jessica

1) Odinstaluj

WordAnchor 1.10.0.20 (HKLM-x32\...\WordAnchor_1.10.0.20) (Version: 1.10.0.20 - WordAnchor)

2) Otwórz Notatnik i wklej w nim:

Task: {7E0A1E98-510E-4204-BB29-93948B324787} - System32\Tasks\{82B159F4-CCC1-4B9C-ADE4-30B77CE13099} => pcalua.exe -a C:\Users\euro\AppData\Local\Temp\st926.tmp\uninstall.exe -d C:\Windows\system32 -c -install -s  -ptid=wpm05083 -s
Task: {35B3727B-42F8-407A-804C-70D4BA57B341} - System32\Tasks\{8EBCBF27-15A4-479E-A438-A6D421A5FF5A} => pcalua.exe -a C:\Users\euro\AppData\Local\Temp\Temp1_Audio_Realtek_v6.0.1.5628_XP.zip\04_Audio\5628_PG259_R194_UAAV10a-5013\Setup.exe
C:\Program Files (x86)\MiuiTab
C:\Program Files (x86)\WordAnchor_1.10.0.20
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3046815239-261040755-881543829-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1436534132&z=b9d694e56d021158fa91613g0zac5q0w9c3z2g0e3m&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1436534132&z=b9d694e56d021158fa91613g0zac5q0w9c3z2g0e3m&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1436534132&z=b9d694e56d021158fa91613g0zac5q0w9c3z2g0e3m&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1436534132&z=b9d694e56d021158fa91613g0zac5q0w9c3z2g0e3m&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1436199827&from=mych123&uid=toshibaxmk5059gsxp_42oec5mztxx42oec5mzt&z=98c767a236e8bc3d484f0beg3z2c7q8gftdt7bbgdq
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1436199827&from=mych123&uid=toshibaxmk5059gsxp_42oec5mztxx42oec5mzt&z=98c767a236e8bc3d484f0beg3z2c7q8gftdt7bbgdq
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com?type=hp&ts=1436199827&from=mych123&uid=toshibaxmk5059gsxp_42oec5mztxx42oec5mzt&z=98c767a236e8bc3d484f0beg3z2c7q8gftdt7bbgdq
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com?type=hp&ts=1436199827&from=mych123&uid=toshibaxmk5059gsxp_42oec5mztxx42oec5mzt&z=98c767a236e8bc3d484f0beg3z2c7q8gftdt7bbgdq
HKU\S-1-5-21-3046815239-261040755-881543829-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1436534132&z=b9d694e56d021158fa91613g0zac5q0w9c3z2g0e3m&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT
HKU\S-1-5-21-3046815239-261040755-881543829-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1436534132&z=b9d694e56d021158fa91613g0zac5q0w9c3z2g0e3m&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> OldSearch URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> {1A2E0390-8654-4DBC-BEEA-F7AE98810725} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3046815239-261040755-881543829-1000 -> {szukaj.gazeta.pl} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=TOSHIBAXMK5059GSXP_42OEC5MZTXX42OEC5MZT&ts=1436534143&type=default&q={searchTerms}
OPR Extension: (Dynamo Combo) - C:\Users\euro\AppData\Roaming\Opera Software\Opera Stable\Extensions\cgohmfhlbipbcmmpdonacmkpibfghppn [2015-05-20]
R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-06-24] (XTab system)
R2 wasvc_1.10.0.20; C:\Program Files (x86)\WordAnchor_1.10.0.20\Service\wasvc.exe [300120 2015-07-06] (WA)
S2 Update Dynamo Combo; "C:\Program Files (x86)\Dynamo Combo\updateDynamoCombo.exe" [X]
S2 Util Dynamo Combo; "C:\Program Files (x86)\Dynamo Combo\bin\utilDynamoCombo.exe" [X]
C:\Program Files (x86)\Dynamo Combo
R1 wafd_vt_1_10_0_20; C:\Windows\System32\drivers\wafd_vt_1_10_0_20.sys [61312 2015-07-06] (WA)
S3 cpuz135; \??\C:\Users\euro\AppData\Local\Temp\cpuz135\cpuz135_x64.sys [X]
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix.
Powstanie plik fixlog.txt.
Daj ten log.

