Elektroda.pl

Removing Safe Finder and others - FRST logs

xneta 30 Nov 2015 00:02 948 9
  • #2 30 Nov 2015 00:20
    wawrzyc
    Level 12

    AdwCleaner, and check the add-ons/plugins in your browsers.

    0
  • Helpful post
    #3 30 Nov 2015 08:54
    Acorus 20
    Computer specialist

    Open Windows Notepad and paste:

    Quote:
    Task: {2FD5376E-F12C-45E8-A859-5FA5F2349A7B} - System32\Tasks\Funmoods => C:\Users\hp\AppData\Roaming\Funmoods\UpdateProc\UpdateTask.exe [2013-04-12] () <==== UWAGA
    Task: {DCA24B16-C5D2-40FA-85A2-A187AA154105} - System32\Tasks\{AF989FAD-449E-4D5D-8E0D-5A4151892CE5} => pcalua.exe -a C:\Users\Anecia.hp-Komputer\AppData\Roaming\istartsurf\UninstallManager.exe -c -ptid=cornl
    Task: {EF2F0335-C71F-407A-AC09-8FF62479EF01} - System32\Tasks\DigitalSite => C:\Users\hp\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== UWAGA
    Task: C:\Windows\Tasks\DigitalSite.job => C:\Users\hp\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== UWAGA
    Task: C:\Windows\Tasks\Funmoods.job => C:\Users\hp\AppData\Roaming\Funmoods\UPDATE~1\UPDATE~1.EXE <==== UWAGA
    HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe
    HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
    Winlogon\Notify\ScCertProp: wlnotify.dll [X]
    HKU\S-1-5-21-4015417252-89177193-1713280116-1011\...\CurrentVersion\Windows: [Load] C:\ProgramData\msxecre.exe <===== UWAGA
    AppInit_DLLs: C:\ProgramData\AppxelnatneerG\TempLight.dll => C:\ProgramData\AppxelnatneerG\TempLight.dll [320512 2015-11-22] ()
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll Brak pliku
    GroupPolicy: Ograniczenia - Chrome <======= UWAGA
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.omniboxes.com/?type=hp&ts=1448...mp;uid=TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT&q={searchTerms}
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.omniboxes.com/?type=hp&ts=1448...mp;uid=TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT&q={searchTerms}




    HKU\S-1-5-21-4015417252-89177193-1713280116-1011\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...a3wKmbkN2P5glSF6pZSBrGQHBtz-W1YIYNPiM,&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...a3wKmbkN2P5glSF6pZSBrGQHBtz-W1YIYNPiM,&q={searchTerms}
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.omniboxes.com/web/?type=ds&ts=...TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT&q={searchTerms}
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.delta-homes.com/?type=sc&ts=14...mp;uid=TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT
    FF NewTab: C:\\ProgramData\\AppxelnatneerGs\\ff.NT
    CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F..._2F4DqHLCXtgLd9dblxkQFPvnB5XBpqLlbp_MC-F3_hM,,
    CHR HKLM\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files\Common Files\Spigot\GC\saebay_1.1.crx [2013-10-14]
    CHR HKLM\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files\Common Files\Spigot\GC\ErrorAssistant_1.3.crx [2013-12-27]
    CHR HKLM\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Program Files\Common Files\Spigot\GC\coupons_2.4.crx [2013-04-26]
    CHR HKLM\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files\Common Files\Spigot\GC\saamazon_1.0.crx [2012-11-22]
    R2 IhPul; C:\Users\Anecia.hp-Komputer\AppData\Roaming\TSv\TSvr.exe [580752 2015-11-23] (tsvr.com)
    R2 WdsManPro; C:\ProgramData\3WMiniPro3\WMiniPro.exe [295424 2015-10-30] (DTools LIMITED) [Brak podpisu cyfrowego]
    S2 Update BrowseSmart; "C:\Program Files\BrowseSmart\updateBrowseSmart.exe" [X]
    S2 Util BrowseSmart; "C:\Program Files\BrowseSmart\bin\utilBrowseSmart.exe" [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S1 wfdrvr_vt_1_10_0_28; system32\drivers\wfdrvr_vt_1_10_0_28.sys [X]
    2015-11-24 09:11 - 2015-11-24 09:12 - 00000000 ____D C:\ProgramData\3WMiniPro3
    2015-11-24 09:11 - 2015-11-24 09:11 - 00000000 ____D C:\Users\Anecia.hp-Komputer\AppData\Roaming\TSv
    2015-11-24 09:11 - 2015-11-24 09:11 - 00000000 ____D C:\Program Files\SFK
    2015-11-22 23:55 - 2015-11-29 23:03 - 00002381 _____ C:\Windows\system32\findit.xml
    2015-11-22 23:55 - 2015-11-22 23:56 - 00000000 ____D C:\ProgramData\AppxelnatneerGs
    2015-11-22 14:39 - 2015-11-22 17:00 - 00000000 ____D C:\Users\Anecia.hp-Komputer\AppData\Roaming\istartsurf
    2015-11-22 14:39 - 2015-11-22 14:40 - 00000000 ____D C:\ProgramData\yWMiniProy
    C:\ProgramData\msxecre.exe
    C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
    EmptyTemp:


    Save the file under the name fixlist.txt and put it next to FRST in the same folder.
    Run FRST as administrator and click Fix (Napraw).
    Download AdwCleaner https://toolslib.net/downloads/finish/1/ and run it as administrator. Click Scan and then Cleaning.

    0
  • #4 30 Nov 2015 09:28
    xneta
    Level 6

    I ran the scan in FRST and then the cleaner, and the browser is still infected (the Safe Finder search engine, even though it is set to google.pl in the settings, plus the ads).


    :(

    0
  • #6 30 Nov 2015 12:03
    xneta
    Level 6

    I did everything, uninstalled Chrome with Geek, and the virus is still in the browsers...

    0
  • #7 30 Nov 2015 12:08
    Acorus 20
    Computer specialist

    Post new FRST logs. The Shortcut log too.

    0
  • Helpful post
    #9 30 Nov 2015 21:52
    Kolobos
    Computer specialist

    @Acorus 20, as usual you missed the infection.

    @xneta Fixlist.txt for FRST:
    Task: {5881FD78-3CA9-414A-8541-400718025A34} - System32\Tasks\{513D632B-AEFE-46A4-AAAF-F7A9EB89E0FE} => pcalua.exe -a "C:\Program Files\Common Files\StanDax\uninstall.exe" -c -f "C:\Program Files\Common Files\StanDax\uninstall.dat" -a uninstallme BCB8F314-38B5-4C14-B801-EA3229BB7201 DeviceId=e13335e0-1ef6-cb74-5f12-fbbe7d3e9f4a BarcodeId=50036003 ChannelId=3 DistributerName=APSFCovus
    ShortcutWithArgument: C:\Users\Anecia.hp-Komputer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.omniboxes.com/?type=sc&ts=1448...mp;uid=TOSHIBAXMK8032GAX_Y6LNT0PGTXXY6LNT0PGT <==== UWAGA
    AlternateDataStreams: C:\ProgramData\TEMP:373E1720
    () C:\ProgramData\ApplicationHosting\ApplicationHosting.exe
    () C:\ProgramData\AppxelnatneerG\AppxelnatneerG.exe
    () C:\ProgramData\AppxelnatneerG\AppxelnatneerG.exe
    HKU\S-1-5-21-4015417252-89177193-1713280116-1011\...\Run: [{E3A82678-FDD8-49CA-8AFD-660700B13F22}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AfWhs').URSOUWGLFKLPGLK)));
    AppInit_DLLs: C:\ProgramData\AppxelnatneerG\TempLight.dll => C:\ProgramData\AppxelnatneerG\TempLight.dll [320512 2015-11-22] ()
    CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F..._2F4DqHLCXtgLd9dblxkQFPvnB5XBpqLlbp_MC-F3_hM,,
    CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...QhgqLUoR2XIHTghr2c9pirs9CU4FKXvSYL0lc,&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
    CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
    OPR Extension: (Bronze Aid) - C:\Users\Anecia.hp-Komputer\AppData\Roaming\Opera Software\Opera Stable\Extensions\edamfkahdgenkgoojodfcjcijemfenpm [2015-11-22]
    R2 ApplicationHosting; C:\ProgramData\\ApplicationHosting\\ApplicationHosting.exe [450560 2015-11-17] () [Brak podpisu cyfrowego]
    R2 AppxelnatneerG; C:\ProgramData\\AppxelnatneerG\\AppxelnatneerG.exe [792576 2015-11-22] () [Brak podpisu cyfrowego]
    2015-11-25 17:22 - 2015-11-25 17:23 - 00243912 _____ C:\Users\Anecia.hp-Komputer\Downloads\Firefox Setup Stub 42.0 (1).exe
    2015-11-22 23:55 - 2015-11-30 20:27 - 00000000 ____D C:\ProgramData\AppxelnatneerG
    2015-11-22 14:35 - 2015-11-22 14:45 - 00000000 ____D C:\ProgramData\ApplicationHosting
    2015-11-22 14:35 - 2015-11-22 14:35 - 00000000 ____D C:\Program Files\Common Files\StanDax
    2015-11-22 14:31 - 2015-11-22 14:31 - 00000000 ____D C:\ProgramData\7b24ec7cc000461ebe26d116b88142c8
    EmptyTemp:

    0
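The two fixlists in this thread (#3 and #9) are hand-picked from FRST output by eye. The script below is an added example, written for this thread and not part of FRST or of either poster's instructions, that shows how a defender can pre-screen FRST lines for the same classes of indicator the fixlists remove: a Run-key entry launching hidden PowerShell that decodes a base64 payload stored in a registry value, an AppInit_DLLs injection, an auto-start service without a digital signature, a browser search URL whose host is percent-encoded, and orphaned entries marked `[X]`. The sample lines are copied from the fixlists above (the truncated `...` URLs are kept as posted); the `[Brak podpisu cyfrowego]` marker is what the Polish FRST build prints, and the English `[No digital signature]` wording is an assumption.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the kinds of
adware/hijacker indicators the fixlists in this thread remove.

Added example for this thread; not FRST's own code and not a substitute for
reading the full log. Sample lines are copied from the fixlists posted above;
percent-encoded URLs are truncated with '...' exactly as they appear there.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Lines copied from the thread's fixlists (truncated URLs kept as posted).
SAMPLE_LINES = [
    r"HKU\S-1-5-21-4015417252-89177193-1713280116-1011\...\Run: [{E3A82678-FDD8-49CA-8AFD-660700B13F22}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AfWhs').URSOUWGLFKLPGLK)));",
    r"AppInit_DLLs: C:\ProgramData\AppxelnatneerG\TempLight.dll => C:\ProgramData\AppxelnatneerG\TempLight.dll [320512 2015-11-22] ()",
    r"R2 AppxelnatneerG; C:\ProgramData\\AppxelnatneerG\\AppxelnatneerG.exe [792576 2015-11-22] () [Brak podpisu cyfrowego]",
    r"CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...QhgqLUoR2XIHTghr2c9pirs9CU4FKXvSYL0lc,&q={searchTerms}",
    r"HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)",
    r"S3 tsusbhub; system32\drivers\tsusbhub.sys [X]",
]

# Tokens of a "fileless" PowerShell autorun: hidden window, policy bypass,
# payload pulled from a registry value and base64-decoded straight into iex.
PS_INDICATORS = ("-executionpolicy bypass", "frombase64string", "iex ", "-windowstyle hidden")

# FRST prints this for services whose binary carries no Authenticode signature.
# Polish wording is from the thread; the English wording is assumed.
UNSIGNED_MARKERS = ("[Brak podpisu cyfrowego]", "[No digital signature]")


def decode_hex_host(line: str) -> Optional[str]:
    """Return the percent-decoded host of a defanged (hxxp) URL whose host is
    percent-encoded, a trick hijackers use to keep their domain out of naive
    text searches. Returns None if the line has no such URL."""
    m = re.search(r"hxxps?://([^/\s?,&]+)", line, re.IGNORECASE)
    if not m or "%" not in m.group(1):
        return None
    return unquote(m.group(1))


def triage_line(line: str) -> List[str]:
    """Return the reasons this FRST line deserves a look (empty list if none)."""
    line = line.strip()
    low = line.lower()
    reasons = []
    if "powershell" in low:
        hits = [t for t in PS_INDICATORS if t in low]
        if hits:
            reasons.append("PowerShell autorun with " + ", ".join(hits))
    if low.startswith("appinit_dlls:") and "=>" in line:
        reasons.append("AppInit_DLLs entry: DLL loaded into every process that uses user32.dll")
    if re.match(r"[RS]\d ", line) and any(m in line for m in UNSIGNED_MARKERS):
        reasons.append("service binary without a digital signature")
    host = decode_hex_host(line)
    if host:
        reasons.append("percent-encoded browser URL decodes to " + host)
    if line.endswith("[X]"):
        reasons.append("orphaned entry, referenced file missing (safe to clean)")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are left out."""
    result = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            result[line] = reasons
    return result


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line[:70] + ("..." if len(line) > 70 else ""))
        for r in reasons:
            print("   -", r)
```

Run against the six sample lines, it flags five and leaves the signed Microsoft GrooveMonitor entry alone; the decoded search host comes out as the `feed.sonic-search.com` prefix that the #9 fixlist names in plain text. The checks are deliberately narrow string patterns, so they are a first pass to prioritise what to read, not a replacement for reviewing the whole FRST log before writing a fixlist.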
  • #10 30 Nov 2015 22:41
    xneta
    Level 6

    Thank you very much for the help! This time the virus was removed successfully :):)

    0