jessica

Replies posted by jessica

  1. In my opinion, these new logs no longer contain anything significantly harmful.

    But @Picasso should still review this.

    If @Picasso does not review it within the next few days, then do at least this:

    Open Notepad and paste the following into it:

     

    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    FF Extension: No Name - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\extensions\fftoolbar2014@etech.com [Not Found]
    FF Extension: No Name - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\extensions\istart_ffnt@gmail.com [Not Found]
    FF Extension: No Name - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\extensions\searchengine@gmail.com [Not Found]
    S2 nicorygo; C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nssEB3.tmp [X]
    S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.
    Run FRST and click the Fix button.

    The most important thing is that you no longer have the problem with Microsoft.

     

    jessi

  2. Open Notepad and paste the following into it:

     

    Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC\YAC.lnk -> C:\Program Files (x86)\Elex-tech\YAC\iStart.exe
    C:\Program Files (x86)\Elex-tech
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC
    Shortcut: C:\Users\Andrew\Desktop\SpyHunter.lnk -> C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe
    C:\Program Files (x86)\Enigma Software Group
    Shortcut: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter\SpyHunter.lnk -> C:\Program Files (x86)\Enigma Software Group\SpyHunter\SpyHunter4.exe
    C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
    ShortcutWithArgument: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter\Uninstall SpyHunter.lnk -> C:\Windows\SysWOW64\msiexec.exe (Microsoft Corporation) -> /X {4FC9DA9D-F608-454E-8191-D7EFFDCC5726}
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iSafe" /f
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}" /f
    Shortcut: C:\Users\Public\Desktop\YAC.lnk -> C:\Program Files (x86)\Elex-tech\YAC\iStart.exe (Elex do Brasil Participações Ltda)
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC\uninstall.lnk -> C:\Program Files (x86)\Elex-tech\YAC\uninstall.exe (Elex do Brasil Participações Ltda) -> -uninst
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC\YAC Desktop.lnk -> C:\Program Files (x86)\Elex-tech\YAC\iDesk.exe () -> -lnk
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAC\YAC Wifi.lnk -> C:\Program Files (x86)\Elex-tech\YAC\YacWifi.exe (Elex do Brasil Participações Ltda) -> /startmenu
    Task: {402ECAC4-453D-42F2-8C79-CA32FFEEB95A} - System32\Tasks\SpyHunter4Startup => C:\Program Files (x86)\Enigma Software Group\SpyHunter\Spyhunter4.exe [2015-04-05] (Enigma Software Group USA, LLC.)
    Task: {635A788E-667E-42D2-9D69-3A66F62EC223} - \SomotoUpdateCheckerAutoStart No Task File <==== ATTENTION
    Task: {8855519E-1F9A-4E4C-909A-906FFCDF41D5} - \NAPSTAT No Task File <==== ATTENTION
    Task: {96A75282-A1A9-4385-A637-943097F9CB99} - System32\Tasks\{F78427F7-D0C9-4161-9312-7B7E9B82A122} => pcalua.exe -a C:\Users\Andrew\AppData\Roaming\istartsurf\UninstallManager.exe -c  -ptid=obw
    Task: {E4432BE5-2117-4949-AB43-A67596F33A8B} - \FoxTab No Task File <==== ATTENTION
    C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nsk62DD.tmp
    C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\jnsmD2AD.tmp
    C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100
    R1 iSafeKrnl; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnl.sys [249000 2015-03-20] (Elex do Brasil Participações Ltda)
    S3 iSafeKrnlBoot; C:\Windows\System32\DRIVERS\iSafeKrnlBoot.sys [45224 2015-03-20] (Elex do Brasil Participações Ltda)
    R1 iSafeKrnlKit; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlKit.sys [99496 2015-03-20] (Elex do Brasil Participações Ltda)
    R1 iSafeKrnlMon; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlMon.sys [42152 2015-03-20] (Elex do Brasil Participações Ltda)
    R1 iSafeKrnlR3; C:\Program Files (x86)\Elex-tech\YAC\iSafeKrnlR3.sys [93352 2015-03-20] (Elex do Brasil Participações Ltda)
    R1 iSafeNetFilter; C:\Windows\System32\DRIVERS\iSafeNetFilter.sys [52392 2015-02-15] (Elex do Brasil Participações Ltda)
    S1 innfd_1_10_0_13; system32\drivers\innfd_1_10_0_13.sys [X]
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    C:\WINDOWS\system32\Drivers\iSafeKrnlBoot.sys
    C:\WINDOWS\system32\Drivers\iSafeNetFilter.sys
    C:\Users\Andrew\AppData\Roaming\Elex-tech
    C:\Program Files (x86)\Elex-tech
    C:\Users\Andrew\AppData\Roaming\eCyber
    C:\Users\Andrew\Downloads\yet_another_cleaner_sk_3047707.exe
    C:\WINDOWS\System32\Tasks\SpyHunter4Startup
    C:\spyhunter.fix
    C:\Users\Andrew\AppData\Local\nsqB51.tmp
    C:\Users\Andrew\AppData\Roaming\AnyProtectEx
    C:\sh4ldr
    C:\Users\Andrew\AppData\Local\foxtab_speeddial.crx
    C:\Users\Andrew\AppData\Local\nsf11A3.tmp
    C:\Users\Andrew\AppData\Local\nsq73D0.tmp
    C:\Users\Andrew\AppData\Local\nsqB51.tmp
    R2 iSafeService; C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe
    R3 riwijelo; C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nsk62DD.tmp
    S3 SpyHunter 4 Service; C:\Program Files (x86)\Enigma Software Group\SpyHunter\SH4Service.exe
    R3 xyhigysy; C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\jnsmD2AD.tmp
    FF Extension: FF Toolbar - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\Extensions\fftoolbar2014@etech.com [2015-04-05]
    FF Extension: Fast Start - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\Extensions\istart_ffnt@gmail.com [2015-04-05]
    FF Extension: Search Enginer - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\Extensions\searchengine@gmail.com [2015-04-05]
    FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\extensions\searchengine@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [istart_ffnt@gmail.com] - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\extensions\istart_ffnt@gmail.com
    FF HKLM-x32\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\558swsb8.default\extensions\fftoolbar2014@etech.com
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{11aac89e-b2d9-4b81-bbed-d6f784098f3a} <======= ATTENTION (Policy Restriction on IP)
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    IFEO\bpsvc.exe: [Debugger] tasklist.exe
    IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
    IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
    IFEO\jumpflip: [Debugger] tasklist.exe
    IFEO\protectedsearch.exe: [Debugger] tasklist.exe
    IFEO\searchinstaller.exe: [Debugger] tasklist.exe
    IFEO\searchprotection.exe: [Debugger] tasklist.exe
    IFEO\searchprotector.exe: [Debugger] tasklist.exe
    IFEO\searchsettings.exe: [Debugger] tasklist.exe
    IFEO\searchsettings64.exe: [Debugger] tasklist.exe
    IFEO\snapdo.exe: [Debugger] tasklist.exe
    IFEO\stinst32.exe: [Debugger] tasklist.exe
    IFEO\stinst64.exe: [Debugger] tasklist.exe
    IFEO\umbrella.exe: [Debugger] tasklist.exe
    IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
    IFEO\volaro: [Debugger] tasklist.exe
    IFEO\vonteera: [Debugger] tasklist.exe
    IFEO\websteroids.exe: [Debugger] tasklist.exe
    IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
    HKU\S-1-5-21-1735395495-2726210869-181527219-1002\...\Run: [Akamai NetSession Interface] => "C:\Users\Andrew\AppData\Local\Akamai\netsession_win.exe"
    C:\Users\Andrew\AppData\Local\Akamai\netsession_win.exe
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    Now use Adw-Cleaner.

    Then create new FRST logs.

     

    jessi

  3. I don't think Conficker is present here (I don't see any of its objects here) - it is more likely the fault of one of these programs:

    YAC(Yet Another Cleaner!) (HKLM-x32\...\iSafe) (Version:  - ELEX DO BRASIL PARTICIPAÇÕES LTDA) <==== ATTENTION

    SpyHunter (HKLM-x32\...\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}) (Version: 4.1.11 - Enigma Software Group USA, LLC)

     

    or of this junk:

    Process  C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nsk62DD.tmp (*** suspicious ***) @ C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nsk62DD.tmp [2632](2015-04-05 17:43:45)    00000000008f0000

    Process  C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\jnsmD2AD.tmp (*** suspicious ***) @ C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\jnsmD2AD.tmp [3016](2015-04-05 13:22:25)  00000000003a0000

    Process  C:\Users\Andrew\AppData\Local\Temp\Rar$EXa0.883\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\Andrew\AppData\Local\Temp\Rar$EXa0.883\jhnmqgsg.exe [6688](2015-02-04 12:59:56)   0000000000400000 - this one happens to be GMER, so it is ruled out!

              

    Uninstall both of these suspicious programs; uninstall Spy Hunter in the following way:

    click this icon: C:\Users\user name\Start Menu\Programs\SpyHunter\Uninstall.lnk

    a window will pop up, but instead of clicking the big green "continue" button, click "no, thanks". The latter is the one that uninstalls.

    Then use AdwCleaner

    first click SZUKAJ (SCAN), and only after the scan has finished, when the USUŃ (CLEANING) button becomes active, click it.

  4. Open Notepad and paste the following into it:

     

    Task: {009BDCB0-351E-4E68-8BA2-FABA6D5135F1} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-4 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-4.exe <==== ATTENTION
    C:\Program Files\GoHD
    Task: {0B6481D1-40BA-423E-9626-D92A3BC1B6FA} - System32\Tasks\Yahoo! Search Updater => C:\Users\compaq\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.15.4\dsrsetup.exe <==== ATTENTION
    C:\Users\compaq\AppData\Local\Pay-By-Ads
    Task: {15E89723-D5D9-45A1-810D-D234764D70BD} - System32\Tasks\temp_6f9fb53a-ba53-4fc6-a768-2e101a4518cc-2 => C:\Users\compaq\AppData\Local\Temp\nsu8604.tmp\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-2.exe <==== ATTENTION
    C:\Users\compaq\AppData\Local\Temp\nsu8604.tmp
    Task: {1DEF2FF8-1F46-47D4-A338-24A60EB5FB39} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-1 => C:\Program Files\GoHD\GoHD-codedownloader.exe <==== ATTENTION
    Task: {21B29F95-7F26-43D8-AAFD-33805111126F} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-2 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-2.exe <==== ATTENTION
    Task: {2A9BB356-16AD-4601-B365-EEA6D3015595} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-7 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-7.exe <==== ATTENTION
    Task: {31B06DCB-0A5C-4997-BCDD-6CD6B613BAA3} - System32\Tasks\Yahoo! Search => C:\Users\compaq\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.15.4\dsrlte.exe <==== ATTENTION
    Task: {37EEF7E0-A742-448E-987B-8E8CEB97F96F} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-7 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-7.exe <==== ATTENTION
    Task: {41C35A7A-E85E-4DE6-9718-2DCB13F7A525} - System32\Tasks\RegClean Pro => C:\Program Files\RCP\RegCleanPro.exe <==== ATTENTION
    C:\Program Files\RCP
    Task: {431331AE-1C26-4C47-AFD3-C72DD8607BF1} - System32\Tasks\globalUpdateUpdateTaskMachineCore => C:\Program Files\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
    C:\Program Files\globalUpdate
    Task: {58FC9189-9DA6-4531-B0DB-FCB6AFC93FB7} - System32\Tasks\temp_6f9fb53a-ba53-4fc6-a768-2e101a4518cc-6 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-6.exe <==== ATTENTION
    Task: {7265A253-D4A0-48A6-8FFF-27CDEC342DB8} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-6 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-6.exe <==== ATTENTION
    Task: {7C74D717-D81F-4B44-9C4D-4BE00D1B6DF7} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-1 => C:\Program Files\GoHD\GoHD-codedownloader.exe <==== ATTENTION
    Task: {856A6148-D343-40F2-9933-2E50B5F6FA39} - System32\Tasks\RegClean Pro_UPDATES => C:\Program Files\RCP\RegCleanPro.exe <==== ATTENTION
    Task: {925BA358-F8F6-44C5-9973-DC5FE8D4670F} - System32\Tasks\temp_ec4299ac-8e7b-4eab-86c1-396bb8483af0-6 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-6.exe <==== ATTENTION
    Task: {A357115B-1F74-4DFC-B206-D76340E1A884} - System32\Tasks\temp_ec4299ac-8e7b-4eab-86c1-396bb8483af0-2 => C:\Users\compaq\AppData\Local\Temp\nsy9EC0.tmp\ec4299ac-8e7b-4eab-86c1-396bb8483af0-2.exe <==== ATTENTION
    C:\Users\compaq\AppData\Local\Temp\nsy9EC0.tmp
    Task: {A9C9E33D-AB9C-4D7A-A84A-73038784722A} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-5_user => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-5.exe <==== ATTENTION
    Task: {B4342DEB-909B-4094-9FFA-9C4774D1ABE5} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-11 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-11.exe <==== ATTENTION
    Task: {C182599F-E494-4BB0-A886-AC68C922D7AF} - System32\Tasks\RegClean Pro_DEFAULT => C:\Program Files\RCP\RegCleanPro.exe <==== ATTENTION
    Task: {C45CDB15-9C99-4F30-BF52-AAAE5CBD8E86} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-5 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-5.exe <==== ATTENTION
    Task: {C6DEA7B4-313B-4AD9-BA12-2C686F3F1C59} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-5 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-5.exe <==== ATTENTION
    Task: {D3C71EA0-12F6-4C3E-94A5-860CE7215C88} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-11 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-11.exe <==== ATTENTION
    Task: {E023266E-A692-4017-A5BB-2056A96B9400} - System32\Tasks\ec4299ac-8e7b-4eab-86c1-396bb8483af0-6 => C:\Program Files\GoHD\ec4299ac-8e7b-4eab-86c1-396bb8483af0-6.exe <==== ATTENTION
    Task: {EA93C9E3-52B7-4E88-91B7-D6B3688F5AF3} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-2 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-2.exe <==== ATTENTION
    Task: {F176D55F-51AE-41E7-B7AA-140EFBBADEE7} - System32\Tasks\globalUpdateUpdateTaskMachineUA => C:\Program Files\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
    Task: {FD757DC5-2080-4291-ACD6-54801D7C6D10} - System32\Tasks\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-4 => C:\Program Files\GoHD\6f9fb53a-ba53-4fc6-a768-2e101a4518cc-4.exe <==== ATTENTION
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\removeSearchqudatamngr" /f
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-2610713279-1768236827-747832540-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    BHO: No Name -> {7E853D72-626A-48EC-A868-BA8D5E23E045} ->  No File
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    CHR Plugin: (AVG Internet Security) - C:\Users\compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll No File
    S3 HWDeviceService.exe; "C:\ProgramData\DatacardService\HWDeviceService.exe" -/service [X]
    S3 axsaki; system32\DRIVERS\axsaki.sys [X]
    S3 catchme; \??\C:\Users\compaq\AppData\Local\Temp\catchme.sys [X]
    S1 ccnfd_1_10_0_4; system32\drivers\ccnfd_1_10_0_4.sys [X]
    S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
    S3 HTCAND32; System32\Drivers\ANDROIDUSB.sys [X]
    S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
    S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
    S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
    S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
    S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
    S0 PxHelp20; System32\Drivers\PxHelp20.sys [X]
    C:\Users\compaq\{e79a3988-4a01-4644-a81f-c71a22dc3c6c}
    C:\Users\compaq\AppData\Local\Temp*.html
    C:\Users\compaq\SUPERsetup.exe
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    Create a log with Adw-Cleaner https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/?do=findComment&comment=118323

    Create new FRST logs

    before scanning, tick: Shortcut, Additional

     

    jessi

  5. Open Notepad and paste the following into it:

     

    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\Service Mgr StrongSignal" /f
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\Update Mgr StrongSignal" /f
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\WindowsMangerProtect" /f
    Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\SpyHunter 4 Service" /f
    Task: {A49B4FCA-B368-4A04-9DA3-08C64084A8BA} - System32\Tasks\{9C861266-D862-4855-801B-8B4D90C3842D} => pcalua.exe -a C:\Users\Asus\AppData\Roaming\do-search\UninstallManager.exe -c  -ptid=cor
    C:\Users\Asus\AppData\Roaming\do-search
    C:\Program Files (x86)\XTab
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-2514297185-695947203-224707951-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://do-search.com/?type=hppp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://do-search.com/?type=hppp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com/web/?type=ds&ts=1426454266&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com/web/?type=ds&ts=1426454266&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://do-search.com/?type=hppp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://do-search.com/?type=hppp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com/web/?type=ds&ts=1426454266&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com/web/?type=ds&ts=1426454266&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    HKU\S-1-5-21-2514297185-695947203-224707951-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://do-search.com/web/?type=dspp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    HKU\S-1-5-21-2514297185-695947203-224707951-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://do-search.com/?type=hppp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB
    HKU\S-1-5-21-2514297185-695947203-224707951-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://do-search.com/web/?type=dspp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://do-search.com/web/?type=dspp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://do-search.com/web/?type=dspp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2514297185-695947203-224707951-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://do-search.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=3219913727_67194_0044D7FB&ts=1426454354&type=default&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2514297185-695947203-224707951-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://do-search.com/web/?type=dspp&ts=1426454337&from=cor&uid=3219913727_67194_0044D7FB&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2514297185-695947203-224707951-1000 -> {7378FD6F-E357-4D2A-8FBF-27BBBACC2449} URL = http://www.search.ask.com/web?tpid=SGT1-SP&o=APN11004&pf=V7&p2=^B3Q^YYYYYY^YY^PL&gct=&itbv=12.25.0.244&apn_uid=8A7B36AF-E747-4923-9070-50AB49B22EFC&apn_ptnrs=^B3Q&apn_dtid=^YYYYYY^YY^PL&apn_dbr=ff_36.0&doi=2015-03-15&trgb=FF&q={searchTerms}&psv=&pt=tb
    SearchScopes: HKU\S-1-5-21-2514297185-695947203-224707951-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://do-search.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=3219913727_67194_0044D7FB&ts=1426454354&type=default&q={searchTerms}
    BHO-x32: IETabPage Class -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> C:\Program Files (x86)\XTab\SupTab.dll [2015-03-10] (Thinknice Co. Limited)
    BHO-x32: Strong Signal -> {c723a437-2eaf-466d-a95b-3fa0966bf88c} -> C:\Program Files (x86)\Strong Signal\Extensions\c723a437-2eaf-466d-a95b-3fa0966bf88c.dll [2015-03-15] ()
    C:\Program Files (x86)\Strong Signal
    Toolbar: HKU\S-1-5-21-2514297185-695947203-224707951-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
    FF DefaultSearchEngine: webssearches
    FF SelectedSearchEngine: webssearches
    FF SearchPlugin: C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\skuv2ji8.default\searchplugins\do-search.xml [2015-03-30]
    FF SearchPlugin: C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\skuv2ji8.default\searchplugins\webssearches.xml [2015-03-31]
    FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\.xml [2015-03-22]
    FF Extension: Search Enginer - C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\skuv2ji8.default\Extensions\searchengine@gmail.com [2015-03-15]
    FF Extension: Zoom It - C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\skuv2ji8.default\Extensions\zzoomit@zoom.com [2015-03-15]
    FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\skuv2ji8.default\extensions\searchengine@gmail.com
    R2 IHProtect Service; C:\Program Files (x86)\XTab\ProtectService.exe [158816 2015-03-10] (XTab system)
    S4 Service Mgr StrongSignal; C:\ProgramData\0780f478-67ce-4ec3-98db-39a65f4618ce\plugincontainer.exe [639224 2015-03-24] ()
    S4 Update Mgr StrongSignal; C:\Program Files (x86)\Common Files\0780f478-67ce-4ec3-98db-39a65f4618ce\updater.exe [559864 2015-03-24] ()
    S4 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [493712 2015-03-15] (SysTool PasSame LIMITED)
    C:\Program Files\Enigma Software Group
    C:\Users\Asus\Downloads\SpyHunter-installer.exe
    C:\Windows\System32\Tasks\{9C861266-D862-4855-801B-8B4D90C3842D}
    C:\Users\Asus\Downloads\YTD-Video-Downloader(27896)-dp.exe
    C:\ProgramData\WindowsMangerProtect
    C:\ProgramData\IHProtectUpDate
    C:\ProgramData\0780f478-67ce-4ec3-98db-39a65f4618ce
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

    Create a log with Adw-Cleaner https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/?do=findComment&comment=118323

    Create new FRST logs.

     

    jessi

  6. Open Notepad and paste the following into it:

     

    Task: {0468BAC2-894E-413F-8FF0-A82AE61F22AC} - System32\Tasks\SPBIW_UpdateTask_Time_323633323531303231352d344a414155342a2a236c6c5a => Wscript.exe //B "C:\ProgramData\ShopperPro\spbihe.js" spbiu.exe /invoke /f:check_services /l:0 <==== ATTENTION
    C:\ProgramData\ShopperPro
    Task: {477F8897-DCA5-4AF6-B6FD-48D6DB9ADEFB} - System32\Tasks\{8EEC7BDB-B69F-476E-91C6-A6AF8FBDA7C5} => pcalua.exe -a "C:\Program Files\YouTube Accelerator\YTAUninstall.exe"
    C:\Program Files\YouTube Accelerator
    Task: {8C721B13-32D4-402D-8A8B-E84BEB4AF4B7} - System32\Tasks\GFXWRHAD => C:\Users\Acer\AppData\Roaming\GFXWRHAD.exe <==== ATTENTION
    C:\Users\Acer\AppData\Roaming\GFXWRHAD.exe
    Task: {B9E439CF-81E0-4676-B5BC-8293FE14B0C0} - System32\Tasks\XSQFBT => C:\Users\Acer\AppData\Roaming\XSQFBT.exe <==== ATTENTION
    C:\Users\Acer\AppData\Roaming\XSQFBT.exe
    Task: {E4AA6030-1E43-48E2-9F72-1D216F270410} - System32\Tasks\YTAUpdate => C:\PROGRA~1\YOUTUB~1\Updater.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-1-6.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-1-6.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-1-7.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-1-7.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-10_user.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-10.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-11.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-11.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-4.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-4.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-5.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-5.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-5_user.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-5.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-6.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-6.exe <==== ATTENTION
    Task: C:\Windows\Tasks\12d6c2af-d25b-4e93-a355-4b2280c4a46c-7.job => C:\Program Files\GoHD\12d6c2af-d25b-4e93-a355-4b2280c4a46c-7.exe <==== ATTENTION
    Task: C:\Windows\Tasks\208aafe1-78bc-4f7b-a972-7c08a40c1a91-1.job => C:\Program Files\SensePlus\SensePlus-codedownloader.exe <==== ATTENTION
    Task: C:\Windows\Tasks\208aafe1-78bc-4f7b-a972-7c08a40c1a91-2.job => C:\Program Files\SensePlus\208aafe1-78bc-4f7b-a972-7c08a40c1a91-2.exe <==== ATTENTION
    Task: C:\Windows\Tasks\208aafe1-78bc-4f7b-a972-7c08a40c1a91-4.job => C:\Program Files\SensePlus\208aafe1-78bc-4f7b-a972-7c08a40c1a91-4.exe <==== ATTENTION
    Task: C:\Windows\Tasks\208aafe1-78bc-4f7b-a972-7c08a40c1a91-5.job => C:\Program Files\SensePlus\208aafe1-78bc-4f7b-a972-7c08a40c1a91-5.exe <==== ATTENTION
    Task: C:\Windows\Tasks\208aafe1-78bc-4f7b-a972-7c08a40c1a91-5_user.job => C:\Program Files\SensePlus\208aafe1-78bc-4f7b-a972-7c08a40c1a91-5.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-1-6.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-1-6.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-1-7.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-1-7.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-11.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-11.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-4.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-4.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-5.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-5.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-5_user.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-5.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-6.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-6.exe <==== ATTENTION
    Task: C:\Windows\Tasks\604196a1-9f5f-48e2-9c11-cb6cb22d19de-7.job => C:\Program Files\PlusHD Cinema 2.1cV03.02\604196a1-9f5f-48e2-9c11-cb6cb22d19de-7.exe <==== ATTENTION
    C:\Program Files\PlusHD Cinema 2.1cV03.02
    Task: C:\Windows\Tasks\GFXWRHAD.job => C:\Users\Acer\AppData\Roaming\GFXWRHAD.exe <==== ATTENTION
    Task: C:\Windows\Tasks\Price Fountain.job => C:\Users\Acer\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    Task: C:\Windows\Tasks\XSQFBT.job => C:\Users\Acer\AppData\Roaming\XSQFBT.exe <==== ATTENTION
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
    FF DefaultSearchEngine: webssearches
    FF SelectedSearchEngine: webssearches
    FF Extension: 158d7cb370394a758e0b3bd0a464edd2 - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\k8a17bfg.default\Extensions\{158d7cb3-7039-4a75-8e0b-3bd0a464edd2} [2015-01-31]
    FF Extension: No Name - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\k8a17bfg.default\extensions\fftoolbar2014@etech.com [Not Found]
    FF Extension: No Name - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\k8a17bfg.default\extensions\{4C59F3E5-BBD0-4344-8DD2-30866FA0B31E} [Not Found]
    FF Extension: No Name - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\k8a17bfg.default\extensions\{746505DC-0E21-4667-97F8-72EA6BCF5EEF} [Not Found]
    FF Extension: No Name - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\k8a17bfg.default\extensions\OIBMBKA115048682@HYKFIU97176590.com [Not Found]
    FF Extension: No Name - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\k8a17bfg.default\extensions\e9d197d59f2f45f382b1aa5c14d82@8706aaed9b904554b5cb7984e9.com [Not Found]
    CHR Extension: (Solution Real) - C:\Users\Acer\AppData\Local\Google\Chrome\User Data\Default\Extensions\gajmlbhaikobfinipefjoonopbfdkpcl [2015-02-01]
    CHR Extension: (No Name) - C:\Users\Acer\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmleblnjffpliebomfhmbhimioibfjm [2015-02-03]
    OPR Extension: (GoHD) - C:\Users\Acer\AppData\Roaming\Opera Software\Opera Stable\Extensions\bokijhalndhhhikpnaniimagniglonke [2015-02-03]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    C:\Users\Acer\AppData\Local\nsa7183.tmp
    C:\Users\Acer\AppData\Local\nsoFE3.tmp
    C:\Users\Acer\AppData\Local\nsqDF26.tmp
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST.
    Run FRST and click the Fix button.
    A fixlog.txt file will be created.
    Post that log.

     

     

     

    CHR dev: Chrome dev build detected! <======= ATTENTION

    Uninstall this vulnerable version of Google Chrome.
    Install it from here > http://www.google.com/chrome/

    Make new FRST logs, this time without Shortcut.

    Let me know whether these steps improved the situation.

     

    jessi

  7. If @Picasso doesn't look in here within the next few hours, do this:

    1) Adw-Cleaner:

    first click SZUKAJ (SCAN), and only once the scan has finished and the USUŃ (CLEANING) button becomes active, click it.
    Show the report from it: C:\AdwCleaner\AdwCleaner.txt

     

    2) 

    BrickAmplifier (HKLM\...\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{dd693f9b}) (Version:  - BrickAmplifier) <==== ATTENTION

    Uninstall this program.

     

    3)

    Mavenlink Project Manager (HKLM\...\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}) (Version:  - ) <==== ATTENTION

    As for this one, I have doubts about whether to remove it too, so for now we leave it alone.

    4) Make new FRST logs

     

    jessi

  8. After connecting to the internet I can't open any pages.

    Maybe the situation will improve after uninstalling these programs:

     

    YouTube Accelerator (HKLM\...\YouTube Accelerator) (Version: 3394(build_88) - Goobzo Ltd.) <==== ATTENTION

    youtubeadblocker (HKLM\...\{4820778D-AB0D-6D18-C316-52A6A0E1D507}) (Version:  - ) <==== ATTENTION

    webssearches uninstall (HKLM\...\webssearches uninstall) (Version:  - webssearches) <==== ATTENTION

    unissalles (HKLM\...\{4CEE92A3-9F0C-51AB-ADC0-34EC24AD7B7E}) (Version:  - ) <==== ATTENTION

    Update Service YourFileDownloader (HKU\S-1-5-21-1269757778-2498391830-3713489346-1000\...\Update Service YourFileDownloader) (Version: 2.15.06 - http://www.yourfile-downloader.com.com)<==== ATTENTION

    Solution Real (HKLM\...\Solution Real) (Version: 2015.01.28.132354 - Solution Real) <==== ATTENTION

    Super Optimizer v3.2 (HKLM\...\Super Optimizer_is1) (Version: 3.2.0.1 - Super PC Tools ltd) <==== ATTENTION

    SensePlus (HKLM\...\SensePlus) (Version: 1.36.01.22 - Sense+) <==== ATTENTION

    Shopper-Pro (HKLM\...\ShopperPro) (Version:  - ) <==== ATTENTION

    SmartWeb (HKLM\...\SmartWeb) (Version: 8.0.7 - SoftBrain Technologies Ltd.) <==== ATTENTION

    YourFileDownloader (HKU\S-1-5-21-1269757778-2498391830-3713489346-1000\...\YourFileDownloader) (Version: 2.15.06 - http://www.yourfile-downloader.com.com)<==== ATTENTION

    RegClean-Pro (HKLM\...\RegClean-Pro_is1) (Version: 6.21 - systweak.com) <==== ATTENTION

    Remote Desktop Access (VuuPC) (HKLM\...\VOPackage) (Version: 1.0.0.0 - CMI Limited) <==== ATTENTION

    PriceFountain (remove only) (HKU\S-1-5-21-1269757778-2498391830-3713489346-1000\...\PriceFountain) (Version: 1.1.0.2 - Price Fountain) <==== ATTENTION!

    PlusHD Cinema 2.1cV03.02 (HKLM\...\PlusHD Cinema 2.1cV03.02) (Version: 1.36.01.22 - Plus HDV03.02) <==== ATTENTION!

    Phrase Finder 1.10.0.8 (HKLM\...\PhraseFinder_1.10.0.8) (Version: 1.10.0.8 - Phrase Finder)

    IGS (HKLM\...\IGS) (Version:  - ) <==== ATTENTION!

    igsc (HKLM\...\igsc) (Version: 1.0.0.0 - igs) <==== ATTENTION!

    GoHD (HKLM\...\GoHD) (Version: 1.36.01.22 - InstallMoon) <==== ATTENTION

    ConvertAd (HKLM\...\ConvertAd) (Version: 1.0.0.0 - ConvertAd) <==== ATTENTION

    BlockAndSurf (HKLM\...\41A807AF-0A57-29D6-33A1-363DC8C6F07F) (Version:  - BlockAndSurf-software) <==== ATTENTION

    AnyProtect (HKLM\...\AnyProtect) (Version: 1.0.0.4 - CMI Limited) <==== ATTENTION

     

    There is more junk, but @Picasso will deal with the rest.

    After uninstalling the programs above, make:

    1) a log from Adw-Cleaner  https://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/?do=findComment&comment=118323

    2) logs from FRST.

     

    jessi

  9. I know that every infection case is important to everyone, but I am asking for a reply and for help

    Other users have been waiting for a reply for about two weeks already, and nobody knows when they will get that reply. Probably many gave up waiting and formatted their disk.

    Nothing can be done about it, because @Picasso is currently unable to take on helping.

    In my opinion this Sirefef detection is a false positive, because I see no signs of that infection in the logs.

    However, this Firefox extension is responsible for the redirects:

     

    FF Extension: Roll Around - C:\Users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\iyizz6tj.default\Extensions\{c9c8f370-8dff-4fc1-99e4-8495d1aa79c4}.xpi [2015-03-12]

     

    jessi

  10. O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 195.238.181.164 8.8.8.8

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4C8380F-38F3-44F7-9869-0C8636F71FC4}: DhcpNameServer = 195.238.181.164 8.8.8.8

    The rules for mandatory logs have changed - instead of OTL you need to provide FRST https://www.fixitpc.pl/topic/61-diagnostyka-ogólne-raporty-systemowe/

    Ukrainian DNS servers.

    If you use a router, then:

    Log in to the router:

    - Change the DNS settings. If you don't know what to set, you can use the Google addresses: 8.8.8.8 + 8.8.4.4

    - Secure the router: change the password and close access to the management panel from the Internet side.

    Look through these articles:

    http://multimo.telestrada.pl/uwaga1

    http://www.pcworld.pl/artykuly/394764_3/Zmasowany.atak.na.routery.polskich.uzytkownikow.Orange.blokuje.falszywe.DNS.y.html

     

    After configuring, run this test, which is meant to confirm that it is secured:

    http://cert.orange.pl/modemscan/

     

    Then of course provide the required logs, because @Picasso won't even want to look at OTL ones.
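
A defender's check for the entries quoted in the post above, as an added example that is not part of the original post or of any tool it mentions: it parses OTL-style O17 name-server lines and lists public resolvers outside a trusted set so their ownership can be verified. The trusted set (the Google pair named in the post), the function names and the embedded sample are assumptions.

```python
import ipaddress
import re

# Constructed sample: the two O17 entries quoted in the post, one per line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 195.238.181.164 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4C8380F-38F3-44F7-9869-0C8636F71FC4}: DhcpNameServer = 195.238.181.164 8.8.8.8
"""

# Assumption: resolvers the reviewer accepts (the Google pair named in the post).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# An entry ends where the next "O17 - " begins or the line ends, so entries
# that a paste has run together on one line are still separated.
O17_RE = re.compile(
    r"O17 - (?P<key>.+?): (?P<name>DhcpNameServer|NameServer) = "
    r"(?P<servers>.*?)(?=\s*O17 - |\s*$)",
    re.MULTILINE,
)


def parse_o17(log_text):
    """Return (registry_key, [server, ...]) for each O17 name-server entry."""
    return [(m["key"], m["servers"].replace(",", " ").split())
            for m in O17_RE.finditer(log_text)]


def classify(server):
    """'trusted', 'private' (typically the router itself), 'invalid' or 'review'."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if server in TRUSTED_RESOLVERS:
        return "trusted"
    return "private" if addr.is_private else "review"


def resolvers_to_review(log_text):
    """Map each resolver outside the trusted set to the keys that list it."""
    findings = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            if classify(server) in ("review", "invalid"):
                findings.setdefault(server, []).append(key)
    return findings


if __name__ == "__main__":
    for server, keys in resolvers_to_review(SAMPLE_LOG).items():
        print(f"{server}: verify ownership, listed in {len(keys)} key(s)")
```

A resolver reported here is only a candidate for review; whether it belongs to the user's ISP still has to be confirmed before the router settings are changed.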

  11. Gentlemen, can I count on some expert assessment?

    It's not that simple, because in this section of the forum only @Picasso may help.

    While waiting for her help:

    Uninstall:

    Click Caption 1.10.0.5 (HKLM\...\ClickCaption_1.10.0.5) (Version: 1.10.0.5 - ClickCaption) <==== ATTENTION

     

    S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [473088 2015-01-01] (Fuyu LIMITED) [File not signed]

    C:\Users\Agnieszka\AppData\Roaming\omiga-plus

    These are not on the list of your (your wife's) programs, so it will be necessary to use Adw-Cleaner.

    You can download it already >Adw-cleaner

    but hold off on using it until @Picasso recommends it, or at most just make a log with it without removing anything (the SZUKAJ option)

     

    jessi

  12. @Picasso is busy with the Forum's administrative matters, so for now she has no time for reviewing logs and helping.

    I see nothing suspicious in the logs.

    Check whether the problem with the net also occurs in Safe Mode (F8 before the system starts).

    Cosmetic fixes:

    Open Notepad and paste into it:

     

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\02259285.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\60688655.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\02259285.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\60688655.sys => ""="Driver"
    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

     

    jessi

  13. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

    "F:\DieFIoJ.EXe"="F:\DieFIoJ.EXe:*:Enabled:ipsec"

     

    This reminds me of a SALITY infection!

    We have to check this:

    Use Sality Killer -->http://support.kaspersky.com/downloads/utils/salitykiller.exe

    Backup link, in case the virus has blocked the tool's page: > http://www.mediafire.com/?5e3b0870wm7xefk

    Scan with the pendrive plugged in, because that is where the Sality virus comes from.

    Write whether it detects SALITY or not.

    And by the way, I'm a huge scatterbrain, because that ipsec was clearly visible in the Extras.txt log

    jessi
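
The firewall entry quoted in the post above can be looked for mechanically. This added example (not part of the original post, and not code from any tool it names) parses AuthorizedApplications\List values in the layout shown and reports entries carrying the "ipsec" label; the drive-root and non-system-drive checks, the function names and the two extra sample entries are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the first line is the entry quoted in the post, the
# other two are made-up entries added for contrast.
SAMPLE_LIST = r'''
"F:\DieFIoJ.EXe"="F:\DieFIoJ.EXe:*:Enabled:ipsec"
"C:\Program Files\Example\app.exe"="C:\Program Files\Example\app.exe:*:Enabled:Example App"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"[ \t]*$', re.MULTILINE)


def parse_list(text):
    """Split each value into program path, scope, state and label."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        # The path itself holds a colon (drive letter), so split from the right.
        parts = m["data"].rsplit(":", 3)
        if len(parts) == 4:
            path, scope, state, label = parts
            entries.append({"path": path, "scope": scope,
                            "state": state.lower(), "label": label})
    return entries


def reasons(entry, system_drive="C:"):
    """Why an entry deserves a closer look (heuristics, not proof of infection)."""
    path = PureWindowsPath(entry["path"])
    found = []
    if entry["label"].lower() == "ipsec":
        found.append("label 'ipsec' (the marker the post points to)")
    if path.drive and path.drive.upper() != system_drive:
        found.append("program on a non-system drive")      # assumption
    if path.drive and len(path.parts) == 2:
        found.append("program directly in a drive root")   # assumption
    return found


def suspicious_entries(text, system_drive="C:"):
    """Return (path, [reason, ...]) for every entry with at least one reason."""
    hits = []
    for entry in parse_list(text):
        why = reasons(entry, system_drive)
        if why:
            hits.append((entry["path"], why))
    return hits


if __name__ == "__main__":
    for path, why in suspicious_entries(SAMPLE_LIST):
        print(path, "->", "; ".join(why))
```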

  14. In Adw-Cleaner click the Odinstaluj (UNINSTALL) button.

    Open Notepad and paste into it:

    DeleteQuarantine:

    Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix.

    Using SHIFT+DEL, delete the remaining C:\FRST folder

    Logs from the other computers may be needed.

     

    jessi

  15. @Picasso has no time for helping at the moment - she has to deal with the Forum's organizational matters.

    I don't see any infection in the logs.

    Cosmetic fixes:

    Open Notepad and paste into it:

     

    HKLM\...\Run: [] => [X]

    Reg: reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt" /f

    Reg: reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ROC_roc_ssl_v12" /f

    C:\Documents and Settings\OptiPlex GX620\Pulpit\Skrót do Baza.lnk

    C:\Documents and Settings\OptiPlex GX620\Pulpit\Skrót do baza_MK na baza.lnk

    C:\Documents and Settings\OptiPlex GX620\NetHood\baza_mk na Baza\target.lnk

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Microsoft\Office\Niedawny\baza_mk.LNK

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Microsoft\Office\Niedawny\CVT11E.tmp.LNK

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Microsoft\Office\Niedawny\CVTE34.tmp.LNK

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Microsoft\Office\Niedawny\dok. różne.LNK

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Microsoft\Office\Niedawny\druki różne.LNK

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Microsoft\Office\Niedawny\GRAFIKI DLA PRACOWNIKOW.LNK

    Task: C:\WINDOWS\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\WINDOWS\TEMP\{9992EAB1-FE44-4E83-A56C-30F93782E7C2}.exe

    C:\Program Files\AVG Secure Search

    Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

    S3 RT73; system32\DRIVERS\rt73.sys [X]

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Mozilla\Firefox\Profiles\08catrfr.default\searchplugins\babylon.xml

    C:\Documents and Settings\All Users\Dane aplikacji\Babylon

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\AVG Secure Search

    C:\Documents and Settings\OptiPlex GX620\Dane aplikacji\Gyibig

    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

     

     

     

     

    jessi

  16. I don't see an infection here, especially not that "MSIL" one

    Leftover junk is visible, so:

    1. Use AdwCleaner. First click SZUKAJ (SCAN), and only once the scan has finished and the USUŃ (CLEANING) button becomes active, click it.

    Show the report from it: C:\AdwCleaner\AdwCleaner.txt

    2. Open Notepad and paste into it:

     

    C:\Users\wangzhisong

    ShortcutWithArgument: C:\Users\ja\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.awesomehp.com/?type=sc&ts=1391967997&from=tugs&uid=HitachiXHTS543232L9A300_081003FB0440LEH7Y7HAX

    ShortcutWithArgument: C:\Users\ja\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.awesomehp.com/?type=sc&ts=1391967997&from=tugs&uid=HitachiXHTS543232L9A300_081003FB0440LEH7Y7HAX

    InternetURL: C:\Users\ja\Downloads\MSO 2010\WIĘCEJ PROGRAMÓW.url -> hxxp://adf.ly/kPnvX

    InternetURL: C:\Users\ja\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.url -> hxxp://www.voga360.com

    Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

    C:\Program Files\Bench

    C:\Windows\system32\sru

    S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]

    S2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [X]

    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.awesomehp.com/web/?type=ds&ts=1391967997&from=tugs&uid=HitachiXHTS543232L9A300_081003FB0440LEH7Y7HAX&q={searchTerms}

    HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe

    C:\Program Files\Mobogenie

    EmptyTemp:

     

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix. A fixlog.txt file will be created. Post that log.

     

    jessi

  17. Since I never got help with my previous problem ...

    @Picasso, after long health problems, has no time for reviewing logs for now (she is dealing with the general matters of administering the Forum).

    I don't see any infection in the logs.

     

    unknown MBR code

    The above appears in the GMER log, but it may be due to this:

     

    64bit- An unknown product

     

    Cosmetic fixes:

    Open Notepad and paste into it:

     

    Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

    Reg: reg delete "HKU\S-1-5-21-1307058435-3298240008-994637700-1002\Software\Microsoft\Internet Explorer\SearchScopes" /f

    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

     

    jessi

  18. Is everything OK now?

    No, it is not OK.

    Open Notepad and paste into it:

     

    HKU\S-1-5-21-1229272821-113007714-725345543-1003\...\Run: [xeaya] => C:\Documents and Settings\Admin\xeaya.exe

    C:\Documents and Settings\Admin\xeaya.exe

    DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

    R3 WMI_MFC_TPSHOKER_80; \??\C:\WINDOWS\system32\drivers\gmsmsn.sys [X]

    EmptyTemp:

    Save the file as fixlist.txt and place it next to FRST. Run FRST and click Fix.

    A fixlog.txt file will be created. Post that log.

    2)  Run FRST.

    Paste into the SEARCH field:

    xeaya.exe;diefioj.exe;ciedeih.exe;ciedeih.*;diefioj.*;xeaya.* 

     

    Click the "Search Files" button.

    The resulting Search.txt report is saved in the same location as FRST.exe. Post it.

    3) Run FRST.

    Paste into the SEARCH field:

    xeaya;diefioj;ciedeih

     

    Click the "Search Registry" button.

    The resulting Search.txt report is saved in the same location as FRST.exe. Post it.

    4) Make new logs from FRST.

     

    jessi
