jessica
Posts: 4 099
Replies posted by jessica
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
Open Notepad and paste into it:
File: C:\Program Files\A09WD3KS.exe
Save the file as fixlist.txt and put it next to FRST.
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Give me that log.
Run FRST.
In the SEARCH field paste: A09WD3KS.exe and click the "Search Registry" button.
The report from this will be in the same place as FRST.
Open Notepad and paste into it:
HKU\S-1-5-21-2962128431-3766831332-2638231919-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\msbxucljo.exe <===== ATTENTION
C:\ProgramData\msbxucljo.exe
C:\Program Files\A09WD3KS.exe
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
BHO-x32: No Name -> {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} -> No File
R3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S3 usb6xxxk; \??\C:\Windows\system32\drivers\usb6xxxkl.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Give me that log.
Make new FRST logs.
Make a log with Farbar Service Scanner > http://download.bleepingcomputer.com/farbar/FSS.exe (tick everything for scanning).
If you haven't formatted the pendrive yet, make a log with USBFix using the LISTING option https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/?do=findComment&comment=74
jessi
-
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
The FRST log isn't complete; besides, FRST produces 3 logs - Addition.txt and Shortcut.txt are missing.
Perhaps they weren't produced because the computer restarted.
And those restarts suggest the computer may simply be broken.
jessi
-
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
Open Notepad and paste into it:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2900515442-1923707137-538422430-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://hi.ru/search/?q={searchTerms}
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll No File
S3 ALSysIO; \??\C:\Users\mRn\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz137; \??\C:\Users\mRn\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X]
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
EDIT:
"It turned out to be a False Positive, please close the topic."
Aha, that explains it.
jessi
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\腾讯软件
C:\Users\Korek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
C:\Program Files\gmsd_pl_005010010
These didn't get deleted.
Try manually via SHIFT+DEL
C:\Users\Korek\Desktop\PROGRAMY\Optimizer Pro.lnk
Also manually.
jessi
-
Open Notepad and paste into it:
HKU\S-1-5-21-669934448-3564392166-1087876309-1001\...\Run: [bparse] => C:\Users\Cezary\AppData\Roaming\WinKun\winkun.exe [106834 2015-06-22] ()
C:\Users\Cezary\AppData\Roaming\WinKun
HKU\S-1-5-21-669934448-3564392166-1087876309-1001\...\Run: [{B207AD06-2E17-B7AE-DDC4-9BEB3C8557B4}] => C:\ProgramData\Microsoft\Performance\Monitor\temp\tmpD71D.exe <===== ATTENTION
C:\ProgramData\Microsoft\Performance\Monitor\temp\tmpD71D.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-669934448-3564392166-1087876309-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [2013-04-25] (Tencent)
FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [2013-04-08] (Tencent Technology (Shenzhen) Company Limited)
C:\ProgramData\SetStretch.exe
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Give me that log.
Is GAMARUE still being detected?
jessi
-
Tcpip\Parameters: [DhcpNameServer] 5.104.175.153 8.8.8.8
If you use a router, then:
Log in to the router:
- Change the DNS settings. If you don't know which ones to use, you can set Google's addresses: 8.8.8.8 + 8.8.4.4
- Secure the router: change the password and close access to the management panel from the Internet side. Compare with these articles:
http://multimo.telestrada.pl/uwaga1
After configuring, run this test, which is meant to confirm the protection:
http://cert.orange.pl/modemscan/
Paste into Notepad:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="8.8.8.8"
From the Notepad menu >> File >> Save as >> set the file type to All files >> save as FIX.REG >> run the file (double-click and OK).
Restart the computer.
jessi
-
Adw-Cleaner: first click SCAN (SZUKAJ), and only after the scan finishes, when the CLEANING (USUŃ) button becomes active, click it.
Open Notepad and paste into it:
Task: {0F81CA6D-D925-4977-BC10-67E27D1304D2} - \Microsoft\7ea61278dfbad65ae31e707ffe019711 No Task File <==== ATTENTION
Task: {4AA4ABFA-EA2D-4DDD-94E1-4B962CCCE545} - System32\Tasks\AVG_SYS_TASK_0215pit_DELETE => C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
Task: {828D10E7-22C6-4EE6-9DBE-6B09AB2F8FAD} - System32\Tasks\{995EF597-E97A-4D77-B93E-6F73E670047E} => pcalua.exe -a "c:\program files\relevantknowledge\rlvknlg.exe" -c -bootremove -uninst:RelevantKnowledge
c:\program files\relevantknowledge
Task: {AEF8DD22-BFCB-48EE-8428-BCBE83D3817B} - System32\Tasks\VuuPCUpdateLogin => C:\Program Files\VuuPC\VuuPCUpdater.exe
Task: {BF741268-AF2B-4634-A2C6-7924F1F33FBC} - System32\Tasks\AVG_SYS_TASK_0215pit => C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
C:\Program Files\VuuPC
Task: {D8578A9A-D6FC-49AA-9E39-28E9A75F1F85} - System32\Tasks\AVG-Secure-Search-Update_0215pit_RML => C:\Users\Korek\AppData\Roaming\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
Task: {E4E9CAF5-C0F7-458F-8452-3B942340804E} - \Microsoft\a31793b172d999844ffe0dae25111557 No Task File <==== ATTENTION
Task: {F2D5C3DF-1B8C-41C3-9CBE-BF5BE47D7BD0} - \VuuPCUpdate No Task File <==== ATTENTION
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_0215pit_RML.job => C:\Users\Korek\AppData\Roaming\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
Task: C:\Windows\Tasks\AVG_SYS_TASK_0215pit.job => C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
Task: C:\Windows\Tasks\AVG_SYS_TASK_0215pit_DELETE.job => C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
FirewallRules: [{4258B452-BF46-4BC2-8894-C88FDE5BE49A}] => (Allow) C:\Program Files\RelevantKnowledge\rlvknlg.exe
FirewallRules: [{CA0B9061-03BE-42D4-81DE-90C89C406CD6}] => (Allow) C:\Program Files\RelevantKnowledge\rlvknlg.exe
FirewallRules: [{0F4BE469-0D60-44EB-AEBC-D81236F99C60}] => (Allow) C:\Program Files\RelevantKnowledge\rlvknlg.exe
FirewallRules: [{9F5272E5-81E6-4488-A664-8A6ABA97223D}] => (Allow) C:\Program Files\RelevantKnowledge\rlvknlg.exe
FirewallRules: [{38D6371A-3F08-45D8-BDF5-F569B88F2952}] => (Allow) C:\Program Files\VuuPC\RemoteEngine.exe
FirewallRules: [{64275D43-AC69-49EE-973D-D877FFFAF0D4}] => (Allow) C:\Program Files\VuuPC\Connectivity.exe
FirewallRules: [{A42257C4-9A3B-4BB1-9E41-F64607376713}] => (Allow) C:\program files\common files\tencent\qqdownload\130\tencentdl.exe
FirewallRules: [{E224ABA7-FCAC-445D-9D86-CF8A02D4D782}] => (Allow) C:\program files\common files\tencent\qqdownload\130\bugreport_xf.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3568612267-3032798025-2432032161-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
S3 TSSK; C:\Windows\System32\tssk.sys [67896 2015-06-22] (电脑管家)
C:\Windows\system32\Drivers\TS888.sys
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\腾讯软件
C:\Users\Korek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
C:\Windows\system32\TSSK.sys
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
jessi
-
Open Notepad and paste into it:
FF Extension: No Name - C:\Users\Grzesiek\AppData\Roaming\Mozilla\Firefox\Profiles\kdxrja3a.default\extensions\quick_searchff@gmail.com [not found]
C:\ProgramData\WindowsMangerProtect
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
Then we finish up:
Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and put it next to FRST. Run FRST and click Fix.
Delete the remaining C:\FRST folder via SHIFT+DEL.
Java 6 Update 26 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216026FF}) (Version: 6.0.260 - Oracle)
Install a newer version of Java, according to https://www.fixitpc.pl/topic/5-dezynfekcja-kroki-finalizuj%C4%85ce-temat/?do=findComment&comment=43590
jessi
-
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
1) Open Notepad and paste into it:
C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA
C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
HKLM\...\Run: [ap] => C:\Program Files\Application Assistance\ap.exe [249856 2015-06-22] ()
C:\Program Files\Application Assistance
HKU\S-1-5-21-3568612267-3032798025-2432032161-1000\...\Run: [AVG-Secure-Search-Update_0215pit] => C:\Users\Korek\AppData\Roaming\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe [2794520 2015-02-17] ()
C:\Users\Korek\AppData\Roaming\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe
Startup: C:\Users\Korek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crossbrowse.lnk [2015-06-22]
ShortcutTarget: crossbrowse.lnk -> C:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (No File)
C:\Program Files\Crossbrowse
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/?tn=91539763_hao_pg
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
HKU\S-1-5-21-3568612267-3032798025-2432032161-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/?tn=91539763_hao_pg
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files\IObit\IObit Uninstaller\UninstallExplorer32.dll No File
BHO: Ó¦Óñ¦Ň»Ľü°˛×°˛ĺĽţ -> {50F4150A-48B2-417A-BE4C-C83F580FB904} -> C:\Program Files\Common Files\Tencent\QQPhoneManager\2.0.201.3198\npQQPhoneManagerExt.dll [2014-05-30] (腾讯公司)
BHO: PriceFountain -> {b608cc98-54de-4775-96c9-097de398500c} -> C:\Users\Korek\AppData\Local\PriceFountain\PriceFountainIE.dll No File
C:\Users\Korek\AppData\Local\PriceFountain
FF Homepage: hxxp://gotut.ru/?from=ic3ua
FF Plugin: @qq.com/npAndroidAssistant -> C:\Program Files\Common Files\Tencent\QQPhoneManager\2.0.201.3198\npQQPhoneManagerExt.dll [2014-05-30] (腾讯公司)
OPR Extension: (CinemaP-1.4) - C:\Users\Korek\AppData\Roaming\Opera Software\Opera Stable\Extensions\mnanplinmmnjhobaliikmelmmjpoogkb [2014-08-11]
R2 hoviwuqo; C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\knse2DFB.tmpfs [X]
R2 kysykiti; C:\Users\Korek\AppData\Local\00000000-1435006139-0000-0000-406186C562FA\snspF87D.tmp [X]
R2 RemoteEngineService; C:\Program Files\VuuPC\remoteengine.exe [X]
S2 VuuPCConnectivity; C:\Program Files\VuuPC\Connectivity.exe [X]
R2 xoperoze; C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\jnsb4DFC.tmp [X]
R2 zedepory; C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\hnst6D3E.tmp [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 EverestDriver; \??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [X]
R1 QMUdisk; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMUdisk.sys [X]
R4 TAOKernelDriver; System32\Drivers\TAOKernel.sys [X]
R3 TS888; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TS888.sys [X]
R4 TsFltMgr; system32\drivers\TsFltMgr.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Korek\AppData\Local\gmsd_pl_005010010
C:\Program Files\VuuPC
C:\Users\Korek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VuuPC
C:\Users\Korek\AppData\Local\nsjD296.tmp
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Give me that log.
2) Make a log with Adw-Cleaner https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/?do=findComment&comment=118323
3) Make new FRST logs.
jessi
-
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
I don't see an infection in the logs, though it's not entirely clean either:
Open Notepad and paste into it:
C:\Documents and Settings\CL\My Documents\Opera(12614)-dp.exe
StartMenuInternet: (HKLM) Opera.exe - C:\Program Files\Opera\Opera.exe http://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=&utm_content=sc&from=cor&uid=HitachiXHTS541040G9AT00_MPB2PAX2F0194MF0194MX&ts=1377785095
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path Or update_url value
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\CL\APPLIC~1\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2154615204-4275496255-3731553294-1006 -> ${searchCLSID} URL = http://search.yahoo.com/search?ei=ISO-8859-1&fr=megaup&q={searchTerms}
HKU\S-1-5-21-2154615204-4275496255-3731553294-1006\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-14] (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2154615204-4275496255-3731553294-1006_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-2154615204-4275496255-3731553294-1006_Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-2154615204-4275496255-3731553294-1006_Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-2154615204-4275496255-3731553294-1006_Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-2154615204-4275496255-3731553294-1006_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> No Filepath
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Give me that log.
Just in case, make new FRST logs - maybe @Picasso will look in here someday ...
jessi
-
"Add GMER logs?"
I suppose that as soon as @Picasso takes up your topic (I don't know when), they will ask for a GMER log, so make one just in case.
"Is there a risk of infecting the FTP server by uploading files in ZIP and RAR format with the computer in its current state??"
I already wrote that I don't know this version of the MSIL/Injector.* infection at all, so it's hard for me to assess the threat.
There was an infection with a somewhat similar name on the forum, but a different version. There the infection modified the Registry.
Perhaps this version does too?
Just in case:
Open Notepad and paste into it:
Reg: reg query HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Reg: reg query "HKCU\Software\Microsoft\Windows Script" /s
Reg: reg query "HKCU\Software\Microsoft\Windows Script Host" /s
Save the file as fixlist.txt and put it next to FRST.
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Give me that log.
Then all that's left is waiting for @Picasso.
jessi
-
I don't see anything suspicious in the logs, so the infection has probably already been removed (RogueKiller and MBAM, among others, were used).
But perhaps there is some damage in the System - unfortunately I know nothing about this particular infection, so I don't even know what damage to look for.
Uninstall the completely unnecessary Akamai NetSession Interface
Cosmetics:
Open Notepad and paste into it:
HKU\S-1-5-21-4021329644-3063707683-3167850359-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Kajczos\AppData\Local\Akamai\netsession_win.exe
HKU\S-1-5-21-4021329644-3063707683-3167850359-1001\...\Run: [AdobeBridge] => [X]
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll File not found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll" File not found
FF SelectedSearchEngine: delta-homes
FF Extension: No Name - C:\Users\Kajczos\AppData\Roaming\Mozilla\Firefox\Profiles\898pbxb0.default\extensions\quick_searchff@gmail.com [not found]
FF Extension: No Name - C:\Users\Kajczos\AppData\Roaming\Mozilla\Firefox\Profiles\898pbxb0.default\extensions\sweetsearch@gmail.com [not found]
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 cpuz137; \??\C:\Users\Kajczos\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X]
Task: {6126F895-4D57-451A-9B91-613BD1E63422} - \avabvbxvh No Task File <==== ATTENTION
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
jessi
-
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
Just cosmetics:
Open Notepad and paste into it:
Task: {3EBD2EF1-F269-4A00-8D82-42AC3BBF81FE} - \Web Protector Plus No Task File <==== ATTENTION
Task: {814699EB-06F0-4847-BCA7-8EF5A827466A} - \Web Protector Plus Server No Task File <==== ATTENTION
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll No File
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll No File
S3 EverestDriver; \??\D:\!Archiwum\Everest 4.5\Everest v4.5\kerneld.amd64 [X]
C:\Windows\Minidump\062215-44912-01.dmp
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
jessi
-
https://www.fixitpc.pl/topic/27096-nowy-moderator-w-dziale-malware/
I don't know when @Picasso or @Naathim will start helping on the forum.
It's a pity your computer is broken (bluescreens), because it would be easier to remove the junk.
1) Uninstall these programs:
EpicScale Application (HKU\S-1-5-21-592060492-1902354033-4240126978-1000\...\EpicScaleApp) (Version: - EpicScale, Inc.) <==== ATTENTION
Faster Light (HKLM\...\Faster Light) (Version: 2014.12.27.152306 - Faster Light) <==== ATTENTION
omiga-plus uninstall (HKLM-x32\...\omiga-plus uninstall) (Version: - omiga-plus) <==== ATTENTION
2) Open Notepad and paste into it:
Task: {3C17F78A-6C00-4C88-B810-A93C1201D7AD} - System32\Tasks\Yahoo! Search => C:\Users\internet\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.25.0\dsrlte.exe [2015-05-10] (Pay By Ads LTD) <==== ATTENTION
C:\Users\internet\AppData\Local\Pay-By-Ads
Task: {ED9CBCE7-CFB4-4B2F-94AF-64CC92996357} - System32\Tasks\Yahoo! Search Updater => C:\Users\internet\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.25.0\dsrsetup.exe [2015-05-10] (Pay By Ads LTD) <==== ATTENTION
C:\Program Files (x86)\Faster Light
C:\ProgramData\WindowsMangerProtect
C:\Program Files (x86)\XTab
C:\Program Files (x86)\MiuiTab
C:\ProgramData\EpicScale
C:\ProgramData\IHProtectUpDate
HKU\S-1-5-21-592060492-1902354033-4240126978-1000\...\Run: [EpicScale] => C:\ProgramData\EpicScale\10\EpicScale.exe EpicScale StartMinimized
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
HKU\S-1-5-21-592060492-1902354033-4240126978-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
HKU\S-1-5-21-592060492-1902354033-4240126978-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
HKU\S-1-5-21-592060492-1902354033-4240126978-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
HKU\S-1-5-21-592060492-1902354033-4240126978-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.delta-homes.com/web/?type=ds&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> OldSearch URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> {DF1F2225-AF5F-4778-9649-3F4B619A8E46} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-592060492-1902354033-4240126978-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
BHO-x32: LuckyTab Class -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-06-03] (Thinknice Co. Limited)
BHO-x32: Faster Light 1.0.0.7 -> {950ef4df-b9dd-4b97-9e34-5c7d25a5eb88} -> C:\Program Files (x86)\Faster Light\FasterLightBHO.dll [2015-01-27] ()
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe http://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
FF NewTab: hxxp://www.delta-homes.com/newtab/?type=nt&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
FF DefaultSearchEngine: delta-homes
FF SelectedSearchEngine: delta-homes
FF Homepage: hxxp://www.delta-homes.com/?type=hp&ts=1433410501&z=1409fed43b5baa9938766efg3z3ccc6zagfeaw9e4g&from=wpm06043&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
FF Keyword.URL: hxxp://search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=pr__alt__ddc_dss_bd_com&p=
FF Extension: No Name - C:\Users\Grzesiek\AppData\Roaming\Mozilla\Firefox\Profiles\kdxrja3a.default\Extensions\faststartff@gmail.com [2014-12-27]
FF Extension: No Name - C:\Users\Grzesiek\AppData\Roaming\Mozilla\Firefox\Profiles\kdxrja3a.default\Extensions\quick_searchff@gmail.com [2015-05-08]
FF HKLM-x32\...\Firefox\Extensions: [faststartff@gmail.com] - C:\Users\Grzesiek\AppData\Roaming\Mozilla\Firefox\Profiles\kdxrja3a.default\extensions\faststartff@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [quick_searchff@gmail.com] - C:\Users\Grzesiek\AppData\Roaming\Mozilla\Firefox\Profiles\kdxrja3a.default\extensions\quick_searchff@gmail.com
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe http://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
CHR Extension: (No Name) - C:\Users\Grzesiek\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpjaeedhlmcojmmhngnbankkodcdlenh [2015-06-22]
OPR Extension: (No Name) - C:\Users\Grzesiek\AppData\Roaming\Opera Software\Opera Stable\Extensions\jpjaeedhlmcojmmhngnbankkodcdlenh [2015-06-21]
OPR Extension: (No Name) - C:\Users\Grzesiek\AppData\Roaming\Opera Software\Opera Stable\Extensions\pbgbdinkchdlbniomfkieilppkmmfimc [2015-04-20]
R2 IHProtect Service; C:\Program Files (x86)\XTab\ProtectService.exe [158816 2015-05-08] (XTab system)
R2 Update Faster Light; C:\Program Files (x86)\Faster Light\updateFasterLight.exe [462064 2015-06-22] ()
R2 Util Faster Light; C:\Program Files (x86)\Faster Light\bin\utilFasterLight.exe [462064 2015-06-22] ()
R2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [347136 2015-06-04] (SysTool PasSame LIMITED) [File not signed] <==== ATTENTION
R1 {2c7e9044-6b3b-4ecc-9224-8b8c893f6fc1}Gw64; C:\Windows\System32\drivers\{2c7e9044-6b3b-4ecc-9224-8b8c893f6fc1}Gw64.sys [48792 2014-12-30] (StdLib)
R1 {5fa86e60-a54d-4e77-b1f1-f7bc1e215749}Gw64; C:\Windows\System32\drivers\{5fa86e60-a54d-4e77-b1f1-f7bc1e215749}Gw64.sys [48784 2015-01-30] (StdLib)
R1 {5fa86e60-a54d-4e77-b1f1-f7bc1e215749}w64; C:\Windows\System32\drivers\{5fa86e60-a54d-4e77-b1f1-f7bc1e215749}w64.sys [48784 2015-02-07] (StdLib)
R1 {82adbb5d-7d8c-4f2d-9936-53071e499858}Gw64; C:\Windows\System32\drivers\{82adbb5d-7d8c-4f2d-9936-53071e499858}Gw64.sys [48792 2015-01-03] (StdLib)
R1 {8fb4e628-35c6-4275-89be-ce3462febcc4}Gw64; C:\Windows\System32\drivers\{8fb4e628-35c6-4275-89be-ce3462febcc4}Gw64.sys [48792 2014-12-27] (StdLib)
R1 {a081059f-4e06-4f49-9a1e-4b92e171ba25}Gw64; C:\Windows\System32\drivers\{a081059f-4e06-4f49-9a1e-4b92e171ba25}Gw64.sys [48792 2015-01-05] (StdLib)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
C:\Windows\System32\drivers\{2c7e9044-6b3b-4ecc-9224-8b8c893f6fc1}Gw64.sys
C:\Windows\System32\drivers\{5fa86e60-a54d-4e77-b1f1-f7bc1e215749}Gw64.sys
C:\Windows\System32\drivers\{5fa86e60-a54d-4e77-b1f1-f7bc1e215749}w64.sys
C:\Windows\System32\drivers\{82adbb5d-7d8c-4f2d-9936-53071e499858}Gw64.sys
C:\Windows\System32\drivers\{8fb4e628-35c6-4275-89be-ce3462febcc4}Gw64.sys
C:\Windows\System32\drivers\{a081059f-4e06-4f49-9a1e-4b92e171ba25}Gw64.sys
C:\Users\Grzesiek\Downloads\p792bbbd6a3a60e297c50.html
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa
C:\Program Files (x86)\Picexa
C:\Users\Grzesiek\AppData\Roaming\omiga-plus
C:\Program Files (x86)\SupTab
C:\ProgramData\IePluginServices
C:\Users\Public\Desktop\Picexa.lnk
S2 PicexaService; C:\Program Files (x86)\Picexa\PicexaSvc.exe [393880 2015-05-06] () [File not signed]
C:\Users\Grzesiek\AppData\Roaming\Picexa Viewer
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa\Picexa.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa\uninstall.lnk
C:\Users\Grzesiek\Desktop\pierdoły\gry itd\Gimnazjum moduł 3 - Biologia.lnk
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox (Tryb awaryjny).lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Grzesiek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\internet\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
ShortcutWithArgument: C:\Users\Public\Desktop\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&z=ca2f74e1113b104620d088dg8z7ceg6e5t1tbm3c3q&from=wpm05083&uid=ST1000LM024XHN-M101MBB_S2U5J9CC956902
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
3) Make new FRST logs.
jessi
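The ShortcutWithArgument entries in the fixlist above are the usual footprint of a browser hijacker: every browser .lnk has been given a search-page URL as its launch argument, so the redirect survives an ordinary uninstall and only a shortcut-level cleanup removes it. The following is an added Python example, not code from the post, from FRST or from fixitpc.pl: it parses FRST-style ShortcutWithArgument lines and reports the shortcuts whose argument is a web address, grouped by the host they point to. The three sample lines inside it are constructed to follow the format seen above.

```python
"""Flag .lnk shortcuts whose launch argument is a URL, from FRST log lines.

Added example, not part of the forum post: a parser for FRST's
'ShortcutWithArgument:' output. FRST defangs web addresses as hxxp://, which
is normalised back to http:// only for hostname extraction.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in FRST's ShortcutWithArgument format (not a real log).
SAMPLE_LOG = r"""ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.delta-homes.com/?type=sc&ts=1431099740&from=wpm05083
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://isearch.omiga-plus.com/?type=sc&ts=1419707919&from=cor
ShortcutWithArgument: C:\Users\Public\Desktop\Notes.lnk -> C:\Windows\notepad.exe (Microsoft Corporation) -> C:\Users\Public\notes.txt
"""

# lnk path -> target executable (signer) -> argument. The non-greedy target group
# backtracks past "(x86)" because that parenthesis is not followed by " -> ".
LINE_RE = re.compile(
    r"^ShortcutWithArgument: (?P<lnk>.+?) -> (?P<target>.+?) "
    r"\((?P<signer>[^)]*)\) -> (?P<arg>.+)$"
)
URL_RE = re.compile(r"^(?:hxxps?|https?)://", re.IGNORECASE)


def parse_shortcut_lines(log_text):
    """Yield one dict per ShortcutWithArgument line; any other line is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_hijacked_shortcuts(log_text):
    """Return the parsed records whose launch argument is a web address."""
    findings = []
    for rec in parse_shortcut_lines(log_text):
        if URL_RE.match(rec["arg"]):
            url = re.sub(r"^hxxp", "http", rec["arg"], flags=re.IGNORECASE)
            rec["host"] = urlparse(url).hostname
            rec["exe"] = rec["target"].rsplit("\\", 1)[-1].lower()
            findings.append(rec)
    return findings


def group_by_host(findings):
    """Map each hijacking host to the list of .lnk files pointing at it."""
    by_host = defaultdict(list)
    for rec in findings:
        by_host[rec["host"]].append(rec["lnk"])
    return dict(by_host)


if __name__ == "__main__":
    import sys
    # Pass the path of a saved FRST.txt as the first argument to scan a real log.
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for host, lnks in group_by_host(find_hijacked_shortcuts(text)).items():
        print(host)
        for lnk in lnks:
            print("   ", lnk)
```

On the constructed sample the Chrome and Firefox shortcuts are reported under www.delta-homes.com and isearch.omiga-plus.com respectively, and the Notepad shortcut, whose argument is a local file, is left alone.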
-
As soon as @Picasso starts helping, they will move the topic to the appropriate forum section.
(I don't think this problem has anything to do with the removal, especially since it only appeared after 3 days)
jessi
-
Open Notepad and paste into it:
OPR Extension: (Filter Results) - C:\Users\euro rtv agd\AppData\Roaming\Opera Software\Opera Stable\Extensions\lfoohfdpkhfkpelighpnldnoobbkldoj [2015-06-21]
FF Extension: Filter Results - C:\Users\euro rtv agd\AppData\Roaming\Mozilla\Firefox\Profiles\ugyon9j2.default\Extensions\{27400994-36cd-48cb-a3d1-3ad5c9cea524}.xpi [2015-06-21]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
Toolbar: HKU\S-1-5-21-2100001416-2170443706-2230923172-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Extension: Real Summer Sale - C:\Users\euro rtv agd\AppData\Roaming\Mozilla\Firefox\Profiles\ugyon9j2.default\Extensions\realsummersale1@realsummersale.com
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
FF Extension: Lyrmix - C:\Users\euro rtv agd\AppData\Roaming\Mozilla\Firefox\Profiles\ugyon9j2.default\Extensions\133 [2013-10-01]
Do you recognize this extension in Firefox?
Make new FRST logs.
jessi
-
but for now I won't run your script, because I'm going by this: http://www.fixitpc.p...ieni-do-pomocy/
OK, I even commend your choice.
jessi
-
Open Notepad and paste into it:
HKLM\...\Run: [gmsd_pl_132] => [X]
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\Users\Kasia\AppData\Local\nssB66B.tmp
C:\found.000
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
Make new FRST logs.
Before the scan, tick "Additional"
jessi
-
Should GMER and FRST be removed too?
I gave the FRST removal instructions.
You can keep GMER.
jessi
-
I added something more to my previous post
jessi
-
This looks very good, I can hardly believe it - I'll go through these logs once more in a moment, more carefully.
In the meantime:
Open Notepad and paste into it:
C:\Windows\system32\Drivers\rsndisp.sys
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
C:\Users\nand\AppData\Local\70149b02515b3bb20dd492.47983420
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
I've gone through the logs carefully - in my opinion it's OK now.
I think we can wrap up:
1) Uninstall:
Revo Uninstaller Pro 3.1.2 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.2 - VS Revo Group, Ltd.)
2) Manually delete C:\Users\nand\Downloads\AppRemover.exe
3) In Adw-Cleaner click the Uninstall (UNINSTALL) button.
4) Manually delete C:\Users\nand\Downloads\FIX.REG
5) Open Notepad and paste into it:
DeleteQuarantine:
Save the file as fixlist.txt and put it next to FRST. Run FRST and click Fix.
Using SHIFT+DEL delete the remaining folder C:\FRST
6) MBAM - you can either uninstall it or keep it, so that from time to time, after first updating its virus database, you can scan the computer.
7) BlitzBlank - delete manually.
That should be everything.
jessi
-
I didn't even install them, and they don't appear in the system as installed.
They are on the list of your programs - the Additional.txt log.
You can also use Adw-Cleaner again.
Additionally:
Paste into Notepad:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt]
"DisplayName"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-205"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-204"
"ObjectName"="localSystem"
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ServiceSidType"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ServiceMain"="ServiceMain"
From the Notepad menu >> File >> Save As >> set the file type to All Files >> save as FIX.REG >> run the file (double-click and OK).
Restart the computer.
Only then make new FRST logs.
jessi
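Before importing a FIX.REG that someone has posted, it is worth reading exactly which values it writes; the hex(2) entries in the Winmgmt .reg above are UTF-16LE strings and are not readable as they stand. The following is an added Python example, not code from the post, from FRST or from regedit: a small parser for the .reg syntax regedit imports, run here on the Winmgmt .reg text from the post, which is the only input it assumes. It decodes hex(1)/hex(2) as UTF-16LE strings, hex(7) as a string list, dword as an integer and plain hex as bytes, so ImagePath comes out as the svchost command line and ServiceDll as the WMI service DLL path.

```python
"""Read what a .reg file will write before running it.

Added example, not code from the forum post or from any tool it mentions:
a parser for the .reg syntax that regedit imports. The sample input below is
the Winmgmt service .reg from the post, copied as posted.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt]
"DisplayName"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-205"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-204"
"ObjectName"="localSystem"
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ServiceSidType"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ServiceMain"="ServiceMain"
"""

# Registry value types as they appear in .reg files: hex(N) carries the REG_* number.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_MULTI_SZ = 1, 2, 3, 7

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<raw>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$")


def _join_continuations(text):
    """Join the hex lines that regedit wraps with a trailing backslash."""
    lines, pending = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
        else:
            lines.append(pending + stripped)
            pending = ""
    return lines


def _unescape(s):
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw == "-":                      # "name"=- deletes the value on import
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised .reg value: {raw!r}")
    data = bytes(int(b, 16) for b in m.group("data").split(",") if b)
    kind = int(m.group("type"), 16) if m.group("type") else REG_BINARY
    if kind in (REG_SZ, REG_EXPAND_SZ):  # UTF-16LE, NUL terminated
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == REG_MULTI_SZ:             # UTF-16LE, NUL separated, double NUL at the end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                          # REG_BINARY and anything else: raw bytes


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for the keys a .reg adds."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected .reg line: {line!r}")
        name = "@" if m.group("default") else _unescape(m.group("name"))
        keys[current][name] = decode_value(m.group("raw"))
    return keys


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(f"[{key}]")
        for name, value in values.items():
            print(f"  {name} = {value!r}")
```

Run as a script it prints each key with its decoded values; the FailureActions blob stays as 44 raw bytes, since that value is a binary SERVICE_FAILURE_ACTIONS structure rather than a string.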
-
1) Uninstall these programs:
bestadblocker (HKLM-x32\...\{4820778D-AB0D-6D18-C316-52A6A0E1D507}) (Version: - ) <==== ATTENTION
PriceMinus (HKLM-x32\...\{06B99631-BFA2-3B7A-F58B-D067C2BA59B7}) (Version: - ) <==== ATTENTION
2) The situation is worse now, because the Registry is damaged.
3) Open Notepad and paste into it:
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{048ED0E0-12CF-4C0F-9FFA-947C2FBE8C8E}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{071339A1-1946-44B2-B63E-50459B15DB86}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{08A60FF7-BB37-44F4-9759-0ADA6C7B9CC9}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{0B38CACA-3D3C-48EA-BEB5-7D95F4F6EE15}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{0C3393F8-94F5-4B79-8C01-49A2D0CC0FE9}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{0D555CE0-304A-47A6-858B-B145209A3982}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{1D6DFD6A-9E16-435A-9327-6FFEC6BA372F}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{1E5724EA-3423-4BD3-ABD6-46E650D2DC66}\InprocServer32 -> AcETransmit.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{1E8A29BA-827D-4031-A4A3-AE7999B402F6}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{1EA072EE-57FD-495E-889C-8243C3BDBDBC}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{1FD7F53F-7ED5-439C-9A77-A3821CD09E98}\InprocServer32 -> axdb.dll No File
CustomCLSID: HKU\S-1-5-21-740415962-4211020823-285711137-1000_Classes\CLSID\{20E47D5B-529A-45BD-8E77-BF1A3064A008}\InprocServer32 -> axdb.dll No File
Task: {206BD9BA-3369-4EEA-9418-432E9ED4A72A} - \globalUpdateUpdateTaskMachineCore No Task File <==== ATTENTION
Task: {C9035508-4077-43DB-A39B-AB0CFB809E62} - \globalUpdateUpdateTaskMachineUA No Task File <==== ATTENTION
Task: C:\Windows\Tasks\Bidaily Synchronize Task[973b].job => c:\programdata\{a57a407d-0a1c-410c-a57a-a407d0a101f4}\f1_2014_pc__game (1).exe <==== ATTENTION
c:\programdata\{a57a407d-0a1c-410c-a57a-a407d0a101f4}
C:\Program Files (x86)\Rising
C:\program files (x86)\common files\baidu
HKLM\...\Run: [baidusdTray] => "C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\baidusdTray.exe" -stmd=3
C:\Program Files (x86)\Baidu
HKU\S-1-5-21-740415962-4211020823-285711137-1000\...\Run: [Akamai NetSession Interface] => "C:\Users\nand\AppData\Local\Akamai\netsession_win.exe"
C:\Users\nand\AppData\Local\Akamai\netsession_win.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-740415962-4211020823-285711137-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: PriceMinus -> {5AB30FD9-2AD4-49A7-AE9A-E5F4441922E5} -> C:\Program Files (x86)\PriceMinus\IiNVnZnl4GaN8a.x64.dll No File
BHO: bestadblocker -> {741C982F-4669-4217-86C1-686B4BCED847} -> C:\Program Files (x86)\bestadblocker\VuxJtDGlvspgrC.x64.dll [2015-06-19] ()
C:\Program Files (x86)\PriceMinus
C:\Program Files (x86)\bestadblocker
Locked "BFE" service could not be unlocked. <===== ATTENTION
U4 BaiduHips; C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe [X]
U4 RsRavMon; "C:\Program Files (x86)\Rising\RAV\ravmond.exe" [X]
U1 bd0001; C:\Windows\System32\DRIVERS\bd0001.sys [202576 2015-04-08] (Baidu)
U4 BDDefense; C:\Windows\System32\drivers\BDDefense.sys [103240 2015-04-08] (Baidu)
U1 bd0002; system32\DRIVERS\bd0002.sys [X]
U3 blzblk; \??\C:\Windows\system32\drivers\blzblk.sys [X]
U4 sysmon; system32\DRIVERS\sysmon.sys [X]
C:\Program Files (x86)\2db321c8-69b7-4dd1-acf8-4d551cdaf0f7
C:\Windows\system32\Drivers\bd0001.sys
C:\Windows\system32\Drivers\BDDefense.sys
C:\ProgramData\Baidu
C:\ProgramData\Rising
C:\Windows\system32\Drivers\rsndisp.sys
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
4) Make new FRST logs.
jessi
-
it didn't remove Google Chrome. Am I supposed to fiddle with removing Chrome manually?
I don't understand why only you have a problem uninstalling Chrome? There are thousands of Chrome users in the world, and so far I haven't heard of any of them having a problem uninstalling it. I also have Chrome, and I uninstalled it as a test - without any problems. Why is it different for you?
Paste into Notepad:
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2689971262-685424931-2623737911-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\Razor Web\Uninstaller.exe"=-
From the Notepad menu >> File >> Save As >> set the file type to All Files >> save as FIX.REG >>
run the file (double-click and OK).
Open Notepad and paste into it:
C:\Program Files (x86)\Razor Web\Uninstaller.exe
C:\Program Files (x86)\Razor Web
EmptyTemp:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
jessi
Worm:Win32/Gamarue
in Emergency Help
Posted
to be honest - I don't know either.
I missed one more thing in the logs:
Open Notepad and paste into it:
Save the file as fixlist.txt and put it next to FRST.exe
Run FRST and click the Fix button.
A fixlog.txt file will be created.
Post that log.
jessi