3) Zrób nowe logi FRST

4) Zrób wymagany tu log GMER.

jessi

1) Odinstaluj program YAC (isafe)

2) Zrób logi z FRST https://www.fixitpc.pl/forum-38/announcement-3-wa%C5%BCne-zak%C5%82adanie-tematu-obowi%C4%85zkowe-logi/

3) Log GMER też będzie potrzebny, ale poniważ to długo trwa, to może przełożymy to na czas po obejrzeniu logów FRST.

jessi

Otwórz Notatnik i wklej w nim:

Task: C:\WINDOWS\Tasks\CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}.job => C:\ProgramData\cisDBA0.exe <==== ATTENTION
C:\ProgramData\cisDBA0.exe
C:\Users\vardum\Downloads\Comodo-Personal-Firewall(20399)-dp.jse
EmptyTemp:

DeleteQuarantine:

OK, wykonane.

Mam, nadzieję, że usunięcie tych śmieci choć trochę poprawiło sytuację z muleniem.

W Adw-Cleaner kliknij na przycisk Odinstaluj (UNINSTALL).

jessi

Otwórz Notatnik i wklej w nim:

CustomCLSID: HKU\S-1-5-21-937016041-3120781582-518176832-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Piotr\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
Task: {30DD190C-8669-40CD-A5A6-540774E3061A} - System32\Tasks\Installer_sense => C:\Users\Piotr\AppData\Local\Installer\Installsense_27251\ins_postInst.exe <==== ATTENTION
Task: {8D34E344-EBBE-4B8B-9602-370E0461276B} - System32\Tasks\Installer_iwebar => C:\Users\Piotr\AppData\Local\Installer\Installiwebar_27251\ins_postInst.exe <==== ATTENTION
Task: {CB49E92B-65D4-49F0-BA42-63D1A43C9D8B} - System32\Tasks\{D27A4CB7-5D45-4DD3-A1A0-6A8900B49665} => pcalua.exe -a C:\Users\Piotr\AppData\Roaming\mystartsearch\UninstallManager.exe -c  -ptid=smt
C:\Users\Piotr\AppData\Roaming\mystartsearch
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
StartMenuInternet: Google Chrome.6GMBEWATBMHSQEFHAYPHSUHGDI - C:\Users\Piotr\AppData\Local\Google\Chrome\Application\chrome.exe
S2 Update SourceApp; "C:\Program Files (x86)\SourceApp\updateSourceApp.exe" [X]
C:\Users\Piotr\Desktop\SpyHunter-Installer.exe
EmptyTemp:

jessi

Otwórz Notatnik i wklej w nim:

CustomCLSID: HKU\S-1-5-21-4111920011-2050148025-2919203244-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4111920011-2050148025-2919203244-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4111920011-2050148025-2919203244-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4111920011-2050148025-2919203244-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4111920011-2050148025-2919203244-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4111920011-2050148025-2919203244-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
Task: {03890EAD-A0A3-4D52-A1A9-FD646EDEA4C8} - System32\Tasks\ROC_JAN2013_TB_rmv => C:\Program Files (x86)\AVG Secure Search\PostInstall\ROC.exe
Task: {14B505BB-AACF-4A80-B25D-B3A499B29825} - System32\Tasks\{CA41BDDC-F78A-4C07-8115-1A850647619A} => pcalua.exe -a C:\ProgramData\7531CC92000D2207D8D45F0B4F147CE7\7531CC92000D2207D8D45F0B4F147CE7.exe -c -u
Task: {D1C1C6F0-B6D8-4981-BBDB-9E761A42ED12} - System32\Tasks\{74F6F4FB-AF95-467F-90DF-9CBA8A813EBA} => pcalua.exe -a "D:\Gry\Call of duty\steam.exe" -c steam://uninstall/42700
Task: C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job => C:\Program Files (x86)\AVG Secure Search\PostInstall\ROC.exe
C:\Program Files (x86)\AVG Secure Search
HKU\S-1-5-21-4111920011-2050148025-2919203244-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-4111920011-2050148025-2919203244-1001\...\Run: [ROC_JAN2013_TB] => "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe"  /PROMPT /CMPID=JAN2013_TB
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
StartMenuInternet: Google Chrome.JBT6LHHQ2TNMNYQP6YI5VJXTXM - C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
EmptyTemp:

Potem:

W Adw-Cleaner kliknij na przycisk Odinstaluj (UNINSTALL).
 

Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

jessi

nie wiem, ale prawdopodobnie powstało to samo... 

usuń jeden z tych obiektów do Kosza, potem sprawdź, czy wszystkie programy dzialają prawidłowo.

Jeśli tak, to usuniesz wszystkie te obiekty.

jessi

C:\Program Files (x86)\MiuiTab

1) Użyj >Adw-cleaner

najpierw kliknij na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to kliknij na niego.

Pokaż raport z niego C:\AdwCleaner\AdwCleaner.txt

2) Zrób nowe logi FRST.

jessi

Co do wyskakujących okien:

1) Użyj >Adw-cleaner
najpierw kliknij na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to kliknij na niego.
Pokaż raport z niego C:\AdwCleaner\AdwCleaner.txt

2) Zrób nowe logi FRST - już bez Shortcut.

jessi

Wg mnie - jest OK.

W USBFix kliknij na przycisk VACCINATE (powstaną obiekty zaporowe "autorun.inf", mające utrudniać przedostawanie się infekcji pendrivowych.

Potem:

Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

W USBFix kliknij na przycisk UNINSTALL.

jessi

W tych logach nie widzę już niczego podejrzanego, więc powinno być OK.

Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

jessi

1) Odinstaluj program Sale Clipper

2) Otwórz Notatnik i wklej w nim:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix.
Powstanie plik fixlog.txt.
Daj ten log.
 

3) Zrób nowe logi FRST.

jessi

Otwórz Notatnik i wklej w nim:

testsigning: ==> testsigning is on. Check for possible unsigned rootkit driver <===== ATTENTION!
CustomCLSID: HKU\S-1-5-21-1576861816-666788470-2069471701-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\hlink.dll No File <==== ATTENTION
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\26372838.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\50754455.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\26372838.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\50754455.sys => ""="Driver"
ShortcutTarget: TorpedoCopy.lnk -> C:\Users\BASIA\AppData\Local\Torpedo\Torpedo.exe (No File)
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix.
Powstanie plik fixlog.txt.
Daj ten log.

=======================================

Jeśli przywrócenie domyślnej (wyłączonej) postaci testsigning spowoduje problemy, skorzystasz z polecenia ponownie aktywującego ten tryb:

Otworz Notatnik i wkleisz w nim:

testsigning on:

Plik zapiszesz pod nazwą fixlist.txt i umieścisz obok FRST.exe
Uruchomisz FRST i klikniesz przycisk Fix.

Ale raczej tego nie będzie potrzeby robić.

===============================================

?        C:\Windows\system32\mssprxy.dll [2156] entry point in ".rdata" section      

 

  Otwórz Notatnik i wklej w nim:

File: C:\Windows\system32\mssprxy.dll

jessi

1) Otwórz Notatnik i wklej w nim:

D:\home.vbe
D:\*.lnk
CMD: attrib /d /s -s -h D:\*
G:\home.vbe
G:\*.lnk
CMD: attrib /d /s -s -h G:\*
H:\home.vbe
H:\*.lnk
CMD: attrib /d /s -s -h H:\*
C:\Users\Kanon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\home.vbe
EmptyTemp:

2) Zrób nowy log USBFiox LISTING

3) Uruchom FRST.
W polu SEARCH wklej:

home.vbe

jessi

1) Odinstaluj te programy:
 

AVG SafeGuard toolbar (HKLM-x32\...\AVG SafeGuard toolbar) (Version: 18.5.0.909 - AVG Technologies)

WordAnchor 1.10.0.19 (HKLM-x32\...\WordAnchor_1.10.0.19) (Version: 1.10.0.19 - WordAnchor)
Your Software Deals 1.0.0 (HKLM-x32\...\Your Software Deals_is1) (Version: 1.0.0 - Ashampoo GmbH & Co. KG) <==== ATTENTION

Search App by Ask (HKLM-x32\...\{4F524A2D-5350-4500-76A7-A758B70C1D00}) (Version: 12.29.0.197 - APN, LLC) <==== ATTENTION

2) Użyj >Adw-cleaner
najpierw kliknij na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to kliknij na niego.
Pokaż raport z niego C:\AdwCleaner\AdwCleaner.txt

3) Otwórz Notatnik i wklej w nim:

Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "mobilegeni daemon" /f
Task: {6E464F98-91F3-487B-8DB1-F3F743F9BA9E} - System32\Tasks\{46F98AE4-1E7B-41B7-A3CE-C84F3C5FE982} => pcalua.exe -a E:\cda_menu.exe -d E:\
Task: {731A97F4-98AD-4626-9F26-6DDD6D29706F} - System32\Tasks\{956532CE-0351-4524-9B29-D96C64C5A41E} => pcalua.exe -a E:\cda_menu.exe -d E:\
Task: {8AF4703B-E7B4-4259-8DE8-FF8E76E7035B} - System32\Tasks\Right Backup_startup => C:\Program Files (x86)\Right Backup\RightBackup.exe <==== ATTENTION
Task: {E7C6BEB3-AECB-47E4-BC59-C86FBFE21595} - System32\Tasks\{E2F5657B-FE0C-4AF0-8BF2-41C736488113} => pcalua.exe -a E:\startuj.exe -d E:\
Task: {E87ECC42-BA4E-434B-9E53-604AB7E06309} - System32\Tasks\0415tbUpdateInfo => C:\ProgramData\Avg_Update_0415tb\0415tb_{B794EAB0-2EB1-4883-A0F1-74A26066A12C}.exe [2015-05-05] ()
Task: {FB4230DA-7BB5-4796-9E1F-7FEA4B8CBBAC} - \Program aktualizacji online firmy Adobe. No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\0415tbUpdateInfo.job => C:\ProgramData\Avg_Update_0415tb\0415tb_{B794EAB0-2EB1-4883-A0F1-74A26066A12C}.exe
Task: C:\WINDOWS\Tasks\0615tbUpdateInfo.job => C:\ProgramData\Avg_Update_0615tb\0615tb_{F2C462E0-C2AA-414F-92A6-7510DE255EA4}.exe
Task: C:\WINDOWS\Tasks\Open Chrome.job => c:\program files (x86)\Google\Chrome\Application\chrome.exeF--new-window http:/toolbar.avg.com/
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\Program Files (x86)\AVG SafeGuard toolbar
C:\Program Files (x86)\AskPartnerNetwork
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\Program Files (x86)\MiuiTab
C:\Program Files (x86)\WordAnchor_1.10.0.19
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2510784 2015-05-14] ()
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1684360 2015-05-26] (APN)
HKU\S-1-5-18\...\RunOnce: [Adobe Speed Launcher] => 1418626302
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
CHR Extension: (Jump Flip) - C:\Users\vardum\AppData\Local\Google\Chrome\User Data\Default\Extensions\hphehadppenpmajgnkjdcopcfijjegaf [2014-01-17]
CHR HKLM-x32\...\Chrome\Extension: [hphehadppenpmajgnkjdcopcfijjegaf] - C:\Program Files (x86)\Jump Flip\hphehadppenpmajgnkjdcopcfijjegaf.crx [2014-01-16]
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [178568 2015-04-28] (APN LLC.)
R2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-06-24] (XTab system)
R2 vToolbarUpdater18.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.5.0\ToolbarUpdater.exe [1812416 2015-05-14] (AVG Secure Search)
R2 wasvc_1.10.0.19; C:\Program Files (x86)\WordAnchor_1.10.0.19\Service\wasvc.exe [299096 2015-06-16] (WA)
R1 wafd_1_10_0_19; C:\Windows\System32\drivers\wafd_1_10_0_19.sys [57728 2015-06-16] (WA)
C:\ProgramData\IHProtectUpDate
C:\Users\vardum\AppData\Roaming\istartsurf
C:\ProgramData\SetStretch.VBS
EmptyTemp:

4) Zrób nowe logi FRST.

jessi

W logach nie widzę niczego podejrzanego, wiec temat pewnie zostanie przesunięty przez @Picasso do bardziej odpowiedniego dzialu forum.

