
Ads by Albireo problem - pop-up ads and redirects

eldisteroo 12 Apr 2016 23:58
  • #1 12 Apr 2016 23:58
    eldisteroo
    Level 2

    Hello everyone

    I've just read a few threads showing that I'm not the only one with an Albireo problem. It has infected my girlfriend's computer and we can't get rid of it. I see that the esteemed users here help remove the problem using FRST reports. I'd be grateful for help. I'm attaching the report.

    Moderated by RADU23:

    I split the posts off into a new thread.
    Don't piggyback on other people's threads. It makes a mess on the forum.

  • #2 13 Apr 2016 00:05
    RADU23
    Moderator - Computers, Service

    Post the Addition.txt log as well.

  • #3 13 Apr 2016 00:10
    eldisteroo
    Level 2

    Sorry for piggybacking, I didn't want to make a mess with yet another similar thread. The Addition file is below ;) Using my girlfriend's computer right now, I can see what an annoying contraption it is.

  • #4 13 Apr 2016 05:13
    krzychupar
    Level 40

    Uninstall Java 7 Update 60 and install https://ninite.com/java8/
    Replace Adobe Reader 10 - Polish with the latest version 11.0 or with Foxit Reader: https://ninite.com/foxit/

    Open Notepad and paste:
    Task: {17FEDD45-5CF1-41EA-819A-62929ABC0B02} - \Program aktualizacji online firmy Adobe. -> Brak pliku <==== UWAGA
    Task: {A9937238-6F27-4F62-AE1F-A0D1A1CC532B} - System32\Tasks\Nuafti => C:\PROGRA~1\OVHGUH~1\Iropufur.bat
    Task: {B5D5DE6C-6AC1-44FB-B088-CCD3B8A46ED2} - System32\Tasks\{88E7D9AC-25CE-4F5A-8976-64A57E990233} => pcalua.exe -a C:\Users\Magda\AppData\Roaming\yoursearching\UninstallManager.exe -c -ptid=face
    Hosts:
    Winlogon\Notify\ScCertProp: wlnotify.dll [X]
    BootExecute: autocheck autochk * sdnclean64.exe
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    AutoConfigURL: [S-1-5-21-158269772-2323263166-173429767-1001] => hxxp://un-stop.org/wpad.dat?d4fde9055db043450a49d21eec83d8d48278562
    ManualProxies: 0hxxp://un-stop.org/wpad.dat?d4fde9055db043450a49d21eec83d8d48278562
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
    HKU\S-1-5-21-158269772-2323263166-173429767-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = search.mpc.am/?geo=pl
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = search.mpc.am/?geo=pl
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search.mpc.am/?geo=pl
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = search.mpc.am/?geo=pl
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-158269772-2323263166-173429767-1001\Software\Microsoft\Internet Explorer\Main,Start Page = search.mpc.am/?geo=pl
    SearchScopes: HKLM -> DefaultScope {0644EE93-D778-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM -> {8C9612C7-9C94-41FA-B584-0AED24097C93} URL = hxxp://www.bing.com/search?q={searchTerms}&form=TSHMDF&pc=MATM&src=IE-SearchBox
    SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
    SearchScopes: HKLM-x32 -> {8C9612C7-9C94-41FA-B584-0AED24097C93} URL = hxxp://www.bing.com/search?q={searchTerms}&form=TSHMDF&pc=MATM&src=IE-SearchBox
    SearchScopes: HKU\S-1-5-21-158269772-2323263166-173429767-1001 -> DefaultScope {0644EE93-D778-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-158269772-2323263166-173429767-1001 -> {8C9612C7-9C94-41FA-B584-0AED24097C93} URL =
    SearchScopes: HKU\S-1-5-21-158269772-2323263166-173429767-1001 -> {EA7302FC-E33B-4EB8-9825-CAC0B8D6EE7D} URL = hxxp://www.bing.com/search?q={searchTerms}&form=TSHMDF&pc=MATM&src=IE-SearchBox
    BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2014-01-24] (McAfee, Inc.)
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Brak pliku
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.yoursearching.com/?type=sc&ts=...HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX
    FF NewTab: hxxp://www.istartpageing.com/newtab/?type=nt&...HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX
    FF Homepage: search.mpc.am
    FF SearchPlugin: C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\kojps1qg.default\searchplugins\google-avast.xml [2016-04-08]
    FF Extension: Brak nazwy - C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\kojps1qg.default\Extensions\deskCutv2@gmail.com [2016-04-08] [Brak podpisu cyfrowego]
    FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
    FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2014-02-15] [Brak podpisu cyfrowego]
    StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursearching.com/?type=sc&ts=...HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX
    CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=pl-pl
    CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxp://www.yoursearching.com/?type=hp&ts=1459513365&z=8decae05c99d74c298f57bdg7zdwft5wbgccaceqcw&from=face&uid=HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX","search.mpc.am"
    CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Magda\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll (Google Inc.)
    CHR Plugin: (Shockwave Flash) - C:\Users\Magda\AppData\Local\Google\Chrome\User Data\PepperFlash\21.0.0.213\pepflashplayer.dll => Brak pliku
    CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2014-02-11]
    CHR HKLM-x32\...\Chrome\Extension: [jgfiigbceilbmpdiadbpbefabgccebkf] - C:\ProgramData\wxDownload\jgfiigbceilbmpdiadbpbefabgccebkf.crx <nie znaleziono>
    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-04-01] (DotC United Inc)
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-04-01] (DotC United Inc)
    S3 S3XXx64; C:\Windows\System32\DRIVERS\S3XXx64.sys [73856 2015-02-17] (Identiv)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    S3 massfilter; system32\DRIVERS\massfilter.sys [X]
    S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [X]
    S3 ZTEusbnet; system32\DRIVERS\ZTEusbnet.sys [X]
    S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
    S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]
    2016-04-08 23:52 - 2016-04-08 23:52 - 00001696 _____ C:\Users\Public\Desktop\MPC Cleaner.lnk
    2016-04-08 23:52 - 2016-04-08 23:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC
    2016-04-04 21:44 - 2016-04-04 21:44 - 00111536 _____ C:\Users\Magda\AppData\Local\GDIPFONTCACHEV1.DAT
    2016-04-01 19:06 - 2016-04-01 19:24 - 00000000 ____D C:\Users\Magda\AppData\Roaming\MCorp
    2016-04-01 14:23 - 2016-04-01 14:23 - 00000000 ____D C:\uninst
    2016-04-01 14:22 - 2016-04-01 19:01 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    2016-04-01 14:22 - 2016-04-01 15:24 - 00000000 ____D C:\Users\Magda\AppData\Roaming\Ducnia
    2016-04-01 14:22 - 2016-04-01 14:58 - 00000000 ____D C:\Users\Magda\AppData\Local\Tempfolder
    2016-04-01 14:22 - 2016-04-01 14:58 - 00000000 ____D C:\Program Files\Ovhguhjogponoce
    2016-04-01 14:22 - 2016-04-01 14:22 - 00060136 ____N (DotC United Inc) C:\Windows\system32\Drivers\MPCKpt.sys
    2016-04-01 14:22 - 2016-04-01 14:22 - 00000000 ____D C:\Users\Magda\AppData\Local\csdi_monetize_120160330
    2016-04-01 14:22 - 2016-04-01 14:22 - 00000000 _____ C:\Windows\SysWOW64\Number of results
    2016-04-01 13:45 - 2016-04-01 13:45 - 06504960 _____ C:\Users\Magda\AppData\Roaming\agent.dat
    2016-04-01 13:45 - 2016-04-01 13:45 - 01626416 _____ C:\Users\Magda\AppData\Roaming\OverString.tst
    2016-04-01 13:45 - 2016-04-01 13:45 - 00848437 _____ C:\Users\Magda\AppData\Roaming\Tipplus.bin
    2016-04-01 13:45 - 2016-04-01 13:45 - 00126464 _____ C:\Users\Magda\AppData\Roaming\noah.dat
    2016-04-01 13:45 - 2016-04-01 13:45 - 00126464 _____ C:\Users\Magda\AppData\Roaming\lobby.dat
    2016-04-01 13:45 - 2016-04-01 13:45 - 00072699 _____ C:\Users\Magda\AppData\Roaming\Air-Tam.tst
    2016-04-01 13:45 - 2016-04-01 13:45 - 00065424 _____ C:\Users\Magda\AppData\Roaming\Config.xml
    2016-04-01 13:45 - 2016-04-01 13:45 - 00054272 _____ C:\Users\Magda\AppData\Roaming\ApplicationHosting.dat
    2016-04-01 13:45 - 2016-04-01 13:45 - 00018432 _____ C:\Users\Magda\AppData\Roaming\Main.dat
    2016-04-01 13:45 - 2016-04-01 13:45 - 00005568 _____ C:\Users\Magda\AppData\Roaming\md.xml
    2016-04-01 13:45 - 2016-04-01 13:44 - 00961024 _____ C:\Users\Magda\AppData\Roaming\OverString.exe
    2016-04-01 13:45 - 2016-04-01 13:44 - 00961024 _____ C:\Users\Magda\AppData\Roaming\Air-Tam.exe
    2016-04-01 13:44 - 2016-04-01 13:45 - 00015840 _____ C:\Users\Magda\AppData\Roaming\InstallationConfiguration.xml
    2016-04-01 13:44 - 2016-04-01 13:44 - 00127488 _____ C:\Users\Magda\AppData\Roaming\Installer.dat
    2016-04-01 13:44 - 2016-04-01 13:44 - 00062220 _____ C:\Users\Magda\AppData\Roaming\inst.lat
    2016-04-08 23:50 - 2014-03-23 21:30 - 00000000 ____D C:\AdwCleaner
    2016-04-08 22:56 - 2014-03-23 19:57 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-04-08 22:54 - 2014-03-23 19:57 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-04-01 19:01 - 2014-01-31 20:59 - 00000008 __RSH C:\ProgramData\ntuser.pol
    2016-04-01 13:45 - 2016-04-01 13:44 - 0961024 _____ () C:\Users\Magda\AppData\Roaming\OverString.exe
    2016-04-01 13:45 - 2016-04-01 13:45 - 1626416 _____ () C:\Users\Magda\AppData\Roaming\OverString.tst
    2013-03-28 08:59 - 2013-03-28 08:59 - 0000132 _____ () C:\Users\Magda\AppData\Roaming\Preferencje Adobe CS5 dla formatu PNG
    2016-04-01 13:45 - 2016-04-01 13:45 - 0848437 _____ () C:\Users\Magda\AppData\Roaming\Tipplus.bin
    2016-04-01 13:45 - 2016-04-01 13:45 - 0032038 _____ () C:\Users\Magda\AppData\Roaming\uninstall_temp.ico
    2012-01-10 23:15 - 2012-01-10 23:15 - 0000056 _____ () C:\ProgramData\ezsidmv.dat
    C:\Users\Magda\AppData\Local\Temp\ALLRemote.exe
    EmptyTemp:

    Save the file as fixlist.txt and put it in the folder where FRST.exe is located.
    Run FRST and click Fix (Napraw).

    If MPC Cleaner is not removed in normal mode, do this:
    Boot into WinRE http://www.fixitpc.pl/topic/4414-diagnostyka-infekcji-na-niestartuj%C4%85cych-windows/ and run this script there:

    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-04-01] (DotC United Inc)
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-04-01] (DotC United Inc)
    2016-04-08 23:52 - 2016-04-08 23:52 - 00001696 _____ C:\Users\Public\Desktop\MPC Cleaner.lnk
    2016-04-08 23:52 - 2016-04-08 23:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC
    2016-04-01 19:06 - 2016-04-01 19:24 - 00000000 ____D C:\Users\Magda\AppData\Roaming\MCorp
    2016-04-01 14:22 - 2016-04-01 19:01 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
    2016-04-01 14:22 - 2016-04-01 15:24 - 00000000 ____D C:\Users\Magda\AppData\Roaming\Ducnia
    2016-04-01 14:22 - 2016-04-01 14:58 - 00000000 ____D C:\Users\Magda\AppData\Local\Tempfolder
    2016-04-01 14:22 - 2016-04-01 14:58 - 00000000 ____D C:\Program Files\Ovhguhjogponoce
    2016-04-01 14:22 - 2016-04-01 14:22 - 00060136 ____N (DotC United Inc) C:\Windows\system32\Drivers\MPCKpt.sys
    2016-04-01 14:22 - 2016-04-01 14:22 - 00000000 ____D C:\Users\Magda\AppData\Local\csdi_monetize_120160330
    2016-04-01 14:22 - 2016-04-01 14:22 - 00000000 _____ C:\Windows\SysWOW64\Number of results

  • #5 13 Apr 2016 10:18
    Kolobos
    Computer specialist

    After running it, post new FRST logs from a scan.

  • #6 08 May 2016 21:44
    eldisteroo
    Level 2

    Hello,

    it took a while before I got around to the "repair". Until today. In the meantime my girlfriend accidentally ran an automatic system upgrade. It looks, however, like it's gone and the problem has been solved. THANK YOU very much for the help.

    Added after 4 [minutes]:

    And the file that was requested. Thanks again.

  • #7 08 May 2016 21:51
    Kolobos
    Computer specialist

    Fixlist.txt for FRST:
    HKU\S-1-5-21-158269772-2323263166-173429767-1001\...\RunOnce: [ALLPlayer Remote Update] => C:\Users\Magda\AppData\Local\Temp\ALLRemote.exe [2152872 2016-05-08] (ALLPlayer ) <===== UWAGA
    FF Extension: Cash Kitten - C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\kojps1qg.default\Extensions\{df82c73a-d1d9-4aea-b18a-18274a04178f}.xpi [2016-03-31] [Brak podpisu cyfrowego]
    CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxp://www.yoursearching.com/?type=hp&ts=1459513365&z=8decae05c99d74c298f57bdg7zdwft5wbgccaceqcw&from=face&uid=HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX","search.mpc.am"
    CHR HKU\S-1-5-21-158269772-2323263166-173429767-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
    StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursearching.com/?type=sc&ts=...HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX
    EmptyTemp:

    After running it, delete the C:\FRST folder.

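As an added example (not code from this thread, from FRST, or from any of the posters), the script below reads FRST-style log lines and groups them by the indicator class that made the helpers in posts #4 and #7 put them into a fixlist: the proxy auto-config (PAC) URL pushed to an external host, the Group Policy restrictions on the browsers, start-page and search URLs that all point at the same non-default domains, autostart entries (tasks, Run/RunOnce) that launch scripts or binaries from user-writable paths or through pcalua.exe, dead entries whose file is gone, and unsigned extensions. The sample lines are copied from the two fixlists above; the vendor-default domain allowlist, the category names and the path heuristics are this example's own assumptions, and the marker strings ("Brak pliku", "<nie znaleziono>", "[Brak podpisu cyfrowego]") are the Polish FRST strings exactly as they appear in this thread.

```python
"""Triage helper for FRST-style log lines (added example; not FRST's code nor the posted fixlists).

Groups the kinds of entries that the fixlists in this thread remove so the reason each
line is there is visible at a glance. Allowlist, category names and path heuristics are
this example's assumptions; the Polish marker strings are the ones used in the thread.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the fixlists above plus one benign driver
# line (S3XXx64) to show that ordinary entries are left alone.
SAMPLE_LOG = r"""
Task: {17FEDD45-5CF1-41EA-819A-62929ABC0B02} - \Program aktualizacji online firmy Adobe. -> Brak pliku <==== UWAGA
Task: {A9937238-6F27-4F62-AE1F-A0D1A1CC532B} - System32\Tasks\Nuafti => C:\PROGRA~1\OVHGUH~1\Iropufur.bat
Task: {B5D5DE6C-6AC1-44FB-B088-CCD3B8A46ED2} - System32\Tasks\{88E7D9AC-25CE-4F5A-8976-64A57E990233} => pcalua.exe -a C:\Users\Magda\AppData\Roaming\yoursearching\UninstallManager.exe -c -ptid=face
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
AutoConfigURL: [S-1-5-21-158269772-2323263166-173429767-1001] => hxxp://un-stop.org/wpad.dat?d4fde9055db043450a49d21eec83d8d48278562
ManualProxies: 0hxxp://un-stop.org/wpad.dat?d4fde9055db043450a49d21eec83d8d48278562
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = search.mpc.am/?geo=pl
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.yoursearching.com/?type=sc&ts=...HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX
FF Homepage: search.mpc.am
FF Extension: Brak nazwy - C:\Users\Magda\AppData\Roaming\Mozilla\Firefox\Profiles\kojps1qg.default\Extensions\deskCutv2@gmail.com [2016-04-08] [Brak podpisu cyfrowego]
CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxp://www.yoursearching.com/?type=hp&ts=1459513365&z=8decae05c99d74c298f57bdg7zdwft5wbgccaceqcw&from=face&uid=HitachiXHTS545050B9A300_110209PBN403M7F5YW3EX","search.mpc.am"
S3 S3XXx64; C:\Windows\System32\DRIVERS\S3XXx64.sys [73856 2015-02-17] (Identiv)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
HKU\S-1-5-21-158269772-2323263166-173429767-1001\...\RunOnce: [ALLPlayer Remote Update] => C:\Users\Magda\AppData\Local\Temp\ALLRemote.exe [2152872 2016-05-08] (ALLPlayer ) <===== UWAGA
"""

VENDOR_DEFAULTS = {"microsoft.com", "bing.com", "msn.com", "google.com", "google.pl"}  # assumed allowlist
URL_KEYS = ("Start Page", "Default_Page_URL", "Search Page", "HomePage", "Homepage",
            "StartupUrls", "NewTab", "StartMenuInternet", "SearchScopes")
FILE_EXTS = {"exe", "dll", "sys", "bat", "lnk", "xml", "dat", "crx", "xpi"}
DEAD_MARKERS = ("[X]", "Brak pliku", "<nie znaleziono>")  # Polish FRST strings from the thread
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "~1\\")
SCHEME_RE = re.compile(r"^(?:hxxps?|https?)://", re.I)  # FRST defangs http as hxxp
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def hosts_in(line):
    """Return the set of hostnames (without 'www.') referenced by a browser-setting line."""
    found = set()
    for token in re.split(r'[\s",]+', line):
        token = SCHEME_RE.sub("", token)
        host = re.split(r"[/?]", token, maxsplit=1)[0].lower()
        if "\\" in host or not HOST_RE.match(host):
            continue
        if host.rsplit(".", 1)[-1] in FILE_EXTS:
            continue  # IEXPLORE.EXE, *.dll and similar are file names, not hosts
        found.add(host[4:] if host.startswith("www.") else host)
    return found


def unexpected_hosts(lines):
    """Count, per host, the browser-setting lines that point at a non-default domain."""
    counts = Counter()
    for line in lines:
        if any(key in line for key in URL_KEYS):
            for host in hosts_in(line) - VENDOR_DEFAULTS:
                counts[host] += 1
    return counts


def launch_is_suspicious(line):
    """True for a Task/Run/RunOnce entry that runs a script, a user-writable path, or pcalua.exe."""
    target = line.split("=>", 1)[1].strip().lower() if "=>" in line else ""
    return (target.startswith("pcalua.exe")
            or target.endswith(SCRIPT_EXTS)
            or any(marker in target for marker in USER_WRITABLE))


def triage(lines):
    """Group FRST lines by the indicator class they belong to; unflagged lines are dropped."""
    report = {k: [] for k in ("proxy_pac", "browser_policy", "suspicious_autostart",
                              "dead_entry", "unsigned_extension")}
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        if any(marker in line for marker in DEAD_MARKERS):
            report["dead_entry"].append(line)
        elif line.startswith(("AutoConfigURL:", "ManualProxies:")):
            report["proxy_pac"].append(line)
        elif "\\Policies\\" in line:
            report["browser_policy"].append(line)
        elif (line.startswith("Task:") or "\\Run:" in line or "\\RunOnce:" in line) \
                and launch_is_suspicious(line):
            report["suspicious_autostart"].append(line)
        elif "Extension:" in line and "[Brak podpisu cyfrowego]" in line:
            report["unsigned_extension"].append(line)
    return report


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for category, hits in triage(sample).items():
        print(f"{category}: {len(hits)} line(s)")
        for hit in hits:
            print("    " + hit[:90])
    print("non-default browser domains:", dict(unexpected_hosts(sample)))
```

Run against the sample, the domain count is what ties the two fixlists together: search.mpc.am and yoursearching.com show up across Internet Explorer, Firefox and Chrome settings at once, which is the typical footprint of a search hijacker rather than a user's own homepage choice, and the PAC URL on a remote host explains the injected ads and redirects even after the browser settings are reset. The allowlist is deliberately small; extend it with your own organisation's portal domains before using the heuristic on real logs.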