Elektroda.pl

How do I remove SafeFinder? An annoying virus.

paiN. 08 May 2016 19:35 828 7
  • #1 08 May 2016 19:35
    paiN.
    Level 3

    Hello, a few days ago something crept onto my computer that, from what I've read, is a virus. Every so often it changes my search engine, turns pictures on websites into ad banners, and so on.
    Please help me get rid of it.
    SAFEFINDER

    Here is the FRST log, please help:

  • #2 08 May 2016 21:28
    Acorus 20
    Computer specialist

    Uninstall SpyHunter4 version 4.21.10.4585. Open the system Notepad and paste:

    Quote:
    Task: {0CD955B8-F95C-4BB8-9E07-2FCFE9C3064C} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3751635448-2190551762-3516788110-1000UA => C:\Users\KRYSTIAN\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-07-10] (Facebook Inc.)
    Task: {8031A938-5648-495C-B036-D4725BB61540} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe [2016-05-05] (Enigma Software Group USA, LLC.)
    Task: {8ADBEE37-5CFA-45BC-8287-69C47008124D} - System32\Tasks\Opera scheduled Autoupdate 1396139706 => C:\Program Files (x86)\Opera\launcher.exe [2015-10-30] (Opera Software)
    Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3751635448-2190551762-3516788110-1000Core.job => C:\Users\KRYSTIAN\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3751635448-2190551762-3516788110-1000UA.job => C:\Users\KRYSTIAN\AppData\Local\Facebook\Update\FacebookUpdate.exe
    ShortcutWithArgument: C:\Users\KRYSTIAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\Users\KRYSTIAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\Users\KRYSTIAN\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\Users\KRYSTIAN\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\Users\KRYSTIAN\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    AlternateDataStreams: C:\ProgramData:NT [40]
    AlternateDataStreams: C:\ProgramData:NT2 [322]
    AlternateDataStreams: C:\Users\All Users:NT [40]
    AlternateDataStreams: C:\Users\All Users:NT2 [322]
    AlternateDataStreams: C:\ProgramData\Application Data:NT [40]
    AlternateDataStreams: C:\ProgramData\Application Data:NT2 [322]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT [40]
    AlternateDataStreams: C:\ProgramData\Dane aplikacji:NT2 [322]
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT [40]
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [322]
    AlternateDataStreams: C:\Users\KRYSTIAN\Dane aplikacji:NT [40]
    AlternateDataStreams: C:\Users\KRYSTIAN\Dane aplikacji:NT2 [322]
    AlternateDataStreams: C:\Users\KRYSTIAN\AppData\Roaming:NT [40]
    AlternateDataStreams: C:\Users\KRYSTIAN\AppData\Roaming:NT2 [322]
    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8783616 2016-03-24] (Realtek Semiconductor)
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\Run: [GalaxyClient] => [X]
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: K - K:\Setup.bat
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {02fce676-bf7a-11e4-ac15-9ded3057be0c} - K:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {0f1087a7-c9f1-11e4-91ad-becd28baa302} - G:\Setup.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {1c5d31d2-4324-11e3-a64b-cce353869f1f} - H:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {40a60267-d1ee-11e4-aa66-9770915d5b68} - K:\Setup.bat
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {450be024-723b-11e4-a4ef-e628321cf504} - F:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {4730dc00-cb55-11e4-a610-f599a890ae01} - J:\Setup.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {62d75639-c3a4-11e5-9ed9-be6873794c01} - F:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {63f688f5-417f-11e3-ac7f-bce7430f4263} - G:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {7ce030e3-5c55-11e4-bf07-bfa1f2048f3c} - F:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {8934b7c3-32c0-11e4-a5e2-c299b8adaf04} - H:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {893c4e7b-7150-11e3-8bc1-fffb0135c11e} - G:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {b95a086c-f2f9-11e2-ac4a-647002c6f94b} - G:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {b95a0877-f2f9-11e2-ac4a-647002c6f94b} - G:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {d2d8afa5-eb8d-11e5-b2c0-d10c928c6301} - F:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {d2d8afa9-eb8d-11e5-b2c0-d10c928c6301} - E:\HTC_Sync_Manager_PC.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {df969c9a-58e2-11e4-9dcb-8c81697ca405} - F:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {dfbf6491-f2ef-11e2-8bc4-806e6f6e6963} - E:\Nokia_N70.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {fc98069f-2cae-11e3-bfc2-fd31cb63a86a} - G:\AutoRun.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {fc9806b0-2cae-11e3-bfc2-fd31cb63a86a} - G:\AutoRun.exe
    AppInit_DLLs: C:\ProgramData\AppnormanetouQ\Tinkeyla.dll => C:\ProgramData\AppnormanetouQ\Tinkeyla.dll [361984 2016-05-05] ()
    AppInit_DLLs-x32: C:\ProgramData\AppnormanetouQ\VaiaFix.dll => C:\ProgramData\AppnormanetouQ\VaiaFix.dll [257536 2016-05-05] ()
    GroupPolicy: Ograniczenia - Chrome <======= UWAGA
    CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...-kT8-NyU7VDSbyTXjCXYVMwhd86Ru7fbQzXbYf&q={searchTerms}
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...X-jsdHsLHpPwPx6zsniotEUY2g3EPl4xuWMYYoABEDoH8
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...-kT8-NyU7VDSbyTXjCXYVMwhd86Ru7fbQzXbYf&q={searchTerms}
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...-kT8-NyU7VDSbyTXjCXYVMwhd86Ru7fbQzXbYf&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...-kT8-NyU7VDSbyTXjCXYVMwhd86Ru7fbQzXbYf&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...-kT8-NyU7VDSbyTXjCXYVMwhd86Ru7fbQzXbYf&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://pl.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...-kT8-NyU7VDSbyTXjCXYVMwhd86Ru7fbQzXbYf&q={searchTerms}
    FF NewTab: C:\ProgramData\AppnormanetouQs\ff.NT
    FF Homepage: C:\ProgramData\AppnormanetouQs\ff.HP
    CHR HomePage: Default -> hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...GvOWea-5msPQfVPUr9wABs-wIOiDu2XSent1Ja-5oL-a_
    CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...J8Pf6B71GVZl_Owkbu7O1zHxJ96IKYM7ehTvkQ&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
    CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
    CHR HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [joepfemoahndhaicaeaimohjnehakggf] - <Brak Path/update_url>
    CHR HKLM-x32\...\Chrome\Extension: [jidkebcigjgheaahopdnlfaohgnocfai] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [joepfemoahndhaicaeaimohjnehakggf] - <Brak Path/update_url>
    OPR StartupUrls: "hxxp://www.istartsurf.com/?type=hp&ts=1437147796&z=80ce8fae80f0b1e139c7a7agez9cbm7g3zam1m4q0w&from=cornl&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S456069760697"
    R2 AppnormanetouQ; C:\ProgramData\\AppnormanetouQ\\AppnormanetouQ.exe [692736 2016-05-05] () [Brak podpisu cyfrowego]
    S2 SpyHunter 4 Service; d:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [784256 2015-12-16] (Enigma Software Group USA, LLC.)
    S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-05-05] (Enigma Software Group USA, LLC.)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2015-12-16] ()
    R1 {55dce8ba-9dec-4013-937e-adbf9317d990}Gw64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}Gw64.sys [61120 2014-07-18] (StdLib)
    U3 a2na94b3; C:\Windows\System32\Drivers\a2na94b3.sys [0 ] (Advanced Micro Devices) <==== UWAGA (zerobajtowy plik/folder)
    2016-05-05 12:50 - 2016-05-05 12:50 - 00000871 _____ C:\Users\KRYSTIAN\Desktop\SpyHunter4.lnk
    2016-05-05 12:50 - 2016-05-05 12:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpyHunter4
    2016-05-05 12:17 - 2016-05-05 12:59 - 00001131 _____ C:\Users\KRYSTIAN\Desktop\SpyHunter.lnk
    2016-05-05 12:17 - 2016-05-05 12:17 - 00003326 _____ C:\Windows\System32\Tasks\SpyHunter4Startup
    2016-05-05 12:17 - 2016-05-05 12:17 - 00000000 ____D C:\Users\KRYSTIAN\AppData\Roaming\Enigma Software Group
    2016-05-05 12:17 - 2016-05-05 12:17 - 00000000 _____ C:\autoexec.bat
    2016-05-05 12:16 - 2016-05-05 12:16 - 00000000 ____D C:\sh4ldr
    2016-05-05 12:15 - 2016-05-05 12:15 - 00000000 ____D C:\ProgramData\AppnormanetouQs
    2016-05-05 12:14 - 2016-05-08 19:22 - 00000000 ____D C:\ProgramData\AppnormanetouQ
    2016-05-05 12:13 - 2016-05-05 12:13 - 00000000 ____D C:\Program Files\Enigma Software Group
    2016-05-05 12:13 - 2015-12-16 10:38 - 00019984 _____ C:\Windows\system32\Drivers\EsgScanner.sys
    2016-05-05 12:12 - 2016-05-05 12:12 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\KRYSTIAN\Downloads\Niepotwierdzony 297479.crdownload
    2016-05-05 12:12 - 2016-05-05 12:12 - 00003246 _____ C:\Windows\System32\Tasks\ASC Task (One-Time)
    2016-05-05 12:08 - 2016-05-05 12:09 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\KRYSTIAN\Downloads\Niepotwierdzony 702214.crdownload
    2016-05-05 12:08 - 2016-05-05 12:08 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\KRYSTIAN\Downloads\Niepotwierdzony 45603.crdownload
    2016-05-05 15:36 - 2014-05-28 17:18 - 00000000 ____D C:\AdwCleaner
    2016-03-23 19:24 - 2016-03-23 19:24 - 6493696 _____ () C:\Users\KRYSTIAN\AppData\Roaming\agent.dat
    2016-03-23 19:24 - 2016-03-23 19:24 - 0065232 _____ () C:\Users\KRYSTIAN\AppData\Roaming\Config.xml
    2016-03-23 19:24 - 2016-03-23 19:24 - 0402905 _____ () C:\Users\KRYSTIAN\AppData\Roaming\DomDom.bin
    2016-03-23 19:23 - 2016-03-23 19:23 - 0091044 _____ () C:\Users\KRYSTIAN\AppData\Roaming\inst.lat
    2016-03-23 19:23 - 2016-03-23 19:23 - 0014208 _____ () C:\Users\KRYSTIAN\AppData\Roaming\InstallationConfiguration.xml
    2016-03-23 19:23 - 2016-03-23 19:23 - 0127488 _____ () C:\Users\KRYSTIAN\AppData\Roaming\Installer.dat
    2016-03-23 19:24 - 2016-03-23 19:24 - 0018432 _____ () C:\Users\KRYSTIAN\AppData\Roaming\Main.dat
    2016-03-23 19:24 - 2016-03-23 19:24 - 0005568 _____ () C:\Users\KRYSTIAN\AppData\Roaming\md.xml
    2016-03-23 19:24 - 2016-03-23 19:24 - 0126464 _____ () C:\Users\KRYSTIAN\AppData\Roaming\noah.dat
    2016-03-23 19:24 - 2016-03-23 19:23 - 0865280 _____ () C:\Users\KRYSTIAN\AppData\Roaming\Strongzunfind.exe
    2016-03-23 19:24 - 2016-03-23 19:24 - 1621055 _____ () C:\Users\KRYSTIAN\AppData\Roaming\Strongzunfind.tst
    2016-03-23 19:24 - 2016-03-23 19:24 - 0032038 _____ () C:\Users\KRYSTIAN\AppData\Roaming\uninstall_temp.ico
    EmptyTemp:


    Save the file as fixlist.txt and put it next to FRST in the same folder.
    Run FRST as administrator and click Fix.
    Download and run AdwCleaner as administrator https://toolslib.net/downloads/finish/1/ Click Scan and then Cleaning.

  • #3 08 May 2016 23:02
    paiN.
    Level 3

    The problem came back. It was fine for a while.

  • #4 09 May 2016 07:43
    Kolobos
    Computer specialist

    Post new FRST logs from a fresh scan.

  • Helpful post
    #6 09 May 2016 18:31
    Acorus 20
    Computer specialist

    Open the system Notepad and paste:

    Quote:
    Task: {20734143-C468-4E1C-A08F-EFAC74840B2E} - \ASC Task (One-Time) -> Brak pliku <==== UWAGA
    Task: {70CD0003-43DC-4BDE-86DA-29B0534BECE0} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3751635448-2190551762-3516788110-1000Core => C:\Users\KRYSTIAN\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-07-10] (Facebook Inc.)
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {40a60267-d1ee-11e4-aa66-9770915d5b68} - K:\Setup.bat
    AppInit_DLLs: C:\ProgramData\AppnormanetouQ\Jaylux.dll => C:\ProgramData\AppnormanetouQ\Jaylux.dll [363008 2016-05-08] ()
    AppInit_DLLs-x32: C:\ProgramData\AppnormanetouQ\Sailis.dll => C:\ProgramData\AppnormanetouQ\Sailis.dll [257536 2016-05-08] ()
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...R2Nc50GJ3f40CoVMyT2thok0aWwXfnByjV1a9We76dRrp
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    FF NewTab: C:\ProgramData\AppnormanetouQs\ff.NT
    FF Homepage: C:\ProgramData\AppnormanetouQs\ff.HP
    FF SearchPlugin: C:\Users\KRYSTIAN\AppData\Roaming\Mozilla\Firefox\Profiles\thvde6zc.default\searchplugins\findit.xml [2016-05-08]
    FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\findit.xml [2016-05-08]
    CHR HomePage: Default -> hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...GvOWea-5msPQfVPUr9wABs-wIOiDu2XSent1Ja-5oL-a_
    CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...J8Pf6B71GVZl_Owkbu7O1zHxJ96IKYM7ehTvkQ&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
    CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
    CHR Extension: (InnoGames Polska) - C:\Users\KRYSTIAN\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\joepfemoahndhaicaeaimohjnehakggf [2016-02-22] [UpdateUrl: hxxp://autoupdate.chromewebtb.conduit-services.com/sb/?productId=CT2832599&extensionData=\u003Cextension_data>] <==== UWAGA
    R2 AppnormanetouQ; C:\ProgramData\\AppnormanetouQ\\AppnormanetouQ.exe [692736 2016-05-08] () [Brak podpisu cyfrowego]
    U3 ava3zz0l; C:\Windows\System32\Drivers\ava3zz0l.sys [0 ] (Intel Corporation) <==== UWAGA (zerobajtowy plik/folder)
    2016-05-08 21:49 - 2016-05-09 17:22 - 00000000 ____D C:\ProgramData\AppnormanetouQ
    2016-05-08 21:49 - 2016-05-08 21:49 - 00000000 ____D C:\ProgramData\AppnormanetouQs
    2016-05-08 19:32 - 2016-05-09 17:31 - 00000000 ____D C:\Users\KRYSTIAN\Downloads\FRST-OlderVersion
    2016-05-05 12:11 - 2016-03-23 19:24 - 00000000 ____D C:\ProgramData\Quotenamron
    EmptyTemp:


    Save the file as fixlist.txt and put it next to FRST in the same folder.
    Run FRST as administrator and click Fix.

  • Helpful post
    #7 09 May 2016 18:32
    Kolobos
    Computer specialist

    Uninstall: SpyHunter4 version 4.21.10.4585

    Fixlist.txt for FRST:
    Task: {1C43D5C7-3B95-414E-8038-B167CD83C9FA} - System32\Tasks\{BD368810-1FD3-4DFD-A473-500929D60096} => pcalua.exe -a C:\Users\KRYSTIAN\Downloads\minecraft(2).exe -d C:\Users\KRYSTIAN\Downloads
    Task: {20734143-C468-4E1C-A08F-EFAC74840B2E} - \ASC Task (One-Time) -> Brak pliku <==== UWAGA
    Task: {422127CD-8206-42C0-826C-84D17DDB0B80} - System32\Tasks\{49AA576A-7AFC-4804-9E50-E8905C9438B9} => pcalua.exe -a C:\Users\KRYSTIAN\Desktop\minecraft(2).exe -d C:\Users\KRYSTIAN\Desktop
    Task: {5145E6DC-848D-4308-BD8A-767C459DB73C} - System32\Tasks\{DA80D0B9-1CCF-4EBD-9374-857158709AD0} => D:\Program Files\Gothic III\Gothic3.exe [2006-10-19] (Pluto 13 GmbH)
    Task: {6A329636-964E-417D-A75B-09B2ACAA92E7} - System32\Tasks\{35198C27-EEC5-4A7D-80B3-999B28AE1913} => pcalua.exe -a "D:\Program Files\TeamSpeak 3 Client\package_inst.exe" -d C:\Users\KRYSTIAN\AppData\Local\Temp -c "C:\Users\KRYSTIAN\AppData\Local\Temp\ts3_overlay-v3.4.15.ts3_plugin"
    Task: {70CD0003-43DC-4BDE-86DA-29B0534BECE0} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3751635448-2190551762-3516788110-1000Core => C:\Users\KRYSTIAN\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-07-10] (Facebook Inc.)
    Task: {959CC790-185B-404E-9DF0-D3CD7AE1224C} - System32\Tasks\{6620F417-113C-4EB1-8350-C002A5A341FB} => D:\Program Files (x86)\Origin\Origin.exe [2016-02-05] (Electronic Arts)
    Task: {A54369D7-B5C1-4112-8242-CD3AC2E2FDBC} - System32\Tasks\{E627E3D4-6AB4-43C9-8FB6-CA9558215A00} => D:\Program Files (x86)\Origin\Origin.exe [2016-02-05] (Electronic Arts)
    Task: {C0D319B1-213A-42CF-B17E-DAD3E5F199D2} - System32\Tasks\{6205459E-4516-4351-9517-E5F33C87EB97} => pcalua.exe -a "C:\Users\KRYSTIAN\Desktop\sdasdas\Dragon Age Redesigned Version 7.3d\Dragon Age Origins\Non-companion NPCs (contains Dracomies True Textures)\Dragon Age Redesigned Version 7.3c.exe" -d "C:\Users\KRYSTIAN\Desktop\sdasdas\Dragon Age Redesigned Version 7.3d\Dragon Age Origins\Non-companion NPCs (co (dane wartości zawierają 32 znaków więcej).
    Task: {DB5B20C8-27D5-4334-B3ED-6FDDCA8749F9} - System32\Tasks\{944316E9-8601-4D02-A5FE-34CAFACBDF6D} => pcalua.exe -a "C:\Users\KRYSTIAN\Desktop\sdasdas\Dragon Age Redesigned Version 7.3d\Dragon Age Origins\Companion NPCs for Origins\Leliana\Dragon Age Redesigned- Leliana.exe" -d "C:\Users\KRYSTIAN\Desktop\sdasdas\Dragon Age Redesigned Version 7.3d\Dragon Age Origins\Companion NPCs for Origins\Leliana"
    Task: {E13B1619-6BD1-41F3-9897-4486284AE24A} - System32\Tasks\{20540E7D-F419-4408-9473-9598260F9538} => D:\Program Files (x86)\Origin\Origin.exe [2016-02-05] (Electronic Arts)
    Task: {FCECBD8D-B85E-4791-B5C1-69EBAA350E6A} - System32\Tasks\{25B74513-324A-4BBE-8118-1B3235A12A01} => D:\Program Files (x86)\Counter-Strike 1.6\cstrike.exe [2007-01-30] (DigitalZone )
    2016-05-08 21:49 - 2016-05-08 21:35 - 00692736 _____ () C:\ProgramData\AppnormanetouQ\AppnormanetouQ.exe
    2016-04-12 19:07 - 2016-04-12 17:35 - 00400384 _____ () C:\ProgramData\DCHP\DCHP.exe
    2016-05-08 21:49 - 2016-05-08 21:49 - 00363008 _____ () C:\ProgramData\AppnormanetouQ\Jaylux.dll
    2016-05-08 21:39 - 2016-05-09 17:21 - 00619840 _____ () C:\Users\KRYSTIAN\AppData\Local\Temp\0Kraken0502DevProps.dll
    2016-05-09 17:24 - 2016-05-09 17:24 - 00155232 ___HT () C:\Users\KRYSTIAN\AppData\Local\Temp\~6325.tmp
    () C:\ProgramData\AppnormanetouQ\AppnormanetouQ.exe
    () C:\ProgramData\DCHP\DCHP.exe
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\...\MountPoints2: {40a60267-d1ee-11e4-aa66-9770915d5b68} - K:\Setup.bat
    AppInit_DLLs: C:\ProgramData\AppnormanetouQ\Jaylux.dll => C:\ProgramData\AppnormanetouQ\Jaylux.dll [363008 2016-05-08] ()
    AppInit_DLLs-x32: C:\ProgramData\AppnormanetouQ\Sailis.dll => C:\ProgramData\AppnormanetouQ\Sailis.dll [257536 2016-05-08] ()
    ProxyServer: [S-1-5-21-3751635448-2190551762-3516788110-1000] => 188.166.208.218:8888
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...R2Nc50GJ3f40CoVMyT2thok0aWwXfnByjV1a9We76dRrp
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-3751635448-2190551762-3516788110-1000 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
    FF NewTab: C:\ProgramData\AppnormanetouQs\ff.NT
    FF Homepage: C:\ProgramData\AppnormanetouQs\ff.HP
    FF SearchPlugin: C:\Users\KRYSTIAN\AppData\Roaming\Mozilla\Firefox\Profiles\thvde6zc.default\searchplugins\findit.xml [2016-05-08]
    FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\findit.xml [2016-05-08]
    FF Extension: Brak nazwy - C:\Users\KRYSTIAN\AppData\Roaming\Mozilla\Firefox\Profiles\thvde6zc.default\extensions\{b6a94784-0ffb-4121-88c6-435139067ee2}.xpi [nie znaleziono]
    FF Extension: Brak nazwy - C:\Users\KRYSTIAN\AppData\Roaming\Mozilla\Firefox\Profiles\thvde6zc.default\extensions\deskCutv2@gmail.com [nie znaleziono]
    FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\browser\defaults\preferences\!vitruvian-csp.js [2014-11-26]
    CHR HomePage: Default -> hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...GvOWea-5msPQfVPUr9wABs-wIOiDu2XSent1Ja-5oL-a_
    CHR StartupUrls: Default -> "hxxp://www.google.com/"
    CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...J8Pf6B71GVZl_Owkbu7O1zHxJ96IKYM7ehTvkQ&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
    CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
    CHR Extension: (InnoGames Polska) - C:\Users\KRYSTIAN\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\joepfemoahndhaicaeaimohjnehakggf [2016-02-22] [UpdateUrl: hxxp://autoupdate.chromewebtb.conduit-services.com/sb/?productId=CT2832599&extensionData=\u003Cextension_data>] <==== UWAGA
    OPR Extension: (Download Chrome Extension) - C:\Users\KRYSTIAN\AppData\Roaming\Opera Software\Opera Stable\Extensions\kipjbhgniklcnglfaldilecjomjaddfi [2015-08-08]
    R2 AppnormanetouQ; C:\ProgramData\\AppnormanetouQ\\AppnormanetouQ.exe [692736 2016-05-08] () [Brak podpisu cyfrowego]
    R2 DCHP; C:\ProgramData\\DCHP\\DCHP.exe [400384 2016-04-12] () [Brak podpisu cyfrowego]
    U3 ava3zz0l; C:\Windows\System32\Drivers\ava3zz0l.sys [0 ] (Intel Corporation) <==== UWAGA (zerobajtowy plik/folder)
    2016-05-08 21:49 - 2016-05-09 17:22 - 00000000 ____D C:\ProgramData\AppnormanetouQ
    2016-05-08 21:49 - 2016-05-08 21:49 - 00000000 ____D C:\ProgramData\AppnormanetouQs
    2016-05-08 19:32 - 2016-05-09 17:31 - 00000000 ____D C:\Users\KRYSTIAN\Downloads\FRST-OlderVersion
    2016-04-12 19:07 - 2016-05-05 12:14 - 00000000 ____D C:\ProgramData\DCHP
    2016-05-05 12:11 - 2016-03-23 19:24 - 00000000 ____D C:\ProgramData\Quotenamron
    EmptyTemp:


    @Acorus 20 last time, just like now, you skipped () C:\ProgramData\DCHP\DCHP.exe, which is why the infection came back.

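The fixlists in this thread are built from FRST entries the helpers judged to be residue of the infection: AppInit_DLLs injection, unsigned services started from ProgramData (including the DCHP.exe that Kolobos points out was skipped the first time), a zero-byte driver, a per-user proxy, and browser search and home pages whose hostname is percent-encoded so the real domain is not visible at a glance. As an added example that is not part of this thread and not an FRST feature, the Python script below scans FRST-style log lines for exactly those patterns and decodes the encoded hostnames. The sample input is constructed from lines quoted in the thread; `hxxp` is FRST's defanged `http`, and `[Brak podpisu cyfrowego]` is FRST's Polish output marking a missing digital signature.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example for this thread; it is not part of FRST and not one of the
fixlists the helpers posted. It flags the entry types they pulled into
fixlist.txt: AppInit_DLLs injection, unsigned services started from
ProgramData, zero-byte drivers, a per-user proxy, and browser search/home
pages whose hostname is percent-encoded to hide the real domain.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample input: lines taken from the FRST output quoted in this
# thread ("hxxp" is FRST's defanged "http"; "[Brak podpisu cyfrowego]" is
# FRST's Polish marker for "no digital signature").
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8783616 2016-03-24] (Realtek Semiconductor)
AppInit_DLLs: C:\ProgramData\AppnormanetouQ\Jaylux.dll => C:\ProgramData\AppnormanetouQ\Jaylux.dll [363008 2016-05-08] ()
AppInit_DLLs-x32: C:\ProgramData\AppnormanetouQ\Sailis.dll => C:\ProgramData\AppnormanetouQ\Sailis.dll [257536 2016-05-08] ()
ProxyServer: [S-1-5-21-3751635448-2190551762-3516788110-1000] => 188.166.208.218:8888
HKU\S-1-5-21-3751635448-2190551762-3516788110-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61...adoHCdEgfMcCuekeAA1K2Bou2vkwN2tNMAfDMm&q={searchTerms}
CHR HomePage: Default -> hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%...GvOWea-5msPQfVPUr9wABs-wIOiDu2XSent1Ja-5oL-a_
CHR StartupUrls: Default -> "hxxp://www.google.com/"
R2 AppnormanetouQ; C:\ProgramData\\AppnormanetouQ\\AppnormanetouQ.exe [692736 2016-05-08] () [Brak podpisu cyfrowego]
R2 DCHP; C:\ProgramData\\DCHP\\DCHP.exe [400384 2016-04-12] () [Brak podpisu cyfrowego]
U3 ava3zz0l; C:\Windows\System32\Drivers\ava3zz0l.sys [0 ] (Intel Corporation) <==== UWAGA (zerobajtowy plik/folder)
"""

# Service/driver line: "R2 Name; C:\path\file.exe [size date] (Vendor) ..."
# R/S/U + digit is FRST's start type; "[0 ]" marks a zero-byte file.
SERVICE_RE = re.compile(
    r"^[RSU]\d\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s*(?P<date>[\d-]*)\]\s*\((?P<vendor>[^)]*)\)"
)
# Defanged URL: the host is everything up to the first path/query delimiter.
URL_RE = re.compile(r"hxxps?://(?P<host>[^/\s?&\"]+)")
NO_SIGNATURE = "[Brak podpisu cyfrowego]"


def decode_host(text: str) -> str:
    """Return the percent-decoded hostname of the first defanged URL in text."""
    m = URL_RE.search(text)
    return unquote(m.group("host")) if m else ""


def is_obfuscated_url(text: str) -> bool:
    """True when the hostname itself is percent-encoded; real hosts never are."""
    m = URL_RE.search(text)
    return bool(m) and "%" in m.group("host")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for suspicious FRST entries."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if line.startswith("AppInit_DLLs"):
            # Anything listed here is loaded into every user-mode process.
            dll = line.split(" => ", 1)[0].split(": ", 1)[1]
            findings.append(("appinit_dll", dll))
        elif line.startswith("ProxyServer:"):
            # A proxy the user never set lets the adware rewrite page content.
            findings.append(("proxy", line.split("=>", 1)[1].strip()))
        elif svc:
            path = svc.group("path")
            if int(svc.group("size")) == 0:
                findings.append(("zero_byte_driver", path))
            elif (NO_SIGNATURE in line or not svc.group("vendor")) and \
                    path.lower().startswith("c:\\programdata"):
                findings.append(("unsigned_programdata_service", svc.group("name")))
        elif is_obfuscated_url(line):
            findings.append(("encoded_search_host", decode_host(line)))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick overview of the log."""
    counts: Dict[str, int] = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:30} {detail}")
```

Run against the sample, the script reports both AppInit DLLs, the proxy, both unsigned ProgramData services (AppnormanetouQ and the DCHP entry that had been left out of the first fixlist), the zero-byte driver, and two encoded search hosts, decoding `%66%65%65%64.%73%6F%6E%69%63-%73%65%61` to `feed.sonic-sea`, consistent with the `feed.sonic-search.com` keyword FRST shows in plain text; the legitimate `www.google.com` startup URL produces no finding.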
  • #8 09 May 2016 22:42
    paiN.
    Level 3

    Thank you very much. The problem is gone :)
