jessica

Users
  • Posts: 4 099

Replies posted by jessica

  1. 1) Open Notepad and paste into it:

     

    CustomCLSID: HKU\S-1-5-21-1314707758-3757759569-2420262139-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\icmp.dll (Windows ® Codename Longhorn DDK provider) <==== ATTENTION
    C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    HKLM\...\Run: [] => [X]
    Task: {222AC5F9-A1A7-4713-94BF-A3EC30EA51EC} - System32\Tasks\{1D0606FA-F570-4A6F-B831-F8D99D6EBA88} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe" -c -runfromtemp -l0x0009 -ADDREMOVE -removeonly
    Task: {FBD543A8-7503-4B75-92E5-E1A6FDA660E0} - System32\Tasks\{3B22EF72-97CC-48BB-8EDE-3C99B1580FD2} => pcalua.exe -a D:\setup.exe -d D:\
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    GroupPolicyUsers\S-1-5-21-1314707758-3757759569-2420262139-1000\User: Group Policy Restriction detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Programy\Java 7\bin\ssv.dll No File
    Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    2) Write back: did the problem go away?

     

    jessi

  2. Not everything got removed - the Shortcut.TXT log is missing, so I improvised, but that didn't work. It's not very important, so we'll leave it alone.

    In my opinion it should be OK now.

    Open Notepad and paste into it:

     

    DeleteQuarantine:

    Save the file as fixlist.txt and put it next to FRST. Run FRST and click Fix.
    Then delete the remaining C:\FRST folder using SHIFT+DEL.

     

    jessi

  3. 1) Uninstall this program:

    Update for PriceFountain (HKU\S-1-5-21-1603798188-3409358739-4023605629-1001\...\Price Fountain) (Version:  - Update for PriceFountain) <==== ATTENTION

     

    2) Open Notepad and paste into it:

     

    HKLM-x32\...\Run: [CMD] => cmd.exe /c start http://zivlingamer.org&& exit
    HKU\S-1-5-21-1603798188-3409358739-4023605629-1001\...\Run: [EpicScale] => [X]
    IFEO\adwcleaner_4.204.exe: [Debugger] svchost.exe
    IFEO\AnVir.exe: [Debugger] svchost.exe
    IFEO\AutoLogger.exe: [Debugger] svchost.exe
    IFEO\avz.exe: [Debugger] svchost.exe
    IFEO\CCleaner.exe: [Debugger] svchost.exe
    IFEO\CCleaner64.exe: [Debugger] svchost.exe
    IFEO\FRST.exe: [Debugger] svchost.exe
    IFEO\FRST64.exe: [Debugger] svchost.exe
    IFEO\HiJackThis.exe: [Debugger] svchost.exe
    IFEO\regedit.exe: [Debugger] svchost.exe
    IFEO\RegWorks.exe: [Debugger] svchost.exe
    IFEO\RSIT.exe: [Debugger] svchost.exe
    IFEO\RSITx64.exe: [Debugger] svchost.exe
    ShortcutTarget: Registration Brothers In Arms.LNK -> D:\Users\Albert\Downloads\[ DARMOWE-TORENTY.PL ] Brothers In Arms Road To Hill 30 [PL]\BIA\Support\Register\RegistrationReminder.exe (No File)
    ShortcutTarget: Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK -> D:\Program Files (x86)\Ubisoft\Heroes of Might and Magic V Collector Edition\registrationa1\RegistrationReminder.exe (No File)
    ShortcutTarget: Registration Heroes of Might & Magic 5 - Tribes of the East.LNK -> D:\Program Files (x86)\Ubisoft\Heroes of Might and Magic V - Dzikie Hordy\registration\RegistrationReminder.exe (No File)
    ShortcutTarget: Registration Heroes of Might & Magic 5.LNK -> D:\Program Files (x86)\Ubisoft\Heroes of Might and Magic V Collector Edition\registration\RegistrationReminder.exe (No File)
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hppp&ts=1420906686&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1420906610&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294&q={searchTerms}
    Task: {0881D68E-8B47-4413-8A55-A56B955A6A21} - System32\Tasks\YTAHelper => C:\Program Files (x86)\YTAHelper\YTAHelper.exe <==== ATTENTION
    Task: {0D7CF67F-9FFC-4D8F-A780-6ECC2EA58DAA} - System32\Tasks\Installer_shopperpro => C:\Users\Albert\AppData\Local\Installer\Installshopperpro_25350\DCytaiesmt_smtyc_setup.exe <==== ATTENTION
    Task: {83802072-3D81-4B14-909A-F58285014A37} - System32\Tasks\YTAUpdate_logon => C:\PROGRA~2\YOUTUB~1\Updater.exe <==== ATTENTION
    Task: {91A579AE-5DBA-48CE-BF70-CBA20335DF6F} - System32\Tasks\SMW_UpdateTask_Time_343139353431323131382d5a4a6c414a34572a506c415a => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
    Task: {A986801E-259D-45FF-80DA-9FE130563DA9} - System32\Tasks\{6829FEB9-37F4-4DBB-B852-0E9B1EF731B3} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
    Task: {CE847ECB-1E4F-4C36-86C7-0E3DDE85B25A} - System32\Tasks\SMWUpd => C:\Program Files\Common Files\Goobzo\GBUpdate\updater.exe <==== ATTENTION
    Task: {E526EF94-64BF-42E4-B16F-C366E681CAE7} - System32\Tasks\YTAUpdate => C:\PROGRA~2\YOUTUB~1\Updater.exe <==== ATTENTION
    C:\Program Files\Common Files\Goobzo
    C:\ProgramData\SearchModule
    C:\PROGRA~2\YOUTUB~1
    C:\Users\Albert\AppData\Local\Installer\Installshopperpro_25350
    Reg: reg delete HKU\S-1-5-21-1603798188-3409358739-4023605629-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v GoobzoYouTubeAccelerator /f
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1420906686&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420906610&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1603798188-3409358739-4023605629-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420906686&from=cor&uid=WDCXWD1600AAJS-00PSA0_WD-WMAP9184929449294&q={searchTerms}
    BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
    BHO: YTAHelper -> {FCE3FA8B-BA81-467C-81D8-E43C00D1BC71} ->  No File
    BHO-x32: No Name -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} ->  No File
    BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
    BHO-x32: No Name -> {b608cc98-54de-4775-96c9-097de398500c} ->  No File
    FF SelectedSearchEngine: AVG Secure Search
    FF Keyword.URL: hxxp://www-searches.com/search.aspx?s=F1Ezdefytd1,6b6268af-3076-4d9c-a5b6-1edc0b59a364,&q=
    FF SearchPlugin: C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\searchplugins\omiga-plus.xml [2015-01-10]
    FF HKLM-x32\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\extensions\fftoolbar2014@etech.com
    FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> E:\VLC\npvlc.dll No File
    FF SearchPlugin: C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\searchplugins\omiga-plus.xml [2015-01-10]
    FF HKLM-x32\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\t1dq93ol.default\extensions\fftoolbar2014@etech.com
    S2 YouTubeAcceleratorService; C:\PROGRA~2\YOUTUB~1\YouTubeAcceleratorService.exe -start -scm [X]
    S3 SMUpdd; \??\C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys [X]
    S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    3) Make new FRST logs

     

    jessi

  4. An infection is visible in the Registry, but FRST doesn't show whether it is active or whether only the key is left behind.

     

    Open Notepad and paste into it:

     

    HKU\S-1-5-21-577312002-1100195492-3471646395-1000\...\Run: [NextLive] => C:\Windows\SysWOW64\rundll32.exe "C:\Users\Józek\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l
    C:\Users\Józek\AppData\Roaming\newnext.me
    C:\Windows\SysWOW64\AI_RecycleBin
    S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
    S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
    S3 GPUZ; \??\C:\Users\JZEK~1\AppData\Local\Temp\GPUZ.sys [X]
    S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
    HKLM\...\Run: [] => [X]
    Task: {14997039-7103-4FE6-B471-90369E6A7B6E} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask No Task File <==== ATTENTION
    Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification No Task File <==== ATTENTION
    Task: {A1F906E1-6A75-4800-B131-6E71D6193184} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline No Task File <==== ATTENTION
    Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent No Task File <==== ATTENTION
    Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector No Task File <==== ATTENTION
    Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector No Task File <==== ATTENTION
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.

     

    jessi

  5. 1)

    Wander Burst (HKLM-x32\...\Wander Burst) (Version: 2.0.5691.2480 - Wander Burst) <==== ATTENTION

    Try to uninstall this program.

    2) Use >Adw-cleaner
    First click SEARCH (SCAN), and only after the scan finishes, when the REMOVE (CLEANING) button becomes active, click it.
    Show its report C:\AdwCleaner\AdwCleaner.txt

     

    3)

     

    EDIT:

    Is this topic even still current (help on another forum)?

     

    jessi

  6. 1) Use >>RogueKiller (to download, click the x64 image after "Lien de téléchargement :")
    In it click SCAN, and once it has found the malicious items click DELETE. Show both of its reports.

     

    2) Open Notepad and paste into it:

     

    C:\Users\Anna\googleupdate.exe
    C:\Users\Anna\jucheck.exe
    C:\Users\Anna\notepad.exe
    C:\Windows\Tasks\{271FC8F2-3068-4517-A5D2-DE0F32FABD26}.job
    C:\$Recycle.Bin\S-1-5-21-3596678123-563365736-238587739-1000\$dd68e21f7ab636dd14d9852afa13c41a
    C:\ProgramData\bddafffffbecbc.cfg
    C:\ProgramData\birweksqwuqfndl
    C:\ProgramData\poxfvcupxfporbe
    C:\ProgramData\umisvraysicuqwx
    C:\Users\Anna\AppData\Local\nsa478D.tmp
    C:\ProgramData\InstallMate
    FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\17.3.0.49
    FF HKLM-x32\...\Firefox\Extensions: [8hffxtbr@Allin1Convert_8h.com] - C:\Program Files (x86)\Allin1Convert_8h\bar\1.bin
    FF HKU\S-1-5-21-3596678123-563365736-238587739-1000\...\Firefox\Extensions: [{7FF62C02-5B5D-CE36-F37E-D2B63C8A2E4F}] - C:\Program Files (x86)\ver5BlockAndSurf\187.xpi
    FF HKLM-x32\...\Firefox\Extensions: [4zffxtbr@VideoDownloadConverter_4z.com] - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin
    C:\Program Files (x86)\VideoDownloadConverter_4z
    C:\Program Files (x86)\ver5BlockAndSurf
    C:\Program Files (x86)\Allin1Convert_8h
    C:\ProgramData\AVG Secure Search
    BHO-x32: Toolbar BHO -> {fbcbc43a-dca9-4192-a4c8-b57fd0f77d4d} -> C:\PROGRA~2\ALLIN1~2\bar\1.bin\8hbar.dll No File
    URLSearchHook: HKU\S-1-5-21-3596678123-563365736-238587739-1000 - (No Name) - {5bcf818d-78c8-41b8-ba89-65c5fdac4fc4} - C:\Program Files (x86)\Allin1Convert_8h\bar\1.bin\8hSrcAs.dll No File
    HKU\S-1-5-21-3596678123-563365736-238587739-1000\...\Run: [bddafffffbecbc] => "C:\ProgramData\bddafffffbecbc.exe"
    HKU\S-1-5-21-3596678123-563365736-238587739-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3596678123-563365736-238587739-1000\$dd68e21f7ab636dd14d9852afa13c41a\n.ATTENTION! ====> ZeroAccess?
    HKU\S-1-5-21-3596678123-563365736-238587739-1000\...\Run: [Adobe CSS5.1 Manager] => C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad\bddafffffbecbad.exe <===== ATTENTION
    C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    HKLM\...\Run: [Allin1Convert Home Page Guard 64 bit] => "C:\PROGRA~2\ALLIN1~2\bar\1.bin\AppIntegrator64.exe"
    Task: C:\Windows\Tasks\{271FC8F2-3068-4517-A5D2-DE0F32FABD26}.job => C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad\bddafffffbecbad.exe
    Task: {0CACD429-9E47-4A1E-A19B-CA909FC3E59E} - System32\Tasks\{271FC8F2-3068-4517-A5D2-DE0F32FABD26} => C:\Users\Anna\AppData\Local\b56dd0a0-2810-4f80-8f95-f3ffb7e921cbad\bddafffffbecbad.exe
    CustomCLSID: HKU\S-1-5-21-3596678123-563365736-238587739-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\$Recycle.Bin ()

    c:\Users\Anna\AppData\Roaming\Microsoft\Windows\SendTo\Desk 365.lnk

    ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc
    ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters
    ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Security

    File: C:\Windows\System32\nlasvc.dll

    Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc" /s
    Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters" /s
    Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Security" /s

    EmptyTemp:


    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

     

    3) Make new FRST logs.

    4) Make a log with Farbar Service Scanner >http://download.bleepingcomputer.com/farbar/FSS.exe (tick everything for the scan).

     

    jessi

  7. Open Notepad and paste into it:

     

    C:\Windows\Minidump\*.dmp
    FF Extension: No Name - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\extensions\deskCutv2@gmail.com [not found]
    C:\ProgramData\boost_interprocess
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.

     

    Then we finish up:

    Open Notepad and paste into it:

     

    DeleteQuarantine:

    Save the file as fixlist.txt and put it next to FRST. Run FRST and click Fix.
    Then delete the remaining C:\FRST folder using SHIFT+DEL.

    In Adw-Cleaner click the Uninstall (UNINSTALL) button.

     

    jessi

  8. The logs are a week old.

    1) Uninstall these programs:

    AnyProtect (HKLM-x32\...\AnyProtect) (Version: 1.0.0.4 - CMI Limited) <==== ATTENTION

    AVG Security Toolbar (HKLM-x32\...\AVG Secure Search) (Version: 18.7.0.147 - AVG Technologies)

    BlockAndSurf (HKLM-x32\...\9D200663-F70D-D1AA-E633-EEBDBC95D7E5) (Version: - BlockAndSurf-software) <==== ATTENTION

    ConvertAd (HKLM-x32\...\ConvertAd) (Version: 1.0.0.0 - ConvertAd) <==== ATTENTION

    Delta Chrome Toolbar (HKLM-x32\...\Delta Chrome Toolbar) (Version: - Visual Tools) <==== ATTENTION

    Delta toolbar (HKLM-x32\...\delta) (Version: 1.8.21.5 - Delta) <==== ATTENTION

    iLivid (HKLM-x32\...\iLivid) (Version: 4.0.0.2624 - Bandoo Media Inc) <==== ATTENTION

    MagniPic (HKLM\...\{6DE35347-47DF-4DD6-AF3D-0FFDB60071B1}) (Version: 1.0 - ) <==== ATTENTION

    omiga-plus uninstall (HKLM-x32\...\omiga-plus uninstall) (Version: - omiga-plus) <==== ATTENTION

    Remote Desktop Access (VuuPC) (HKLM-x32\...\VOPackage) (Version: 1.0.0.0 - CMI Limited) <==== ATTENTION

    Search Protect (HKLM-x32\...\SearchProtect) (Version: 2.23.60.24 - Client Connect LTD) <==== ATTENTION

    toolbar on IE and Chrome (HKLM-x32\...\privitize) (Version: 1.8.16.22 - Industriya)

    Video Download Converter version 1.0.0.0 (HKLM-x32\...\VDC_is1) (Version: 1.0.0.0 - ) <==== ATTENTION

    webssearches uninstall (HKLM-x32\...\webssearches uninstall) (Version: - webssearches) <==== ATTENTION

    Picexa (HKLM-x32\...\Picexa) (Version: - Taiwan Shui Mu Chih Ching Technology Limited)

     

    2) Adw-Cleaner:

    First click SEARCH (SCAN), and only after the scan finishes, when the REMOVE (CLEANING) button becomes active, click it.

    Show its report C:\AdwCleaner\AdwCleaner.txt

    3) Make new FRST logs.

     

    jessi

  9. 1) Use >Adw-cleaner
    First click SEARCH (SCAN), and only after the scan finishes, when the REMOVE (CLEANING) button becomes active, click it.
    Show its report C:\AdwCleaner\AdwCleaner.txt

    2) Open Notepad and paste into it:

     

    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-948294637-126623534-2788625075-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=obw&utm_campaign=install_ie&utm_content=ds&from=obw&uid=ADATAXSP920SS_14140C1147390C114739&ts=1438025561&type=default&q={searchTerms}
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739
    FF NewTab: hxxp://www.istartsurf.com/newtab/?type=nt&ts=1438025515&z=edfa5004c1046cfbbd8e761gcz5cab6efoewdzaqem&from=obw&uid=ADATAXSP920SS_14140C1147390C114739
    FF SearchPlugin: C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\searchplugins\istartsurf.xml [2015-07-27]
    FF Extension: deskCut - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\Extensions\deskCutv2@gmail.com [2015-07-27]
    FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Piotr\AppData\Roaming\Mozilla\Firefox\Profiles\ifukcu1k.default\extensions\deskCutv2@gmail.com
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\ProgramData\8982373780703246254
    2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\RSS Subscription Extension by
    2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\CutThePrice
    2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\CuatThePruice
    2015-07-27 21:34 - 2015-07-27 21:34 - 00000000 ____D C:\Program Files (x86)\bestadblocker
    2015-07-27 21:33 - 2015-07-28 22:19 - 00000000 ____D C:\ProgramData\ahphcahnkamaapjichgaamkckohjfcac
    2015-07-27 21:32 - 2015-07-29 20:07 - 00000000 ____D C:\Users\Piotr\AppData\Roaming\istartsurf
    2015-07-27 21:32 - 2015-07-28 22:25 - 00000000 ____D C:\ProgramData\{22f70bc9-6994-e68d-22f7-70bc96992f25}
    2015-07-27 21:32 - 2015-07-27 21:43 - 00000000 ____D C:\ProgramData\tWinManProt
    2015-07-27 21:32 - 2015-07-27 21:43 - 00000000 ____D C:\Program Files (x86)\MiuiTab
    2015-07-27 21:32 - 2015-07-27 21:36 - 00000000 ____D C:\Users\Piotr\AppData\Local\ospd_us_013010043
    2015-07-27 21:32 - 2015-07-27 21:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ONESOFTPERDAY
    2015-07-27 21:32 - 2015-07-27 21:32 - 00000000 ____D C:\ProgramData\IHProtectUpDate
    2015-07-27 21:32 - 2015-07-27 21:32 - 00000000 ____D C:\Program Files (x86)\ospd_us_013010043
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

     

    3)

     

    CHR dev: Chrome dev build detected! <======= ATTENTION

    Uninstall this vulnerable version of Google Chrome.
    Install it from here > http://www.google.com/chrome/

    4) Make new FRST logs

    5) Write back: did this change the situation?

     

    jessi

  10. Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

    Tcpip\..\Interfaces\{54BDED8A-D40D-44FF-9BDD-D509FE5D5B73}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

    Tcpip\..\Interfaces\{B521B25A-E08D-482E-8F75-4676802405F9}: [DhcpNameServer] 192.168.1.1 192.168.1.1

    Tcpip\..\Interfaces\{FDCE7034-8F07-4CB0-94DE-A0D7F8BF0608}: [NameServer] 82.163.143.134,82.163.142.136

    Tcpip\..\Interfaces\{FDCE7034-8F07-4CB0-94DE-A0D7F8BF0608}: [DhcpNameServer] 194.168.4.100 194.168.8.100

    Do you live in the USA and in Great Britain?

    Maybe the router needs to be thrown in the trash?

     

    jessi

  11. I don't see any infection here.

    But the effects of an infection are visible:

    IFEO\adwcleaner_4.207.exe: [Debugger] svchost.exe
    IFEO\adwcleaner_4.208.exe: [Debugger] svchost.exe
    IFEO\AnVir.exe: [Debugger] svchost.exe
    IFEO\AutoLogger.exe: [Debugger] svchost.exe
    IFEO\CCleaner64.exe: [Debugger] svchost.exe
    IFEO\FRST.exe: [Debugger] svchost.exe
    IFEO\FRST64.exe: [Debugger] svchost.exe
    IFEO\RegWorks.exe: [Debugger] svchost.exe
    IFEO\RSITx64.exe: [Debugger] svchost.exe

    I don't, however, see "regedit" being blocked.

    Open Notepad and paste into it:

     

    IFEO\adwcleaner_4.207.exe: [Debugger] svchost.exe
    IFEO\adwcleaner_4.208.exe: [Debugger] svchost.exe
    IFEO\AnVir.exe: [Debugger] svchost.exe
    IFEO\AutoLogger.exe: [Debugger] svchost.exe
    IFEO\CCleaner64.exe: [Debugger] svchost.exe
    IFEO\FRST.exe: [Debugger] svchost.exe
    IFEO\FRST64.exe: [Debugger] svchost.exe
    IFEO\RegWorks.exe: [Debugger] svchost.exe
    IFEO\RSITx64.exe: [Debugger] svchost.exe
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    S0 ulkfbuht; C:\Windows\SysWOW64\drivers\krts.sys
    C:\Windows\SysWOW64\drivers\krts.sys
    IFEO\regedit.exe: [Debugger] svchost.exe
    S0 yddg; C:\Windows\SysWOW64\drivers\fbmnvb.sys [61440 2015-03-09] () [File not signed]
    C:\Windows\SysWOW64\drivers\fbmnvb.sys
    EmptyTemp:

    Save the file as fixlist.txt and put it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

     

    Make a new FRST log - this time without Additional and without Shortcut.

    Check: what still doesn't work?

    some additional folders and shortcuts appeared on drive c that weren't there before, to which access is denied „$RECYCLE.BIN”. E.g. „$RECYCLE.BIN” and inside it a file named Recycle Bin with a little padlock, leading to an empty folder, Config.Msi – access denied, System Volume Information - access denied,

    Those objects were always there, they were just hidden!

    „$RECYCLE.BIN” - that really is the system name of the Recycle Bin.

    "System Volume Information" - this is the folder where the copies of files needed for "System Restore" are stored.

    "Config.Msi" - a System object.

    The User has no access to any of these objects, so of course you don't have access either.

    in „users” the folder „Default User” with a little padlock – access denied. Additionally, in the folder named after the user there are some shortcuts to folders: „cookies” – access denied after clicking, of course, „application data” – denied, in the „Default” folder the same, additional shortcuts

    We all have that, it's normal. By default these objects are hidden.

     

    jessi
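The IFEO "[Debugger] svchost.exe" entries in the reply above are the anti-tool trick it describes: a genuine debugger registration points at a full path, while a bare svchost.exe just makes the named tool fail to start. As an added example (not part of the original thread and not FRST's own code), the script below triages FRST-style log lines for such hijacks and for orphaned ([X], file missing) or unsigned boot-start driver services, then emits the matching fixlist lines; the sample log is constructed in FRST's line formats.

```python
"""Triage FRST log lines for IFEO "Debugger" hijacks and suspicious driver
services, then emit the fixlist lines a helper would paste. Added example;
the sample log below is constructed in FRST's line formats, not a real log."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
IFEO\adwcleaner_4.207.exe: [Debugger] svchost.exe
IFEO\FRST64.exe: [Debugger] svchost.exe
IFEO\regedit.exe: [Debugger] svchost.exe
IFEO\MyApp.exe: [Debugger] "C:\Program Files\Debugging Tools\windbg.exe"
S0 ulkfbuht; C:\Windows\SysWOW64\drivers\krts.sys [61440 2015-03-09] () [File not signed]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
R1 avgtdia; C:\Windows\system32\DRIVERS\avgtdia.sys [254144 2015-03-09] (AVG Technologies CZ, s.r.o.)
"""

# IFEO\<exe>: [Debugger] <value>  -- Image File Execution Options entry
IFEO_RE = re.compile(r"^IFEO\\(?P<exe>[^:]+): \[Debugger\] (?P<dbg>.+)$")
# <start> <name>; <path> [<size> <date>] (<signer>) [<flag>]  -- service line
SVC_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\S+)\])?"
    r"(?: \((?P<signer>[^)]*)\))?"
    r"(?: \[(?P<flag>[^\]]+)\])?$"
)


@dataclass
class Finding:
    kind: str
    detail: str
    fix_lines: list


def is_hijacked_debugger(dbg: str) -> bool:
    """A real debugger registration is a full path (e.g. to windbg.exe).
    A bare executable name such as svchost.exe makes Windows launch that
    instead of the tool, so the tool silently never starts."""
    value = dbg.strip().strip('"')
    return "\\" not in value and "/" not in value


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFEO_RE.match(line)
        if m:
            if is_hijacked_debugger(m["dbg"]):
                # quoting the IFEO line in fixlist.txt removes that key
                findings.append(Finding(
                    "ifeo-debugger",
                    f"{m['exe']} is redirected to {m['dbg']}",
                    [line]))
            continue
        m = SVC_RE.match(line)
        if not m:
            continue
        if m["flag"] == "X":
            # [X] is FRST's marker for a service whose file no longer exists:
            # a leftover registration, removed by quoting the line.
            findings.append(Finding(
                "orphan-service",
                f"{m['name']} points at missing file {m['path']}",
                [line]))
        elif m["start"] == "S0" and (
                m["flag"] == "File not signed" or not (m["signer"] or "").strip()):
            # Boot-start driver with no signer: quote the service line and
            # the file path so both the registration and the file go.
            findings.append(Finding(
                "unsigned-boot-driver",
                f"{m['name']} loads unsigned {m['path']} at boot",
                [line, m["path"]]))
    return findings


def build_fixlist(findings: list) -> str:
    lines = [fl for f in findings for fl in f.fix_lines]
    lines.append("EmptyTemp:")      # the closing directive used in the thread
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:22} {f.detail}")
    print("\n--- fixlist.txt ---")
    print(build_fixlist(found))
```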

  12. Most likely WIN 10 isn't fit for use yet, but other owners of this new System would have to confirm that.

    1) Uninstall these programs:

    Swift Record (HKLM\...\Swift Record) (Version: 2015.06.05.063310 - Swift Record) <==== ATTENTION

    oursurfing uninstall (HKLM-x32\...\oursurfing uninstall) (Version:  - oursurfing) <==== ATTENTION

     

    2) Use >Adw-cleaner (I don't know whether it can run on WIN 10)
    First click SEARCH (SCAN), and only after the scan finishes, when the REMOVE (CLEANING) button becomes active, click it.
    Show its report C:\AdwCleaner\AdwCleaner.txt

    3) Open Notepad and paste into it:

     

    Task: {0063E258-2276-4EAC-8462-088BE4D79233} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d No Task File <==== ATTENTION
    Task: {078E29BA-7A4A-4639-BC28-8C4472591377} - System32\Tasks\WINshell Event Logging => C:\Users\Figo\AppData\Local\Temp\Dscp1.exe <==== ATTENTION
    Task: {08EDA4D1-DA72-458A-8542-FD3DD3F0E833} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d No Task File <==== ATTENTION
    Task: {2C15334C-B4A2-4022-9995-B896AE6B94F4} - \Microsoft\Windows\File Classification Infrastructure\Property Definition Sync No Task File <==== ATTENTION
    Task: {4CABC4F8-B5E8-48EA-BA05-622E618A11FD} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd No Task File <==== ATTENTION
    Task: {52279677-8374-4A9C-B7A2-32D5DA41F1A7} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d No Task File <==== ATTENTION
    Task: {6C6BD1F8-89DB-4FF1-821A-5086F6AE6914} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B No Task File <==== ATTENTION
    Task: {6F6985AD-E55C-46C9-BB08-C3D688A39256} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig No Task File <==== ATTENTION
    Task: {A514892A-42F6-4BCB-827C-98FE95667D8B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent No Task File <==== ATTENTION
    Task: {B649D2B9-E07B-498B-9942-92E4C83A81C0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess No Task File <==== ATTENTION
    Task: {BF8EB137-4656-4C6B-AF10-D0DD0776B728} - System32\Tasks\WINshell Event Notification => C:\Users\Figo\AppData\Local\Temp\SBCint2.exe <==== ATTENTION
    Task: {C19FDC78-75A7-4EE7-A21D-602F11229DE2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d No Task File <==== ATTENTION
    Task: {DEDDDCD5-3959-4624-85E6-6D3876FC7E19} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d No Task File <==== ATTENTION
    Task: {F21E9182-51EB-47F6-AD7E-0D2DE2E90EEE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent No Task File <==== ATTENTION
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    C:\Program Files (x86)\MiuiTab
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    HKU\S-1-5-21-2705386953-3286083312-722412902-1050\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1437055478&z=746f9b6f87ffc4d4fec4216g8zec8mde2wewbz0mfm&from=wpm07163&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    HKU\S-1-5-21-2705386953-3286083312-722412902-1050\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322
    HKU\S-1-5-21-2705386953-3286083312-722412902-1050\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.delta-homes.com/web/?type=ds&ts=1437055478&z=746f9b6f87ffc4d4fec4216g8zec8mde2wewbz0mfm&from=wpm07163&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&ts=1433506898&z=25ad182c3fedb44d1ff63b6g5zbc9c9wdeaq7b1t1m&from=smt&uid=WDCXWD5000AAKB-00H8A0_WD-WCASY304032240322&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2705386953-3286083312-722412902-1050 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
    BHO-x32: GoodTab Class -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-15] (Thinkgood Co. Limited)
    BHO-x32: Swift Record 1.0.0.7 -> {2247a894-1cf2-41be-b39a-beaba7cadcdc} -> C:\Program Files (x86)\Swift Record\SwiftRecordbho.dll [2015-06-05] (Swift Record)
    BHO-x32: LuckyTab Class -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-07-15] (Thinkgood Co. Limited)
    C:\Program Files (x86)\Swift Record
    FF NewTab: chrome://quick_start/content/index.html
    FF DefaultSearchEngine: delta-homes
    FF SelectedSearchEngine: delta-homes
    FF SearchPlugin: C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\searchplugins\delta-homes.xml [2015-07-30]
    FF SearchPlugin: C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\searchplugins\oursurfing.xml [2015-07-16]
    FF Extension: Default NewTab - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\default_newtabff@gmail.com [2015-07-16]
    FF Extension: Default SearchProtected  - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\defsearchp@gmail.com [2015-07-16]
    FF Extension: QuickSearch - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\searchffv2@gmail.com [2015-06-05]
    FF Extension: Search Enginer - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\sweetsearch@gmail.com [2015-06-05]
    FF Extension: Swift Record 1.0.1 - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\Extensions\firefox@theswiftrecord.com.xpi [2015-06-05]
    FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\Figo\AppData\Roaming\Mozilla\Firefox\Profiles\s02jb548.default\extensions\searchengine@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [searchffv2@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\searchffv2@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\sweetsearch@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\default_newtabff@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Figo2\AppData\Roaming\Mozilla\Firefox\Profiles\swg4647o.default\extensions\defsearchp@gmail.com
    R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-07-15] (XTab system)
    S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
    S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
    C:\ProgramData\boost_interprocess
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be produced.
    Post that log.

    IFEO\origin.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"

    Origin is launched by means of AVG TuneUp.

    Check whether the other programs that are launched this way also work, e.g.:

    IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"

    IFEO\ccleaner64.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"

    IFEO\napisy24.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"

    jessi

  13. 1) Uninstall this program:

    SecurityUtility (HKLM-x32\...\SecurityUtility) (Version:  - ) <==== ATTENTION

    2) Open Notepad and paste into it:


    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    AppInit_DLLs: C:\ProgramData\SecurityUtility\SecurityUtility64.dll => C:\ProgramData\SecurityUtility\SecurityUtility64.dll [978944 2015-07-29] (SecurityUtility)
    AppInit_DLLs-x32: C:\ProgramData\SecurityUtility\SecurityUtility32.dll => C:\ProgramData\SecurityUtility\SecurityUtility32.dll [784896 2015-07-29] (SecurityUtility)
    Task: {0427B3E3-3FEE-4871-8F77-AFD137F52C93} - System32\Tasks\{8677B996-FCE6-4F54-885C-93E7FF6C2567} => pcalua.exe -a C:\Users\Agata\AppData\Roaming\sweet-page\UninstallManager.exe -c  -ptid=cor
    Task: {05E23C15-8EA3-4439-91C3-6DF4EA18D4DC} - System32\Tasks\{784998BD-9782-43A0-8144-2A24F015D57C} => pcalua.exe -a C:\Windows\COREL\UNINST32.EXE
    C:\Users\Agata\AppData\Roaming\sweet-page\
    Task: {288418E6-D1DC-46FF-AF49-4CDE00F62B18} - System32\Tasks\{2832CF76-0316-497A-866E-AE880A48B69F} => pcalua.exe -a C:\Users\Agata\Desktop\Easy_Display_Manager_3.2.5.0\setup.exe -d C:\Users\Agata\Desktop\Easy_Display_Manager_3.2.5.0
    Task: {42B0AD6E-AE06-4001-A811-2C4768D28BE1} - System32\Tasks\{A804097A-2F3B-426F-A49C-F8BDB1ED6BC1} => pcalua.exe -a C:\Users\Agata\Desktop\Easy_Display_Manager_3.1.5.0\setup.exe -d C:\Users\Agata\Desktop\Easy_Display_Manager_3.1.5.0
    Task: {5572AC11-9D13-4526-953B-A4A7E7ED6BCA} - System32\Tasks\{81EA23D6-C2B6-4641-9AB4-D08EFEBA95E9} => pcalua.exe -a D:\MOVIE_MAKER_PL_INSTALLER.exe -d D:\
    Task: {56B5ED1C-7BC6-4731-BDCB-0D380B75809C} - System32\Tasks\{6013FD13-7A16-4B35-9804-A6DD4F370CEC} => pcalua.exe -a C:\Users\Agata\Downloads\Swf2Avi_Setup(2).exe -d "C:\Program Files (x86)\Mozilla Firefox"
    Task: {65E6C50E-3833-4439-AAC4-AF32BDB11DE8} - System32\Tasks\DZTRCFHC1 => C:\ProgramData\SecurityUtility\SecurityUtility.exe [2015-07-29] (SecurityUtility) <==== ATTENTION
    Task: {9547888E-55BA-4118-AE36-D14F4626A577} - System32\Tasks\{285166DF-E7B7-43A5-9DDC-B955D2373709} => pcalua.exe -a "C:\Program Files (x86)\Corel\Corel Painter 11\Setup\Setup.exe" -d "C:\Program Files (x86)\Corel\Corel Painter 11\Setup"
    Task: {97221805-52A6-4150-B485-4B03825C5ED1} - System32\Tasks\{1C186B48-74E2-42FE-8B7E-DA4AD8436A7D} => pcalua.exe -a E:\setup.exe -d E:\
    Task: {9B8B34FC-DEA9-4B7F-9925-777A05981026} - System32\Tasks\{EA218B42-D195-4AB2-BA5F-13DABA1E4740} => pcalua.exe -a C:\Users\Agata\Desktop\FontLab\FLS5WinFull.exe -d C:\Users\Agata\Desktop\FontLab
    Task: {B2B82C1D-AA83-43B8-B947-3F6DF9D9744E} - System32\Tasks\{6576076C-4EE9-49CF-A169-DFC4AD9F2C1D} => pcalua.exe -a "C:\Users\Agata\Desktop\Natural Ilusion Studio\Crack Nufsoft.Nature.Illusion.Studio.v2.20 «Ô www.zaza.net.ua.exe" -d "C:\Users\Agata\Desktop\Natural Ilusion Studio"
    Task: {D67DAF37-19AC-457D-BD26-51B760E6F834} - System32\Tasks\{CA557465-BAF3-4EA9-A3E6-F6DF57A1EFF5} => pcalua.exe -a "C:\Users\Agata\Desktop\Crack Nufsoft.Nature.Illusion.Studio.v2.20 «Ô www.zaza.net.ua.exe" -d C:\Users\Agata\Desktop
    Task: {DE8AD3B5-9977-402F-B401-2FFF9B7363B1} - System32\Tasks\{0395B830-924C-4B93-8D95-484AA276CD7D} => pcalua.exe -a C:\Users\Agata\Downloads\FLS5WinDemo.exe -d "C:\Program Files (x86)\Mozilla Firefox"
    Task: {E1F518D0-822F-4BAC-A97F-942B015BF2E5} - System32\Tasks\{C5AB39F4-056E-4882-8D03-FCCF41263DF9} => pcalua.exe -a C:\Users\Agata\Downloads\HijackThis_v1.99.1.exe -d C:\Users\Agata\Downloads
    Task: C:\Windows\Tasks\DZTRCFHC1.job => C:\ProgramData\SecurityUtility\SecurityUtility.exe <==== ATTENTION
    C:\ProgramData\SecurityUtility
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2015-07-03] <==== ATTENTION
    S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\MobileGo\DriverInstall.exe" [X]
    C:\Windows\System32\Tasks\DZTRCFHC1
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be produced.
    Post that log.

    "Loud fan noise in the laptop"

    A hardware problem doesn't really belong in this section of the forum.


    jessi
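    The IFEO note in the previous reply (a Debugger value under Image File Execution Options makes Windows start the named debugger instead of the program, handing it the program's command line; that is how the AVG PC TuneUp reactivator intercepts Origin, Skype and the others, and why Origin stops launching if TuneUp is broken or removed without clearing the value) and the fix in this reply (AppInit_DLLs, a scheduled task flagged ATTENTION, pcalua.exe launcher tasks, hijacked SearchScopes) are a triage routine that can be automated. The Python below is an added example, not code from jessica, from FRST or from this forum: it classifies FRST-style lines, groups IFEO targets by debugger so every program hooked the same way is listed, and emits a fixlist in the same shape as the ones pasted in this thread (log lines copied verbatim, the payload folder under ProgramData, EmptyTemp: last). The sample lines are constructed from the entries quoted above plus one invented notepad.exe IFEO entry; the hijacker host list and the "debugger in a data directory" heuristic are my assumptions, not FRST's logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in FRST's one-entry-per-line format, modelled on entries
# quoted in this thread. Not a real log: the notepad.exe IFEO line is invented
# so that a debugger living outside Program Files is exercised.
SAMPLE_LOG = r"""
IFEO\origin.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\notepad.exe: [Debugger] C:\ProgramData\SecurityUtility\SecurityUtility.exe
AppInit_DLLs: C:\ProgramData\SecurityUtility\SecurityUtility64.dll => C:\ProgramData\SecurityUtility\SecurityUtility64.dll [978944 2015-07-29] (SecurityUtility)
Task: {65E6C50E-3833-4439-AAC4-AF32BDB11DE8} - System32\Tasks\DZTRCFHC1 => C:\ProgramData\SecurityUtility\SecurityUtility.exe [2015-07-29] (SecurityUtility) <==== ATTENTION
Task: {05E23C15-8EA3-4439-91C3-6DF4EA18D4DC} - System32\Tasks\{784998BD-9782-43A0-8144-2A24F015D57C} => pcalua.exe -a C:\Windows\COREL\UNINST32.EXE
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type=ds&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com/search?q={searchTerms}
""".strip().splitlines()

IFEO_RE = re.compile(r'^IFEO\\(?P<exe>[^:]+): \[Debugger\] "?(?P<dbg>[^"]+?)"?$')
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
PROGRAMDATA_DIR_RE = re.compile(r'[A-Za-z]:\\ProgramData\\[^\\\s"\[\]]+')

# Assumptions, not FRST's own logic: hijacker hosts seen in this thread, and the
# product whose reactivator legitimately sits in IFEO\<exe>\Debugger.
HIJACK_HOSTS = {"www.oursurfing.com", "search.delta-homes.com", "do-search.com"}
TUNEUP_MARK = "AVG PC TuneUp"


def ifeo_verdict(debugger: str) -> str:
    """What an IFEO Debugger value does to its target: Windows starts the
    debugger instead of the target and passes it the target's command line."""
    if TUNEUP_MARK in debugger:
        # The target runs only while the reactivator exists; uninstalling
        # TuneUp without clearing the value leaves the program unlaunchable.
        return "tuneup-redirect"
    parts = PureWindowsPath(debugger).parts
    if len(parts) > 1 and parts[1].lower() in ("programdata", "users"):
        return "suspicious-debugger"  # a debugger living in a data directory
    return "unknown-debugger"


def ifeo_by_debugger(log_lines):
    """Group IFEO targets by debugger, to list every program hooked the same way."""
    groups = {}
    for line in log_lines:
        m = IFEO_RE.match(line)
        if m:
            groups.setdefault(m["dbg"], []).append(m["exe"])
    return groups


def classify(line: str) -> dict:
    """Tag one FRST line with its mechanism and decide whether it goes into the fix."""
    entry = {"line": line, "kind": "other", "remove": False, "reason": ""}
    if "<==== ATTENTION" in line:
        entry.update(remove=True, reason="flagged by FRST")
    m = IFEO_RE.match(line)
    if m:
        verdict = ifeo_verdict(m["dbg"])
        entry.update(kind="ifeo", target=m["exe"], debugger=m["dbg"],
                     reason=verdict, remove=verdict == "suspicious-debugger")
    elif line.startswith("AppInit_DLLs"):
        # AppInit_DLLs are loaded into every process that maps user32.dll.
        entry.update(kind="appinit", remove=True, reason="AppInit DLL injection")
    elif line.startswith("Task:"):
        entry["kind"] = "task"
        if "pcalua.exe -a" in line and not entry["remove"]:
            # Program Compatibility Assistant launch records; removed as
            # clutter, as the fixes in this thread do.
            entry.update(remove=True, reason="pcalua launcher leftover")
    elif line.startswith("SearchScopes:") or "Internet Explorer\\Main," in line:
        entry["kind"] = "searchscope"
        host = URL_RE.search(line)
        if host and host["host"] in HIJACK_HOSTS:
            entry.update(remove=True, reason="hijacker host " + host["host"])
    return entry


def build_fixlist(log_lines):
    """Emit fixlist.txt lines in the shape used in this thread: the log line
    verbatim, the payload folder under ProgramData, and EmptyTemp: last."""
    fix, seen_dirs = [], set()
    for entry in (classify(l) for l in log_lines if l.strip()):
        if not entry["remove"]:
            continue
        fix.append(entry["line"])
        for d in PROGRAMDATA_DIR_RE.findall(entry["line"]):
            if d.lower() not in seen_dirs:
                seen_dirs.add(d.lower())
                fix.append(d)
    fix.append("EmptyTemp:")
    return fix


if __name__ == "__main__":
    for dbg, exes in ifeo_by_debugger(SAMPLE_LOG).items():
        print(f"{dbg}\n    intercepts: {', '.join(exes)} -> {ifeo_verdict(dbg)}")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

    The TuneUp entries are deliberately left out of the generated fixlist: the thread's advice is to check whether the hooked programs still start, not to delete the values, because the redirect is how the product re-enables a deactivated program. Anything the script proposes should still be read line by line before it is pasted into fixlist.txt.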

  14. Open Notepad and paste into it:


    Task: {0509FAF6-07A9-4F6E-90EC-783847EB937C} - System32\Tasks\PFExe => C:\Users\Sergiusz\AppData\Local\PriceFountain\pricefountain.exe
    Task: {82EFEAAF-951A-42E9-812F-8B664530633C} - System32\Tasks\HealthBooster => c:\programdata\{39724e61-4869-7441-3972-24e614863985}\arksurvivalevolvedfreedownloadfullversionpcgame.exe-1437673382842.exe <==== ATTENTION
    C:\Users\Sergiusz\AppData\Local\PriceFountain
    c:\programdata\{39724e61-4869-7441-3972-24e614863985}
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    HKU\S-1-5-21-2962764545-2036589733-128886746-1000\...\Run: [bingSvc] => C:\Users\Sergiusz\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-04-07] (© 2015 Microsoft Corporation)
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    CHR Extension: (Sale Clipper) - C:\Users\Sergiusz\AppData\Local\Google\Chrome\User Data\Default\Extensions\odlhikpaegeblidjhkeefjdjegganhpg [2015-07-23]
    OPR Extension: (Sale Clipper) - C:\Users\Sergiusz\AppData\Roaming\Opera Software\Opera Stable\Extensions\odlhikpaegeblidjhkeefjdjegganhpg [2015-07-23]
    S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
    S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
    S2 wasvc_1.10.0.19; "C:\Program Files (x86)\WordAnchor_1.10.0.19\Service\wasvc.exe" [X]
    C:\Program Files (x86)\WordAnchor_1.10.0.19
    C:\{b6a94784-0ffb-4121-88c6-435139067ee2}.xpi
    C:\ProgramData\14517000821272660046
    C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b
    C:\Windows\System32\Tasks\HealthBooster
    C:\Windows\Tasks\HealthBooster.job
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.
    A fixlog.txt file will be produced.
    Post that log.


    CHR dev: Chrome dev build detected! <======= ATTENTION

    Uninstall this insecure version of Google Chrome.
    Install it from here > http://www.google.com/chrome/

    Let me know whether the ads problem is gone.


    jessi

  15. Folder deleted : C:\ProgramData\ytd video downloader
    Folder deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
    Folder deleted : C:\Program Files (x86)\GreenTree Applications

    but AdwCleaner did remove YTD anyway - I don't know why it considers it harmful.

    On my machine it doesn't display any ads.

    Open Notepad and paste into it:


    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    SearchScopes: HKU\S-1-5-21-469452061-1298869841-811214127-1000 -> {A308FDAE-E64A-4BC0-8CFE-EDB3904BA200} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=407453&p={searchTerms}
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.exe
    Run FRST and click the Fix button.

    Then we finish:

    Open Notepad and paste into it:


    DeleteQuarantine:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

    Delete the remaining C:\FRST folder with SHIFT+DEL.

    In AdwCleaner click the Uninstall (UNINSTALL) button.


    jessi

  16. I think we can finish:

    Open Notepad and paste into it:

    DeleteQuarantine:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

    Delete the remaining C:\FRST folder with SHIFT+DEL.

    In AdwCleaner click the Uninstall (UNINSTALL) button.

    The laptop has slowed down and is overheating

    that may be a hardware problem

    jessi
