picasso

Administrators
  • Posts: 36 524

Content posted by picasso

  1. 1. I still see that unwanted start page in Google Chrome and the adware in Opera. Were the actions below really carried out? Perform those actions. Only once you have done so: 2. Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
  2. All done. Minor corrections: I had not noticed that Bonjour is uninstalled while its entry still sits in the system's network (Winsock) chain. Open Notepad and paste into it:

        Winsock: Catalog5 06 C:\Program Files\Bonjour\mdnsNSP.dll [94208 2006-02-28] (Apple Computer, Inc.)
        Toolbar: HKU\S-1-5-21-1690032049-1338340778-4026156367-1006 -> Brak nazwy - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Brak pliku
        RemoveDirectory: C:\FRST\Quarantine
        RemoveDirectory: C:\MATS
        RemoveDirectory: C:\Program Files\Bonjour
        CMD: netsh advfirewall reset
        Reboot:

     Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). A restart will follow. Post the resulting fixlog.txt.
  3. We're finishing up: 1. Apply the Fix-it tool that removes a minor WMI error: CLICK. 2. Apply DelFix and clean the System Restore folders: CLICK. 3. Reading on what to watch out for in order to limit similar problems: CLICK.
  4. We're finishing up: 1. Run AdwCleaner again, this time choose the Scan + Remove options. Once the program has finished cleaning: 2. Apply DelFix and clean the System Restore folders: CLICK. 3. Reading on what to watch out for in order to limit similar problems: CLICK.
  5. Please do not create duplicate topics; it speeds nothing up, the helper cannot split in two. That is spam, and it can get you banned from the forum. Duplicate removed. The system has already been cleaned with AdwCleaner, but adware leftovers remain (including an active service that restores the modification). Actions to carry out:
     1. Uninstall the old versions Adobe Flash Player 19 NPAPI, Adobe Reader XI - Polish.
     2. Open Notepad and paste into it:

        CloseProcesses:
        CreateRestorePoint:
        R2 WdMan; C:\ProgramData\6WdM6\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
        HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
        HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
        HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
        HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
        SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450112493&z=2677ff89147de80d7885a90gczaw5e0g7g4ofz2tco&from=wpm07173&uid=WDCXWD2502ABYS-02B7A0_WD-WCAT1F21497114971&q={searchTerms}
        SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450112493&z=2677ff89147de80d7885a90gczaw5e0g7g4ofz2tco&from=wpm07173&uid=WDCXWD2502ABYS-02B7A0_WD-WCAT1F21497114971&q={searchTerms}
        FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-branding.js [2009-12-02]
        FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js [2009-12-02]
        FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox.js [2009-12-02]
        FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\reporter.js [2009-12-02]
        DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
        DeleteKey: HKCU\Software\dobreprogramy
        DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
        RemoveDirectory: C:\AdwCleaner
        RemoveDirectory: C:\ProgramData\4WdM4
        RemoveDirectory: C:\ProgramData\gWdMg
        RemoveDirectory: C:\ProgramData\ZWdMZ
        RemoveDirectory: C:\ProgramData\6WdM6
        RemoveDirectory: C:\ProgramData\OWdMO
        RemoveDirectory: C:\ProgramData\HWdMH
        C:\Windows\SysWOW64\pl.html
        EmptyTemp:

        Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

        Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix has finished, the system will be restarted. A file fixlog.txt will be created in the same directory FRST was run from.
     3. Clean Firefox of adware: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear Recent History.
     4. Repair the special IE shortcut that was cleaned incorrectly (presumably by AdwCleaner). Paste the path below into the Explorer address bar and press ENTER: C:\Users\Lola\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools. Right-click the Internet Explorer (No Add-ons) shortcut located there > Properties > in the Target field, after the path "C:\Program Files (x86)\Internet Explorer\iexplore.exe", append two spaces and -extoff.
     5. Make a new FRST log using the Scan option, again with Addition but this time without Shortcut. Also attach the fixlog.txt file.
  6. Actions to carry out:
     1. Uninstalls: - Via Control Panel, uninstall the old Adobe AIR. - Run the Microsoft tool: CLICK. Accept > Detect problems and let me select the fixes to apply > Uninstalling > tick the entry Metric Collection SDK in the list > Next.
     2. Open Notepad and paste into it:

        CloseProcesses:
        CreateRestorePoint:
        R2 IhPul; C:\Users\tomicher\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
        R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
        R2 WdMan; C:\ProgramData\iWdMi\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [File not signed]
        ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}
        HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.bing.com/search?q={searchTerms}
        HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
        HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms}
        SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        SearchScopes: HKU\S-1-5-21-4200013936-444429621-2781623297-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        SearchScopes: HKU\S-1-5-21-4200013936-444429621-2781623297-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
        SearchScopes: HKU\S-1-5-21-4200013936-444429621-2781623297-1000 -> {ielnksrch} URL = hxxp://www.bing.com/search?q={searchTerms}
        StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\tomicher\AppData\Roaming\Mozilla\Firefox\Profiles\mc66johb.default\extensions\default_newtabff@gmail.com
        FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\tomicher\AppData\Roaming\Mozilla\Firefox\Profiles\mc66johb.default\extensions\yahooprotected@gmail.com
        StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
        HKU\S-1-5-21-4200013936-444429621-2781623297-1000\...\Run: [AdobeBridge] => [X]
        Task: {A62E85D1-C694-4B85-BE5C-661C6B6B8AAC} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)
        Task: {F6517F2F-4C90-41C3-BFE4-8F4B27BABBA4} - System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exe
        Task: C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exeȈ/exenoupdates /exelang 0 /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE B:\ AI_PREREQFILES=C:\Users\tomicher\AppData\Local\Temp\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}\drivers64.msi AI_PREREQDIRS=C:\Users\tomicher\AppData\Local\Temp AI_SETUPEXEPATH=C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp
        AlternateDataStreams: C:\Users\tomicher\Local Settings:zhhH3GwtGql4nb023w
        AlternateDataStreams: C:\Users\tomicher\AppData\Local:zhhH3GwtGql4nb023w
        AlternateDataStreams: C:\Users\tomicher\AppData\Local\Application Data:zhhH3GwtGql4nb023w
        AlternateDataStreams: C:\Users\tomicher\AppData\Local\Temporary Internet Files:ZwIF55s4FoSaLBgyRBV62vD0
        DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
        DeleteKey: HKCU\Software\dobreprogramy
        DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
        DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
        RemoveDirectory: C:\Program Files (x86)\Lenovo
        RemoveDirectory: C:\Program Files (x86)\SFK
        RemoveDirectory: C:\ProgramData\iWdMi
        RemoveDirectory: C:\ProgramData\XWMiniProX
        RemoveDirectory: C:\Users\tomicher\AppData\Local\Lenovo
        RemoveDirectory: C:\Users\tomicher\AppData\Roaming\eCyber
        RemoveDirectory: C:\Users\tomicher\AppData\Roaming\TSv
        RemoveDirectory: C:\Users\tomicher\Desktop\FRST-OlderVersion
        RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
        C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
        C:\ProgramData\T23J7
        C:\ProgramData\V93GE
        C:\Users\tomicher\Desktop\SpyHunter-installer.exe
        C:\Windows\SysWOW64\pl.html
        Hosts:
        EmptyTemp:

        Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

        Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix has finished, the system will be restarted. A file fixlog.txt will be created in the same directory FRST was run from.
     3. Clean Firefox of adware: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected, but the extensions you use will have to be reinstalled. History menu > Clear Recent History.
     4. Make a new FRST log using the Scan option, again with Addition but without Shortcut. Also attach the fixlog.txt file.
  7. We're finishing up: 1. Using SHIFT+DEL (bypasses the Recycle Bin), delete the folder Old Firefox Data from the Desktop. Then tidy up further with DelFix and clean the System Restore folders: CLICK. 2. For reading, an overview article on what to avoid in order to limit similar misfortunes in future: CLICK.
  8. We're finishing up: 1. Using SHIFT+DEL (bypasses the Recycle Bin), delete FRST and its logs from the folder Y:\Nowy folder. Then tidy up further with DelFix and clean the System Restore folders: CLICK. 2. What to avoid in order to limit similar misfortunes in future: CLICK.
  9. All done. Now: Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
  10. All done, except for point two (those extensions are still visible in both browsers). As I said, I suggest uninstalling them; the extensions are untrusted. Finally: Apply DelFix and clean the System Restore folders: CLICK.
  11. Run AdwCleaner again, this time choose the Scan + Remove options, and post the resulting removal log.
  12. We're finishing up: 1. Apply DelFix and clean the System Restore folders: CLICK. 2. Reading material on what to watch out for in order to limit similar misfortunes: CLICK.
  13. I merged the posts for tidiness; of course you now reply to me in a new post. There is more adware here, namely a hijack of Firefox's defaults template and fake games (StormFall, WorldofTanks). You used the archaic program "Ad-Remover", which has not been updated for several years and is abandoned; its successor is AdwCleaner. Operations to carry out:
     1. Uninstall: - Adware: StormFall, WinZipper, WorldofTanks. - Old versions and junk: Adobe Flash Player 10 ActiveX, Adobe Flash Player 13 Plugin, Adobe Reader XI - Polish, Ad-Remover par C_XX, Akamai NetSession Interface, Hotspot Shield 3.42 (the free version contains adware; overall reputation poor), HP Customer Participation Program 13.0, Java 8 Update 60 (64-bit), Java 8 Update 60, Opera Stable 18.0.1284.68, Pando Media Booster, Secure Download Manager, Spybot - Search & Destroy.
     2. Open Notepad and paste into it:

        CloseProcesses:
        CreateRestorePoint:
        ShortcutWithArgument: C:\Users\K.K\Desktop\Osoba 1 - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\K.K\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://fr.msn.com/
        HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7&q={searchTerms}
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
        HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7&q={searchTerms}
        HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
        HKU\S-1-5-21-3868924982-3431921725-295582353-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://fr.msn.com/
        HKU\S-1-5-21-3868924982-3431921725-295582353-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
        HKU\S-1-5-21-3868924982-3431921725-295582353-1000\Software\Microsoft\Internet Explorer\Main,Default_search_url = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
        SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7&q={searchTerms}
        SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7&q={searchTerms}
        SearchScopes: HKU\S-1-5-21-3868924982-3431921725-295582353-1000 -> ${searchCLSID} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
        SearchScopes: HKU\S-1-5-21-3868924982-3431921725-295582353-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7&q={searchTerms}
        Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll Brak pliku
        FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
        FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\K.K\AppData\Roaming\Mozilla\Firefox\Profiles\mst0lead.default\extensions\default_newtabff@gmail.com
        FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\K.K\AppData\Roaming\Mozilla\Firefox\Profiles\mst0lead.default\extensions\yahooprotected@gmail.com
        FF HKU\S-1-5-21-3868924982-3431921725-295582353-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
        StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\!341B4DA552FC349BC0E45BCE21DB54EA341B.js [2015-10-28]
        FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\341B4DA552FC349BC0E45BCE21DB54EA341B [2015-10-28]
        CHR StartupUrls: Profile 1 -> "hxxp://www.google.pl/","hxxp://www.meteoprog.pl/pl/weather/Lubin/","hxxp://www.yoursites123.com/?type=hp&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7"
        CHR DefaultSearchURL: Profile 1 -> hxxp://www.yoursites123.com/web/?type=ds&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7&q={searchTerms}
        CHR DefaultSearchKeyword: Profile 1 -> yoursites123
        StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450108654&z=b5fb1acfbecafc7de1a5e2fgfz1wce1g2e6baq2wec&from=wpm07173&uid=ST1000DM003-1CH162_S1D8K4B7XXXXS1D8K4B7
        StartMenuInternet: (HKLM) OperaStable - Opera.exe
        R2 IhPul; C:\Users\K.K\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
        R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
        R2 WdMan; C:\ProgramData\HWdMH\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
        S2 ASGT; C:\Windows\SysWOW64\ASGT.exe [X]
        S2 c2cautoupdatesvc; "C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe" /service [X]
        S2 c2cpnrsvc; "C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe" /service [X]
        S3 cleanhlp; \??\C:\Users\K.K\Downloads\EmsisoftEmergencyKit\Run\cleanhlp64.sys [X]
        S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
        S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
        S3 NTIOLib_1_0_C; \??\F:\NTIOLib_X64.sys [X]
        S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
        HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
        Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
        HKU\S-1-5-21-3868924982-3431921725-295582353-1000\...\Run: [Akamai NetSession Interface] => C:\Users\K.K\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
        Task: {580287CD-FC20-4505-8CF4-980A2A46610A} - System32\Tasks\{5B1B5732-C3CA-48AF-962D-217DB6B5C5F5} => pcalua.exe -a "E:\Gry\Online\MU\ZhyperMU Season 6 Episode 3\Uninstall.exe" -d "E:\Gry\Online\MU\ZhyperMU Season 6 Episode 3"
        Task: {6AB952E9-004C-4F6A-A55D-460CB9EE2AE3} - System32\Tasks\{2752E7D2-F786-432D-9AE5-F345122DBE82} => pcalua.exe -a C:\Users\K.K\Downloads\Defraggler(13314).exe -d C:\Users\K.K\Downloads
        Task: {A97C6E31-7846-4154-B8BA-6E85A96159E1} - System32\Tasks\{F77D2B3E-2B5A-4488-96F8-A207F184BF9F} => pcalua.exe -a C:\Users\K.K\Downloads\WinSetupFromUSB-1-4_[www.programosy.pl].exe -d C:\Users\K.K\Downloads
        Task: {D38A9C2F-91E1-4492-B692-7F219DDEC60F} - System32\Tasks\{7CAA966A-1107-4306-A84D-DE96169C4017} => pcalua.exe -a C:\Users\K.K\Downloads\vcredist_x64.exe -d C:\Users\K.K\Downloads
        HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
        HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
        HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
        HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
        DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
        DeleteKey: HKCU\Software\dobreprogramy
        DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
        DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SDTray
        DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}
        DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
        RemoveDirectory: C:\Program Files (x86)\SFK
        RemoveDirectory: C:\Program Files (x86)\WinZipper
        RemoveDirectory: C:\ProgramData\HWdMH
        RemoveDirectory: C:\ProgramData\JWdMJ
        RemoveDirectory: C:\ProgramData\ZWMiniProZ
        RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR Password Cracker
        RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
        RemoveDirectory: C:\Users\K.K\AppData\Roaming\TSv
        RemoveDirectory: C:\Users\K.K\AppData\Roaming\WinZipper
        RemoveDirectory: C:\Users\K.K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StormFall
        RemoveDirectory: C:\Users\K.K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WorldofTanks
        C:\Program Files (x86)\GUTF660.tmp
        C:\ProgramData\*.bin
        C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TP-LINK\TP-LINK Wireless Configuration Utility.lnk
        C:\Users\K.K\AppData\Roaming\amV0WmQAtpkvd7j8GJSqaxH3EOZ
        C:\Users\K.K\AppData\Roaming\xHMF2bpf2C3tbii6zV9HPGxV
        C:\Users\K.K\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\StormFall.lnk
        C:\Users\K.K\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WorldofTanks.lnk
        C:\Users\K.K\AppData\Roaming\Microsoft\Word\Rodion%20Romanowicz%20Raskolnikow303774011118245595\Rodion%20Romanowicz%20Raskolnikow.docx.lnk
        C:\Users\K.K\Documents\Sport\Dziennik Posilkow MR BIG v4.60.LNK
        C:\Users\Public\Desktop\TP-LINK Wireless Configuration Utility.lnk
        C:\Windows\SysWOW64\pl.html
        CMD: netsh advfirewall reset
        EmptyTemp:

        Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

        Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix has finished, the system will be restarted. A file fixlog.txt will be created in the same directory FRST was run from.
     3. Clean the browsers of adware: Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear Recent History. Google Chrome: Reset sync (if enabled): CLICK. Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected. Settings > Settings tab > Search section > click Manage search engines > delete yoursites123 from the list (if it is still visible).
     4. Make a new FRST log using the Scan option, again with Addition but this time without Shortcut. Also attach the fixlog.txt file.
14. Actions to carry out:

1. Windows key + X > Programs and Features > uninstall the old versions and unnecessary programs Adobe Flash Player 19 NPAPI, Adobe Flash Player 19 PPAPI, Adobe Shockwave Player 12.0, Akamai NetSession Interface, Java 8 Update 60, and the adware WinZipper. Apart from that, was ScreenShooter5 an intentional, wanted installation? I ask because adware objects were created at the same time as its installation, specifically a fake WarThunder posing as the game of the same name. Next, run Zoek and paste into its window:

Metric Collection SDK;u

Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Click Run Script. A zoek-results.log file will be created. In Windows Explorer, View menu > Options > Change folder and search options > View > untick Hide extensions for known file types > rename the file to zoek-results.txt so it can be attached on the forum.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\Dominika\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
R2 WdMan; C:\ProgramData\BWdMB\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-12-14] ()
R1 wfdrvr_vw_1_10_0_28; C:\Windows\System32\drivers\wfdrvr_vw_1_10_0_28.sys [57712 2015-10-30] (WF)
U3 aspnet_state; Brak ImagePath
GroupPolicy: Ograniczenia - Chrome
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia
ShortcutWithArgument: C:\Users\Dominika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
ShortcutWithArgument: C:\Users\Dominika\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
ShortcutWithArgument: C:\Users\Dominika\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
ShortcutWithArgument: C:\Users\Dominika\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
HKU\S-1-5-21-311275851-3967228346-481105067-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
HKU\S-1-5-21-311275851-3967228346-481105067-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-311275851-3967228346-481105067-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-311275851-3967228346-481105067-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX&q={searchTerms}
BHO: Brak nazwy -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> Brak pliku
BHO-x32: Discovery App -> {ba32987d-db80-4ccb-a8bb-f812b5421c0f} -> C:\Program Files (x86)\Discovery App\Extensions\ba32987d-db80-4ccb-a8bb-f812b5421c0f.dll => Brak pliku
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursearching.com/?type=sc&ts=1448904131&z=caa1fd377279ae24ff654cfg4zcz2b3t1e4z1geo7b&from=cornl&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
Edge HomeButtonPage: HKU\S-1-5-21-311275851-3967228346-481105067-1001 -> hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxp://www.yoursites123.com/?type=hp&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX"
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450107355&z=8ddcc4dd1a6ffdea73726c7gcz2w1e9g2e0m8c2wfo&from=wpm07173&uid=HGSTXHTS545050A7E680_RB250F1C00YUWK00YUWKX
Task: {091E7DB0-6873-45F2-B708-07AA43B59698} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku
Task: {0C7C3098-BB06-4D80-815A-0DCCB0D9A6D3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku
Task: {0E4008DD-DFC0-445D-BFD6-95BED19E6361} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku
Task: {13592E61-39CB-44FE-AF1E-936074AB30A3} - System32\Tasks\WordFly Auto Updater 1.10.0.28 Pending Update => C:\Program Files (x86)\WordFly_1.10.0.28\Update\WordflyAutoUpdateClient.exe
Task: {313D44B9-3859-4BCB-BBD1-207881C84523} - System32\Tasks\{C17EA928-C302-4A78-80B1-48DEA0868AF8} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.13.0.101&LastError=12002
Task: {3CBB5F8F-A27F-4184-B008-EADA6D1AD019} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku
Task: {50DFE3E1-95FB-40C6-853B-56D9D4C873C7} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku
Task: {7B231D4C-EAC6-45A7-85AC-9B58A3159017} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku
Task: {825C4188-0751-43D8-860C-7DC7AB004B24} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku
Task: {89C6F224-B13F-47CE-A7CB-C527F3AF7E33} - System32\Tasks\WordFly Auto Updater 1.10.0.28 Core => C:\Program Files (x86)\WordFly_1.10.0.28\Update\WordflyAutoUpdateClient.exe
Task: {8A9C5CA7-464F-4CA0-919D-080613E1A409} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku
Task: {8DC2DC60-6C1F-4EAA-9D2D-C6197C2F1588} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)
Task: {E3798A21-B908-4ED5-9598-9BEEA36751B8} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku
Task: {EE2EE4AB-E57D-470D-86F8-AC746681FAEB} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku
Task: {EFD27718-48E3-40B6-9F39-FB01BF1C7AA9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedSearchScopes /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v Steam /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "BlueStacks Agent" /f
RemoveDirectory: C:\Program Files (x86)\Lenovo
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\Program Files (x86)\WinZipper
RemoveDirectory: C:\Program Files (x86)\WordFly_1.10.0.28
RemoveDirectory: C:\ProgramData\BWdMB
RemoveDirectory: C:\ProgramData\BWMiniProB
RemoveDirectory: C:\ProgramData\nWdMn
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
RemoveDirectory: C:\Users\Dominika\AppData\Local\Lenovo
RemoveDirectory: C:\Users\Dominika\AppData\Roaming\TSv
RemoveDirectory: C:\Users\Dominika\AppData\Roaming\WarThunder
RemoveDirectory: C:\Users\Dominika\AppData\Roaming\WinZipper
RemoveDirectory: C:\Users\Dominika\AppData\Roaming\yoursearching
RemoveDirectory: C:\Users\Dominika\REACHit
RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\Dominika\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WarThunder.lnk
C:\Users\Dominika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder.lnk
C:\Windows\system32\Drivers\EsgScanner.sys
C:\Windows\System32\Drivers\wfdrvr_vw_1_10_0_28.sys
C:\Windows\SysWOW64\data.bin
C:\Windows\SysWOW64\pl.html
CMD: netsh advfirewall reset
EmptyTemp:

Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt the process. When the Fix completes, the system will be restarted. A fixlog.txt file will appear in the same directory FRST was run from.

3. Clean the browsers of adware:

Google Chrome: Reset sync (if enabled): CLICK. Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected.

Opera: Disconnect sync (if enabled): CLICK. Settings > Extensions tab > uninstall the adware Discovery App.

4. Make a new FRST log using the Scan option, again with Addition but this time without Shortcut. Also attach the files fixlog.txt + zoek-results.txt. Confirm that the problem has also gone away in the Edge browser.
15. Actions to carry out:

1. Uninstall:
- Adware/PUP: Findwide Toolbar, istartsurf uninstall, Lollipop, SupTab, VideoDownloadConverter Internet Explorer Toolbar.
- Unnecessary programs: AVG Web TuneUp, STOPzilla AntiVirus 7. StopZilla is a scanner of dubious reputation.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Enoszka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShortcutWithArgument: C:\Users\Enoszka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShortcutWithArgument: C:\Users\Enoszka\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShortcutWithArgument: C:\Users\Enoszka\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShortcutWithArgument: C:\Users\Enoszka\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
HKU\S-1-5-21-2451096611-3267693537-2452564422-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.delta-homes.com/web/?utm_source=b&utm_medium=wpm0226&utm_campaign=installer&utm_content=ds&from=wpm0226&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&ts=1393412115&type=default&q={searchTerms}
HKU\S-1-5-21-2451096611-3267693537-2452564422-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKU\S-1-5-21-2451096611-3267693537-2452564422-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
HKU\S-1-5-21-2451096611-3267693537-2452564422-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.delta-homes.com/web/?utm_source=b&utm_medium=wpm0226&utm_campaign=installer&utm_content=ds&from=wpm0226&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&ts=1393412115&type=default&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={5CC79DA6-A049-4B86-B4DF-727A7680429B}&mid=36c21e0f80c547d2acf1f15340c342aa-e8389853a5434d068050019316fa500eac390201&lang=pl&ds=AVG&coid=avgtbavg&cmpid=1015tb&pr=fr&d=2014-11-06 06:17:03&v=4.2.1.951&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000 -> {CE96B6D1-4EFD-49D9-923E-29E5DCF1FA83} URL = hxxp://search.findwide.com/serp?guid={45FA0583-43C6-49B7-817D-7C14EAE57F67}&action=default_search&k={searchTerms}
SearchScopes: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000 -> {EA6E9918-88A6-4CA4-9415-CD37008B69CF} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=11147
SearchScopes: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000 -> {szukaj.gazeta.pl} URL = hxxp://szukaj.gazeta.pl/internet/0,0.html?slowo={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.sweet-page.com/?type=sc&ts=1393168821&from=cor&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
CustomCLSID: HKU\S-1-5-21-2451096611-3267693537-2452564422-1000_Classes\CLSID\{7DF5D666-B938-4BD3-8B73-5E0DEBDC744D}\InprocServer32 -> C:\Program Files (x86)\TNT2\Profiles\11147\passport64.dll (Freshy.com)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.2.3\\npsitesafety.dll [brak pliku]
FF Plugin-x32: @VideoDownloadConverter_4z.com/Plugin -> C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\NP4zStub.dll [brak pliku]
FF Plugin-x32: @VideoDownloadConverter_ScriptHelper.com/Plugin -> C:\Program Files (x86)\VideoDownloadConverter\npVDCPlugin.dll [2013-08-26] (Mindspark)
FF Plugin HKU\S-1-5-21-2451096611-3267693537-2452564422-1000: @tnt2npapi.com/Plugin -> C:\Users\Enoszka\AppData\Local\TNT2\2.0.0.1923\npTNT2.dll [2015-01-13] (Freshy.com)
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Enoszka\AppData\Roaming\Mozilla\Firefox\Profiles\v6fnz20q.default\extensions\defsearchp@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Enoszka\AppData\Roaming\Mozilla\Firefox\Profiles\v6fnz20q.default\extensions\deskCutv2@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Enoszka\AppData\Roaming\Mozilla\Firefox\Profiles\v6fnz20q.default\extensions\default_newtabff@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Enoszka\AppData\Roaming\Mozilla\Firefox\Profiles\v6fnz20q.default\extensions\yahooprotected@gmail.com => nie znaleziono
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1449645130&z=ef7773ddd7c932adf4ac290gaz3zft5qfzfw9gboeb&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2SMJ9FD923018
ShellIconOverlayIdentifiers: [GGDriveOverlay1] -> {E68D0A50-3C40-4712-B90D-DCFA93FF2534} => Brak pliku
ShellIconOverlayIdentifiers: [GGDriveOverlay2] -> {E68D0A51-3C40-4712-B90D-DCFA93FF2534} => Brak pliku
ShellIconOverlayIdentifiers: [GGDriveOverlay3] -> {E68D0A52-3C40-4712-B90D-DCFA93FF2534} => Brak pliku
ShellIconOverlayIdentifiers: [GGDriveOverlay4] -> {E68D0A53-3C40-4712-B90D-DCFA93FF2534} => Brak pliku
Task: {173502A1-6F86-4EE4-89A5-AC7DC41828DA} - System32\Tasks\{F3BD1F4A-C9AB-4875-8562-60C9A38855B7} => pcalua.exe -a E:\programy\setup.exe -d E:\programy
Task: {4722CF8A-CBB0-4261-99FB-F7F7337CAC82} - System32\Tasks\{910B1E20-64EF-4F3F-84C2-1906EBA37974} => pcalua.exe -a "E:\programy\stero druk\epson375127eu.exe" -d "E:\programy\stero druk"
Task: {5FEDE2E3-8DA2-44BC-930A-9D725CA817A8} - System32\Tasks\{685968D5-C616-48AF-8C8F-5489EE55CF0B} => pcalua.exe -a C:\Users\Enoszka\AppData\Roaming\sweet-page\UninstallManager.exe
Task: {E9ED5E3D-F30A-4859-9FF5-08D2F7C6F892} - System32\Tasks\{07DBBA80-20C4-42DF-8450-37D0126C9C47} => pcalua.exe -a "E:\programy\stero druk\epson375129eu (1).exe" -d "E:\programy\stero druk"
S3 clwvd6; system32\DRIVERS\clwvd6.sys [X]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\Program Files (x86)\SupTab
RemoveDirectory: C:\Program Files (x86)\TNT2
RemoveDirectory: C:\Program Files (x86)\VideoDownloadConverter_4z
RemoveDirectory: C:\ProgramData\7WdM7
RemoveDirectory: C:\ProgramData\BWMiniProB
RemoveDirectory: C:\ProgramData\tWdMt
RemoveDirectory: C:\ProgramData\Temp
RemoveDirectory: C:\Users\Enoszka\AppData\Local\TNT2
RemoveDirectory: C:\Users\Enoszka\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
RemoveDirectory: C:\Users\Enoszka\AppData\Roaming\TSv
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Windows\SysWOW64\pl.html
CMD: netsh advfirewall reset
EmptyTemp:

Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt the process. When the Fix completes, the system will be restarted. A fixlog.txt file will appear in the same directory FRST was run from.

3. Clean Firefox of adware: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.

4. Make a new FRST log using the Scan option, again with Addition but this time without Shortcut. Attach the fixlog.txt file as well.
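Posts 14 and 15 above repeat one pattern at several persistence points: ShortcutWithArgument lines on browser shortcuts, the IE Main values, the SearchScopes, StartMenuInternet, the Chrome startup URLs and the Edge home button. The Python script below is an added example (not FRST's own tooling and not from the forum): it reads lines in FRST's format, keeps those whose URL points at a given hijacker domain, and groups them by persistence type; the domain hijacker.example, the sample lines and their tracking parameters are constructed placeholders.

```python
"""Triage helper for FRST scan output.

Added example for this thread, not part of FRST or the forum's own tooling.
Keeps the FRST lines whose URL points at a hijacker domain and groups them
by the kind of persistence they represent; the constructed sample mirrors
the line shapes in the posts above with placeholder values.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# FRST defangs URLs as hxxp:// so a pasted log cannot be clicked by accident.
URL_RE = re.compile(r'hxxps?://[^\s"]+')

# The FRST line prefix tells us where the URL is persisted.
PREFIX_CATEGORIES = (
    ("ShortcutWithArgument:", "shortcut-argument"),
    ("StartMenuInternet:", "start-menu-internet"),
    ("SearchScopes:", "search-scope"),
    ("CHR StartupUrls:", "chrome-startup"),
    ("Edge HomeButtonPage:", "edge-home"),
)
# IE Main values carry no prefix; match the value name instead.
IE_MAIN_RE = re.compile(
    r"\\Internet Explorer\\Main,"
    r"(Start Page|Search Page|Default_Page_URL|Default_Search_URL) = "
)


def classify(line):
    """Persistence category of one FRST line, or None if it carries no URL."""
    for prefix, category in PREFIX_CATEGORIES:
        if line.startswith(prefix):
            return category
    if IE_MAIN_RE.search(line):
        return "ie-main"
    return None


def hosts_in(line):
    """Lower-cased hostnames of every defanged URL on the line."""
    hosts = []
    for url in URL_RE.findall(line):
        host = urlparse(url.replace("hxxp", "http", 1)).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_matches(host, domain):
    """True for the domain itself and any subdomain (www., search.)."""
    return host == domain or host.endswith("." + domain)


def triage(lines, domain):
    """Map category -> FRST lines that carry a URL on `domain`.

    Lines whose URLs sit on other hosts (a legitimate search engine, a
    Skype download task) are left out, so the result is the set of entries
    a helper would actually copy into fixlist.txt for this hijacker.
    """
    found = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        category = classify(line)
        if category and any(host_matches(h, domain) for h in hosts_in(line)):
            found[category].append(line)
    return dict(found)


# Constructed sample in FRST's format; not a real log from this thread.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.hijacker.example/?type=sc&ts=0&uid=PLACEHOLDER
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hijacker.example/?type=hp&ts=0&uid=PLACEHOLDER
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.hijacker.example/web/?type=ds&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.hijacker.example/web/?type=ds&q={searchTerms}
SearchScopes: HKU\S-1-5-21-0-0-0-1000 -> {szukaj.gazeta.pl} URL = hxxp://szukaj.gazeta.pl/internet/0,0.html?slowo={searchTerms}
CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxp://www.hijacker.example/?type=hp&ts=0"
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.hijacker.example/?type=sc&ts=0
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Example => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller
R2 WdMan; C:\ProgramData\BWdMB\WdMan.exe [333312 2015-12-04] (TFuns LIMITED)
"""


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG.splitlines(), "hijacker.example").items():
        print(f"{category}: {len(hits)} line(s)")
        for hit in hits:
            print("   ", hit)
```

The service line and the Skype task in the sample are deliberately not matched: a service or driver needs its own judgement call, as in the scripts above, and a URL on another host is not this hijacker's.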
16. There is more adware here, not only the problem named in the title. ComboFix was used here, and on that subject: CLICK. Nowadays it is not even a good program for removing adware; there are other, more specialised tools.

Actions to carry out:

1. Uninstall the adware WordFly 1.10.0.25 and the unnecessary program "Badanie mające na celu poprawę produktów HP Deskjet 1510 series".

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2426139859-1562633933-961591751-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2426139859-1562633933-961591751-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => Brak pliku
BHO-x32: Brak nazwy -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> Brak pliku
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\defsearchp@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\deskCutv2@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [sidebarff@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\sidebarff@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\default_newtabff@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\yahooprotected@gmail.com => nie znaleziono
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM-x32\...\Run: [updReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [] => [X]
R2 IhPul; C:\Users\Damian\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
S3
GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2015-12-14] () S3 catchme; \??\C:\ComboFix\catchme.sys [X] DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I DeleteKey: HKCU\Software\dobreprogramy DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox\plugins RemoveDirectory: C:\Program Files (x86)\SFK RemoveDirectory: C:\Program Files (x86)\WinZipper RemoveDirectory: C:\Qoobox RemoveDirectory: C:\Users\Damian\AppData\Roaming\RHEng RemoveDirectory: C:\Users\Damian\AppData\Roaming\TSv RemoveDirectory: C:\Users\Damian\Desktop\Stare dane programu Firefox C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat EmptyTemp: Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach. Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt. 3. Zrób nowy log FRST z opcji Skanuj (Scan), ponownie z Addition, ale już bez Shortcut. Dołącz też plik fixlog.txt.
  17. Operations to carry out:

1. Uninstalls:
- Windows key + X > Programs and Features > uninstall the sponsored install McAfee Security Scan Plus.
- Run the Microsoft tool: CLICK. Accept > Detect problems and let me select the fixes to apply > Uninstalling > select the entry Metric Collection SDK on the list > Next.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\Users\Lenovo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\Users\Lenovo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
GroupPolicy: Restriction - Chrome
CHR HKLM\SOFTWARE\Policies\Google: Restriction
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKU\S-1-5-21-157526072-1602897899-2300392595-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKU\S-1-5-21-157526072-1602897899-2300392595-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKU\S-1-5-21-157526072-1602897899-2300392595-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKU\S-1-5-21-157526072-1602897899-2300392595-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKU\S-1-5-21-157526072-1602897899-2300392595-1001 -> {776A0229-539F-4759-916F-4DB93673690E} URL = 
BHO-x32: No Name -> {c723a437-2eaf-466d-a95b-3fa0966bf88c} -> No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1443478259&z=9d78e11fa70e77f1fd603c7gbz1z6c3z8mebce1m2e&from=cor&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\noweppvz.default-1443478920222\extensions\defsearchp@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\6dfom8hu.default\extensions\deskCutv2@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\noweppvz.default-1443478920222\extensions\default_newtabff@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\noweppvz.default-1443478920222\extensions\yahooprotected@gmail.com => not found
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-06-18]
R2 WdMan; C:\ProgramData\lWdMl\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [File not signed]
S3 ew_hwusbdev; \SystemRoot\system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; \SystemRoot\System32\drivers\ew_usbenumfilter.sys [X]
S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
S3 hwusb_cdcacm; \SystemRoot\system32\DRIVERS\ew_cdcacm.sys [X]
S3 hwusb_wwanecm; \SystemRoot\system32\DRIVERS\ew_wwanecm.sys [X]
S1 tcfd_vw_1_10_0_24; system32\drivers\tcfd_vw_1_10_0_24.sys [X]
Winlogon\Notify\igfxcui: igfxdev.dll [X]
CustomCLSID: HKU\S-1-5-21-157526072-1602897899-2300392595-1001_Classes\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534}\InprocServer32 -> C:\Users\Lenovo\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll => No File
Task: {3B2C75AB-FE05-4D11-AE3E-D47DA131ED07} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-01] (Lenovo)
Task: {95CF3481-A7D8-4FC0-9B22-AE757935E22C} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: {D751D845-80F1-420A-A1A0-170F0C61A205} - System32\Tasks\{F5C4F0DB-A5CD-413A-A417-C93E61A11F36} => pcalua.exe -a C:\Users\Lenovo\AppData\Roaming\istartsurf\UninstallManager.exe -c -ptid=cor
Task: {DABB7B13-FD63-4ACC-9515-297673B18FB3} - System32\Tasks\{C7F08F34-D94A-4615-8D58-ED50A0F85CE8} => Firefox.exe hxxp://ui.skype.com/ui/0/7.2.0.103/pl/abandoninstall?page=tsMain
Task: {E961CE18-F48B-4866-BAFA-E11A65EADC4A} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2015-08-17] (Lenovo)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\ProgramData\lWdMl
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\windows\SysWOW64\pl.html
CMD: netsh advfirewall reset
EmptyTemp:

Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Clean the browsers of adware:
Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.
Opera: Disconnect sync (if enabled): CLICK. Settings > Extensions tab > uninstall the adware Strong Signal.

4. Make a new FRST log using the Skanuj (Scan) option, again with Addition, but this time without Shortcut. Attach the fixlog.txt file as well.
  18. Here there is not only the yoursites123 hijacker but also a Bitcoin miner posing as Steam and launched via Task Scheduler; you should be seeing high CPU load:

Task: {812F5055-02A6-4D10-9877-70B76FC83A95} - System32\Tasks\Steam-S-1-8-22-9865GUI => C:\Users\MAX\AppData\Roaming\WinRAR\Reversed\steam.exe [2015-08-06] ()

Actions to carry out:

1. Uninstall the vendor bloatware Browser Configuration Utility and the older version Java 8 Update 51.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\MAX\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Euro Truck Simulator 2 Multiplayer\Play Euro Truck Simulator 2 Multiplayer.lnk -> C:\Program Files\Euro Truck Simulator 2 Multiplayer\launcher.exe (ETS2MP Team) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\Public\Desktop\Play Euro Truck Simulator 2 Multiplayer.lnk -> C:\Program Files\Euro Truck Simulator 2 Multiplayer\launcher.exe (ETS2MP Team) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> {1925F7FA-8547-4c65-B51E-1AE3FD0AA2E2} URL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=1975384696&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=pl&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> {B2F351CC-2D9A-4730-9C25-B8EBC6159D8C} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
FF HKLM\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\defsearchp@gmail.com => nie znaleziono
FF HKLM\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\deskCutv2@gmail.com => nie znaleziono
FF HKLM\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\default_newtabff@gmail.com => nie znaleziono
FF HKLM\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\yahooprotected@gmail.com => nie znaleziono
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX"
CHR DefaultSearchURL: Default -> hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
CHR DefaultSearchKeyword: Default -> yoursites123
StartMenuInternet: Google Chrome - C:\Program Files\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
Task: {024D4797-B19C-4E19-AAB3-F5D34BF3606A} - System32\Tasks\{AE12B38F-49F8-4BB0-B43F-CA54CCB33DAA} => pcalua.exe -a C:\Users\MAX\Desktop\vcredist_x86.exe -d C:\Users\MAX\Desktop
Task: {2D09B38F-D9A9-4D3B-8ADC-978B0E848446} - System32\Tasks\{B2625D08-42EF-4261-97C9-349BDD1B84BD} => pcalua.exe -a "I:\Farming Simulator 2015 [RePack]\Setup.exe" -d "I:\Farming Simulator 2015 [RePack]"
Task: {812F5055-02A6-4D10-9877-70B76FC83A95} - System32\Tasks\Steam-S-1-8-22-9865GUI => C:\Users\MAX\AppData\Roaming\WinRAR\Reversed\steam.exe [2015-08-06] ()
Task: {D55EB98E-EE42-48EF-A3B8-986B4627E94E} - System32\Tasks\{655D4F00-57A7-472F-AAD5-8D53A8163551} => pcalua.exe -a C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe -c /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
S3 FairplayKD; \??\C:\ProgramData\MTA San Andreas All\Common\temp\FairplayKD.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S1 wfdrvr_vt_1_10_0_28; system32\drivers\wfdrvr_vt_1_10_0_28.sys [X]
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\yoursites123Software
RemoveDirectory: C:\Program Files\SFK
RemoveDirectory: C:\Program Files\WinZipper
RemoveDirectory: C:\ProgramData\2WdM2
RemoveDirectory: C:\ProgramData\OWdMO
RemoveDirectory: C:\ProgramData\ZWMiniProZ
RemoveDirectory: C:\Users\MAX\AppData\Local\Microsoft\Windows\GameExplorer\{8827CE3D-9D26-46B3-ADE9-1E8078799DB3}
RemoveDirectory: C:\Users\MAX\AppData\Roaming\istartsurf
RemoveDirectory: C:\Users\MAX\AppData\Roaming\TSv
RemoveDirectory: C:\Users\MAX\AppData\Roaming\WinZipper
RemoveDirectory: C:\Users\MAX\AppData\Roaming\WinRAR\Reversed
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\MAX\Desktop\Foldery\muzyka\Music\msc2\Disco Polo 2014 - Spike - Weekendowy Szał - Official Video.lnk
C:\Users\MAX\Desktop\Foldery\muzyka\mp3\Nowy folder\20.05.2015\Disco Polo 2014 - Spike - Weekendowy Szał - Official Video.lnk
C:\Users\MAX\Desktop\Foldery\Stare nutki\Disco Polo 2014 - Spike - Weekendowy Szał - Official Video.lnk
C:\Users\MAX\Desktop\Foldery\There is my dolphin\Aparat i prezentacja.lnk
C:\Users\MAX\Desktop\Foldery\There is my dolphin\Karta roweromujwa.lnk
EmptyTemp:

Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Clean the browsers of adware:
Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected, but Adblock Plus will have to be reinstalled. History menu > Clear all browsing history.
Google Chrome: Reset sync (if enabled): CLICK. Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected. Settings > Settings tab > Search section > click Manage search engines > delete yoursites123 from the list (if it is still there).

4. Make a new FRST log using the Skanuj (Scan) option, again with Addition, but this time without Shortcut. Attach the fixlog.txt file as well.
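Posts 16 to 18 above all remove the same family of yoursites123 residue (browser shortcuts with an injected URL, IE start and search pages, search scopes, Chrome defaults, plus a scheduled task launching a binary from AppData\Roaming). The following is an added example, not picasso's code and not part of FRST: a Python heuristic that reads lines in the FRST scan-log format, flags those entry types and emits the matching fixlist.txt lines, relying on the FRST convention used in the posts that a scan-log line copied into fixlist.txt tells FRST to remove or reset that item. The sample log, the allowlist of trusted hosts and the placeholder uid, z and GUID values are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts accepted as legitimate start/search pages. Assumption for this example:
# tune per system. The posts above also reset google/microsoft/yahoo scopes,
# which this allowlist deliberately leaves alone.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "www.microsoft.com"}

# FRST defangs URLs as hxxp://; match up to whitespace or a quote.
URL_RE = re.compile(r'hxxps?://[^\s"]+', re.IGNORECASE)
# Internet Explorer start/search page values under HKLM or an HKU\<SID> hive.
IE_MAIN_RE = re.compile(
    r"^HK(LM|U\\[^\\]+)\\Software\\(Wow6432Node\\)?Microsoft\\Internet Explorer\\Main,",
    re.IGNORECASE,
)

# Constructed sample in FRST scan-log format, modelled on the posts above.
# PLACEHOLDER values stand in for the per-victim z= token, disk uid and task GUIDs.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=0&z=PLACEHOLDER&from=wpm07173&uid=DISK_PLACEHOLDER
ShortcutWithArgument: C:\Users\Public\Desktop\Notepad.lnk -> C:\Windows\notepad.exe (Microsoft Corporation) -> C:\Users\Public\notes.txt
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=0&z=PLACEHOLDER&uid=DISK_PLACEHOLDER
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=0&z=PLACEHOLDER&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=0&z=PLACEHOLDER
CHR DefaultSearchURL: Default -> hxxp://www.yoursites123.com/web/?type=ds&ts=0&z=PLACEHOLDER&q={searchTerms}
CHR HomePage: Default -> hxxp://www.google.com/
Task: {PLACEHOLDER-GUID-1} - System32\Tasks\Steam-S-1-8-22-9865GUI => C:\Users\USER\AppData\Roaming\WinRAR\Reversed\steam.exe [2015-08-06] ()
Task: {PLACEHOLDER-GUID-2} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
"""


def untrusted_hosts(line):
    """Hostnames of every defanged URL in the line that are not on the allowlist."""
    hosts = []
    for match in URL_RE.finditer(line):
        url = "http" + match.group(0)[4:]  # hxxp -> http, hxxps -> https
        host = (urlparse(url).hostname or "").lower()
        if host and host not in TRUSTED_HOSTS:
            hosts.append(host)
    return hosts


def classify(line):
    """Return a short reason if the scan-log line is hijacker residue, else None."""
    if line.startswith("ShortcutWithArgument:") or line.startswith("StartMenuInternet:"):
        # A browser launch command should never carry a web address as its argument.
        return "browser launched with injected URL" if URL_RE.search(line) else None
    if line.startswith("SearchScopes:") or line.startswith("CHR ") or IE_MAIN_RE.match(line):
        bad = untrusted_hosts(line)
        return f"start/search page points to {bad[0]}" if bad else None
    if line.startswith("Task:") and re.search(r"\\AppData\\Roaming\\", line, re.IGNORECASE):
        # Scheduled task whose executable lives in a user profile, as the fake Steam miner did.
        return "scheduled task runs a binary from AppData\\Roaming"
    return None


def build_fixlist(log_text):
    """Return (findings, fixlist) where findings is a list of (log line, reason)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reason = classify(line)
            if reason:
                findings.append((line, reason))
    # Same framing the posts use: close processes, restore point, entries, empty temp.
    fixlist = ["CloseProcesses:", "CreateRestorePoint:"]
    fixlist += [line for line, _ in findings]
    fixlist.append("EmptyTemp:")
    return findings, fixlist


if __name__ == "__main__":
    found, fix = build_fixlist(SAMPLE_LOG)
    for line, reason in found:
        print(f"[{reason}] {line[:90]}")
    print("--- fixlist.txt ---")
    print("\n".join(fix))
```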
  19. All done. Corrections:

1. I did not notice on the installed-programs list the old Nowe Gadu-Gadu and the leftover of the uninstalled Nero, VCRedistSetup. Uninstall the first one the usual way. But the second entry is hidden; use the same Microsoft tool as before to remove it.

2. Open Notepad and paste into it:

S2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.EXE [X]
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ALLUpdate
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG_UI
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CCleaner Monitoring
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\MATS
RemoveDirectory: C:\Program Files\Enigma Software Group
RemoveDirectory: C:\Program Files\IObit
RemoveDirectory: C:\Program Files\Java
RemoveDirectory: C:\ProgramData\IObit
RemoveDirectory: C:\Users\PHUFOTOSET\AppData\LocalLow\IObit
RemoveDirectory: C:\Users\PHUFOTOSET\AppData\Roaming\IObit
RemoveDirectory: C:\Users\PHUFOTOSET\AppData\Roaming\ProductData
Hosts:
CMD: del /q C:\spyhunter.fix
CMD: del /q C:\Users\PHUFOTOSET\Desktop\isygl1k7.exe
CMD: del /q C:\Users\PHUFOTOSET\Desktop\MicrosoftFixit.ProgramInstallUninstall.RNP.Run.exe

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). This time there will be no restart. Post the resulting fixlog.txt.

3. Run AdwCleaner. Choose the Skanuj (Scan) option and provide the resulting log from the C:\AdwCleaner folder.
  20. Corrections:

1. The hijacker is still in Google Chrome. Did you really carry this out:

Do it, and before step two.

2. Run AdwCleaner. Choose the Skanuj (Scan) option and provide the resulting log from the C:\AdwCleaner folder.
  21. The next batch of actions:

1. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\ADMINI~1\DANEAP~1\FoxTab\UPDATE~1\UPDATE~1.EXE
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => Brak pliku
HKU\S-1-5-21-1957994488-2000478354-1417001333-500\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
DeleteKey: HKCU\Software\Mozilla
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\mozilla.org
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
RemoveDirectory: C:\Program Files\BonanzaDeals
EmptyTemp:

Note for other readers: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. Post the resulting fixlog.txt.

2. Run AdwCleaner. Choose the Skanuj (Scan) option and provide the resulting log from the C:\AdwCleaner folder.
  22. Everything completed successfully. We are almost finished. One last FRST script. Open Notepad and paste into it:

S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-12-11] ()
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\MATS
RemoveDirectory: C:\Users\lenovo\Downloads\FRST-OlderVersion
CMD: del /q C:\Users\lenovo\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.Run.exe
CMD: del /q C:\WINDOWS\system32\Drivers\EsgScanner.sys

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). This time there will be no restart. Post the resulting fixlog.txt.
  23. All done. Now: run AdwCleaner. Choose the Skanuj (Scan) option and provide the resulting log from the C:\AdwCleaner folder.
  24. Corrections:

1. Uninstall the Samsung bloatware MyFreeCodec.

2. Then run AdwCleaner again; this time choose the Skanuj + Usuń (Scan + Clean) option set and post the resulting removal log.
  25. All done. Now: run AdwCleaner. Choose the Skanuj (Scan) option and provide the resulting log from the C:\AdwCleaner folder.