Guest: bart IP: *.dynamic.chello.pl 21.11.15, 00:04 wklej.org/id/1851390/
Guest: bart Re: request for help :) IP: *.dynamic.chello.pl 21.11.15, 00:17 addendum wklej.org/id/1851398/
Guest: Kolobos Re: request for help :) IP: *.zask.pl 21.11.15, 13:55 Uninstall: Adobe Reader 9.1 - Polish, replace it with the latest version: ninite.com/reader/ or Foxit: ninite.com/foxit/

Next to frst.exe create a file fixlist.txt with the following content:

Task: {A0610F07-A333-4778-A272-29B1B1AC452D} - System32\Tasks\{A1AD96A3-1F4A-4DF0-8BAC-6630F88B10F8} => pcalua.exe -a C:\Users\Ola\Downloads\SpyHunter-Installer.exe -d C:\Users\Ola\Downloads
Task: {F653CC42-579C-4102-99BA-89C6501BFC54} - System32\Tasks\Follow Plugin => Rundll32.exe "C:\Users\Ola\AppData\Local\Follow Plugin\xBin\FollowPlugin.dll",#3 <==== ATTENTION
(TODO: <公司名>) C:\Program Files (x86)\Blazers\Watsvc.exe
() C:\Program Files (x86)\Blazers\wac.exe
AppInit_DLLs: C:\ProgramData\Zonsoft\ScotDubhome.dll => C:\ProgramData\Zonsoft\ScotDubhome.dll [518656 2015-11-20] ()
AppInit_DLLs-x32: C:\ProgramData\Zonsoft\Rezap.dll => C:\ProgramData\Zonsoft\Rezap.dll [320512 2015-11-20] ()
ShellIconOverlayIdentifiers: [GGDriveOverlay1] -> {E68D0A50-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
ShellIconOverlayIdentifiers: [GGDriveOverlay2] -> {E68D0A51-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
ShellIconOverlayIdentifiers: [GGDriveOverlay3] -> {E68D0A52-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
ShellIconOverlayIdentifiers: [GGDriveOverlay4] -> {E68D0A53-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKU\S-1-5-21-1480235242-2075340924-4091109271-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyLkSna9LUifgub-Gw0L2dco_LI4jRWr-AcEO1IOT4Q2eVy1Jg0seBABnOEqoF771fgZeCly_CDdixOAqwYgbNPX8jMldHKVn6MwQcJMtG9mm7hBt0Oy4qMqFsZ4iMrv1yzZSMZF5DzBm7C6bFvYCZ4R4MOJVC5njHagk5gvo,&q={searchTerms}
HKU\S-1-5-21-1480235242-2075340924-4091109271-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyLkSna9LUifgub-Gw0L2dco_LI4jRWr-AcEO1IOT4Q2eVy1Jg0seBABnOEqoF771fgZeCly_CDdixOAqwYgbNPX8jMldHKVn6MwQcJMtG9mm7hBt0Oy4qMqFsZ4iMrv1yzZSMZF5DzBm7C6bFvYCZ4R4MOJVC5njHagk5gvo,&q={searchTerms}
HKU\S-1-5-21-1480235242-2075340924-4091109271-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyLkSna9LUifgub-Gw0L2dco_LI4jRWr-AcEO1IOT4Q2eVy1Jg0seBABnOEqoF771fgZeCly_CDdixOAqwYgbNPX8jMldHKVn6MwQcJMtG9mm7hBt0Oy4qMqFsZ4iMrv1yzZSMZF5DzBm7C6bFvYCZ4R4MOJVC5njHagk5gvo,&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1480235242-2075340924-4091109271-1001 -> DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1480235242-2075340924-4091109271-1001 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
FF SearchPlugin: C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\nx34phz8.default\searchplugins\google-.xml [2015-11-20]
FF Extension: xRocket Toolbar - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\nx34phz8.default\extensions\arthurj8283@gmail.com [2015-11-20] [not signed]
FF Extension: YahooToolsProtected - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\nx34phz8.default\extensions\yahooprotected@gmail.com [2015-11-20] [not signed]
FF Extension: Treasure Track - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\nx34phz8.default\Extensions\{0dca81b2-27b9-4928-8549-5570d7d8b65e}.xpi [2015-10-18] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\nx34phz8.default\extensions\yahooprotected@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [arthurj8283@gmail.com] - C:\Users\Ola\AppData\Roaming\Mozilla\Firefox\Profiles\nx34phz8.default\extensions\arthurj8283@gmail.com
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\!75BB7BC0C032F178909D082ABC1F03A775BB.js [2015-11-17]
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyLkSna9LUifgub-Gw0L2dco_LI4jRWr-AcEO1IOT4Q2eVy1Jg0seBABnOEqoF771fgZeCly_CDdixOAqwYgbNPX8jMkyQ3f47nRvia1kJQVCaz9L9L6S1hr5jCi5YIHu6ypNPhFC3aBMbXfHarSqha6PbtkqG08zRIV1_eOY,
CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyLkSna9LUifgub-Gw0L2dco_LI4jRWr-AcEO1IOT4Q2eVy1Jg0seBABnOEqoF771fgZeCly_CDdixOAqwYgbNPX8jMkBJbMdOIgqnJRsPEhIqCzMyyNxXnLQxN0C22hyG-Oe44Uy2GGjpeUlzV0DOpUMxn__c_Jf9yjvjXvE,&q={searchTerms}
CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [edfhabmbbhdcdpnoilchepfojmdeannd] - hxxps://clients2.google.com/service/update2/crx
R2 Watsvc; C:\Program Files (x86)\Blazers\Watsvc.exe [107160 2015-04-16] (TODO: <公司名>)
S2 Zonsoft; C:\ProgramData\\Zonsoft\\Zonsoft.exe -f "C:\ProgramData\\Zonsoft\\Zonsoft.dat" -l -a
S1 {41762469-d88f-478c-9684-72ed23ef7b22}Gw64; system32\drivers\{41762469-d88f-478c-9684-72ed23ef7b22}Gw64.sys [X]
2015-11-21 00:00 - 2015-11-21 00:00 - 00121394 _____ C:\Users\Ola\Downloads\Extras.Txt
2015-11-20 23:59 - 2015-11-20 23:59 - 00178272 _____ C:\Users\Ola\Downloads\OTL.Txt
2015-11-20 23:52 - 2015-11-20 23:52 - 00602112 _____ (OldTimer Tools) C:\Users\Ola\Downloads\OTL_www.INSTALKI.pl.exe
2015-11-20 19:22 - 2015-11-20 23:26 - 00000000 ____D C:\AdwCleaner
2015-11-20 19:10 - 2015-11-20 19:17 - 00000000 ____D C:\Users\Ola\AppData\Local\gmsd_pl_005010152
2015-11-20 18:37 - 2015-11-20 22:45 - 00000000 ____D C:\ProgramData\Zonsoft
2015-11-20 18:37 - 2015-11-20 18:37 - 00000000 ____D C:\ProgramData\Zonsofts
2015-11-20 00:26 - 2015-11-20 19:09 - 00000098 _____ C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2015-04-14 17:28 - 2015-04-14 17:28 - 0004387 _____ () C:\Users\Ola\AppData\Roaming\hX7ZankMqLimp
2015-04-19 13:20 - 2015-04-19 13:20 - 0005872 _____ () C:\Users\Ola\AppData\Roaming\jqZEzX0s
2015-04-14 17:28 - 2015-04-14 17:28 - 0004387 _____ () C:\Users\Ola\AppData\Roaming\wm3fvsI1ucr
2015-04-19 13:20 - 2015-04-19 13:20 - 0005872 _____ () C:\Users\Ola\AppData\Roaming\YylF0I90PJs
EmptyTemp:

In FRST click Fix. Once it has finished, delete the C:\FRST folder. Run a full scan with Mbam and remove whatever it detects: www.bleepingcomputer.com/download/malwarebytes-anti-malware/
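The search-page and home-page entries in the fixlist above hide the hijacker's hostnames behind percent-encoding (%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D is feed.sonic-search.com, which FRST itself reveals in the CHR DefaultSearchKeyword line). The following is an added example, not code from the post or from FRST: a small Python audit that decodes every hxxp:// URL in a handful of FRST-style lines, flags any host that was percent-encoded (a real hostname never needs it) or that is not one of the expected search engines, and reports which entry carried it. The sample log lines are constructed from the entries quoted above with the long tracking tokens shortened, and the trusted-host list is an assumption to adjust for the machine in question.

```python
import re

# Constructed sample modelled on the FRST entries quoted in the post above
# (hxxp:// is FRST's defanged scheme; the long tracking tokens are shortened).
SAMPLE_LOG = """\
HKU\\S-1-5-21-1480235242-2075340924-4091109271-1001\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=TOKEN&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=TOKEN,
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
"""

# Hosts a browser's search/home page is expected to point at on this machine.
# Assumption for the example; adjust to the user's real defaults.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

URL_RE = re.compile(r"hxxps?://\S+")          # defanged URLs as FRST writes them
HOST_RE = re.compile(r"^[a-z]+://([^/?#]+)")  # authority part of a URL
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")     # one percent-encoded byte


def raw_host(url):
    """Host part of a (possibly defanged) URL, exactly as written in the log."""
    m = HOST_RE.match(url)
    return m.group(1) if m else ""


def decoded_host(url):
    """Percent-decode the host: %66%65%65%64 -> feed. Hostnames never need
    percent-encoding, so its presence is itself a red flag."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), raw_host(url)).lower()


def audit(log_text, trusted=TRUSTED_HOSTS):
    """Return one finding per URL whose host was obfuscated or is untrusted,
    as (entry, raw_host, decoded_host, obfuscated)."""
    findings = []
    for line in log_text.splitlines():
        for url in URL_RE.findall(line):
            raw = raw_host(url)
            host = decoded_host(url)
            obfuscated = "%" in raw
            if obfuscated or host not in trusted:
                # The FRST entry name is everything before the URL on that line.
                entry = line.split(url, 1)[0].strip(" =->")
                findings.append((entry, raw, host, obfuscated))
    return findings


if __name__ == "__main__":
    for entry, raw, host, obfuscated in audit(SAMPLE_LOG):
        flag = "OBFUSCATED " if obfuscated else ""
        print(f"{flag}{host:<24} <- {entry}")
```

Run against the sample it reports feed.sonic-search.com for the IE Search Page entry and feed.snapdo.com for the Chrome HomePage entry, both marked OBFUSCATED, while the Google and Yahoo entries pass. Feeding it a full FRST.txt works the same way, since it only looks at the defanged URLs on each line.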
Guest: bart Re: request for help :) IP: *.dynamic.chello.pl 21.11.15, 17:04 Thank you, good man, it worked :) Have a nice day