Drobne usuwanie:

Otwórz Notatnik i wklej w nim:

Task: {88149B21-DA0A-4257-93A3-8B68683439B9} - System32\Tasks\{38D7081F-5427-4011-81BB-BAB9AC44FE64} => pcalua.exe -a C:\AMD\WU-CCC2\ccc2_install\WULaunchApp.exe -c -uninstall
ShortcutTarget: Setup_product_13224.lnk -> C:\ProgramData\{5336e730-e936-bc88-5336-6e730e939cc3}\Setup_product_13224.exe (No File)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
C:\ProgramData\boost_interprocess
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
EmptyTemp:

jessi

 Na 2 pozostałych są dane.

ale usbfix ich nie widzi, wiec nie wiem, jaka jest sytuacja na tych penach.

jessi

1) Użyj >Adw-cleaner
najpierw kliknij na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to kliknij na niego.
Pokaż raport z niego C:\AdwCleaner\AdwCleaner.txt
 

2) Otwórz Notatnik i wklej w nim:

Task: {026F0EB1-4DF4-4B4F-B378-2A6C371920C9} - System32\Tasks\{4B2FFD53-CEB4-433F-92C8-13575CBB1FA4} => pcalua.exe -a "C:\Program Files\PLAY ONLINE\uninst.exe"
Task: {0F692952-7E0F-4194-9F9E-42EE64428F6C} - System32\Tasks\{6717F9D9-475A-4171-A96B-682F21BBFDA1} => pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\setup.exe" -c /z-uninstall
Task: {6B02A7A4-038B-49A4-995F-95FD0E209A33} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
C:\Program Files\MiuiTab
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1436344155&z=ffda066dbd873c007998078gazcc6q7cazcz7g0w2z&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&ts=1436344168&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&ts=1436344168&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.istartsurf.com/web/?type=dspp&ts=1436344155&z=ffda066dbd873c007998078gazcc6q7cazcz7g0w2z&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&ts=1436344168&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&ts=1436344168&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&ts=1436344168&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST9250315AS_5VCAMZFZXXXX5VCAMZFZ&ts=1436344168&type=default&q={searchTerms}
BHO: LuckyTab Class -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> C:\Program Files\MiuiTab\SupTab.dll [2015-06-24] (Thinknice Co. Limited)
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
Toolbar: HKU\S-1-5-21-1205272132-2967772875-2806619080-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF DefaultSearchEngine: istartsurf
FF SelectedSearchEngine: istartsurf
FF SearchPlugin: C:\Users\Samsung\AppData\Roaming\Mozilla\Firefox\Profiles\6ktw6af8.default\searchplugins\istartsurf.xml [2015-07-10]
FF Extension: Search Enginer - C:\Users\Samsung\AppData\Roaming\Mozilla\Firefox\Profiles\6ktw6af8.default\Extensions\sweetsearch@gmail.com [2015-07-10]
FF HKLM\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\Samsung\AppData\Roaming\Mozilla\Firefox\Profiles\6ktw6af8.default\extensions\sweetsearch@gmail.com
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\
R2 IHProtect Service; C:\Program Files\MiuiTab\ProtectService.exe [125112 2015-06-24] (XTab system)
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 huawei_wwanecm; system32\DRIVERS\ew_juwwanecm.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
C:\ProgramData\IHProtectUpDate
C:\Users\Samsung\Desktop\SpyHunter-Installer.exe
EmptyTemp:

2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\1609CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\15F8CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\15A8CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\1529CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\14F8CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\1429CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\13B8CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\1329CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\1319CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\12F8CE10
2015-07-02 08:22 - 2015-07-02 08:22 - 00000000 _____ C:\Users\Samsung\Desktop\1219CE10

 

co to jest, w tak dużej ilości?

jessi

Hmm, USBFix pokazuje, że na pamięciach przenośnych nic nie ma.

Czy tak jest w rzeczywistości?

Otwórz Notatnik i wklej w nim:

