster_Żaneta_Broniowska 2015.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\Poster_Żaneta_Broniowska.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\prezentacja III rok.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\program zajec tg - czerwiec 2012.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\program zajec tg - maj 2012.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\snp - lista uczestnikow - podzial na grupy iv.2012.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\snp - lista uczestnikow - podzial na grupy vi.2012 v2.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\sztuka2.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\szyby.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\telefon internet.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\testowanie-1.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\tmobile.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\TOYOTA SALEE.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\UV2.LNK
    C:\Documents and Settings\user\Dane aplikacji\Microsoft\Office\Niedawny\ZDJĘCIA NA ŚCIANĘ.LNK
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{28286AE2-3628-11D4-8168-0050DACFAE5F}\InprocServer32 ->  No File
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{28286AE3-3628-11D4-8168-0050DACFAE5F}\InprocServer32 ->  No File
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{44EC053A-400F-11D0-9DCD-00A0C90391D3}\InprocServer32 -> no filepath
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{4969CDC0-6307-11D4-8194-0050DACFAE5F}\InprocServer32 ->  No File
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{65105120-AB6A-11D4-81E0-0050DACFAE5F}\InprocServer32 ->  No File
    CustomCLSID: HKU\S-1-5-21-746137067-1390067357-839522115-1003_Classes\CLSID\{FC17C3E0-A694-11D4-81DB-0050DACFAE5F}\InprocServer32 ->  No File
    2015-08-02 14:23 - 2015-08-02 14:23 - 01139464 ____N () C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777\plugincontainer.exe
    2015-08-02 14:30 - 2015-08-02 14:30 - 01074952 ____N () C:\Program Files\Common Files\87737dd0-ad90-4193-bd48-336966b8d777\updater.exe
    2015-08-02 16:01 - 2015-08-02 16:01 - 01219336 _____ () C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777\plugins\8\plugin.exe
    2015-08-02 16:01 - 2015-08-02 16:01 - 01759496 _____ () C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777\plugins\2\plugin.exe
    2015-08-02 16:14 - 2015-08-02 16:14 - 01171720 _____ () C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777\plugins\3\plugin.exe
    2015-08-02 06:24 - 2015-08-02 06:24 - 00908040 _____ () C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777\plugins\7\plugin.exe
    2015-08-02 16:14 - 2015-08-02 06:24 - 00055560 _____ () C:\Documents and Settings\user\Ustawienia lokalne\Temp\{BD127E26-532F-461B-AB9D-03BFB5EEC3D0}.xpi
    C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777
    C:\Program Files\Common Files\87737dd0-ad90-4193-bd48-336966b8d777
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com/web/?type=ds&ts=1433275202&z=0ecaa53bc8f2ea99f7c0d5bg9zfcec5o3m1wao4ece&from=cor&uid=ST9250410AS_5VG1C4E4&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com/web/?type=ds&ts=1433275202&z=0ecaa53bc8f2ea99f7c0d5bg9zfcec5o3m1wao4ece&from=cor&uid=ST9250410AS_5VG1C4E4&q={searchTerms}
    HKU\S-1-5-21-746137067-1390067357-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://services.eshield.com/general/newhometab.php?hometab=home&partner=11467&guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&i=
    HKU\S-1-5-21-746137067-1390067357-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com/web/?type=ds&ts=1433275202&z=0ecaa53bc8f2ea99f7c0d5bg9zfcec5o3m1wao4ece&from=cor&uid=ST9250410AS_5VG1C4E4&q={searchTerms}
    HKU\S-1-5-21-746137067-1390067357-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com/web/?type=ds&ts=1433275202&z=0ecaa53bc8f2ea99f7c0d5bg9zfcec5o3m1wao4ece&from=cor&uid=ST9250410AS_5VG1C4E4&q={searchTerms}
    HKU\S-1-5-21-746137067-1390067357-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://services.eshield.com/general/newhometab.php?hometab=home&partner=11467&guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&i=
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "http://services.eshield.com/general/newhometab.php?hometab=home&partner=11467&guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&i="<======= ATTENTION
    SearchScopes: HKU\S-1-5-21-746137067-1390067357-839522115-1003 -> DefaultScope {D7C2796E-F2BA-4A19-8302-C8705E96D074} URL = http://search.eshield.com/serp?guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&action=default_search&k={searchTerms}
    SearchScopes: HKU\S-1-5-21-746137067-1390067357-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://do-search.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250410AS_5VG1C4E4&ts=1433275288&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-746137067-1390067357-839522115-1003 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250410AS_5VG1C4E4&ts=1433275288&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-746137067-1390067357-839522115-1003 -> {8F9282A3-54E9-4B8F-B7F8-77549B4E2AB2} URL = http://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=11467
    SearchScopes: HKU\S-1-5-21-746137067-1390067357-839522115-1003 -> {D7C2796E-F2BA-4A19-8302-C8705E96D074} URL = http://search.eshield.com/serp?guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&action=default_search&k={searchTerms}
    SearchScopes: HKU\S-1-5-21-746137067-1390067357-839522115-1003 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://do-search.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250410AS_5VG1C4E4&ts=1433275288&type=default&q={searchTerms}
    BHO: Record Page -> {2335267c-dbba-4dd5-a9d0-c4db8e6a75a4} -> C:\Program Files\Record Page\Extensions\2335267c-dbba-4dd5-a9d0-c4db8e6a75a4.dll [2015-08-02] ()
    C:\Program Files\Record Page
    FF SelectedSearchEngine: eShield Safe Web
    FF Homepage: hxxp://services.eshield.com/general/newhometab.php?hometab=home&partner=11467&guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&i=
    FF Keyword.URL: hxxp://search.eshield.com/serp?guid={D524EF42-1786-4BC3-AB58-F2FE4C04F8A3}&action=default_search&k=
    FF Extension: Record Page - C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\z7oxjz15.default-1423939123625\Extensions\{2dd1d62d-6394-45a3-8d61-d2008f76ce9e}.xpi [2015-08-02]
    R2 Service Mgr RecordPage; C:\Documents and Settings\All Users\Dane aplikacji\87737dd0-ad90-4193-bd48-336966b8d777\plugincontainer.exe [1139464 2015-08-02] ()
    R2 Update Mgr RecordPage; C:\Program Files\Common Files\87737dd0-ad90-4193-bd48-336966b8d777\updater.exe [1074952 2015-08-02] ()
    S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.

     

    4) Let me know whether the problem has gone away.

     

    jessi

  15. Tcpip\Parameters: [DhcpNameServer] 5.104.175.150 8.8.8.8

    Tcpip\..\Interfaces\{02851EE5-C5EE-4A1F-99D4-C7B8D8453973}: [DhcpNameServer] 5.104.175.150 8.8.8.8

    If you use a router, then:

    Log in to the router:

    - Change the DNS settings. If you don't know what to change them to, you can set the Google addresses: 8.8.8.8 + 8.8.4.4

    - Secure the router: change the password and close access to the management panel from the Internet side. Compare with these articles:

    http://multimo.telestrada.pl/uwaga1

    http://www.pcworld.pl/artykuly/394764_3/Zmasowany.atak.na.routery.polskich.uzytkownikow.Orange.blokuje.falszywe.DNS.y.html

     

    After configuring, run this test, which is meant to confirm that the router is secured:

    http://cert.orange.pl/modemscan/

    Open Notepad and paste the following into it:

     

     

    Task: {538DC2DB-1DBE-4799-AF16-B6B65688F925} - System32\Tasks\{277D1B3E-9B9D-4D3D-893E-9E1C230AC6F6} => pcalua.exe -a D:\kxdrv3536-full.exe -d D:\

    URLSearchHook: [s-1-5-21-588558156-1312307999-820253825-1000] ATTENTION ==> Default URLSearchHook is missing

    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]

    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]

    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe

    Run FRST and click the Fix button.

    A fixlog.txt file will be created.

    Post that log.

     

    Make a new FRST log, this time without Additional and without Shortcut.

     

    Let me know whether the problem has gone away.

     

    jessi
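
The check behind the DNS advice in the post above, as an added example that is not part of the original post: it reads FRST `DhcpNameServer` lines and lists every resolver that is neither a private (router) address nor on a trusted list. The function name, the trusted list and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Resolvers accepted without review. 8.8.8.8 and 8.8.4.4 are the Google
# addresses suggested in the post; add your ISP's resolvers (assumption).
TRUSTED = frozenset({"8.8.8.8", "8.8.4.4"})

# FRST line shape: Tcpip\Parameters: [DhcpNameServer] <ip> <ip> ...
LINE_RE = re.compile(r"^\s*(Tcpip\\[^:]+):\s*\[DhcpNameServer\]\s*(.+)$")

# First two lines are quoted from the post; the third is constructed.
SAMPLE = "\n".join([
    r"Tcpip\Parameters: [DhcpNameServer] 5.104.175.150 8.8.8.8",
    r"Tcpip\..\Interfaces\{02851EE5-C5EE-4A1F-99D4-C7B8D8453973}: [DhcpNameServer] 5.104.175.150 8.8.8.8",
    r"Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000001}: [DhcpNameServer] 192.168.1.1",
])


def resolvers_to_review(log_text, trusted=TRUSTED):
    """Return {registry scope: [resolver, ...]} for entries that need a look."""
    findings = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        scope, servers = match.groups()
        for token in re.split(r"[,\s]+", servers.strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                # Malformed value: report it rather than silently skipping it.
                findings.setdefault(scope, []).append(token)
                continue
            # A private address is normally the router acting as DNS forwarder.
            if ip.is_private or str(ip) in trusted:
                continue
            findings.setdefault(scope, []).append(str(ip))
    return findings


if __name__ == "__main__":
    for scope, servers in resolvers_to_review(SAMPLE).items():
        print(f"{scope}: review {', '.join(servers)}")
```

A resolver on this list is not proof of tampering; it means the address was handed out by DHCP and should be compared with what the router is supposed to distribute.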

  16. But I noticed that this Avira detects a virus even in the OpenOffice installation file, so maybe something is wrong with it (Avira)

    Perhaps, but not necessarily, because antivirus programs take the view that program installers should be deleted once the programs have been installed.

     

    Open Notepad and paste the following into it:

     

     

    DeleteQuarantine:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

    Delete the remaining C:\FRST folder using SHIFT+DEL.

     

    In AdwCleaner, click the Uninstall (UNINSTALL) button.

     

    RogueKiller - delete it manually.

     

    FSS - delete it manually.

     

    jessi

  17. Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk -> C:\Windows\System32\SnippingTool.exe (Microsoft Corporation)

    Check these files on --> JOTTI/ or on VIRUSTOTAL

     

    There are no other objects with this name in the logs.

     

    Open Notepad and paste the following into it:

     

     

    C:\Windows\Installer\{B8AE7AD1-7534-4AA9-B3D4-886D8C653A47}

    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Podatnik.info\Podatnik.info - Widget.lnk

    C:\Users\Anna\Desktop\Continue Live Installation (2).lnk

    C:\Users\Anna\Desktop\RÓŻNE\oferta na stronę.lnk

    C:\Users\Anna\Desktop\RÓŻNE\list motywacyjny Trenkwalder.lnk

    C:\Users\Anna\Desktop\RÓŻNE\Skype.lnk

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Podatnik.info\Podatnik.info - Widget.lnk

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Podatnik.info - Widget.lnk

    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe

    Run FRST and click the Fix button.

    A fixlog.txt file will be created.

    Post that log.

     

    jessi
