jessica
Posts: 4 099
Replies posted by jessica
-
without any major progress...
Now I'm leaving the thread to the specialists of this forum section - I hope one of them will look into your thread.
jessi
-
Not everything got removed - the Shortcut.txt log is missing, so I improvised, but that didn't work out. It's of little importance, so we'll leave it alone.
In my opinion it should be OK now.
Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
Using SHIFT+DEL, delete the remaining folder C:\FRST.
jessi
-
Just out of curiosity: this infection always encrypts the user's files (photos, documents) - didn't it encrypt yours?
jessi
-
1) Uninstall this program:
Update for PriceFountain (HKU\S-1-5-21-1603798188-3409358739-4023605629-1001\...\Price Fountain) (Version: - Update for PriceFountain) <==== ATTENTION
2) Open Notepad and paste into it:
HKLM-x32\...\Run: [CMD] => cmd.exe /c start http://zivlingamer.org&& exit
HKU\S-1-5-21-1603798188-3409358739-4023605629-1001\...\Run: [EpicScale] => [X]
IFEO\adwcleaner_4.204.exe: [Debugger] svchost.exe
IFEO\AnVir.exe: [Debugger] svchost.exe
IFEO\AutoLogger.exe: [Debugger] svchost.exe
IFEO\avz.exe: [Debugger] svchost.exe
IFEO\CCleaner.exe: [Debugger] svchost.exe
IFEO\CCleaner64.exe: [Debugger] svchost.exe
IFEO\FRST.exe: [Debugger] svchost.exe
IFEO\FRST64.exe: [Debugger] svchost.exe
IFEO\HiJackThis.exe: [Debugger] svchost.exe
IFEO\regedit.exe: [Debugger] svchost.exe
IFEO\RegWorks.exe: [Debugger] svchost.exe
IFEO\RSIT.exe: [Debugger] svchost.exe
IFEO\RSITx64.exe: [Debugger] svchost.exe
ShortcutTarget: Registration Brothers In Arms.LNK -> D:\Users\Albert\Downloads\[ DARMOWE-TORENTY.PL ] Brothers In Arms Road To Hill 30 [PL]\BIA\Support\Register\RegistrationReminder.exe (No File)
ShortcutTarget: Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK -> D:\Program Files (x86)\Ubisoft\Heroes of Might and Magic V Collector Edition\registrationa1\RegistrationReminder.exe (No File)
ShortcutTarget: Registration Heroes of Might & Magic 5 - Tribes of the East.LNK -> D:\Program Files (x86)\Ubisoft\Heroes of Might and Magic V - Dzikie Hordy\registration\RegistrationReminder.exe (No File)
ShortcutTarget: Registration Heroes of Might & Magic 5.LNK -> D:\Program Files (x86)\Ubisoft\Heroes of Might and Magic V Collector Edition\registration\RegistrationReminder.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hppp&ts=1420906686&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1420906610&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294&q={searchTerms}
Task: {0881D68E-8B47-4413-8A55-A56B955A6A21} - System32\Tasks\YTAHelper => C:\Program Files (x86)\YTAHelper\YTAHelper.exe <==== ATTENTION
Task: {0D7CF67F-9FFC-4D8F-A780-6ECC2EA58DAA} - System32\Tasks\Installer_shopperpro => C:\Users\Albert\AppData\Local\Installer\Installshopperpro_25350\DCytaiesmt_smtyc_setup.exe <==== ATTENTION
Task: {83802072-3D81-4B14-909A-F58285014A37} - System32\Tasks\YTAUpdate_logon => C:\PROGRA~2\YOUTUB~1\Updater.exe <==== ATTENTION
Task: {91A579AE-5DBA-48CE-BF70-CBA20335DF6F} - System32\Tasks\SMW_UpdateTask_Time_343139353431323131382d5a4a6c414a34572a506c415a => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {A986801E-259D-45FF-80DA-9FE130563DA9} - System32\Tasks\{6829FEB9-37F4-4DBB-B852-0E9B1EF731B3} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
Task: {CE847ECB-1E4F-4C36-86C7-0E3DDE85B25A} - System32\Tasks\SMWUpd => C:\Program Files\Common Files\Goobzo\GBUpdate\updater.exe <==== ATTENTION
Task: {E526EF94-64BF-42E4-B16F-C366E681CAE7} - System32\Tasks\YTAUpdate => C:\PROGRA~2\YOUTUB~1\Updater.exe <==== ATTENTION
C:\Program Files\Common Files\Goobzo
C:\ProgramData\SearchModule
C:\PROGRA~2\YOUTUB~1
C:\Users\Albert\AppData\Local\Installer\Installshopperpro_25350
Reg: reg delete HKU\S-1-5-21-1603798188-3409358739-4023605629-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v GoobzoYouTubeAccelerator /f
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1420906686&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420906610&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1603798188-3409358739-4023605629-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420906686&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294&q={searchTerms}
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO: YTAHelper -> {FCE3FA8B-BA81-467C-81D8-E43C00D1BC71} -> No File
BHO-x32: No Name -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> No File
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO-x32: No Name -> {b608cc98-54de-4775-96c9-097de398500c} -> No File
FF SelectedSearchEngine: AVG Secure Search
FF Keyword.URL: hxxp://www-searches.com/search.aspx?s=F1Ezdefytd1,6b6268af-3076-4d9c-a5b6-1edc0b59a364,&q=
FF SearchPlugin: C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\searchplugins\omiga-plus.xml [2015-01-10]
FF HKLM-x32\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\extensions\fftoolbar2014@etech.com
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> E:\VLC\npvlc.dll No File
FF SearchPlugin: C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\searchplugins\omiga-plus.xml [2015-01-10]
FF HKLM-x32\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\extensions\fftoolbar2014@etech.com
S2 YouTubeAcceleratorService; C:\PROGRA~2\YOUTUB~1\YouTubeAcceleratorService.exe -start -scm [X]
S3 SMUpdd; \??\C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys [X]
S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
3) Make new FRST logs
jessi
-
The infection is visible in the Registry, but FRST does not show whether it is active or whether only its key is left behind.
Open Notepad and paste into it:
HKU\S-1-5-21-577312002-1100195492-3471646395-1000\...\Run: [NextLive] => C:\Windows\SysWOW64\rundll32.exe "C:\Users\Józek\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l
C:\Users\Józek\AppData\Roaming\newnext.me
C:\Windows\SysWOW64\AI_RecycleBin
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 GPUZ; \??\C:\Users\JZEK~1\AppData\Local\Temp\GPUZ.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
HKLM\...\Run: [] => [X]
Task: {14997039-7103-4FE6-B471-90369E6A7B6E} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask No Task File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification No Task File <==== ATTENTION
Task: {A1F906E1-6A75-4800-B131-6E71D6193184} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline No Task File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent No Task File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector No Task File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector No Task File <==== ATTENTION
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe
Run FRST and click the Fix button.
jessi
-
1)
Wander Burst (HKLM-x32\...\Wander Burst) (Version: 2.0.5691.2480 - Wander Burst) <==== ATTENTION
Try to uninstall this program.
2) Use >Adw-cleaner
First click SZUKAJ (SCAN), and only after the scan has finished, when the USUŃ (CLEANING) button becomes active, click it.
Post its report C:\AdwCleaner\AdwCleaner.txt
3)
EDIT:
Is this thread still relevant at all (help on another forum)?
jessi
-
1) Use >>RogueKiller (to download, click the x64 image after "Lien de téléchargement :")
In it click SCAN, and once the malicious items have been found, click DELETE. Post both of its reports.
2) Open Notepad and paste into it:
C:\Users\Anna\googleupdate.exe
C:\Users\Anna\jucheck.exe
C:\Users\Anna\notepad.exe
C:\Windows\Tasks\{271FC8F2-3068-4517-A5D2-DE0F32FABD26}.job
C:\$Recycle.Bin\S-1-5-21-3596678123-563365736-238587739-1000\$dd68e21f7ab636dd14d9852afa13c41a
C:\ProgramData\bddafffffbecbc.cfg
C:\ProgramData\birweksqwuqfndl
C:\ProgramData\poxfvcupxfporbe
C:\ProgramData\umisvraysicuqwx
C:\Users\Anna\AppData\Local\nsa478D.tmp
C:\ProgramData\InstallMate
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\17.3.0.49
FF HKLM-x32\...\Firefox\Extensions: [8hffxtbr@Allin1Convert_8h.com] - C:\Program Files (x86)\Allin1Convert_8h\bar\1.bin
FF HKU\S-1-5-21-3596678123-563365736-238587739-1000\...\Firefox\Extensions: [{7FF62C02-5B5D-CE36-F37E-D2B63C8A2E4F}] - C:\Program Files (x86)\ver5BlockAndSurf\187.xpi
FF HKLM-x32\...\Firefox\Extensions: [4zffxtbr@VideoDownloadConverter_4z.com] - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin
C:\Program Files (x86)\VideoDownloadConverter_4z
C:\Program Files (x86)\ver5BlockAndSurf
C:\Program Files (x86)\Allin1Convert_8h
C:\ProgramData\AVG Secure Search
BHO-x32: Toolbar BHO -> {fbcbc43a-dca9-4192-a4c8-b57fd0f77d4d} -> C:\PROGRA~2\ALLIN1~2\bar\1.bin\8hbar.dll No File
URLSearchHook: HKU\S-1-5-21-3596678123-563365736-238587739-1000 - (No Name) - {5bcf818d-78c8-41b8-ba89-65c5fdac4fc4} - C:\Program Files (x86)\Allin1Convert_8h\bar\1.bin\8hSrcAs.dll No File
HKU\S-1-5-21-3596678123-563365736-238587739-1000\...\Run: [bddafffffbecbc] => "C:\ProgramData\bddafffffbecbc.exe"
HKU\S-1-5-21-3596678123-563365736-238587739-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3596678123-563365736-238587739-1000\$dd68e21f7ab636dd14d9852afa13c41a\n.ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3596678123-563365736-238587739-1000\...\Run: [Adobe CSS5.1 Manager] => C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad\bddafffffbecbad.exe <===== ATTENTION
C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
HKLM\...\Run: [Allin1Convert Home Page Guard 64 bit] => "C:\PROGRA~2\ALLIN1~2\bar\1.bin\AppIntegrator64.exe"
Task: C:\Windows\Tasks\{271FC8F2-3068-4517-A5D2-DE0F32FABD26}.job => C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad\bddafffffbecbad.exe
Task: {0CACD429-9E47-4A1E-A19B-CA909FC3E59E} - System32\Tasks\{271FC8F2-3068-4517-A5D2-DE0F32FABD26} => C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad\bddafffffbecbad.exe
CustomCLSID: HKU\S-1-5-21-3596678123-563365736-238587739-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\$Recycle.Bin ()
c:\Users\Anna\AppData\Roaming\Microsoft\Windows\SendTo\Desk 365.lnk
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\SecurityFile: C:\Windows\System32\nlasvc.dll
Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc" /s
Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters" /s
Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Security" /s
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
3) Make new FRST logs.
4) Make a log with Farbar Service Scanner >http://download.bleepingcomputer.com/farbar/FSS.exe (tick everything for the scan).
jessi
-
Open Notepad and paste into it:
C:\Windows\Minidump\*.dmp
FF Extension: No Name - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\extensions\deskCutv2@gmail.com [not found]
C:\ProgramData\boost_interprocess
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe
Run FRST and click the Fix button.
Then we finish:
Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
Using SHIFT+DEL, delete the remaining folder C:\FRST.
In Adw-Cleaner click the Odinstaluj (UNINSTALL) button.
jessi
-
and I'll try the ZA removal tool.
EDIT@: The link doesn't work.

Yes, indeed, the page no longer exists.
Try uninstalling it with some general-purpose uninstaller, e.g. Revo Uninstaller.
In the GMER log - nothing suspicious.
jessi
-
I don't see anything suspicious in the new log.
Maybe reinstall Zone Alarm?
Using the ZoneAlarm Removal Tool - http://www.zonealarm.com.au/main/kb_display.asp?KBID=1870
jessi
-
The logs are a week old.
1) Uninstall these programs:
AnyProtect (HKLM-x32\...\AnyProtect) (Version: 1.0.0.4 - CMI Limited) <==== ATTENTION
AVG Security Toolbar (HKLM-x32\...\AVG Secure Search) (Version: 18.7.0.147 - AVG Technologies)
BlockAndSurf (HKLM-x32\...\9D200663-F70D-D1AA-E633-EEBDBC95D7E5) (Version: - BlockAndSurf-software) <==== ATTENTION
ConvertAd (HKLM-x32\...\ConvertAd) (Version: 1.0.0.0 - ConvertAd) <==== ATTENTION
Delta Chrome Toolbar (HKLM-x32\...\Delta Chrome Toolbar) (Version: - Visual Tools) <==== ATTENTION
Delta toolbar (HKLM-x32\...\delta) (Version: 1.8.21.5 - Delta) <==== ATTENTION
iLivid (HKLM-x32\...\iLivid) (Version: 4.0.0.2624 - Bandoo Media Inc) <==== ATTENTION
MagniPic (HKLM\...\{6DE35347-47DF-4DD6-AF3D-0FFDB60071B1}) (Version: 1.0 - ) <==== ATTENTION
omiga-plus uninstall (HKLM-x32\...\omiga-plus uninstall) (Version: - omiga-plus) <==== ATTENTION
Remote Desktop Access (VuuPC) (HKLM-x32\...\VOPackage) (Version: 1.0.0.0 - CMI Limited) <==== ATTENTION
Search Protect (HKLM-x32\...\SearchProtect) (Version: 2.23.60.24 - Client Connect LTD) <==== ATTENTION
toolbar on IE and Chrome (HKLM-x32\...\privitize) (Version: 1.8.16.22 - Industriya)
Video Download Converter version 1.0.0.0 (HKLM-x32\...\VDC_is1) (Version: 1.0.0.0 - ) <==== ATTENTION
webssearches uninstall (HKLM-x32\...\webssearches uninstall) (Version: - webssearches) <==== ATTENTION
Picexa (HKLM-x32\...\Picexa) (Version: - Taiwan Shui Mu Chih Ching Technology Limited)
2) Adw-Cleaner:
First click SZUKAJ (SCAN), and only after the scan has finished, when the USUŃ (CLEANING) button becomes active, click it.
Post its report C:\AdwCleaner\AdwCleaner.txt
3) Make new FRST logs.
jessi
-
1) Use >Adw-cleaner
First click SZUKAJ (SCAN), and only after the scan has finished, when the USUŃ (CLEANING) button becomes active, click it.
Post its report C:\AdwCleaner\AdwCleaner.txt
2) Open Notepad and paste into it:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739
FF NewTab: hxxp://www.istartsurf.com/newtab/?type=nt&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739
FF SearchPlugin: C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\searchplugins\istartsurf.xml [2015-07-27]
FF Extension: deskCut - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\Extensions\deskCutv2@gmail.com [2015-07-27]
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\extensions\deskCutv2@gmail.com
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\ProgramData\8982373780703246254
2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\RSS Subscription Extension by
2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\CutThePrice
2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\CuatThePruice
2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\bestadblocker
2015-07-27 21:33 - 2015-07-28 22:19 - 00000000 ____D C:\ProgramData\ahphcahnkamaapjichgaamkckohjfcac
2015-07-27 21:32 - 2015-07-29 20:07 - 00000000 ____D C:\Users\Piotr\AppData\Roaming\istartsurf
2015-07-27 21:32 - 2015-07-28 22:25 - 00000000 ____D C:\ProgramData\{22f70bc9-6994-e68d-22f7-70bc96992f25}
2015-07-27 21:32 - 2015-07-27 21:43 - 00000000 ____D C:\ProgramData\tWinManProt
2015-07-27 21:32 - 2015-07-27 21:43 - 00000000 ____D C:\Program Files (x86)\MiuiTab
2015-07-27 21:32 - 2015-07-27 21:36 - 00000000 ____D C:\Users\Piotr\AppData\Local\ospd_us_013010043
2015-07-27 21:32 - 2015-07-27 21:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ONESOFTPERDAY
2015-07-27 21:32 - 2015-07-27 21:32 - 00000000 ____D C:\ProgramData\IHProtectUpDate
2015-07-27 21:32 - 2015-07-27 21:32 - 00000000 ____D C:\Program Files (x86)\ospd_us_013010043
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
3)
CHR dev: Chrome dev build detected! <======= ATTENTION
Uninstall that hole-ridden version of Google Chrome.
Install it from here > http://www.google.com/chrome/
4) Make new FRST logs
5) Write whether this changed the situation.
jessi
-
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{54BDED8A-D40D-44FF-9BDD-D509FE5D5B73}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Tcpip\..\Interfaces\{B521B25A-E08D-482E-8F75-4676802405F9}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{FDCE7034-8F07-4CB0-94DE-A0D7F8BF0608}: [NameServer] 82.163.143.134,82.163.142.136
Tcpip\..\Interfaces\{FDCE7034-8F07-4CB0-94DE-A0D7F8BF0608}: [DhcpNameServer] 194.168.4.100 194.168.8.100
Do you live in the USA and in Great Britain?
Maybe the router needs to be thrown in the bin?
jessi
-
I don't see any infection here.
But the effects of an infection are visible:
IFEO\adwcleaner_4.207.exe: [Debugger] svchost.exe
IFEO\adwcleaner_4.208.exe: [Debugger] svchost.exe
IFEO\AnVir.exe: [Debugger] svchost.exe
IFEO\AutoLogger.exe: [Debugger] svchost.exe
IFEO\CCleaner64.exe: [Debugger] svchost.exe
IFEO\FRST.exe: [Debugger] svchost.exe
IFEO\FRST64.exe: [Debugger] svchost.exe
IFEO\RegWorks.exe: [Debugger] svchost.exe
IFEO\RSITx64.exe: [Debugger] svchost.exe
What I don't see, however, is "regedit" being blocked.
Open Notepad and paste into it:
IFEO\adwcleaner_4.207.exe: [Debugger] svchost.exe
IFEO\adwcleaner_4.208.exe: [Debugger] svchost.exe
IFEO\AnVir.exe: [Debugger] svchost.exe
IFEO\AutoLogger.exe: [Debugger] svchost.exe
IFEO\CCleaner64.exe: [Debugger] svchost.exe
IFEO\FRST.exe: [Debugger] svchost.exe
IFEO\FRST64.exe: [Debugger] svchost.exe
IFEO\RegWorks.exe: [Debugger] svchost.exe
IFEO\RSITx64.exe: [Debugger] svchost.exe
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
S0 ulkfbuht; C:\Windows\SysWOW64\drivers\krts.sys
C:\Windows\SysWOW64\drivers\krts.sys
IFEO\regedit.exe: [Debugger] svchost.exe
S0 yddg; C:\Windows\SysWOW64\drivers\fbmnvb.sys [61440 2015-03-09] () [File not signed]
C:\Windows\SysWOW64\drivers\fbmnvb.sys
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
Make a new FRST log - this time without Additional and without Shortcut.
Check: what still doesn't work?

Some additional folders and shortcuts have appeared on drive C that weren't there before and to which access is denied, "$RECYCLE.BIN". E.g.: "$RECYCLE.BIN", and inside it a file named Kosz with a little padlock that leads to an empty folder, Config.Msi - access denied, System Volume Information - access denied,

Those objects were always there, they were just hidden!
"$RECYCLE.BIN" - that really is the system name of the Recycle Bin.
"System Volume Information" - this is the folder in which the file copies needed by "System Restore" are kept.
"Config.Msi" - a system object.
The User has no access to any of these objects, so of course you don't have access on your machine either.

In "Users" the "Default User" folder with a padlock - access denied. Additionally, in the folder named after the user, some shortcuts to folders: "cookies" - access denied after clicking, of course, "application data" - denied, in the "Default" folder the same, additional shortcuts

We all have it like that, it's normal. By default those objects are hidden.
jessi
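Added example, not part of the thread and not FRST's or the helper's own code: a small Python triage script that applies the checks from this post (IFEO "Debugger" entries that swallow security tools) and from the DNS post above (static NameServer lists that DHCP never handed out) to FRST-style log lines, and also flags start/search pages pointing at the hijacker hosts named elsewhere in the thread. The hijacker watch list, the sample lines and the `trusted` resolver set are constructed from entries that appear in this thread; the script assumes, as the posts do, that FRST removes an entry when its log line is pasted verbatim into fixlist.txt.

```python
"""Triage helper for FRST-style log lines (added example, not FRST's code).

Flags three kinds of entries that recur in the thread and builds the fixlist
body a helper would paste back:
  IFEO\\<tool>.exe: [Debugger] svchost.exe        tool redirected via IFEO
  Tcpip\\..\\Interfaces\\{GUID}: [NameServer] ...   static resolvers not from DHCP
  ... = http://<hijacker host>/...                start/search page hijacked
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$")
NS_RE = re.compile(
    r"^Tcpip\\\.\.\\Interfaces\\(?P<guid>\{[0-9A-Fa-f-]+\}): "
    r"\[(?P<kind>DhcpNameServer|NameServer)\] (?P<servers>.+)$"
)
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+")  # FRST defangs some URLs as hxxp://

# Hijacker hosts named in the thread (constructed watch list; extend per case).
HIJACK_DOMAINS = {
    "isearch.omiga-plus.com", "www.istartsurf.com", "www.oursurfing.com",
    "search.delta-homes.com", "do-search.com",
}

# Constructed sample: lines copied from the posts above, in FRST's format.
SAMPLE_LOG = r"""
IFEO\adwcleaner_4.207.exe: [Debugger] svchost.exe
IFEO\FRST64.exe: [Debugger] svchost.exe
IFEO\regedit.exe: [Debugger] svchost.exe
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{54BDED8A-D40D-44FF-9BDD-D509FE5D5B73}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2
Tcpip\..\Interfaces\{B521B25A-E08D-482E-8F75-4676802405F9}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{FDCE7034-8F07-4CB0-94DE-A0D7F8BF0608}: [NameServer] 82.163.143.134,82.163.142.136
Tcpip\..\Interfaces\{FDCE7034-8F07-4CB0-94DE-A0D7F8BF0608}: [DhcpNameServer] 194.168.4.100 194.168.8.100
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hppp&from=cor
FF NewTab: hxxp://www.istartsurf.com/newtab/?type=nt&from=obw
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
""".strip().splitlines()


def _split_servers(field):
    # FRST separates resolvers with commas or spaces depending on the value.
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def find_ifeo_hijacks(lines):
    """Every IFEO Debugger redirection as (image, debugger).

    A real debugger (windbg, vsjitdebugger) may legitimately sit here, so this
    is a review list, not a verdict; svchost.exe as the 'debugger' simply
    prevents the named tool from ever starting.
    """
    return [(m["image"], m["debugger"].strip())
            for m in map(IFEO_RE.match, lines) if m]


def find_dns_anomalies(lines, trusted=frozenset()):
    """Interfaces whose static NameServer list holds public resolvers that
    neither DHCP supplied nor the operator trusts, as (guid, [servers])."""
    dhcp, static = {}, {}
    for m in map(NS_RE.match, lines):
        if m:
            target = dhcp if m["kind"] == "DhcpNameServer" else static
            target[m["guid"]] = _split_servers(m["servers"])
    findings = []
    for guid, servers in static.items():
        allowed = set(dhcp.get(guid, ())) | set(trusted)
        extra = [s for s in servers
                 if s not in allowed and not ip_address(s).is_private]
        if extra:
            findings.append((guid, extra))
    return findings


def find_search_hijacks(lines):
    """Lines whose first URL host is on the watch list, as (line, host)."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlparse(url.replace("hxxp", "http", 1)).hostname
            if host in HIJACK_DOMAINS:
                hits.append((line, host))
                break
    return hits


def build_fixlist(lines):
    """Fixlist body in the shape used in the thread: flagged IFEO and
    search-page lines verbatim, then EmptyTemp:. DNS findings are only
    reported, since the thread treats them as a router problem."""
    keep = [line for line in lines if IFEO_RE.match(line)]
    keep += [line for line, _ in find_search_hijacks(lines)]
    return keep + ["EmptyTemp:"]


if __name__ == "__main__":
    for image, dbg in find_ifeo_hijacks(SAMPLE_LOG):
        print(f"IFEO hijack: {image} -> {dbg}")
    for guid, extra in find_dns_anomalies(SAMPLE_LOG, trusted={"8.8.8.8", "8.8.4.4"}):
        print(f"Static DNS on {guid} not from DHCP: {', '.join(extra)}")
    for line, host in find_search_hijacks(SAMPLE_LOG):
        print(f"Search hijack ({host}): {line}")
    print("\n".join(["--- fixlist.txt ---", *build_fixlist(SAMPLE_LOG)]))
```

Run it as-is to see the report for the constructed sample; to triage a real log, replace `SAMPLE_LOG` with the lines of FRST.txt and put the resolvers your network is expected to use in `trusted`, so that only the resolvers nobody configured on purpose are reported.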
-
Should I now try to make a log with GMER?

I suspect it won't work this time either.
Has the problem with the delta homes ads gone away?
.
-
The programs you listed have the same problem as Origin.

In that case, just as a test, uninstall AVG Tune Up.
We'll see whether that does anything ...
-
Most likely WIN 10 is not fit for use yet, but other owners of this new System would have to confirm that.
1) Uninstall these programs:
Swift Record (HKLM\...\Swift Record) (Version: 2015.06.05.063310 - Swift Record) <==== ATTENTION
oursurfing uninstall (HKLM-x32\...\oursurfing uninstall) (Version: - oursurfing) <==== ATTENTION
2) Use >Adw-cleaner (I don't know whether it can work on WIN 10)
First click SZUKAJ (SCAN), and only after the scan has finished, when the USUŃ (CLEANING) button becomes active, click it.
Post its report C:\AdwCleaner\AdwCleaner.txt
3) Open Notepad and paste into it:
Task: {0063E258-2276-4EAC-8462-088BE4D79233} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d No Task File <==== ATTENTION
Task: {078E29BA-7A4A-4639-BC28-8C4472591377} - System32\Tasks\WINshell Event Logging => C:\Users\Figo\AppData\Local\Temp\Dscp1.exe <==== ATTENTION
Task: {08EDA4D1-DA72-458A-8542-FD3DD3F0E833} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d No Task File <==== ATTENTION
Task: {2C15334C-B4A2-4022-9995-B896AE6B94F4} - \Microsoft\Windows\File Classification Infrastructure\Property Definition Sync No Task File <==== ATTENTION
Task: {4CABC4F8-B5E8-48EA-BA05-622E618A11FD} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd No Task File <==== ATTENTION
Task: {52279677-8374-4A9C-B7A2-32D5DA41F1A7} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d No Task File <==== ATTENTION
Task: {6C6BD1F8-89DB-4FF1-821A-5086F6AE6914} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B No Task File <==== ATTENTION
Task: {6F6985AD-E55C-46C9-BB08-C3D688A39256} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig No Task File <==== ATTENTION
Task: {A514892A-42F6-4BCB-827C-98FE95667D8B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent No Task File <==== ATTENTION
Task: {B649D2B9-E07B-498B-9942-92E4C83A81C0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess No Task File <==== ATTENTION
Task: {BF8EB137-4656-4C6B-AF10-D0DD0776B728} - System32\Tasks\WINshell Event Notification => C:\Users\Figo\AppData\Local\Temp\SBCint2.exe <==== ATTENTION
Task: {C19FDC78-75A7-4EE7-A21D-602F11229DE2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d No Task File <==== ATTENTION
Task: {DEDDDCD5-3959-4624-85E6-6D3876FC7E19} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d No Task File <==== ATTENTION
Task: {F21E9182-51EB-47F6-AD7E-0D2DE2E90EEE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent No Task File <==== ATTENTION
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\Program Files (x86)\MiuiTab
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
HKU\S-1-5-21-2705386953-3286083312-722412902-1050\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1437055478&z=746f9b6f87ffc4d4fec4216g8zec8mde2wewbz0mfm&from=wpm07163&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
HKU\S-1-5-21-2705386953-3286083312-722412902-1050\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322
HKU\S-1-5-21-2705386953-3286083312-722412902-1050\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.delta-homes.com/web/?type=ds&ts=1437055478&z=746f9b6f87ffc4d4fec4216g8zec8mde2wewbz0mfm&from=wpm07163&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
BHO-x32: GoodTab Class -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-15] (Thinkgood Co. Limited)
BHO-x32: Swift Record 1.0.0.7 -> {2247a894-1cf2-41be-b39a-beaba7cadcdc} -> C:\Program Files (x86)\Swift Record\SwiftRecordbho.dll [2015-06-05] (Swift Record)
BHO-x32: LuckyTab Class -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-15] (Thinkgood Co. Limited)
C:\Program Files (x86)\Swift Record
FF NewTab: chrome://quick_start/content/index.html
FF DefaultSearchEngine: delta-homes
FF SelectedSearchEngine: delta-homes
FF SearchPlugin: C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\searchplugins\delta-homes.xml [2015-07-30]
FF SearchPlugin: C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\searchplugins\oursurfing.xml [2015-07-16]
FF Extension: Default NewTab - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\default_newtabff@gmail.com [2015-07-16]
FF Extension: Default SearchProtected - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\defsearchp@gmail.com [2015-07-16]
FF Extension: QuickSearch - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\searchffv2@gmail.com [2015-06-05]
FF Extension: Search Enginer - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\sweetsearch@gmail.com [2015-06-05]
FF Extension: Swift Record 1.0.1 - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\firefox@theswiftrecord.com.xpi [2015-06-05]
FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\Figo\AppData\Roaming\Mozilla\Firefox\Profiles\s02jb548.default\extensions\searchengine@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [searchffv2@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\searchffv2@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\sweetsearch@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\default_newtabff@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\defsearchp@gmail.com
R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-07-15] (XTab system)
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
C:\ProgramData\boost_interprocess
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
IFEO\origin.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
Origin is being launched through AVG PC TuneUp.
Check whether the other programs launched this way also work, e.g.:
IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\ccleaner64.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\napisy24.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
jessi
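The IFEO entries above work because Windows starts whatever the Debugger value names in place of the listed program. This added PowerShell check (not part of the original post, and not an FRST feature) lists every such entry on the current machine and flags the ones worth a look; the known-good list and the verdict wording are assumptions.

```powershell
# Added example (not part of jessica's post): list every Image File Execution Options (IFEO)
# "Debugger" value, the mechanism behind FRST's "IFEO\<name>.exe: [Debugger] ..." lines.
# Windows starts the Debugger instead of the named program and hands it the program's path,
# so a legitimate optimizer such as AVG PC TuneUp shows up here, but so does a hijack whose
# debugger never launches the original tool. $knownGood and the verdict texts are assumptions.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debugger executables expected on this machine; TUAutoReactivator64.exe is the one in the log above.
$knownGood = @('TUAutoReactivator64.exe')

function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }

            # The value may be quoted and may carry arguments; keep only the executable.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            # A bare name such as "svchost.exe" is resolved through PATH, as CreateProcess would do.
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Source }
            }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $leaf = [System.IO.Path]::GetFileName($exe)

            # Heuristic verdicts: a missing or system-binary debugger means the program never runs.
            $verdict = if (-not $exists) { 'debugger missing: the program will not start' }
                       elseif ($knownGood -contains $leaf) { 'known optimizer' }
                       elseif ($exe -like "$env:SystemRoot\System32\*") { 'Windows system binary: program silently suppressed' }
                       else { 'review: unknown debugger' }

            [pscustomobject]@{
                Program  = $key.PSChildName
                Debugger = $dbg
                Exists   = $exists
                Verdict  = $verdict
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object Verdict, Program | Format-Table -AutoSize
```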
-
And that Fixlog.txt file, should I attach it here?
No.
-
OK, done.
Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
Delete the remaining C:\FRST folder with SHIFT+DEL.
jessi
-
but the computer is still sluggish.
I have no cure for that.
Maybe, just in case, also use > MBAM
During installation, uncheck the box next to "Start the Malwarebytes Anti-Malware Premium trial period".
jessi
-
1) Uninstall this program:
SecurityUtility (HKLM-x32\...\SecurityUtility) (Version: - ) <==== ATTENTION
2) Open Notepad and paste into it:
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
AppInit_DLLs: C:\ProgramData\SecurityUtility\SecurityUtility64.dll => C:\ProgramData\SecurityUtility\SecurityUtility64.dll [978944 2015-07-29] (SecurityUtility)
AppInit_DLLs-x32: C:\ProgramData\SecurityUtility\SecurityUtility32.dll => C:\ProgramData\SecurityUtility\SecurityUtility32.dll [784896 2015-07-29] (SecurityUtility)
Task: {0427B3E3-3FEE-4871-8F77-AFD137F52C93} - System32\Tasks\{8677B996-FCE6-4F54-885C-93E7FF6C2567} => pcalua.exe -a C:\Users\Agata\AppData\Roaming\sweet-page\UninstallManager.exe -c -ptid=cor
Task: {05E23C15-8EA3-4439-91C3-6DF4EA18D4DC} - System32\Tasks\{784998BD-9782-43A0-8144-2A24F015D57C} => pcalua.exe -a C:\Windows\COREL\UNINST32.EXE
C:\Users\Agata\AppData\Roaming\sweet-page\
Task: {288418E6-D1DC-46FF-AF49-4CDE00F62B18} - System32\Tasks\{2832CF76-0316-497A-866E-AE880A48B69F} => pcalua.exe -a C:\Users\Agata\Desktop\Easy_Display_Manager_3.2.5.0\setup.exe -d C:\Users\Agata\Desktop\Easy_Display_Manager_3.2.5.0
Task: {42B0AD6E-AE06-4001-A811-2C4768D28BE1} - System32\Tasks\{A804097A-2F3B-426F-A49C-F8BDB1ED6BC1} => pcalua.exe -a C:\Users\Agata\Desktop\Easy_Display_Manager_3.1.5.0\setup.exe -d C:\Users\Agata\Desktop\Easy_Display_Manager_3.1.5.0
Task: {5572AC11-9D13-4526-953B-A4A7E7ED6BCA} - System32\Tasks\{81EA23D6-C2B6-4641-9AB4-D08EFEBA95E9} => pcalua.exe -a D:\MOVIE_MAKER_PL_INSTALLER.exe -d D:\
Task: {56B5ED1C-7BC6-4731-BDCB-0D380B75809C} - System32\Tasks\{6013FD13-7A16-4B35-9804-A6DD4F370CEC} => pcalua.exe -a C:\Users\Agata\Downloads\Swf2Avi_Setup(2).exe -d "C:\Program Files (x86)\Mozilla Firefox"
Task: {65E6C50E-3833-4439-AAC4-AF32BDB11DE8} - System32\Tasks\DZTRCFHC1 => C:\ProgramData\SecurityUtility\SecurityUtility.exe [2015-07-29] (SecurityUtility) <==== ATTENTION
Task: {9547888E-55BA-4118-AE36-D14F4626A577} - System32\Tasks\{285166DF-E7B7-43A5-9DDC-B955D2373709} => pcalua.exe -a "C:\Program Files (x86)\Corel\Corel Painter 11\Setup\Setup.exe" -d "C:\Program Files (x86)\Corel\Corel Painter 11\Setup"
Task: {97221805-52A6-4150-B485-4B03825C5ED1} - System32\Tasks\{1C186B48-74E2-42FE-8B7E-DA4AD8436A7D} => pcalua.exe -a E:\setup.exe -d E:\
Task: {9B8B34FC-DEA9-4B7F-9925-777A05981026} - System32\Tasks\{EA218B42-D195-4AB2-BA5F-13DABA1E4740} => pcalua.exe -a C:\Users\Agata\Desktop\FontLab\FLS5WinFull.exe -d C:\Users\Agata\Desktop\FontLab
Task: {B2B82C1D-AA83-43B8-B947-3F6DF9D9744E} - System32\Tasks\{6576076C-4EE9-49CF-A169-DFC4AD9F2C1D} => pcalua.exe -a "C:\Users\Agata\Desktop\Natural Ilusion Studio\Crack Nufsoft.Nature.Illusion.Studio.v2.20 «Ô www.zaza.net.ua.exe" -d "C:\Users\Agata\Desktop\Natural Ilusion Studio"
Task: {D67DAF37-19AC-457D-BD26-51B760E6F834} - System32\Tasks\{CA557465-BAF3-4EA9-A3E6-F6DF57A1EFF5} => pcalua.exe -a "C:\Users\Agata\Desktop\Crack Nufsoft.Nature.Illusion.Studio.v2.20 «Ô www.zaza.net.ua.exe" -d C:\Users\Agata\Desktop
Task: {DE8AD3B5-9977-402F-B401-2FFF9B7363B1} - System32\Tasks\{0395B830-924C-4B93-8D95-484AA276CD7D} => pcalua.exe -a C:\Users\Agata\Downloads\FLS5WinDemo.exe -d "C:\Program Files (x86)\Mozilla Firefox"
Task: {E1F518D0-822F-4BAC-A97F-942B015BF2E5} - System32\Tasks\{C5AB39F4-056E-4882-8D03-FCCF41263DF9} => pcalua.exe -a C:\Users\Agata\Downloads\HijackThis_v1.99.1.exe -d C:\Users\Agata\Downloads
Task: C:\Windows\Tasks\DZTRCFHC1.job => C:\ProgramData\SecurityUtility\SecurityUtility.exe <==== ATTENTION
C:\ProgramData\SecurityUtility
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-07-03] <==== ATTENTION
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\MobileGo\DriverInstall.exe" [X]
C:\Windows\System32\Tasks\DZTRCFHC1
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
"Loud fan noise in the laptop"
A hardware problem probably does not belong in this section of the forum.
jessi
-
Open Notepad and paste into it:
Task: {0509FAF6-07A9-4F6E-90EC-783847EB937C} - System32\Tasks\PFExe => C:\Users\Sergiusz\AppData\Local\PriceFountain\pricefountain.exe
Task: {82EFEAAF-951A-42E9-812F-8B664530633C} - System32\Tasks\HealthBooster => c:\programdata\{39724e61-4869-7441-3972-24e614863985}\arksurvivalevolvedfreedownloadfullversionpcgame.exe-1437673382842.exe <==== ATTENTION
C:\Users\Sergiusz\AppData\Local\PriceFountain
c:\programdata\{39724e61-4869-7441-3972-24e614863985}
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
HKU\S-1-5-21-2962764545-2036589733-128886746-1000\...\Run: [bingSvc] => C:\Users\Sergiusz\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-04-07] (© 2015 Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR Extension: (Sale Clipper) - C:\Users\Sergiusz\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlhikpaegeblidjhkeefjdjegganhpg [2015-07-23]
OPR Extension: (Sale Clipper) - C:\Users\Sergiusz\AppData\Roaming\Opera Software\Opera Stable\Extensions\odlhikpaegeblidjhkeefjdjegganhpg [2015-07-23]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 wasvc_1.10.0.19; "C:\Program Files (x86)\WordAnchor_1.10.0.19\Service\wasvc.exe" [X]
C:\Program Files (x86)\WordAnchor_1.10.0.19
C:\{b6a94784-0ffb-4121-88c6-435139067ee2}.xpi
C:\ProgramData\14517000821272660046
C:\Windows\Tasks\HealthBooster.job
C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b
C:\Windows\System32\Tasks\HealthBooster
C:\Windows\Tasks\HealthBooster.job
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
CHR dev: Chrome dev build detected! <======= ATTENTION
Uninstall this vulnerable version of Google Chrome.
Install it from here > http://www.google.com/chrome/
Write back whether the ad problem is gone.
jessi
-
Folder usunięto : C:\ProgramData\ytd video downloader
Folder usunięto : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
Folder usunięto : C:\Program Files (x86)\GreenTree Applications
but AdwCleaner did remove YTD anyway; I don't know why it considers it harmful.
On my machine it doesn't display any ads.
Open Notepad and paste into it:
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
SearchScopes: HKU\S-1-5-21-469452061-1298869841-811214127-1000 -> {A308FDAE-E64A-4BC0-8CFE-EDB3904BA200} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=407453&p={searchTerms}
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.
Then we finish:
Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
Delete the remaining C:\FRST folder with SHIFT+DEL.
In AdwCleaner click the Uninstall (UNINSTALL) button.
jessi
-
I think we can finish:
Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.
Delete the remaining C:\FRST folder with SHIFT+DEL.
In AdwCleaner click the Uninstall (UNINSTALL) button.
"The laptop has slowed down and is overheating"
That may be a hardware problem.
jessi
AVAST and URL:Mal
in the Emergency Help section
Posted
1) Open Notepad and paste into it:
Save the file as fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
2) Write back whether the problem is gone.
jessi