Elektroda.pl

How do I remove Yeadesktop? - I have FRST logs

Gromadka 11 May 2017 15:14 549 5
  • Helpful post
    #2 11 May 2017 15:32
    Kolobos
    Computer specialist

    Export your bookmarks from Chrome, switch the profile to Profile 2 in the settings, and delete the ChromeDefaultData profile created by the infection.

    Run this Fixlist.txt with FRST:
    Task: {04CBF8B6-0EDF-44F4-95C0-590DCA4038A2} - System32\Tasks\{B1905018-7BF6-4D67-BE84-DC6874A0E375} => D:\Gry\Steam\Steam.exe
    Task: {107BA303-D844-4ACF-A6BA-D096058E439E} - System32\Tasks\{094EDF18-7143-7D59-07B1-295C7DB4263E} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\b391a7c\8dff76f.dll" <==== UWAGA
    Task: {26081082-ABEC-4726-B99F-F6A373086774} - System32\Tasks\DllKitPRO => C:\Program Files (x86)\DllKitPRO\dllkitpro.exe
    Task: {5AA386B7-1F6A-42FF-901D-E7D5BA83B2ED} - System32\Tasks\{02D13B8B-AC57-422E-BF3B-C934EFCE7374} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Alphalam\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Alphalam\uninstall.dat" -a uninstallme E8BBB8F2-6BBB-4A5A-BB31-74EBA3AACE82 DeviceId=cb23643f-2277-2ba7-f8a3-f4f312449ccf BarcodeId=51557003 ChannelId=3 DistributerName=APSFWemonetize
    Task: {933667D1-7826-4FDB-9A18-93D04C6BDB6D} - System32\Tasks\{159F545F-51AA-4335-863E-FF7EF942AE65} => D:\Gry\Steam\Steam.exe
    Task: {CF75D8D8-976B-44FE-9257-0C629CF95FB1} - System32\Tasks\Preptionthicight Helper => C:\Program Files (x86)\Aterleryromaent\arohersh.exe [2017-05-11] (Google Inc.)
    Task: {DF373936-22EC-4F41-9D5A-3E2F5DF41471} - System32\Tasks\{A268453B-15C3-F290-DB9A-3895DD3E745E} => C:\ProgramData\{8EA35351-3908-E4FA-3D33-85A79754E10D}\8296708D-353D-C726-749D-8FEE6E8EA9E5.exe <==== UWAGA
    Task: {FDA48DC5-54D2-4A32-9725-15AB2B65A700} - System32\Tasks\{60D917D1-AC04-4381-99FC-E16531A3BE83} => D:\Gry\Steam\Steam.exe
    (Nico Mak Computing) C:\Program Files\WinZip\FAH\FAHWindow64.exe
    HKU\S-1-5-21-1611190212-3073975219-2512841664-1000\...\Run: [H7Z2VMP4N9QPR6O] => "C:\Program Files (x86)\BestZiper\WTT05.exe"
    HKU\S-1-5-21-1611190212-3073975219-2512841664-1000\...\MountPoints2: F - F:\Bin\Instv2.exe
    HKU\S-1-5-21-1611190212-3073975219-2512841664-1000\...\MountPoints2: {8b8177ab-1dd9-11e7-aed0-806e6f6e6963} - F:\Bin\Instv2.exe
    HKLM\...\Providers\iterz1kp: C:\Program Files (x86)\Preptionthicight Helper\local64spl.dll [315392 2017-05-11] ()
    ShellExecuteHooks: Brak nazwy - {4D257ED2-3170-11E7-ACF1-64006A5CFC23} - C:\Program Files (x86)\Aterleryromaent\Nekiing.dll [150016 2017-05-11] ()
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2017-04-10]
    ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAH\FAHConsole.exe (Nico Mak Computing)
    AutoConfigURL: [S-1-5-21-1611190212-3073975219-2512841664-1000] => hxxp://unstopaccess.net/wpad.dat?b1cbcf5c2b9ba1c7212b53a12a9bea5830963879
    Hosts:
    RemoveProxy:
    Tcpip\Parameters: [NameServer] 82.163.143.157 82.163.142.159
    ManualProxies: 0hxxp://unstopaccess.net/wpad.dat?b1cbcf5c2b9ba1c7212b53a12a9bea5830963879
    HKU\S-1-5-21-1611190212-3073975219-2512841664-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%6...6UwiH9Qf41nH1b55_KYdmRtzBenYRPI3QzYg,,&q={searchTerms}
    HKU\S-1-5-21-1611190212-3073975219-2512841664-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61...jPvjnKsVLzMPMIMSeGxkg0i-xjGJ9z-5jrmBpqxCRuw,,,,
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKU\S-1-5-21-1611190212-3073975219-2512841664-1000 -> DefaultScope {ielnksrch} URL =
    CHR Profile: C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-11] <==== UWAGA
    C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
    CHR Extension: (Tables) - C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-05-11]
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    R3 GLCKIO; \??\C:\Program Files (x86)\ASUS\GPU TweakII\690b33e1-0462-4e84-9bea-c7552b45432a.sys [X]
    R4 IOMap; \??\C:\Windows\system32\drivers\IOMap64.sys [X]
    2017-05-11 03:35 - 2017-05-11 03:39 - 00000000 ____D C:\AdwCleaner
    2017-05-11 02:04 - 2017-05-11 02:04 - 00000000 _____ C:\autoexec.bat
    2017-05-11 02:03 - 2017-05-11 02:03 - 05103792 _____ (Enigma Software Group USA, LLC.) C:\Users\Jakub\Downloads\SpyHunter-Installer.exe
    2017-05-11 02:03 - 2017-05-11 02:03 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\Enigma Software Group
    2017-05-11 02:03 - 2017-05-11 02:03 - 00000000 ____D C:\sh4ldr
    2017-05-11 02:03 - 2017-05-11 02:03 - 00000000 ____D C:\Program Files\Enigma Software Group
    2017-05-11 01:58 - 2017-05-11 01:58 - 00000000 ____D C:\ProgramData\Microleaves
    2017-05-11 01:55 - 2017-05-11 01:55 - 00000000 ____D C:\Program Files (x86)\Microleaves
    2017-05-11 01:54 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\QN38JOKWPU
    2017-05-11 01:54 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\DHIATGOV5C
    2017-05-11 01:54 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\446501
    2017-05-11 01:54 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\237633
    2017-05-11 01:54 - 2017-05-11 01:54 - 00000000 ____D C:\Program Files (x86)\Aterleryromaent
    2017-05-11 01:53 - 2017-05-11 01:53 - 00003590 _____ C:\Windows\System32\Tasks\{02D13B8B-AC57-422E-BF3B-C934EFCE7374}
    2017-05-11 01:51 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\OTORCX991F
    2017-05-11 01:51 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\D56S1PTDWF
    2017-05-11 01:51 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\0EUFONIY1Y
    2017-05-11 01:51 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\565201
    2017-05-11 01:51 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\195478
    2017-05-11 01:51 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\184693
    2017-05-11 01:44 - 2017-05-11 02:42 - 00000000 ____D C:\ProgramData\b391a7c
    2017-05-11 01:44 - 2017-05-11 01:44 - 00004028 _____ C:\Windows\System32\Tasks\{A268453B-15C3-F290-DB9A-3895DD3E745E}
    2017-05-11 01:44 - 2017-05-11 01:44 - 00003722 _____ C:\Windows\System32\Tasks\{094EDF18-7143-7D59-07B1-295C7DB4263E}
    2017-05-11 01:44 - 2017-05-11 01:44 - 00000000 ____D C:\ProgramData\5c29b107-6715-0
    2017-05-11 01:43 - 2017-05-11 02:26 - 00000000 ____D C:\ProgramData\{8EA35351-3908-E4FA-3D33-85A79754E10D}
    2017-05-11 01:43 - 2017-05-11 01:44 - 00000000 ____D C:\ProgramData\{44ABA751-F300-10FA-4B07-FC98522D83C7}
    2017-05-11 01:43 - 2017-05-11 01:43 - 00000000 ____D C:\Users\Jakub\AppData\Local\Sepiiedstuzosh
    2017-05-11 01:43 - 2017-05-11 01:43 - 00000000 ____D C:\ProgramData\{625e6280-012c-0}
    2017-05-11 01:43 - 2017-05-11 01:43 - 00000000 ____D C:\ProgramData\{520c34eb-712c-1}
    2017-05-11 01:43 - 2017-05-11 01:43 - 00000000 ____D C:\Program Files (x86)\Fenspgrafogh
    2017-05-11 01:38 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files (x86)\YeaDesktop
    2017-05-11 01:38 - 2017-05-11 01:38 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\Mozilla
    2017-05-11 01:38 - 2017-05-11 01:38 - 00000000 ____D C:\ProgramData\Voyasollams
    2017-05-11 01:38 - 2017-05-11 01:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YeaDesktop
    2017-05-11 01:37 - 2017-05-11 02:47 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\vnlgp
    2017-05-11 01:37 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\I9GLFJIBVZ
    2017-05-11 01:37 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\FCQLVBNU5T
    2017-05-11 01:37 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\785133
    2017-05-11 01:37 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\310977
    2017-05-11 01:37 - 2017-05-11 02:26 - 00000000 ____D C:\ProgramData\PrefsSecure
    2017-05-11 01:37 - 2017-05-11 02:26 - 00000000 ____D C:\ProgramData\Logic Cramble
    2017-05-11 01:37 - 2017-05-11 01:37 - 07290368 _____ C:\Users\Jakub\AppData\Local\agent.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 01895383 _____ C:\Users\Jakub\AppData\Local\Lightdanbam.bin
    2017-05-11 01:37 - 2017-05-11 01:37 - 01894851 _____ C:\Users\Jakub\AppData\Local\BlackIs.tst
    2017-05-11 01:37 - 2017-05-11 01:37 - 00140800 _____ C:\Users\Jakub\AppData\Local\installer.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 00126464 _____ C:\Users\Jakub\AppData\Local\noah.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 00070800 _____ C:\Users\Jakub\AppData\Local\Config.xml
    2017-05-11 01:37 - 2017-05-11 01:37 - 00018432 _____ C:\Users\Jakub\AppData\Local\Main.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 00016176 _____ C:\Users\Jakub\AppData\Local\InstallationConfiguration.xml
    2017-05-11 01:37 - 2017-05-11 01:37 - 00005568 _____ C:\Users\Jakub\AppData\Local\md.xml
    2017-05-11 01:37 - 2017-05-11 01:37 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\VDI
    2017-05-11 01:37 - 2017-05-11 01:37 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\Microleaves
    2017-05-11 01:37 - 2017-05-11 01:37 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\BrowserModule
    2017-05-11 01:37 - 2017-05-11 01:37 - 00000000 ____D C:\Users\Jakub\AppData\Local\AdvinstAnalytics
    2017-05-11 01:36 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files\I3WCM3EAUL
    2017-05-11 01:36 - 2017-05-11 02:30 - 00000000 ____D C:\Program Files (x86)\BestZiper
    2017-05-11 01:36 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\220709
    2017-05-11 01:36 - 2017-05-11 02:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\162117
    2017-05-11 01:35 - 2017-05-11 03:26 - 00000000 ____D C:\Users\Jakub\AppData\Roaming\Rifasatajuther
    2017-05-11 01:35 - 2017-05-11 02:36 - 00000000 ____D C:\Program Files (x86)\Windows Loader
    2017-05-11 01:35 - 2017-05-11 01:37 - 00000000 ____D C:\Users\Jakub\AppData\Local\Vutleghewipy
    2017-05-11 01:35 - 2017-05-11 01:35 - 00006064 _____ C:\Windows\System32\Tasks\Preptionthicight Helper
    2017-05-11 01:35 - 2017-05-11 01:35 - 00000000 ____D C:\Program Files (x86)\Preptionthicight Helper
    2017-05-11 01:37 - 2017-05-11 01:37 - 7290368 _____ () C:\Users\Jakub\AppData\Local\agent.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 1894851 _____ () C:\Users\Jakub\AppData\Local\BlackIs.tst
    2017-05-11 01:37 - 2017-05-11 01:37 - 0070800 _____ () C:\Users\Jakub\AppData\Local\Config.xml
    2017-05-11 01:37 - 2017-05-11 01:37 - 0016176 _____ () C:\Users\Jakub\AppData\Local\InstallationConfiguration.xml
    2017-05-11 01:37 - 2017-05-11 01:37 - 0140800 _____ () C:\Users\Jakub\AppData\Local\installer.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 1895383 _____ () C:\Users\Jakub\AppData\Local\Lightdanbam.bin
    2017-05-11 01:37 - 2017-05-11 01:37 - 0018432 _____ () C:\Users\Jakub\AppData\Local\Main.dat
    2017-05-11 01:37 - 2017-05-11 01:37 - 0005568 _____ () C:\Users\Jakub\AppData\Local\md.xml
    2017-05-11 01:37 - 2017-05-11 01:37 - 0126464 _____ () C:\Users\Jakub\AppData\Local\noah.dat
    2017-05-11 01:38 - 2017-05-11 01:38 - 0032038 _____ () C:\Users\Jakub\AppData\Local\uninstall_temp.ico
    EmptyTemp:

    When it has run, post new FRST logs from a scan.

    0
  • #3 11 May 2017 16:13
    Gromadka
    Level 2

    But after the first scan, am I supposed to click Fix in FRST? Because I haven't closed it yet after the first scan.

    Added after 49 seconds:

    I've already made the Fixlist and put it in.

    Added after 31 minutes:

    I put in the Fixlist, ran AdwCleaner scan and clean, then clicked Fix in FRST and deleted C:\FRST. These are the new logs after those steps; if you can, please check whether the cleanup worked.

    0
  • #4 11 May 2017 16:30
    Gromadka
    Level 2

    Sorry to bother you again, but before those steps I switched Google Chrome to a new account in the settings, and now, logging into my own one, the "choose search engine" field shows "initialpage 123", which can't be removed. So I made new logs and would ask for a fixlist.

    0
  • Helpful post
    #5 11 May 2017 16:38
    Kolobos
    Computer specialist

    In the Chrome settings, turn off restoring the set of pages when the browser starts.

    Run the next Fixlist.txt with FRST:
    CHR HomePage: Profile 3 -> hxxp://www.trovi.com/?gd=&ctid=CT3288691&octi...=SP5E43A09A-3CA7-46A2-AF71-45789446271D&SSPV=
    CHR StartupUrls: Profile 3 -> "hxxp://do-search.com/?type=hp&ts=1428842542&from=cor&uid=ST1000DM003-1ER162_W4Y0EL9QXXXXW4Y0EL9Q","hxxp://www.initialpage123.com/?z=1c08af0af5a8f5d1e42e538gezct6z8z1w0t8c5o4m&from=amz&uid=ST1000DM003-1ER162_W4Y0EL9QXXXXW4Y0EL9Q&type=hp"
    CHR DefaultSearchURL: Profile 3 -> hxxp://www.initialsite123.com/search/?q={searchTerms}&z=b325b514a9cce561a829671g1z6tez8z1q8e8z7w4c&from=isr2&uid=ST1000DM003-1ER162_W4Y0EL9QXXXXW4Y0EL9Q&type=sp
    CHR DefaultSearchKeyword: Profile 3 -> 81initialsite123
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    R3 GLCKIO; \??\C:\Program Files (x86)\ASUS\GPU TweakII\690b33e1-0462-4e84-9bea-c7552b45432a.sys [X]
    R4 IOMap; \??\C:\Windows\system32\drivers\IOMap64.sys [X]

    Delete the C:\FRST folder and that's it.

    0
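    The two Fixlists above (posts #2 and #5) are the triage a helper does by eye: scheduled tasks that launch regsvr32 or pcalua instead of a program, a proxy auto-config URL, static DNS servers on public addresses, and Chrome home/startup/search URLs on hijacker domains. As an added example that is not part of this thread and not code from FRST, the Python script below parses a constructed sample of those lines and flags the same indicators, so a reader can see what the Fixlist entries correspond to. The rule names, the LOLBIN_LAUNCHERS list and the EXPECTED_CHROME_HOSTS allowlist are assumptions of this example, not anything FRST defines.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterator, List
from urllib.parse import urlparse

# Constructed sample: a subset of the FRST Fixlist lines quoted in posts #2 and #5
# of the thread, with some URLs shortened. FRST defangs URLs as "hxxp"; one line
# carries FRST's own "<==== UWAGA" tag (Polish build; "ATTENTION" in English builds).
SAMPLE_FRST_LINES = r"""
Task: {04CBF8B6-0EDF-44F4-95C0-590DCA4038A2} - System32\Tasks\{B1905018-7BF6-4D67-BE84-DC6874A0E375} => D:\Gry\Steam\Steam.exe
Task: {107BA303-D844-4ACF-A6BA-D096058E439E} - System32\Tasks\{094EDF18-7143-7D59-07B1-295C7DB4263E} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\b391a7c\8dff76f.dll" <==== UWAGA
Task: {5AA386B7-1F6A-42FF-901D-E7D5BA83B2ED} - System32\Tasks\{02D13B8B-AC57-422E-BF3B-C934EFCE7374} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Alphalam\uninstall.exe" -c shuz
AutoConfigURL: [S-1-5-21-1611190212-3073975219-2512841664-1000] => hxxp://unstopaccess.net/wpad.dat?b1cbcf5c2b9ba1c7212b53a12a9bea5830963879
Tcpip\Parameters: [NameServer] 82.163.143.157 82.163.142.159
CHR StartupUrls: Profile 3 -> "hxxp://do-search.com/?type=hp&ts=1428842542","hxxp://www.initialpage123.com/?type=hp"
CHR DefaultSearchURL: Profile 3 -> hxxp://www.initialsite123.com/search/?q={searchTerms}&type=sp
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
"""

# Assumed list of Windows binaries that adware in this thread used to launch its
# payload from a scheduled task; a task whose command starts with one is suspicious.
LOLBIN_LAUNCHERS = ("regsvr32.exe", "pcalua.exe", "rundll32.exe", "mshta.exe")

# Hypothetical allowlist of hosts expected in Chrome home/startup/search settings.
EXPECTED_CHROME_HOSTS = {"www.google.com", "clients2.google.com"}
CHROME_KEYS = {"HomePage", "StartupUrls", "DefaultSearchURL"}


@dataclass
class Finding:
    rule: str    # which heuristic fired
    detail: str  # the value that triggered it
    line: str    # the FRST line, verbatim


def hosts_in(text: str) -> Iterator[str]:
    """Yield the host of every defanged (hxxp/hxxps) URL in an FRST line."""
    for m in re.finditer(r'hxxps?://[^\s",]+', text):
        host = urlparse(m.group(0).replace("hxxp", "http", 1)).hostname
        if host:
            yield host


def public_dns_servers(value: str) -> List[str]:
    """Return the tokens of a NameServer value that are public IP addresses.

    A static resolver on a public address is not wrong by itself, but one the
    owner did not configure (as in the thread) is a sign of a DNS hijack.
    """
    servers = []
    for token in value.split():
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an IP address, ignore
        if ip.is_global:
            servers.append(token)
    return servers


def triage_frst(text: str) -> List[Finding]:
    """Run the heuristics over FRST log or Fixlist lines and collect findings."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. Anything FRST itself tagged (Polish build: UWAGA, English: ATTENTION).
        if "<==== UWAGA" in line or "<==== ATTENTION" in line:
            findings.append(Finding("frst-flagged", "tagged by FRST", line))
        # 2. Scheduled tasks whose command is a LOLBin launcher rather than a program.
        if line.startswith("Task:") and "=>" in line:
            command = line.split("=>", 1)[1].strip()
            if command.lower().startswith(LOLBIN_LAUNCHERS):
                findings.append(Finding("task-lolbin", command.split()[0], line))
        # 3. Proxy auto-config (WPAD) or manual proxy pointing at an external host.
        elif line.startswith(("AutoConfigURL:", "ManualProxies:")):
            for host in hosts_in(line):
                findings.append(Finding("proxy-autoconfig", host, line))
        # 4. Static DNS servers on public addresses.
        elif "[NameServer]" in line:
            public = public_dns_servers(line.split("[NameServer]", 1)[1])
            if public:
                findings.append(Finding("dns-public", " ".join(public), line))
        # 5. Chrome home/startup/search URLs on hosts outside the allowlist.
        elif line.startswith("CHR "):
            key = line[4:].split(":", 1)[0]
            if key in CHROME_KEYS:
                odd = [h for h in hosts_in(line) if h not in EXPECTED_CHROME_HOSTS]
                if odd:
                    findings.append(Finding("chrome-hijack", ", ".join(odd), line))
    return findings


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST_LINES):
        print(f"[{f.rule}] {f.detail}")
```

    Run against a full FRST.txt, the script lists the same kinds of entries a helper would copy into a Fixlist; the Steam tasks in the sample are left alone because their command is an ordinary executable path, and the Chrome extension line passes because its host is on the allowlist.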
  • #6 11 May 2017 17:03
    Gromadka
    Level 2

    Thanks, that did it :)

    0