picasso

Administrators
  • Posts: 36 516

Content published by picasso

  1. The system also contains other adware objects that were not thoroughly cleaned earlier. And you used the dubious rogue scanner SpyHunter. Actions to carry out:
     1. Windows flag key + X > Programs and Features > uninstall Lenovo Experience Improvement (unnecessary program), Shared C Run-time for x64 (leftover from the uninstalled McAfee), Visual Studio 2012 x64 Redistributables, Visual Studio 2012 x86 Redistributables (leftovers from the uninstalled AVG), WinZipper (adware).
     2. Open Notepad and paste in:
        Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.
        Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. Wait patiently, do not interrupt the process. When Fix finishes its work, the system will be restarted. A fixlog.txt file will be created in the same directory from which FRST was run.
     3. Clean the browsers:
        Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.
        Google Chrome: Reset sync (if enabled): CLICK. Settings > Settings tab > People > remove the previous unused profile, if more than two "People" are visible.
     4. Make a new FRST log with the Scan option, again with Addition, but without Shortcut. Also attach the fixlog.txt file. Confirm that the problem is also absent in the Edge browser.
  2. 1. Sorry, dragging addresses onto the Apps screen does indeed create extensions with unique IDs.
     2. The FRST fix has been carried out. Delete the downloaded FRST and its logs from the folder C:\Users\Szymek\Downloads\Programs, and delete the folder C:\FRST.
  3. picasso

    yoursites

    The main issue is already resolved, but the accounts cannot be left in this state. Another round of data collection, this time from the context of the administrative account. The condition is that all accounts must be logged in one after another, with the administrative one last. That is: log in Paulina > Switch user option > log in Zbigniew > Switch user option > log in Arek, and on Arek's account run a fixlist.txt with the following content:

        ListPermissions: HKU\S-1-5-21-74317436-289575424-2793545732-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        ListPermissions: HKU\S-1-5-21-74317436-289575424-2793545732-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
        ListPermissions: HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        ListPermissions: HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
        ListPermissions: HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        ListPermissions: HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
        Reg: reg query "HKU\S-1-5-21-74317436-289575424-2793545732-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
        Reg: reg query "HKU\S-1-5-21-74317436-289575424-2793545732-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
        Reg: reg query "HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
        Reg: reg query "HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
        Reg: reg query "HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
        Reg: reg query "HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

    Provide the resulting fixlog.txt.
  4. Everything done. Corrections:
     1. I did not notice a very old Adobe AIR. Uninstall it.
     2. Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
  5. picasso

    yoursites

    The FRST fix has been carried out. As for the problems with the limited accounts, give me registry exports showing how the paths of the special shell folders are configured. On the Paulina and Zbigniew accounts, create and run a fixlist.txt with the same content:

        Reg: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
        Reg: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

    Provide both fixlog.txt files. This is only data collection, not a repair.
  6. Działania do wykonania: 1. Odinstaluj stare wersje i zbędniki Adobe AIR, Adobe Flash Player 18 NPAPI, Akamai NetSession Interface, Java 7 Update 45 oraz adware WinZipper. 2. Otwórz Notatnik i wklej w nim: CloseProcesses: CreateRestorePoint: R2 IhPul; C:\Users\Piotrek\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-14] (tsvr.com) R2 WdMan; C:\ProgramData\JWdMJ\WdMan.exe [333312 2015-12-14] (TFuns LIMITED) [brak podpisu cyfrowego] ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Piotrek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> D:\Programy\mozilla\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> D:\Programy\mozilla\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = HKU\S-1-5-21-4237668962-1813254712-1803451927-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653&q={searchTerms} HKU\S-1-5-21-4237668962-1813254712-1803451927-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
hxxp://www.yoursites123.com/web/?type=ds&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653&q={searchTerms} HKU\S-1-5-21-4237668962-1813254712-1803451927-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 HKU\S-1-5-21-4237668962-1813254712-1803451927-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 SearchScopes: HKLM -> DefaultScope - brak wartości SearchScopes: HKLM-x32 -> DefaultScope - brak wartości SearchScopes: HKU\S-1-5-21-4237668962-1813254712-1803451927-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653&q={searchTerms} SearchScopes: HKU\S-1-5-21-4237668962-1813254712-1803451927-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653&q={searchTerms} SearchScopes: HKU\S-1-5-21-4237668962-1813254712-1803451927-1000 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms} BHO-x32: Brak nazwy -> {1F91A9A1-01BA-4c81-863D-3BA0751E1419} -> Brak pliku DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe 
hxxp://start.qone8.com/?type=sc&ts=1382388326&from=cor&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 FF HKLM-x32\...\Firefox\Extensions: [faststartff@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\faststartff@gmail.com FF HKLM-x32\...\Firefox\Extensions: [shortcutff@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\shortcutff@gmail.com FF HKLM-x32\...\Firefox\Extensions: [detgdp@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\detgdp@gmail.com FF HKLM-x32\...\Firefox\Extensions: [quick_searchff@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\quick_searchff@gmail.com FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\default_newtabff@gmail.com FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\defsearchp@gmail.com FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\deskCutv2@gmail.com FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\1ognvtv4.default\extensions\yahooprotected@gmail.com StartMenuInternet: FIREFOX.EXE - D:\Programy\mozilla\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450109518&z=6dbe7adc9a19de03ca1bf37g0z5w4e2g5ect8w7gem&from=wpm07173&uid=ST1000LM024XHN-M101MBB_S2U5J9DD420653 Task: {3AA83FDB-0F15-4FC7-A0F2-853FE4EB40CB} - 
System32\Tasks\{0D70EE84-6874-4319-8E63-BDEFCD5905B6} => F:\setup.exe [2007-10-17] () Task: {5310A72B-6DC6-4BA4-ACA8-FFEECCE21800} - System32\Tasks\{5F32A1CA-989A-4F4C-8AF4-E7D2AD7191BF} => pcalua.exe -a C:\Users\Piotrek\Downloads\converter.exe -d C:\Users\Piotrek\Downloads Task: {B575AA88-14D4-444D-918F-5843BAC78B5A} - System32\Tasks\Launch HTC Sync Loader => C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe Task: {B82B445E-1EB6-4D94-9C1E-518320FFF168} - System32\Tasks\{BEDB08B8-0195-49A2-85D5-C609C4EA6BA8} => pcalua.exe -a C:\Users\Piotrek\Desktop\htc\RUU_Leo_S_TMO_PL_3.14.118.1_Radio_15.42.50.11U_2.15.50.14_LEO_S_Ship.exe -d C:\Users\Piotrek\Desktop\htc Task: {BAFC77E9-A984-484A-B5C1-F20193993AE3} - System32\Tasks\{E80E4FFC-C212-4AD0-BEC8-15E1BFE37ED4} => pcalua.exe -a F:\setup.exe -d F:\ Task: {CA955A90-5704-4D11-8BDD-690E6D6D3D52} - System32\Tasks\{2EA9D6FD-E4BC-48A4-B4D8-0113D4B626EA} => pcalua.exe -a F:\directx\dxsetup.exe -d F:\directx HKU\S-1-5-21-4237668962-1813254712-1803451927-1000\...\Policies\Explorer: [] S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X] S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X] S3 btath_avdt; system32\drivers\btath_avdt.sys [X] S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X] S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X] S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X] S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X] S3 BtFilter; system32\DRIVERS\btfilter.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] S1 {55685567-4840-4a91-962b-49a412e9485a}Gw64; system32\drivers\{55685567-4840-4a91-962b-49a412e9485a}Gw64.sys [X] S1 {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64; system32\drivers\{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64.sys [X] DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I DeleteKey: HKCU\Software\dobreprogramy DeleteKey: HKCU\Software\Google\Chrome\Extensions DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 DeleteKey: HKLM\SOFTWARE\Google\Chrome\Extensions 
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 29.0.1 (x86 pl) DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins RemoveDirectory: C:\Program Files (x86)\Opera RemoveDirectory: C:\ProgramData\6WMiniPro6 RemoveDirectory: C:\ProgramData\JWdMJ RemoveDirectory: C:\ProgramData\yWdMy RemoveDirectory: C:\Users\Piotrek\AppData\Local\Opera Software RemoveDirectory: C:\Users\Piotrek\AppData\Roaming\.ACEStream RemoveDirectory: C:\Users\Piotrek\AppData\Roaming\ACEStream RemoveDirectory: C:\Users\Piotrek\AppData\Roaming\istartsurf RemoveDirectory: C:\Users\Piotrek\AppData\Roaming\Opera Software RemoveDirectory: C:\Users\Piotrek\AppData\Roaming\Shortcut RemoveDirectory: C:\Users\Piotrek\AppData\Roaming\TSv C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CWK.lnk C:\Users\Piotrek\Desktop\CWK.lnk C:\Windows\SysWOW64\pl.html CMD: netsh advfirewall reset EmptyTemp: Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach. Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Wyłącz COMODO, by nie zablokował FRST i FRST nie może działać w piaskownicy, gdyż w ogóle nic nie wykona. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt. 3. Wyczyść przeglądarki z adware: Firefox: Odłącz synchronizację (o ile włączona): KLIK. Menu Pomoc > Informacje dla pomocy technicznej > Odśwież program Firefox. Zakładki i hasła nie zostaną naruszone, ale Adblock Plus trzeba będzie odinstalować. Menu Historia > Wyczyść całą historię przeglądania. 
Google Chrome: Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected. 4. Make a new FRST log with the Skanuj (Scan) option, again with Addition, but this time without Shortcut. Attach the fixlog.txt file as well.
  7. DelFix has done its job. Delete the file C:\delfix.txt from the disk. The problem was an unsecured router. That is why I gave you this: And that is also what the firmware update was for, which should close the vulnerability related to the management panel, but make sure it is configured as I described. And I assumed that you changed the login, because the default one cannot stay (it is widely known).
  8. This is probably about the WMI registration in the Security Center (somehow I missed it in FRST Addition):
==================== Centrum zabezpieczeń ========================
AV: Avira AntiVir PersonalEdition (Disabled - Out of date) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
I can see there were attempts at installing Avast + Comodo, and we will remove their remnants too; detaching Comodo from the Event Log requires temporarily disabling the Event Log, which means as many as two scripts. Fixes:
1. Run AdwCleaner again, this time choosing the combination of options Skanuj (Scan) + Usuń (Remove). When the program finishes cleaning:
2. Open Notepad and paste into it:
AV: Avira AntiVir PersonalEdition (Disabled - Out of date) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
S3 xspirit; \??\C:\WINDOWS\xspirit.sys [X]
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
RemoveDirectory: C:\AdwCleaner
RemoveDirectory: C:\Documents and Settings\All Users\Dane aplikacji\AVAST Software
RemoveDirectory: C:\Documents and Settings\All Users\Dane aplikacji\Comodo
RemoveDirectory: C:\Documents and Settings\Administrator\Dane aplikacji\Sun
RemoveDirectory: C:\Documents and Settings\radeczek\Ustawienia lokalne\Dane aplikacji\Comodo
RemoveDirectory: C:\Program Files\Comodo
CMD: sc config Eventlog start= disabled
Reboot:
Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). A restart will follow. Copy the resulting fixlog.txt somewhere else.
3. Open Notepad and paste into it:
C:\WINDOWS\system32\config\COMODO I.evt
CMD: sc config Eventlog start= auto
Reboot:
Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). There will be a restart again. Another fixlog.txt will be created. Provide both fixlog.txt files.
  9. Here, in turn, the following actions: 1. Uninstall the adware TubeSaver as well as old versions and unneeded programs: Adobe Flash Player 15 ActiveX, Adobe Shockwave Player 12.1, AVG Web TuneUp, McAfee Security Scan Plus, OpenOffice.org 3.4.1, Pando Media Booster. The latest OpenOffice will be installed later. 2. Open Notepad and paste into it:
CreateRestorePoint: ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
hxxp://www.yoursites123.com/?type=hp&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://isearch.omiga-plus.com/web/?type=dspp&ts=1420481926&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://isearch.omiga-plus.com/?type=hppp&ts=1420481926&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 hxxp://www.google.com HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://isearch.omiga-plus.com/web/?type=dspp&ts=1420481926&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1420481840&from=cor&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> 0281489786C7498697C490711A678FEF URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> 
{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=U270DF&PC=U270&q={searchTerms}&src=IE-SearchBox SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms} SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1002 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = SearchScopes: HKU\S-1-5-21-3039114009-1155605666-1411358329-1004 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = Toolbar: HKLM - Brak nazwy - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - Brak pliku Toolbar: HKU\S-1-5-21-3039114009-1155605666-1411358329-1000 -> Brak nazwy - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Brak pliku Toolbar: HKU\S-1-5-21-3039114009-1155605666-1411358329-1002 -> Brak nazwy - {D4027C7F-154A-4066-A1AD-4243D8127440} - Brak pliku DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.yoursearching.com/?type=sc&ts=1448833131&z=98c25157628e2e2f2c72918gczez1b0b8c2c3g7oct&from=cornl&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 FF HKLM-x32\...\Firefox\Extensions: 
[fftoolbar2014@etech.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\fftoolbar2014@etech.com FF HKLM-x32\...\Firefox\Extensions: [faststartff@gmail.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\faststartff@gmail.com FF HKLM-x32\...\Firefox\Extensions: [quick_searchff@gmail.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\quick_searchff@gmail.com => nie znaleziono FF HKLM-x32\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\sweetsearch@gmail.com => nie znaleziono FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\deskCutv2@gmail.com => nie znaleziono FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\yahooprotected@gmail.com FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfwrh5pz.default\extensions\default_newtabff@gmail.com FF HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\...\Firefox\Extensions: [Tubesaver@istqt.co] - C:\Program Files (x86)\TubeSaver\133.xpi StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 CHR HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx CHR HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mlkikmimdmmkcokjpbhmlphimiefgeol] - 
C:\Users\Admin\AppData\Local\CRE\mlkikmimdmmkcokjpbhmlphimiefgeol.crx [2013-12-15] CHR HKLM-x32\...\Chrome\Extension: [mlkikmimdmmkcokjpbhmlphimiefgeol] - C:\Users\Admin\AppData\Local\CRE\mlkikmimdmmkcokjpbhmlphimiefgeol.crx [2013-12-15] CHR HKLM-x32\...\Chrome\Extension: [ojcdnngpmbenohhjlickdajclhbcaada] - C:\Program Files (x86)\TubeSaver\133.crx [2013-09-11] StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1450111534&z=c37fdeea2e46336e0d2fce4g7z5w4ecg5gcg2wcc2c&from=wpm07173&uid=WDCXWD1600BEVT-75ZCT2_WD-WXEX08VXN996XN996 Task: {50BE3B3C-90E8-4B6F-94A9-D7449F558153} - System32\Tasks\{B3A0E177-E3FE-4924-BA5E-6875D1A43CD5} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{C12631C6-804D-4B32-B0DD- Task: {86B71BD9-4E79-4A5F-B0D9-5A11E7903C84} - System32\Tasks\{849B4DE6-046F-496E-9401-6EA81629CCE2} => pcalua.exe -a C:\Users\Admin\AppData\Roaming\omiga-plus\UninstallManager.exe -c -ptid=cor Task: {CE8D2B9A-005F-4822-9DE0-5EC4CCA7AF2E} - System32\Tasks\Run RoboForm TaskBar Icon => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe HKLM-x32\...\Run: [MFARestart] => "C:\ProgramData\MFAData\pack\avgrunasx.exe" /usereg HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" HKU\S-1-5-21-3039114009-1155605666-1411358329-1000\...\Run: [Tiny download manager] => "C:\Users\Admin\AppData\Local\DM\TinyDM.exe" /M ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => Brak pliku ShellIconOverlayIdentifiers: [GGDriveOverlay1] -> {E68D0A50-3C40-4712-B90D-DCFA93FF2534} => 
C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll Brak pliku ShellIconOverlayIdentifiers: [GGDriveOverlay2] -> {E68D0A51-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll Brak pliku ShellIconOverlayIdentifiers: [GGDriveOverlay3] -> {E68D0A52-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll Brak pliku ShellIconOverlayIdentifiers: [GGDriveOverlay4] -> {E68D0A53-3C40-4712-B90D-DCFA93FF2534} => C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll Brak pliku S1 wafd_1_10_0_18; system32\drivers\wafd_1_10_0_18.sys [X] DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I DeleteKey: HKCU\Software\dobreprogramy DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\AdobeARMservice DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\AdobeFlashPlayerUpdateSvc DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.4.1.lnk DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^grzegorz xd^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.4.1.lnk DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPLA! 
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ooVoo.exe DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\omiga-plus uninstall DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins RemoveDirectory: C:\Program Files (x86)\SFK RemoveDirectory: C:\Program Files (x86)\TubeSaver RemoveDirectory: C:\Program Files (x86)\WinZipper RemoveDirectory: C:\ProgramData\9WMiniPro9 RemoveDirectory: C:\ProgramData\BWdMB RemoveDirectory: C:\ProgramData\DWdMD RemoveDirectory: C:\Users\Admin\AppData\Local\CRE RemoveDirectory: C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\{E4756413-BFF8-47AB-8063-83699A5C6FA2} RemoveDirectory: C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\{7042C1F1-53C4-4E5B-B2CD-2BBBFFC16C98} RemoveDirectory: C:\Users\Admin\AppData\Roaming\TSv RemoveDirectory: C:\Users\Admin\AppData\Roaming\WarThunder RemoveDirectory: C:\Users\Admin\AppData\Roaming\WinZipper RemoveDirectory: C:\Users\Admin\AppData\Roaming\yoursearching RemoveDirectory: C:\Users\grzegorz xd\AppData\Local\Microsoft\Windows\GameExplorer\{B759CD57-0D6B-46A4-8A9D-1946AD287257} C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WarThunder.lnk C:\Users\Admin\AppData\Roaming\Microsoft\Office\Niedawny\*.LNK C:\Users\Admin\Desktop\pliki\pliki\Malwarebytes Anti-Malware.lnk C:\Users\Admin\Desktop\pliki\pliki\McAfee Security Scan Plus.lnk C:\Users\Admin\Desktop\Zawoja 2\Krakus\CENNIK.lnk C:\Users\Admin\Favorites\GG dysk (*).lnk C:\Users\Admin\Links\GG dysk (*).lnk C:\Users\UpdatusUser\Desktop\*.lnk C:\Windows\pss\OpenOffice.org 3.4.1.lnk.Startup C:\Windows\SysWOW64\pl.html EmptyTemp:
Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems. Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from. 3. Clean the adware out of the browsers: Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history. Google Chrome: Reset sync (if enabled): CLICK. If needed, export your bookmarks: CTRL+SHIFT+O > Organize > Export bookmarks to HTML file. Settings > Settings tab > People > create a new profile and sign in to it + import the bookmarks, and delete the old one completely. 4. Make a new FRST log with the Skanuj (Scan) option, again with Addition, this time without Shortcut. Attach the fixlog.txt file as well.
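The fix scripts in these posts list browser shortcuts whose launch argument was replaced with a start-page URL. The following is an added example, not part of the original posts and not FRST's own code: it parses `ShortcutWithArgument:` lines in the layout quoted above and reports browser shortcuts that carry a URL argument, grouped by host. The sample log, the host `hijack.example` and the list of browser executables are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the "ShortcutWithArgument:" layout quoted in the posts;
# user name, host and URL parameters are made up for this example.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\Example\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hijack.example/?type=sc&ts=1400000000&uid=CONSTRUCTED
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hijack.example/?type=sc&ts=1400000000&uid=CONSTRUCTED
ShortcutWithArgument: C:\Users\Example\Desktop\Notes.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation) -> C:\Users\Example\todo.txt
ShortcutWithArgument: C:\Users\Example\Desktop\Chrome Work.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Work
Some unrelated log line that must be ignored
"""

# <lnk path> -> <target exe> (<company>) -> <argument>
# The target may itself contain "(x86)", so the company group is the last
# parenthesised part directly before the second arrow.
LINE_RE = re.compile(
    r"^ShortcutWithArgument:\s+(?P<lnk>.+?\.lnk)\s+->\s+"
    r"(?P<target>.+?)\s+\((?P<company>[^()]*)\)\s+->\s+(?P<args>.+)$",
    re.IGNORECASE,
)
URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.IGNORECASE)

# Assumed set of browser executables; launcher.exe is Opera's target in the posts.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe",
            "launcher.exe", "opera.exe", "msedge.exe"}


def parse_shortcut_line(line):
    """Return the fields of one ShortcutWithArgument line, or None."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def refang(url):
    """The log writes http as hxxp; undo that only so the host can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def find_hijacked_shortcuts(log_text):
    """Flag shortcuts that start a browser with a URL as the argument."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_shortcut_line(line)
        if entry is None:
            continue
        exe = entry["target"].rsplit("\\", 1)[-1].lower()
        url = URL_RE.search(entry["args"])
        if exe in BROWSERS and url:
            findings.append({
                "lnk": entry["lnk"],
                "browser": exe,
                "host": urlsplit(refang(url.group(0))).hostname,
                "url": url.group(0),  # kept defanged, as in the log
            })
    return findings


def group_by_host(findings):
    """Map each landing host to the shortcuts that point at it."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding["host"]].append(finding["lnk"])
    return dict(grouped)


if __name__ == "__main__":
    for host, lnks in group_by_host(find_hijacked_shortcuts(SAMPLE_LOG)).items():
        print(f"{host}: {len(lnks)} shortcut(s)")
        for lnk in lnks:
            print("   ", lnk)
```

A shortcut that passes an ordinary switch or a file path to its target is not reported; only a browser target combined with a URL argument is.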
  10. vs. You manually set user-side DNS in Windows, which is why the ads stopped only in Windows, but I clearly pointed out that the source is the router and that every device connected to your network would be infected immediately. Exactly as with the phone. Everything is done; the DNS addresses obtained from the router are now correct. Finally, use DelFix and clear the System Restore folders: CLICK.
  11. But that is exactly what I am saying: since you did Detach, now do Assign, pointing to the same folder C:\Users\user.
  12. picasso

    yoursites

    Somehow I did not notice that you had uninstalled it, because uninstalling does not remove the profile and an FF profile is still sitting on the Arek account. As for the problem with no access to the folders, perhaps a permissions reset occurred, though I do not know why. So try to unlock those directories, plus the remaining fixes: 1. From the AREK account (the other accounts fully logged out). Open Notepad and paste into it:
DeleteKey: HKCU\Software\V9 DeleteKey: HKCU\Software\PRODUCTSETUP DeleteKey: HKCU\Software\WEBAPP DeleteKey: HKCU\Software\Reg\Clean DeleteKey: HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} DeleteKey: HKLM\SOFTWARE\Wow6432Node\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} DeleteKey: HKLM\SOFTWARE\Wow6432Node\delta-homesSoftware DeleteKey: HKLM\SOFTWARE\Wow6432Node\FFPluginHp DeleteKey: HKLM\SOFTWARE\Wow6432Node\hdcode DeleteKey: HKLM\SOFTWARE\Wow6432Node\mystartsearchSoftware DeleteKey: HKLM\SOFTWARE\Wow6432Node\omniboxesSoftware DeleteKey: HKLM\SOFTWARE\Wow6432Node\V9 DeleteKey: HKLM\SOFTWARE\Wow6432Node\WdsManPro DeleteKey: HKLM\SOFTWARE\Wow6432Node\TSv DeleteKey: HKLM\SOFTWARE\Wow6432Node\Reg\Clean DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\ForeceRemove DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{066D89E6-B457-4A57-888A-B0AEB11D5BF1} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{0E8990F4-2FC9-403C-883B-535D6271E740} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1644E2E1-E15E-4E9E-9B25-5668536DD6A7} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2BA83048-8B7C-4186-843B-D97FC1A6AE95} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{469960F8-8172-4386-BBB1-DF3590027D58} DeleteKey: 
HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{753C5ED0-B9AB-4F1E-8DAC-668E701CA569} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{80995911-5CF2-483F-A260-C736E8D0C691} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{821ED2B3-866E-4177-870E-52D995D123D0} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9B4E4BF6-9346-4969-8428-C3CB81CD7A30} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9BAC5A3B-33FD-4DB9-A4F1-B749498D4017} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A6670033-7A4B-4F59-B8A9-A7CEBF3CE960} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B1285825-F24F-4651-9F8A-2012460AD2FC} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B3D38AE9-C808-4811-8417-F114839D6392} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B8E64931-27EF-42BC-AF3B-0E2B25D17567} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BE952BDF-6FDF-4A62-B318-E15D4487A2EF} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C0233F6C-3110-4AEA-A798-C81DA43CED9E} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{CC5B7648-AAF8-4642-B53D-B7B5E4AE7241} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D325B617-D6F9-4C72-90B2-A38E6D15C16E} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{DF51AD29-5239-441A-B921-E655C8162060} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E515494B-7548-462A-B7E7-A3E6F8C4899C} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E9ECFFF9-2011-439F-92EB-BE145ACD87DA} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FBB92627-0DAA-4B69-97CC-9879236FE039} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\SOFTWARE\Microsoft\Internet Explorer\Main DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\SOFTWARE\Microsoft\Internet Explorer\Search DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchURI DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchUrl DeleteKey: 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchURI DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F1796B2-BEC6-427B-B734-F9C75ED94A80} DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{8C338DDB-19FC-4C1F-B74D-6931EE55F7A1} DeleteKey: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WdsManPro DeleteKey: HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} DeleteKey: HKU\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\iWebar DeleteKey: HKU\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\_CrossriderRegNamePlaceHolder_ RemoveDirectory: C:\Program Files (x86)\Google Drive Quick Create RemoveDirectory: C:\ProgramData\BeostSavEForYeou RemoveDirectory: C:\ProgramData\DiGGiCOupon RemoveDirectory: C:\ProgramData\FindBeistDeal RemoveDirectory: C:\ProgramData\JoNiCouupon RemoveDirectory: C:\ProgramData\ReugulaRDeAls RemoveDirectory: C:\ProgramData\aWdsManProa RemoveDirectory: C:\Users\AREK\AppData\Local\Installer RemoveDirectory: C:\Users\AREK\AppData\Local\Mozilla RemoveDirectory: C:\Users\AREK\AppData\Roaming\Mozilla RemoveDirectory: C:\Users\AREK\AppData\Roaming\WinZipper RemoveDirectory: C:\Users\Paulina\AppData\Local\Mozilla RemoveDirectory: C:\Users\Paulina\AppData\Roaming\Elex-tech RemoveDirectory: C:\Users\Paulina\AppData\Roaming\Mozilla RemoveDirectory: C:\Users\Zbigniew\AppData\Local\Mozilla RemoveDirectory: C:\Users\Zbigniew\AppData\Roaming\Elex-tech RemoveDirectory: C:\Users\Zbigniew\AppData\Roaming\Mozilla RemoveDirectory: C:\Windows\system32\log Unlock: C:\Users\Paulina Unlock: C:\Users\Zbigniew CMD: del /q C:\Windows\launcher.exe
Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). Post the resulting fixlog.txt. 2. Log in to the Paulina and Zbigniew accounts in turn and report what you see.
  13. The logs are complete, so I can move on to removal: 1. Windows flag key + X > Programs and Features > uninstall the unneeded program HP Deskjet Ink Adv 2060 K110 — badanie mające na celu poprawę produktów and the adware WinZipper. 2. Open Notepad and paste into it:
CloseProcesses: CreateRestorePoint: R2 IhPul; C:\Users\Zajcu\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com) R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: ) R2 WdMan; C:\ProgramData\OWdMO\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego] R1 wfdrvr_vw_1_10_0_28; C:\Windows\System32\drivers\wfdrvr_vw_1_10_0_28.sys [57712 2015-10-30] (WF) ShortcutWithArgument: C:\Users\Zajcu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Program uruchamiający aplikacje Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 ShortcutWithArgument: C:\Users\Zajcu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 ShortcutWithArgument: C:\Users\Zajcu\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 ShortcutWithArgument: C:\Users\Zajcu\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} 
HKU\S-1-5-21-108792187-3970147066-2546186400-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms} HKU\S-1-5-21-108792187-3970147066-2546186400-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 HKU\S-1-5-21-108792187-3970147066-2546186400-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.bing.com/search?q={searchTerms} HKU\S-1-5-21-108792187-3970147066-2546186400-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://www.bing.com/search?q={searchTerms} HKU\S-1-5-21-108792187-3970147066-2546186400-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms} SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} SearchScopes: HKU\S-1-5-21-108792187-3970147066-2546186400-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} SearchScopes: HKU\S-1-5-21-108792187-3970147066-2546186400-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872&q={searchTerms} SearchScopes: HKU\S-1-5-21-108792187-3970147066-2546186400-1001 -> {ielnksrch} URL = hxxp://www.bing.com/search?q={searchTerms} StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1447780180&z=63b9c9c17694e7c63dc0e46g5z2z9memam3t7b8b1g&from=cor&uid=GOODRAMXC40_1C9C074614D500571872 Edge HomeButtonPage: HKU\S-1-5-21-108792187-3970147066-2546186400-1001 -> hxxp://www.yoursites123.com/?type=hp&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Zajcu\AppData\Roaming\Mozilla\Firefox\Profiles\1i2oka09.default\extensions\defsearchp@gmail.com => nie znaleziono FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Zajcu\AppData\Roaming\Mozilla\Firefox\Profiles\1i2oka09.default\extensions\deskCutv2@gmail.com => nie znaleziono FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Zajcu\AppData\Roaming\Mozilla\Firefox\Profiles\1i2oka09.default\extensions\default_newtabff@gmail.com FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - 
C:\Users\Zajcu\AppData\Roaming\Mozilla\Firefox\Profiles\1i2oka09.default\extensions\yahooprotected@gmail.com StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-08-05] StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1450091433&z=63b01e0c44d89b9902b3448g7zfw3eeedtegfz4c7q&from=wpm07173&uid=GOODRAMXC40_1C9C074614D500571872 Task: {8A4F88D1-F17C-493D-A5FD-594E3E6137D7} - System32\Tasks\WordFly Auto Updater 1.10.0.28 Pending Update => C:\Program Files (x86)\WordFly_1.10.0.28\Update\WordflyAutoUpdateClient.exe Task: {A542D929-0022-4BE1-A15A-D3AB31892D6C} - System32\Tasks\WordFly Auto Updater 1.10.0.28 Core => C:\Program Files (x86)\WordFly_1.10.0.28\Update\WordflyAutoUpdateClient.exe HKLM-x32\...\Run: [] => [X] Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. 
See aka.ms/browserpolicy" /v ProtectedSearchScopes /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I DeleteKey: HKCU\Software\dobreprogramy DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software RemoveDirectory: C:\Program Files (x86)\SFK RemoveDirectory: C:\Program Files (x86)\WinZipper RemoveDirectory: C:\Program Files (x86)\WordFly_1.10.0.28 RemoveDirectory: C:\ProgramData\BSD RemoveDirectory: C:\ProgramData\gWMiniProg RemoveDirectory: C:\ProgramData\OWdMO RemoveDirectory: C:\ProgramData\TweakBit RemoveDirectory: C:\ProgramData\yWdMy RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper RemoveDirectory: C:\Users\Zajcu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Aplikacje Chrome RemoveDirectory: C:\Users\Zajcu\AppData\Roaming\istartsurf RemoveDirectory: C:\Users\Zajcu\AppData\Roaming\TSv RemoveDirectory: C:\Users\Zajcu\AppData\Roaming\WinZipper 
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\Zajcu\Downloads\Realtek-driver-updater.exe
C:\WINDOWS\SysWOW64\data.bin
C:\WINDOWS\SysWOW64\pl.html
C:\Windows\System32\drivers\wfdrvr_vw_1_10_0_28.sys
CMD: netsh advfirewall reset
EmptyTemp:
Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.
Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.
3. Clean the browsers:
Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.
Google Chrome: Reset sync (if enabled): CLICK. Settings > Settings tab > People > delete the previous, unused "Person"; I do not mean creating a new profile but removing the previous one (according to the FRST report there are two on disk).
4. Make a new FRST log using the Scan (Skanuj) option, again with Addition but this time without Shortcut. Also attach the fixlog.txt file. Confirm that the problem is gone in the Edge browser as well.
  14. Everything is done. Wrapping up: 1. Apply the Fix-it tool that removes a minor WMI error: CLICK. 2. Run DelFix and clear the System Restore folders: CLICK. PS. And many thanks for any donation!
  15. picasso

    yoursites

    Before I give the next steps, explain: which folders on the Paulina and Zbigniew accounts do you mean? And are you sure the problem with the bar is still there after restarting the computer? Besides, I see something odd: I asked for a Firefox Refresh on each of these accounts in turn (which creates a new profile folder), yet the resulting log shows no trace of a new Firefox profile on either account. Does Firefox work there at all / is it available? Is it used? Otherwise I will delete all the profiles entirely.
  16. Wrapping up: Delete the downloaded scanners and their logs from the folder C:\Users\Tomek\Desktop\Nowy folder. Then finish up with DelFix and clear the System Restore folders: CLICK.
  17. Update instructions: How to update the ADSL router firmware (for TD-W8840T, TD-W8901G, TD-W8951ND and TD-W8961ND) Firmware for TD-W8901G You have several firmware series to choose from: V Number. Compare with the sticker on your device and pick the corresponding download link.
  18. Last correction. Open Notepad and paste into it:
    DeleteKey: HKCU\Software\PRODUCTSETUP
    DeleteKey: HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
    DeleteKey: HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
    DeleteKey: HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    DeleteKey: HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\hdcode
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\TSv
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
    DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
    Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). This time there will be no restart. Post the resulting fixlog.txt.
  19. You gave me an old log from several months ago, from an old version of AdwCleaner: # AdwCleaner v4.202 - Logfile created 29/04/2015 at 19:10:46 Using SHIFT+DEL (bypasses the Recycle Bin), delete the whole C:\AdwCleaner folder, repeat the scan and provide the newest log.
  20. There is more adware junk here. Operations to carry out:
    1. Uninstalls:
    - Windows flag key + X > Programs and Features > uninstall the adware WordFly 1.10.0.28.
    - Run the Norton Removal Tool, because the system contains numerous objects left by an improperly uninstalled Norton Internet Security package.
    2. Open Notepad and paste into it:
    CloseProcesses:
    CreateRestorePoint:
    ShortcutWithArgument: C:\Users\Agniecha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815
    ShortcutWithArgument: C:\Users\Agniecha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815
    ShortcutWithArgument: C:\Users\Agniecha\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera 33.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera 33.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815
    HKLM\Software\Wow6432Node\Microsoft\Internet 
Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} HKU\S-1-5-21-2100001416-2170443706-2230923172-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 HKU\S-1-5-21-2100001416-2170443706-2230923172-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
hxxp://www.yoursites123.com/?type=hp&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} SearchScopes: HKU\S-1-5-21-2100001416-2170443706-2230923172-1002 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} SearchScopes: HKU\S-1-5-21-2100001416-2170443706-2230923172-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815&q={searchTerms} StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe 
hxxp://www.yoursites123.com/?type=sc&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 OPR Session Restore: -> [funkcja włączona] StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1450102952&z=97a3a9b96ed0ae4bc57b83cgcz7w1e7g7e3o4t1zbt&from=wpm07173&uid=SAMSUNGXHN-M101MBB_S2RQJ1NBB10815 U3 idsvc; Brak ImagePath U3 wpcsvc; Brak ImagePath HKU\S-1-5-21-2100001416-2170443706-2230923172-1000\...\Run: [sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun Task: {03917C64-5EE5-427B-8A8D-44A987017A5F} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\Windows\ehome\ehrec.exe Task: {04E29903-F8E4-4D6E-88AB-FE6BCE1D679B} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\Windows\ehome\ehPrivJob.exe Task: {186DDBF1-D45D-44AE-87F6-A3E4A019B61B} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\Windows\ehome\mcupdate.exe Task: {1876D088-1070-43EB-AE91-24A91CAFF404} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\Windows\ehome\mcupdate.exe Task: {1887C891-1C14-4A3D-89A4-29F736F69664} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\Windows\ehome\ehPrivJob.exe Task: {1A18C4E0-6C76-43E2-A3DB-B5AD606AE315} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku Task: {2341AAD4-6DAE-4BF2-9BCC-577F257FE51B} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\Windows\ehome\ehPrivJob.exe Task: {244F0274-90E6-496A-B4B3-7BA9B306298F} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku Task: {26F9B746-FDD1-4165-95D7-301D6AD7D6CD} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\Windows\ehome\mcupdate.exe Task: {29A31F4D-6F4D-4EC9-B1C6-A05DEFF5BB25} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\Windows\ehome\ehPrivJob.exe Task: 
{2E263298-B443-4664-A6FD-A48EECD39C12} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\Windows\ehome\mcupdate.exe Task: {2E2CBCB6-041E-4C42-BE9F-830F6089A942} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\Windows\ehome\ehPrivJob.exe Task: {305EF1E5-28AA-4543-998E-0F133C0C486F} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe Task: {37C744B1-FBD9-4A1B-8638-3BABA76A1459} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku Task: {428B58A8-81DF-4F3C-A533-BF2EA45A1025} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\Windows\ehome\ehPrivJob.exe Task: {44FC81C7-4F30-4B89-A3D9-B5FD1E61C4F6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku Task: {47C42DC1-B093-48B3-9BF3-1F76831C796A} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku Task: {49C1321A-6DA9-4375-8924-C2CC2A66686E} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\Windows\ehome\mcupdate.exe Task: {4A09FE6B-1802-49E8-A678-CC12D7F38170} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\Windows\ehome\ehPrivJob.exe Task: {4F0EB740-7F3D-4E09-8564-72F9693A7EBC} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\Windows\ehome\MCUpdate.exe Task: {58C562DE-FC12-4560-9C97-9C84A760EBAA} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\Windows\ehome\ehPrivJob.exe Task: {5D4850AC-682F-4803-98E5-D24415968AA4} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\Windows\ehome\ehPrivJob.exe Task: {6AD5B59F-C5B6-442B-89E0-12907B811FA0} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku Task: {7F918AA3-2000-48E3-9C9D-CFFF69B0C2DD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku Task: {B4D89121-BE3B-4EF8-9F77-8F7A1EC957E7} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku Task: {BA951026-0C32-4E1B-8820-A9C8D908A4D4} - 
System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\Windows\ehome\ehPrivJob.exe Task: {CE6162E8-656E-42CC-9BA3-68C96A0312EB} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\Windows\ehome\ehPrivJob.exe Task: {D83C9EC1-96A6-46DF-91F6-2163A8DE4D89} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\Windows\ehome\mcupdate.exe Task: {EC1D5C1F-1725-443A-8C7A-5CBE7A5731D2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku Task: {EDBE865D-69D8-4D2A-B06F-C1B08F188625} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\Windows\ehome\ehPrivJob.exe Task: {F2D88229-ADBC-475A-8C72-25A147F8852A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku Task: {F7088F29-4C79-4117-A284-A6F0E35C0EDC} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku Task: {F7EB9D2D-6B1B-4DD6-A2D3-D5415F55A1D6} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\Windows\ehome\ehPrivJob.exe Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. 
See aka.ms/browserpolicy" /v ProtectedSearchScopes /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Google
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\Program Files (x86)\WordFly_1.10.0.28
RemoveDirectory: C:\ProgramData\DWMiniProD
RemoveDirectory: C:\ProgramData\Temp
RemoveDirectory: C:\Users\Agniecha\AppData\Roaming\istartsurf
RemoveDirectory: C:\Windows\ehome
RemoveDirectory: C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
C:\ProgramData\{*}.*
C:\WINDOWS\SysWOW64\data.bin
EmptyTemp:
Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.
Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.
3. Make a new FRST log using the Scan (Skanuj) option, again with Addition but this time without Shortcut. Also attach the fixlog.txt file. Confirm that the problem is gone in the Edge browser as well.
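The hijack entries this fix script targets (ShortcutWithArgument lines, Internet Explorer Main values, SearchScopes) can be triaged straight from an FRST log. The following is an added example, not part of the original post and not FRST's own code; the sample log lines, the host hijack.example and all function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the line format shown in the fix scripts above.
# User name, GUID and the host hijack.example are made up for this example.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\Demo\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.hijack.example/?type=sc&ts=1450000000&uid=DISK_0001
ShortcutWithArgument: C:\Users\Demo\Desktop\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.hijack.example/?type=sc&ts=1450000000&uid=DISK_0001
ShortcutWithArgument: C:\Users\Demo\Desktop\Notes.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation) -> C:\Users\Demo\todo.txt
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hijack.example/?type=hp&ts=1450000000&uid=DISK_0001
SearchScopes: HKLM -> DefaultScope {11111111-2222-3333-4444-555555555555} URL = hxxp://www.hijack.example/web/?type=ds&q={searchTerms}
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms}
"""

# Executable names taken from the shortcut targets that appear on this page.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "launcher.exe", "opera.exe"}
URL_RE = re.compile(r"hxxps?://[^\s\"']+", re.IGNORECASE)
SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument: (?P<lnk>.+?\.lnk) -> (?P<target>.+?) "
    r"\((?P<company>[^()]*)\) -> (?P<arg>.*)$"
)
# Directive prefix such as "SearchScopes:"; registry paths (HKLM\...) do not match.
KIND_RE = re.compile(r"^([A-Za-z]{2,}[A-Za-z ]*):")


def host_of(defanged_url):
    """Return the lower-cased host of a defanged (hxxp) URL from the log."""
    refanged = re.sub(r"^hxxp", "http", defanged_url, flags=re.IGNORECASE)
    return (urlsplit(refanged).hostname or "").lower()


def hijacked_shortcuts(log):
    """Browser shortcuts whose argument is a URL: (lnk path, exe, host)."""
    hits = []
    for line in log.splitlines():
        m = SHORTCUT_RE.match(line.strip())
        if not m:
            continue
        exe = m["target"].rsplit("\\", 1)[-1].lower()
        url = URL_RE.search(m["arg"])
        # A document shortcut with a file argument is normal; a browser
        # shortcut with a URL appended forces that page on every launch.
        if exe in BROWSERS and url:
            hits.append((m["lnk"], exe, host_of(url.group())))
    return hits


def hijack_footprint(log):
    """For each host forced through a browser shortcut, count every kind of
    log entry (shortcut, registry value, SearchScopes, ...) pointing at it."""
    suspect = {host for _, _, host in hijacked_shortcuts(log)}
    footprint = {host: Counter() for host in suspect}
    for line in log.splitlines():
        line = line.strip()
        url = URL_RE.search(line)
        if not url:
            continue
        host = host_of(url.group())
        if host not in suspect:
            continue
        kind = KIND_RE.match(line)
        footprint[host][kind.group(1) if kind else "Registry value"] += 1
    return {host: dict(counts) for host, counts in footprint.items()}


if __name__ == "__main__":
    for lnk, exe, host in hijacked_shortcuts(SAMPLE_LOG):
        print(f"{exe}: {lnk} -> {host}")
    for host, counts in hijack_footprint(SAMPLE_LOG).items():
        print(host, counts)
```

A host that shows up under several entry kinds has to be cleaned at every one of them, which is why the script above lists shortcuts, Internet Explorer Main values and SearchScopes together.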
  21. Everything is done, but you multiplied the Google Chrome profiles even further, when all I meant was removing the previous one (according to the FRST report there were two profiles on disk). Corrections: Open Notepad and paste into it:
    S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2934048 2015-10-09] (IObit)
    S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    HKLM\...\Run: [shadow Defender Daemon] => "C:\Program Files\Shadow Defender\DefenderDaemon.exe" /Auto
    HKLM-x32\...\Run: [] => [X]
    DeleteKey: HKU\S-1-5-21-583818649-3997608106-3267890143-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
    RemoveDirectory: C:\AdwCleaner
    RemoveDirectory: C:\FRST\Quarantine
    RemoveDirectory: C:\Program Files\GridinSoft Trojan Killer
    RemoveDirectory: C:\Program Files (x86)\IObit
    RemoveDirectory: C:\ProgramData\IObit
    RemoveDirectory: C:\ProgramData\ProductData
    RemoveDirectory: C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Default
    RemoveDirectory: C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Profile 1
    RemoveDirectory: C:\Users\Lenovo\AppData\LocalLow\IObit
    RemoveDirectory: C:\Users\Lenovo\AppData\Roaming\IObit
    RemoveDirectory: C:\Users\Lenovo\AppData\Roaming\ProductData
    RemoveDirectory: C:\Users\Lenovo\Desktop\Stare dane programu Firefox
    RemoveDirectory: C:\Windows\Tasks\ImCleanDisabled
    Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). This time there will be no restart. Post the resulting fixlog.txt.
  22. picasso

    yoursites

    Here is what the log sees:
    Tcpip\Parameters: [NameServer] 199.203.131.145 82.163.143.167
    Tcpip\..\Interfaces\{CB860721-8BDA-4005-8E26-5C160DD7D67F}: [NameServer] 199.203.131.145 82.163.143.167,8.8.8.8,8.8.4.4
    So the adware servers are still set, and Google's are "tacked on" at the very end. I don't know what you are doing wrong, but these entries should not look like this after a correct edit. Therefore I will remove them from the registry with an FRST script; if need be, after the action (should it cut off the internet) it will have to be corrected manually in the Network Connections configuration. Next batch of tasks:
    ACTIONS ON THE PAULINA ACCOUNT:
    1. If there were valuable bookmarks in Google Chrome on this account, copy the file below to the Desktop, because the whole profile folder will be wiped from the disk: C:\Users\Paulina\AppData\Local\Google\Chrome\User Data\Default\Bookmarks + Bookmarks.bak (if present)
    2. Open Notepad and paste:
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\...\Run: [ares] => "C:\Program Files (x86)\Ares\Ares.exe" -h
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\...\Run: [ALLUpdate] => "D:\Program Files (x86)\ALLPlayer\ALLUpdate.exe" "sleep"
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\...\Run: [CompuCare Check for updates] => C:\Users\Paulina\AppData\Roaming\SuperPump\updater.exe
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\...\MountPoints2: {18bb2952-a0e4-11e1-a51b-d02788674266} - H:\autorun.exe
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://pl.v9.com/?utm_source=b&utm_medium=fft
    HKU\S-1-5-21-74317436-289575424-2793545732-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
hxxp://www.omniboxes.com/web/?type=ds&ts=1447228033&z=3e6f03e8de92d5ddb4f2578g9z4zam4o9obbfe0m8w&from=wpm07173&uid=ST31000524AS_6VPED1VGXXXX6VPED1VG&q={searchTerms}
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1003 - (Brak nazwy) - {EEE6C35D-6118-11DC-9C72-001320C79847} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1003 - (Brak nazwy) - {00000000-6E41-4FD3-8538-502F5495E5FC} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1003 - (Brak nazwy) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1003 - (Brak nazwy) - {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - Brak pliku
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={B63A4DBF-C1D4-4A4D-A16B-A902037CCE43}&mid=55624213de5347d1bcec016ece83ab95-cf12c9a2b59a93b3b3f9c41ce979ab34f8b8fa9f&lang=pl&ds=AVG&pr=fr&d=2012-07-30 09:34:57&v=15.2.0.5&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> bProtectorDefaultScope {EEE6C360-6118-11DC-9C72-001320C79847}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {0D7562AE-8EF6-416d-A838-AB665251703A} URL = hxxp://start.facemoods.com/?a=bfus&s={searchTerms}&f=4
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://search.babylon.com/?q={searchTerms}&affID=112555&tt=3412_3&babsrc=SP_ss&mntrId=0e936e0500000000000000ff132222b0
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {0F347250-9E6C-4492-A3B0-CF709EB52F1F} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=PROTOSV
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://pl.v9.com/s#gsc.tab=0&gsc.q={searchTerms}&gsc.page=1
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {36DEE1AC-B709-4DE4-BD0F-6A1813AB8A07} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=FF&o=14594&src=crm&q={searchTerms}&locale=&apn_ptnrs=FV&apn_dtid=YYYYYYUGPL&apn_uid=371fea84-af3c-4c8b-b4de-b1ce078d9f90&apn_sauid=7C024AE1-FB61-481A-A173-37275FD1A3B0
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={B63A4DBF-C1D4-4A4D-A16B-A902037CCE43}&mid=55624213de5347d1bcec016ece83ab95-cf12c9a2b59a93b3b3f9c41ce979ab34f8b8fa9f&lang=pl&ds=AVG&pr=fr&d=2012-07-30 09:34:57&v=15.2.0.5&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {D1DC3A83-58B1-4041-A584-6ED6A91F7CC6} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A4107735745&ie=UTF-8&q=&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A4107735745&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {D4885D0D-3699-4384-B21F-674ACCCCDC8E} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=PROTOSV
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {E4F3BAAF-E268-47E4-9961-44C17C560EFF} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2670199
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {FED54F96-2849-463A-A2FB-77861CE3C225} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=FF&o=14594&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=FV&apn_dtid=YYYYYYUGPL&apn_uid=371fea84-af3c-4c8b-b4de-b1ce078d9f90&apn_sauid=7C024AE1-FB61-481A-A173-37275FD1A3B0
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> {FF0FDC7A-9812-4532-82B9-B56AD3741A95} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A4107735745&ie=UTF-8&q=&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A4107735745&q={searchTerms}
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {EEE6C35B-6118-11DC-9C72-001320C79847} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {A5AE8924-4036-420F-B7F6-A47E4B8F692E} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {D4027C7F-154A-4066-A1AD-4243D8127440} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1003 -> Brak nazwy - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - Brak pliku
DeleteKey: HKCU\Software\Google
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\FileHunter
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\YourFileDownloader
RemoveDirectory: C:\Users\Paulina\AppData\Local\Google
RemoveDirectory: C:\Users\Paulina\AppData\Roaming\Splashtop
C:\Users\Paulina\AppData\Local\{*}
C:\Users\Paulina\AppData\Local\dt.dat
C:\Users\Paulina\AppData\Roaming\appdataFr25.bin
C:\Users\Paulina\AppData\Roaming\appdataFr3.bin

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). A fixlog.txt file will be created.

3. Clean Firefox of adware:
  • Disconnect sync (if enabled): CLICK.
  • Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected.
  • History menu > Clear Recent History

4. Make a new FRST log using the Scan (Skanuj) option, without Addition and Shortcut. Also attach the fixlog.txt file.

ACTIONS ON THE ZBIGNIEW ACCOUNT:

1. If this account had valuable bookmarks in Google Chrome, copy the file below to the Desktop, because the whole profile folder will be deleted from the disk:

C:\Users\Zbigniew\AppData\Local\Google\Chrome\User Data\Default\Bookmarks + Bookmarks.bak (if present)

2. Open Notepad and paste:

HKU\S-1-5-21-74317436-289575424-2793545732-1004\...\Run: [ALLUpdate] => "D:\Program Files (x86)\ALLPlayer\ALLUpdate.exe" "sleep"
HKU\S-1-5-21-74317436-289575424-2793545732-1004\...\Run: [CompuCare Check for updates] => C:\Users\Zbigniew\AppData\Roaming\SuperPump\updater.exe
HKU\S-1-5-21-74317436-289575424-2793545732-1004\...\Run: [GOOBZOYouTubeAccelerator] => "C:\Program Files (x86)\YouTube Accelerator\YouTubeAccelerator.exe" /startup
HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:splashtopconnect
HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://pl.v9.com/?utm_source=b&utm_medium=fft
HKU\S-1-5-21-74317436-289575424-2793545732-1004\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.omniboxes.com/web/?type=ds&ts=1447228033&z=3e6f03e8de92d5ddb4f2578g9z4zam4o9obbfe0m8w&from=wpm07173&uid=ST31000524AS_6VPED1VGXXXX6VPED1VG&q={searchTerms}
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1004 - (Brak nazwy) - {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1004 - (Brak nazwy) - {00000000-6E41-4FD3-8538-502F5495E5FC} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1004 - (Brak nazwy) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1004 - (Brak nazwy) - {EEE6C35D-6118-11DC-9C72-001320C79847} - Brak pliku
URLSearchHook: HKU\S-1-5-21-74317436-289575424-2793545732-1004 - (Brak nazwy) - {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - Brak pliku
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> bProtectorDefaultScope {EEE6C360-6118-11DC-9C72-001320C79847}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {0070CA47-0F26-4d11-8E6C-727F6FD841AC} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=PROTOSV
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {0D7562AE-8EF6-416d-A838-AB665251703A} URL = hxxp://start.facemoods.com/?a=bfus&s={searchTerms}&f=4
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://search.babylon.com/?q={searchTerms}&affID=112555&tt=3412_3&babsrc=SP_ss&mntrId=0e936e0500000000000000ff132222b0
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://pl.v9.com/s#gsc.tab=0&gsc.q={searchTerms}&gsc.page=1
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {36DEE1AC-B709-4DE4-BD0F-6A1813AB8A07} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=FF&o=14594&src=crm&q={searchTerms}&locale=&apn_ptnrs=FV&apn_dtid=YYYYYYUGPL&apn_uid=371fea84-af3c-4c8b-b4de-b1ce078d9f90&apn_sauid=7C024AE1-FB61-481A-A173-37275FD1A3B0
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {780F312D-5C64-4b3c-B232-FCCEDB1EEB10} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A4107735745&ie=UTF-8&q=&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A4107735745&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={B63A4DBF-C1D4-4A4D-A16B-A902037CCE43}&mid=55624213de5347d1bcec016ece83ab95-cf12c9a2b59a93b3b3f9c41ce979ab34f8b8fa9f&lang=pl&ds=AVG&pr=fr&d=2012-07-30 09:34:57&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {D4885D0D-3699-4384-B21F-674ACCCCDC8E} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=PROTOSV
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {E4F3BAAF-E268-47E4-9961-44C17C560EFF} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2670199
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> {FF0FDC7A-9812-4532-82B9-B56AD3741A95} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A4107735745&ie=UTF-8&q=&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A4107735745&q={searchTerms}
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> Brak nazwy - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> Brak nazwy - {A5AE8924-4036-420F-B7F6-A47E4B8F692E} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> Brak nazwy - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> Brak nazwy - {EEE6C35B-6118-11DC-9C72-001320C79847} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> Brak nazwy - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Brak pliku
Toolbar: HKU\S-1-5-21-74317436-289575424-2793545732-1004 -> Brak nazwy - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - Brak pliku
FF HKU\S-1-5-21-74317436-289575424-2793545732-1004\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => nie znaleziono
DeleteKey: HKCU\Software\Google
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\FileHunter
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\YourFileDownloader
RemoveDirectory: C:\Users\Zbigniew\AppData\Local\Google
RemoveDirectory: C:\Users\Zbigniew\AppData\Roaming\Splashtop
C:\Users\Zbigniew\AppData\Local\{146C58F1-DBFC-4460-B9C6-1DAD41462EC5}
C:\Users\Zbigniew\AppData\Roaming\appdataFr25.bin
C:\Users\Zbigniew\AppData\Roaming\appdataFr3.bin

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). A fixlog.txt file will be created.

3. Clean Firefox of adware:
  • Disconnect sync (if enabled): CLICK.
  • Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected.
  • History menu > Clear Recent History

4. Make a new FRST log using the Scan (Skanuj) option, without Addition and Shortcut. Also attach the fixlog.txt file.

ACTIONS ON THE AREK ACCOUNT:

1. Open Notepad and paste:

Tcpip\Parameters: [NameServer] 199.203.131.145 82.163.143.167
Tcpip\..\Interfaces\{CB860721-8BDA-4005-8E26-5C160DD7D67F}: [NameServer] 199.203.131.145 82.163.143.167,8.8.8.8,8.8.4.4
CMD: ipconfig /flushdns
CMD: del /q C:\Users\AREK\steam_api.dll
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\ProgramData\Splashtop
RemoveDirectory: C:\Users\AREK\AppData\Roaming\Splashtop
Reboot:

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). A restart will follow. A fixlog.txt file will be created.

2. Run AdwCleaner. Choose the Scan (Skanuj) option; the log will be created in the folder C:\AdwCleaner.

3. Make a new FRST log using the Scan (Skanuj) option, without Addition and Shortcut. Also attach the fixlog.txt file and the AdwCleaner log.
  23. The cleanup scripts I mentioned, including removal of active leftovers from an incorrectly uninstalled RealPlayer:

1. Run Zoek and paste into its window:

RealDownloader;u
RealNetworks - Microsoft Visual C++ 2008 Runtime;u
RealNetworks - Microsoft Visual C++ 2010 Runtime;u
RealNetworks - Microsoft Visual C++ 2010 Runtime;u
RealUpgrade 1.1;u
UpdateService;u

Click Run Script. A file named zoek-results.log will be created. In Windows Explorer: View menu > Options > Change folder and search options > View > uncheck Hide extensions for known file types > rename the file to zoek-results.txt so that it can be added as a forum attachment. Post this log.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-02-12] ()
S4 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141336 2014-03-04] (RealNetworks, Inc.)
S4 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-02-12] () [brak podpisu cyfrowego]
U3 idsvc; Brak ImagePath
U3 wpcsvc; Brak ImagePath
Task: {01C7ADE5-FC0E-41D0-9125-103D85AECDC1} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\Windows\ehome\ehPrivJob.exe
Task: {0D395C85-18E7-40E5-9F70-611A7DE74ADF} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {2AF6AB98-00E4-4F02-B0AE-B0A2DA08D0A9} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\Windows\ehome\ehPrivJob.exe
Task: {301209E3-4EE8-4D83-9EB4-507C0C561556} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {33D3290E-8018-4076-8667-7A4783AF05D4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku
Task: {36A16578-D840-443E-B110-DD4E2E3A613D} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1795135361-112343103-1123866960-1001 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2014-02-12] (RealNetworks, Inc.)
Task: {3EE75BD5-242D-4F3D-A6CB-97CDB00A97AA} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\Windows\ehome\ehPrivJob.exe
Task: {401033EF-9620-443D-A1DC-62B4157449E6} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {4190092D-1D05-47F1-93FE-4F9AAA3AFD82} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\Windows\ehome\mcupdate.exe
Task: {454AA207-7170-43CF-BCB1-A4F47E46B88E} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\Windows\ehome\ehPrivJob.exe
Task: {48804A5F-19E3-4CF9-8E4C-AD77A6E61EE2} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\Windows\ehome\ehPrivJob.exe
Task: {4B37BC4B-15E9-45D5-86E5-5668DF5A34DC} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\Windows\ehome\ehPrivJob.exe
Task: {4DF981E2-C3C0-460A-99F8-F9132C26659D} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\Windows\ehome\MCUpdate.exe
Task: {4FB8F98F-204E-45A5-A9FF-9EFFC483A9FD} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {52372068-ED5D-435C-931D-9B8FB0F4E7E4} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\Windows\ehome\ehPrivJob.exe
Task: {549AC358-976A-42B1-B35D-6BEE969A9A93} - System32\Tasks\Microsoft\Microsoft Antimalware\MpIdleTask => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {5C4FC867-B14E-49DC-959F-619CED47FB47} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\Windows\ehome\ehPrivJob.exe
Task: {63FEC160-FDC1-4551-A866-579BDBB4CB12} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {6AA28E6E-8D79-462E-84C6-CFD8197D9DCB} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\Windows\ehome\ehPrivJob.exe
Task: {6AA5449C-368E-428A-9F82-95E204A63C32} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku
Task: {6D0304D1-6775-4E52-BB3F-A3DC9C20ADB0} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\Windows\ehome\ehPrivJob.exe
Task: {7E41E4AC-8A56-458D-9DD1-D3F4A9D589F4} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\Windows\ehome\ehPrivJob.exe
Task: {7FCDB01A-F4AC-4F99-9EE8-05AAA7B81292} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku
Task: {81E0F302-A360-49D3-AC3F-53179A9CF82B} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1795135361-112343103-1123866960-1001 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2014-02-12] (RealNetworks, Inc.)
Task: {A010AB97-5B7B-46AA-94E3-0EB8EFFBDDAF} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku
Task: {A59CE82F-72AC-49E2-83C3-48294100A6A6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku
Task: {AC1C47EC-A310-4454-9823-2F0FDE87C546} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku
Task: {B167BFAC-C3D7-4D9F-BE6D-BEACD1571474} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku
Task: {B47A2308-FEB5-4431-8603-10C93098D88F} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku
Task: {C32958AB-7802-4663-944A-D2BD12DFF61E} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\Windows\ehome\ehPrivJob.exe
Task: {C49DAACA-1CAD-4BAE-95BC-AE2AFD82AA19} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe
Task: {CA4EE9A2-F7C1-4910-859C-608F0FB6C5FF} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\Windows\ehome\ehrec.exe
Task: {D968CAD5-2356-44EE-98E7-C0D88192D702} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku
Task: {D9D28CFD-9CCB-4725-AF8A-6D2265738F34} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\Windows\ehome\ehrec.exe
Task: {F282C074-2B18-47B9-AF1E-898BB79EC4E3} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\Windows\ehome\ehPrivJob.exe
Task: {F531C1D4-73A0-453D-BAC4-61BBC09C495A} - System32\Tasks\{C152D7DC-3B6B-47DA-9DA2-BCC8651C2A78} => C:\Nexon\Combat Arms EU\CombatArms.exe
Task: {F7637E47-8621-46A0-BA20-9BE27A7EA985} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku
Task: {F774A30D-DF42-4E46-9FBE-8C2DE1E375DB} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\Windows\ehome\mcupdate.exe
Task: {F8B6E021-8BAD-4A48-B2D6-4FAF40ECD3CB} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
HKLM\...\Run: [ETDCtrl] => %ProgramFiles%\Elantech\ETDCtrl.exe
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll [2014-02-12] (RealDownloader)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2014-02-12] (RealDownloader)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [brak pliku]
FF Plugin-x32: @real.com/nppl3260;version=17.0.6.13 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll [2014-03-04] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=17.0.6 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2014-02-12] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=17.0.6 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2014-02-12] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=17.0.6 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2014-02-12] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.69 -> C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll [2008-09-10] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=17.0.6.13 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll [2014-03-04] (RealPlayer Cloud)
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM-x32\...\Firefox\Extensions: [{8E8D8D12-A43B-4289-994D-DF2C7C0EF736}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Google
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v ETDCtrl /f
RemoveDirectory: C:\AdwCleaner
RemoveDirectory: C:\Program Files (x86)\Real
RemoveDirectory: C:\Program Files (x86)\RealNetworks
RemoveDirectory: C:\ProgramData\RealNetworks
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealNetworks
RemoveDirectory: C:\Windows\ehome
RemoveDirectory: C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
CMD: del /q C:\Users\Lenovo\AppData\Local\*.*
CMD: del /q "C:\Users\Lenovo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Combat Arms EU.lnk"
CMD: del /q C:\Users\UpdatusUser\Desktop\*.lnk
CMD: netsh advfirewall reset
EmptyTemp:

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When Fix finishes, the system will be restarted. A file named fixlog.txt will be created in the same directory FRST was run from. Post it.
  24. Provide the router model; a firmware update may be necessary.