Startup: C:\Users\Kanon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\home.vbe [2015-06-30] ()
Task: {5C54FFA7-6551-4E01-B9BA-5AC9CBC71155} - System32\Tasks\060184C3-9766-46a0-B258-F4518A0B2633 => Cscript.exe "C:\ProgramData\Baidu Security\Duplicaterecord.js" <==== ATTENTION
Task: {728F3938-5794-46D5-B5ED-A6824FB9D953} - System32\Tasks\ProtectedSearch\Protected Search => C:\Program Files (x86)\Protected Search\ProtectedSearch.exe <==== ATTENTION
Task: {B047D52E-1CF4-4368-9EC6-A23671F85EEC} - System32\Tasks\{5D7B4AB3-B79A-4805-AD1B-6AAA7B6A16C8} => pcalua.exe -a F:\eFilmLt.exe -d F:\
Task: {C0E697CE-59A1-4B05-BB14-4E6087519B6E} - System32\Tasks\{17C61C70-09B5-429D-B5CC-1EE488D6D0B0} => pcalua.exe -a "C:\Program Files\AVAST Software\Avast\aswRunDll.exe" -c "C:\Program Files\AVAST Software\Avast\Setup\setiface.dll" RunSetup
C:\Users\Public\Desktop\Gimnazjum klasa 2 - Puls Ziemi.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crossfire Europe\Crossfire Europe.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crossfire Europe\crossfire-eu.com.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crossfire Europe\Uninstall.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam\Steam.lnk
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [baiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-4258540652-3167376319-1349578961-1002 -> DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchTerms}&affID=119535&babsrc=SP_ss&mntrId=B6BAE02A825A1C08
SearchScopes: HKU\S-1-5-21-4258540652-3167376319-1349578961-1002 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchTerms}&affID=119535&babsrc=SP_ss&mntrId=B6BAE02A825A1C08
SearchScopes: HKU\S-1-5-21-4258540652-3167376319-1349578961-1002 -> {F3699528-160E-4C0D-A1B6-E1E8DDCAEB9A} URL =
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Bing Bar) - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2237.0\npwinext.dll No File
C:\windows\Minidump\*.dmp
C:\ProgramData\FileSplitUpLoad.dll
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
EmptyTemp:

jessi

I tutaj pojawia się problem, że nie pokazują się te programy jako zainstalowane :/.

w takim razie omiń ten punkt, i rób następne, z tym, że Adw-Cleaner:

najpierw kliknij na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to kliknij na niego.

jessi

Jeśli nie ma już problemu z reklamami, to chyba możemy kończyć:

Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

TDSSKLiller - usuń recznie.

jessi

Log z TDSSKiller - nie jest cały.

Brak logów FRST "Additional.txt" i "Shortcut.txt".

Jak sytuacja z Avastem?

Necurs blokuje wszystkie sterowniki, więc Avasta pewnie też zablokował.

Spróbuj przeinstalować Awasta.

Zajrzyj do folderu C:\Windows\system32\drivers - czy nie widać tam kłódek na plikach?

Otwórz Notatnik i wklej w nim:

C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml [2012-12-05]
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
ShortcutTarget: TorpedoCopy.lnk -> C:\Users\BASIA\AppData\Local\Torpedo\Torpedo.exe (No File)
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix.
Powstanie plik fixlog.txt.
Daj ten log.

jessi

1) Odinstaluj te programy:

IePluginService12.27.0.3326 (HKLM-x32\...\IePlugins) (Version: 12.27.0.3326 - Cherished Technololgy LIMITED) <==== ATTENTION

WinZipper (HKLM-x32\...\WinZipper) (Version: 1.5.29 - Taiwan Shui Mu Chih Ching Technology Limited.) <==== ATTENTION

2) Zrób log z USBFix https://www.fixitpc.pl/topic/8-dezynfekcja-zbior-narzedzi-usuwajacych/?do=findComment&comment=74z opcji LISTING.

3) Zrób log z Adw-Cleaner https://www.fixitpc.pl/topic/8-dezynfekcja-zbior-narzedzi-usuwajacych/?do=findComment&comment=118323

4) Zrób nowe logi FRST.

jessi

Powinno być już OK.

Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

jessi

W logach nie widzę niczego podejrzanego.

Kosmetyka:

Otwórz Notatnik i wklej w nim:

Task: {8D389370-1468-4587-9BEA-7F722E26469F} - System32\Tasks\{34FF5849-260B-4C23-A54D-51937EF4BE7A} => pcalua.exe -a "C:\Users\Kacper\Desktop\Metin Bot NG 2.0 setup.exe" -d C:\Users\Kacper\Desktop
Task: {59428AFD-B558-43DB-A775-02183AA3E828} - System32\Tasks\{DD49F5F5-A4E4-4911-B909-2E1227C21CD9} => pcalua.exe -a "C:\Users\Kacper\Desktop\ROOT LG P940\3. Flash Tools\B2CAppSetup.exe" -d "C:\Users\Kacper\Desktop\ROOT LG P940\3. Flash Tools"
Task: {1CBA0F46-7594-44AB-865E-BA4324CD72D6} - \Driver Booster SkipUAC (Kacper) No Task File <==== ATTENTION
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
EmptyTemp:

jessi