Content posted by picasso
-
There is more adware here than just the problem in the title. ComboFix was used here; on that subject: CLICK. These days it is not even a good program for removing adware; there are other, more specialized ones.

Actions to perform:

1. Uninstall the adware WordFly 1.10.0.25 and the unnecessary program Badanie mające na celu poprawę produktów HP Deskjet 1510 series (the HP product-improvement survey).

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2426139859-1562633933-961591751-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2426139859-1562633933-961591751-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: No Name -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\defsearchp@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\deskCutv2@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [sidebarff@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\sidebarff@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\default_newtabff@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\yahooprotected@gmail.com => not found
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM-x32\...\Run: [updReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [] => [X]
R2 IhPul; C:\Users\Damian\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2015-12-14] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main
RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox\plugins
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\Program Files (x86)\WinZipper
RemoveDirectory: C:\Qoobox
RemoveDirectory: C:\Users\Damian\AppData\Roaming\RHEng
RemoveDirectory: C:\Users\Damian\AppData\Roaming\TSv
RemoveDirectory: C:\Users\Damian\Desktop\Stare dane programu Firefox
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
EmptyTemp:

Note for others reading: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Make a new FRST log from the Scan option, again with Addition, but this time without Shortcut. Also attach the fixlog.txt file.
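The fix above removes three persistence points of this hijacker by hand: .lnk files whose Arguments field carries the hijacker URL (FRST's ShortcutWithArgument lines), the Start Page / Search Page / Default_Page_URL / Default_Search_URL values under Internet Explorer\Main in the 64-bit, WOW6432Node and per-user hives, and the SearchScopes entries. The PowerShell script below is an added example, not part of picasso's post and not FRST; it audits those same three places on a live system and, when run with -Fix, clears what it found. The $Pattern default (yoursites123|istartsurf) is taken from the hosts in these logs; the shortcut folder list and the decision to leave DefaultScope untouched are the example's own choices.

```powershell
# Added example (not from the original post, not FRST): audit the three places the
# yoursites123 hijacker lives in, report them, and clear them with -Fix.
# Assumption: the hosts in $Pattern are the ones seen in this thread; adjust per case.
param(
    [string]$Pattern = 'yoursites123|istartsurf',
    [switch]$Fix
)

$wsh = New-Object -ComObject WScript.Shell

# 1. Shortcuts: a .lnk whose Arguments field smuggles a URL (FRST: ShortcutWithArgument).
#    Folder list is this example's choice; it mirrors the locations FRST listed above.
$shortcutRoots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('Desktop')
) | Where-Object { Test-Path $_ }

$badShortcuts = Get-ChildItem -Path $shortcutRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        # A clean browser or game launcher shortcut has no URL in its arguments.
        if ($lnk.Arguments -match '(?i)\bhttps?://') {
            [pscustomobject]@{ Kind = 'Shortcut'; Location = $_.FullName; Value = "$($lnk.TargetPath) $($lnk.Arguments)" }
        }
    }

# 2. IE "Main" values, in the 64-bit view, the WOW6432Node view and the current user's hive.
$mainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main'
)
$mainValues = 'Start Page', 'Default_Page_URL', 'Search Page', 'Default_Search_URL'
$badRegistry = foreach ($key in $mainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $mainValues) {
        $v = $props.$name
        if ($v -and $v -match $Pattern) {
            [pscustomobject]@{ Kind = 'Registry'; Location = "$key,$name"; Value = $v }
        }
    }
}

# 3. SearchScopes: each subkey is one search provider; the hijacker adds its own GUID
#    and points DefaultScope at it.
$scopeKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
)
$badScopes = foreach ($key in $scopeKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath).URL
        if ($url -and $url -match $Pattern) {
            [pscustomobject]@{ Kind = 'SearchScope'; Location = $_.PSPath; Value = $url }
        }
    }
}

$findings = @($badShortcuts) + @($badRegistry) + @($badScopes)
$findings | Format-Table -AutoSize -Wrap

if ($Fix) {
    foreach ($f in $badShortcuts) {
        $lnk = $wsh.CreateShortcut($f.Location); $lnk.Arguments = ''; $lnk.Save()
    }
    foreach ($f in $badRegistry) {
        $key, $name = $f.Location -split ',', 2
        Remove-ItemProperty -Path $key -Name $name   # IE falls back to its default when the value is absent
    }
    foreach ($f in $badScopes) {
        Remove-Item -Path $f.Location -Recurse       # DefaultScope is left alone; pick a provider again in IE's Manage add-ons
    }
}
```

Run it first without -Fix and read the table; the HKLM branches need an elevated PowerShell to write. It does not touch Firefox or Chrome profiles, the "Restriction" policy keys, or the services and drivers in the fixlist, which is why the post still hands those to FRST.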
-
Operations to perform:

1. Uninstalls:
- Windows key + X > Programs and Features > uninstall the sponsored installation McAfee Security Scan Plus.
- Run the Microsoft tool: CLICK. Accept > Detect problems and let me select the fixes to apply > Uninstalling > tick the entry Metric Collection SDK in the list > Next.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\Users\Lenovo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\Users\Lenovo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
GroupPolicy: Restriction - Chrome
CHR HKLM\SOFTWARE\Policies\Google: Restriction
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
HKU\S-1-5-21-157526072-1602897899-2300392595-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
HKU\S-1-5-21-157526072-1602897899-2300392595-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKU\S-1-5-21-157526072-1602897899-2300392595-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKU\S-1-5-21-157526072-1602897899-2300392595-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843&q={searchTerms}
SearchScopes: HKU\S-1-5-21-157526072-1602897899-2300392595-1001 -> {776A0229-539F-4759-916F-4DB93673690E} URL = 
BHO-x32: No Name -> {c723a437-2eaf-466d-a95b-3fa0966bf88c} -> No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1443478259&z=9d78e11fa70e77f1fd603c7gbz1z6c3z8mebce1m2e&from=cor&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\noweppvz.default-1443478920222\extensions\defsearchp@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\6dfom8hu.default\extensions\deskCutv2@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\noweppvz.default-1443478920222\extensions\default_newtabff@gmail.com => not found
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\noweppvz.default-1443478920222\extensions\yahooprotected@gmail.com => not found
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1449854587&z=4ed0e03a0ec51f49689660fgcz4zdt8b9wfz1w6t8z&from=ient07021&uid=WDCXWD5000BPVT-22HXZT3_WD-WXQ1A818484384843
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-06-18]
R2 WdMan; C:\ProgramData\lWdMl\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [File not signed]
S3 ew_hwusbdev; \SystemRoot\system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; \SystemRoot\System32\drivers\ew_usbenumfilter.sys [X]
S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
S3 hwusb_cdcacm; \SystemRoot\system32\DRIVERS\ew_cdcacm.sys [X]
S3 hwusb_wwanecm; \SystemRoot\system32\DRIVERS\ew_wwanecm.sys [X]
S1 tcfd_vw_1_10_0_24; system32\drivers\tcfd_vw_1_10_0_24.sys [X]
Winlogon\Notify\igfxcui: igfxdev.dll [X]
CustomCLSID: HKU\S-1-5-21-157526072-1602897899-2300392595-1001_Classes\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534}\InprocServer32 -> C:\Users\Lenovo\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll => No File
Task: {3B2C75AB-FE05-4D11-AE3E-D47DA131ED07} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-01] (Lenovo)
Task: {95CF3481-A7D8-4FC0-9B22-AE757935E22C} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: {D751D845-80F1-420A-A1A0-170F0C61A205} - System32\Tasks\{F5C4F0DB-A5CD-413A-A417-C93E61A11F36} => pcalua.exe -a C:\Users\Lenovo\AppData\Roaming\istartsurf\UninstallManager.exe -c -ptid=cor
Task: {DABB7B13-FD63-4ACC-9515-297673B18FB3} - System32\Tasks\{C7F08F34-D94A-4615-8D58-ED50A0F85CE8} => Firefox.exe hxxp://ui.skype.com/ui/0/7.2.0.103/pl/abandoninstall?page=tsMain
Task: {E961CE18-F48B-4866-BAFA-E11A65EADC4A} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2015-08-17] (Lenovo)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\ProgramData\lWdMl
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\windows\SysWOW64\pl.html
CMD: netsh advfirewall reset
EmptyTemp:

Note for others reading: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Clean the browsers of adware:
Firefox: Disconnect sync (if it is enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.
Opera: Disconnect sync (if it is enabled): CLICK. Settings > Extensions tab > uninstall the adware Strong Signal.

4. Make a new FRST log from the Scan option, again with Addition, but this time without Shortcut. Also attach the fixlog.txt file.
-
This is not only the yoursites123 hijacker; there is also a Bitcoin miner posing as Steam and launching via Task Scheduler. You should be noticing high CPU load:

Task: {812F5055-02A6-4D10-9877-70B76FC83A95} - System32\Tasks\Steam-S-1-8-22-9865GUI => C:\Users\MAX\AppData\Roaming\WinRAR\Reversed\steam.exe [2015-08-06] ()

Actions to perform:

1. Uninstall the vendor bloatware Browser Configuration Utility and the older version Java 8 Update 51.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\MAX\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Euro Truck Simulator 2 Multiplayer\Play Euro Truck Simulator 2 Multiplayer.lnk -> C:\Program Files\Euro Truck Simulator 2 Multiplayer\launcher.exe (ETS2MP Team) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\MAX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
ShortcutWithArgument: C:\Users\Public\Desktop\Play Euro Truck Simulator 2 Multiplayer.lnk -> C:\Program Files\Euro Truck Simulator 2 Multiplayer\launcher.exe (ETS2MP Team) -> hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
HKU\S-1-5-21-1191921471-775121805-984144667-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> {1925F7FA-8547-4c65-B51E-1AE3FD0AA2E2} URL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=1975384696&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=pl&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1191921471-775121805-984144667-1000 -> {B2F351CC-2D9A-4730-9C25-B8EBC6159D8C} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
FF HKLM\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\defsearchp@gmail.com => not found
FF HKLM\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\deskCutv2@gmail.com => not found
FF HKLM\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\default_newtabff@gmail.com => not found
FF HKLM\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\MAX\AppData\Roaming\Mozilla\Firefox\Profiles\be0qfrvt.default\extensions\yahooprotected@gmail.com => not found
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX"
CHR DefaultSearchURL: Default -> hxxp://www.yoursites123.com/web/?type=ds&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX&q={searchTerms}
CHR DefaultSearchKeyword: Default -> yoursites123
StartMenuInternet: Google Chrome - C:\Program Files\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450083796&z=fa1d4d30cb59bad08c5bb62gbz9wee3e7b6cbm4t3q&from=wpm07173&uid=TOSHIBAXDT01ACA100_Z4LEMS4NSXXZ4LEMS4NSX
Task: {024D4797-B19C-4E19-AAB3-F5D34BF3606A} - System32\Tasks\{AE12B38F-49F8-4BB0-B43F-CA54CCB33DAA} => pcalua.exe -a C:\Users\MAX\Desktop\vcredist_x86.exe -d C:\Users\MAX\Desktop
Task: {2D09B38F-D9A9-4D3B-8ADC-978B0E848446} - System32\Tasks\{B2625D08-42EF-4261-97C9-349BDD1B84BD} => pcalua.exe -a "I:\Farming Simulator 2015 [RePack]\Setup.exe" -d "I:\Farming Simulator 2015 [RePack]"
Task: {812F5055-02A6-4D10-9877-70B76FC83A95} - System32\Tasks\Steam-S-1-8-22-9865GUI => C:\Users\MAX\AppData\Roaming\WinRAR\Reversed\steam.exe [2015-08-06] ()
Task: {D55EB98E-EE42-48EF-A3B8-986B4627E94E} - System32\Tasks\{655D4F00-57A7-472F-AAD5-8D53A8163551} => pcalua.exe -a C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe -c /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
S3 FairplayKD; \??\C:\ProgramData\MTA San Andreas All\Common\temp\FairplayKD.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S1 wfdrvr_vt_1_10_0_28; system32\drivers\wfdrvr_vt_1_10_0_28.sys [X]
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\yoursites123Software
RemoveDirectory: C:\Program Files\SFK
RemoveDirectory: C:\Program Files\WinZipper
RemoveDirectory: C:\ProgramData\2WdM2
RemoveDirectory: C:\ProgramData\OWdMO
RemoveDirectory: C:\ProgramData\ZWMiniProZ
RemoveDirectory: C:\Users\MAX\AppData\Local\Microsoft\Windows\GameExplorer\{8827CE3D-9D26-46B3-ADE9-1E8078799DB3}
RemoveDirectory: C:\Users\MAX\AppData\Roaming\istartsurf
RemoveDirectory: C:\Users\MAX\AppData\Roaming\TSv
RemoveDirectory: C:\Users\MAX\AppData\Roaming\WinZipper
RemoveDirectory: C:\Users\MAX\AppData\Roaming\WinRAR\Reversed
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\MAX\Desktop\Foldery\muzyka\Music\msc2\Disco Polo 2014 - Spike - Weekendowy Szał - Official Video.lnk
C:\Users\MAX\Desktop\Foldery\muzyka\mp3\Nowy folder\20.05.2015\Disco Polo 2014 - Spike - Weekendowy Szał - Official Video.lnk
C:\Users\MAX\Desktop\Foldery\Stare nutki\Disco Polo 2014 - Spike - Weekendowy Szał - Official Video.lnk
C:\Users\MAX\Desktop\Foldery\There is my dolphin\Aparat i prezentacja.lnk
C:\Users\MAX\Desktop\Foldery\There is my dolphin\Karta roweromujwa.lnk
EmptyTemp:

Note for others reading: this script is unique, tailored solely to this system; please do not apply it to your own systems.

Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Clean the browsers of adware:
Firefox: Disconnect sync (if it is enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected, but Adblock Plus will have to be reinstalled. History menu > Clear all browsing history.
Google Chrome: Reset sync (if it is enabled): CLICK. Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected. Settings > Settings tab > Search section > click Manage search engines > delete yoursites123 from the list (if it is still there).

4. Make a new FRST log from the Scan option, again with Addition, but this time without Shortcut. Also attach the fixlog.txt file.
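The miner in this post gives itself away through two properties that are visible in the FRST line quoted above: the scheduled task runs an executable out of a user-writable profile directory (AppData\Roaming\WinRAR\Reversed\steam.exe) and the file carries no publisher, which FRST prints as empty parentheses. The PowerShell script below is an added example, not anything from picasso's post or from FRST. It walks every scheduled task with the ScheduledTasks module (Windows 8 / Server 2012 and later), resolves each action's executable, checks its Authenticode signature and flags the same two traits, plus the pcalua.exe launch-proxy and URL-argument patterns that also appear in this fixlist. The user-writable roots and the flag names are the example's own heuristics, not a definitive malware test.

```powershell
# Added example (not from the original post, not FRST): flag scheduled tasks that
# run unsigned code from user-writable paths, the profile of the "Steam" miner above.
# Assumption: Windows 8 / Server 2012+ (Get-ScheduledTask); heuristics are illustrative.

# Roots an unprivileged user can write to; the miner and the TSv/SFK adware all sit here.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$userWritablePattern = '^(' + ($userWritable -join '|') + ')'

# Expand %VAR% references and resolve bare names (pcalua.exe, Firefox.exe) through PATH,
# so that the signature check runs against the file that would actually execute.
function Resolve-ActionPath([string]$exe) {
    $p = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
    if ($p -and -not [IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue
        if ($cmd) { $p = $cmd.Source }
    }
    return $p
}

$report = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
        $exe    = Resolve-ActionPath $action.Execute
        $exists = $exe -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        $flags  = @()
        if ($exe -match $userWritablePattern)            { $flags += 'UserWritablePath' }
        if ($sig -ne 'Valid')                            { $flags += "Signature=$sig" }
        # pcalua.exe (Program Compatibility Assistant) launches whatever follows -a;
        # it is a common way for installers and adware to hide the real executable.
        if ($action.Execute -match '(?i)pcalua\.exe')   { $flags += 'PcaluaProxy' }
        if ($action.Arguments -match '(?i)https?://')    { $flags += 'UrlArgument' }
        if ($flags) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Execute = $exe
                Args    = $action.Arguments
                Flags   = $flags -join ','
            }
        }
    }
}

$report | Sort-Object Task | Format-Table -AutoSize -Wrap
```

On the system in this post the Steam-S-1-8-22-9865GUI task would come out as UserWritablePath plus Signature=NotSigned, and the three pcalua.exe tasks as PcaluaProxy. Expect noise from legitimate per-user updaters (Chrome, Dropbox and similar install under %LOCALAPPDATA% but are signed), so read the Signature flag together with the path rather than either alone; anything unsigned, in a profile directory, and pegging the CPU is the thing to unregister and quarantine.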
-
Everything done. Corrections:

1. I had not noticed on the list of installed programs the old Nowe Gadu-Gadu and a leftover of the uninstalled Nero, VCRedistSetup. Uninstall the first one the usual way. The second entry, however, is hidden; use the same Microsoft tool as before to remove it.

2. Open Notepad and paste into it:

S2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.EXE [X]
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ALLUpdate
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG_UI
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CCleaner Monitoring
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\MATS
RemoveDirectory: C:\Program Files\Enigma Software Group
RemoveDirectory: C:\Program Files\IObit
RemoveDirectory: C:\Program Files\Java
RemoveDirectory: C:\ProgramData\IObit
RemoveDirectory: C:\Users\PHUFOTOSET\AppData\LocalLow\IObit
RemoveDirectory: C:\Users\PHUFOTOSET\AppData\Roaming\IObit
RemoveDirectory: C:\Users\PHUFOTOSET\AppData\Roaming\ProductData
Hosts:
CMD: del /q C:\spyhunter.fix
CMD: del /q C:\Users\PHUFOTOSET\Desktop\isygl1k7.exe
CMD: del /q C:\Users\PHUFOTOSET\Desktop\MicrosoftFixit.ProgramInstallUninstall.RNP.Run.exe

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). There will be no restart this time. Post the resulting fixlog.txt.

3. Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
-
Corrections:

1. The hijacker is still in Google Chrome. Are you sure you did this:
Do it, and before point two.

2. Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
-
PUP.Optional.BonanzaDeals and others - request for help removing them
picasso replied to TomaszXX's topic in Dział pomocy doraźnej
Next batch of actions:

1. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\ADMINI~1\DANEAP~1\FoxTab\UPDATE~1\UPDATE~1.EXE
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => Brak pliku
HKU\S-1-5-21-1957994488-2000478354-1417001333-500\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
DeleteKey: HKCU\Software\Mozilla
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\mozilla.org
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
RemoveDirectory: C:\Program Files\BonanzaDeals
EmptyTemp:

Note for other readers: this script is unique, tailored only to this particular system; please do not apply it on your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. Post the resulting fixlog.txt.

2. Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
-
yoursietes123 how to get rid of it?
picasso replied to Anielica25's topic in Dział pomocy doraźnej
Everything completed successfully. We are almost done. The last FRST script. Open Notepad and paste into it:

S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-12-11] ()
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\MATS
RemoveDirectory: C:\Users\lenovo\Downloads\FRST-OlderVersion
CMD: del /q C:\Users\lenovo\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.Run.exe
CMD: del /q C:\WINDOWS\system32\Drivers\EsgScanner.sys

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). There will be no restart this time. Post the resulting fixlog.txt.
-
Everything done. Now: Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
-
Please help with removing Yoursite123
picasso replied to maaarta92's topic in Dział pomocy doraźnej
Corrections:

1. Uninstall the unnecessary Samsung MyFreeCodec.

2. Then run AdwCleaner again, this time choosing the Scan + Clean set of options, and post the resulting removal log.
-
Please help with removing yoursites123
picasso replied to justysic's topic in Dział pomocy doraźnej
Everything done. Now: Run AdwCleaner. Choose the Scan option and provide the resulting log from the C:\AdwCleaner folder.
-
DelFix did its job. Delete the file C:\delfix.txt from the disk. That's all.
-
Everything done. Finishing up:

1. Using SHIFT+DEL (bypasses the Recycle Bin), delete the frst folder from the Desktop. Then tidy up further with DelFix and clean the System Restore folders: CLICK.

2. Update Adobe Reader XI from version 11.0.00 to 11.0.13. That is the highest version supported on XP. A newer Adobe Reader is not available.

3. Reading on what to watch out for, to avoid similar problems in the future: CLICK.
-
I merged the posts to keep things tidy, but of course you reply to me in a new post. The FRST logs are still not configured as they should be; the instructions clearly say not to tick the options "Lista BCD", "MD5 sterowników", "Pliki z 90 dni". Actions to carry out:

1. Uninstalls:
- Via Control Panel, uninstall the old versions Adobe Acrobat 9 Pro - English, Français, Deutsch; Adobe Reader 8; Java 7 Update 55.
- Run the Microsoft tool: CLICK. Accept > Detect problems and let me select the fixes to apply > Uninstalling > tick the leftover entries Google Toolbar for Internet Explorer, Google Update Helper (two items) on the list > Next. The tool does not allow a bulk action; it must be run as many times as there are entries listed.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
R2 WdMan; C:\ProgramData\HWdMH\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
U4 eabfiltr; Brak ImagePath
GroupPolicy: Ograniczenia - Chrome
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia
ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
ShortcutWithArgument: C:\Users\Magda\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004&q={searchTerms}
HKU\S-1-5-21-1690032049-1338340778-4026156367-1006\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
HKU\S-1-5-21-1690032049-1338340778-4026156367-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
SearchScopes: HKU\S-1-5-21-1690032049-1338340778-4026156367-1006 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004&q={searchTerms}
BHO: Brak nazwy -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> Brak pliku
Toolbar: HKLM - Brak nazwy - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - Brak pliku
Toolbar: HKU\S-1-5-21-1690032049-1338340778-4026156367-1006 -> Brak nazwy - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Brak pliku
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1449653867&z=517fc3f79fedffe469acf36gdzbz3tfq3wfc6bcm3o&from=ient07021&uid=WDCXWD1200BEVS-60UST0_WD-WXE907G8700487004
HKLM\...\Run: [] => [X]
Task: {17780549-88F0-465B-9BDE-E5192A885349} - System32\Tasks\Opera N Saturday => C:\Program Files\Opera\launcher.exe
Task: {2755BEF1-FA08-4B4A-BE23-1A820D3353F8} - System32\Tasks\{59DB60CC-AE7F-40CB-8122-E90F65D71699} => pcalua.exe -a "C:\Program Files\Picexa\uninstall.exe"
Task: {67D2ED1D-DA0A-4F35-A303-1B7A5113A195} - System32\Tasks\{FDC55BFE-4E9A-457C-8DF8-34F10D3D1543} => pcalua.exe -a C:\Windows\system32\Macromed\Flash\FlashUtil32_20_0_0_235_Plugin.exe -c -maintain plugin
Task: {7C0B8F11-B67E-4066-9906-9037FD5044B6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: {D9B9D8C2-B79D-4186-9CB8-CD5DA1F28A55} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
RemoveDirectory: C:\AdwCleaner
RemoveDirectory: C:\Program Files\Google
RemoveDirectory: C:\Program Files\Opera
RemoveDirectory: C:\ProgramData\HWdMH
RemoveDirectory: C:\Users\Magda\AppData\Local\Opera Software
RemoveDirectory: C:\Users\Magda\AppData\Roaming\Opera Software
RemoveDirectory: C:\Users\Magda\AppData\Roaming\Shortcut
RemoveDirectory: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
C:\Program Files\Common Files\*.DLL
C:\Users\Public\AdwCleaner.exe
C:\Windows\system32\pl.html
CMD: netsh advfirewall reset
EmptyTemp:

Note for other readers: this script is unique, tailored only to this particular system; please do not apply it on your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Make a new FRST log using the Scan option, configured according to the forum guidelines, again with Addition, but this time without Shortcut. Also attach the fixlog.txt file.
-
Operations to carry out:

1. Uninstalls:
- Uninstall the old versions of Adobe AIR, Adobe Shockwave Player 12.0 and the adware Picexa, WinZipper.
- Run the Microsoft tool: CLICK. Accept > Detect problems and let me select the fixes to apply > Uninstalling > tick the entry Metric Collection SDK 35 on the list > Next.

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\Darek\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
R2 WdMan; C:\ProgramData\XWdMX\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
ShortcutWithArgument: C:\Users\Darek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449834235&z=35df6e9902be71cd64d8f8eg4z4z3tab4cdzao5c4g&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
ShortcutWithArgument: C:\Users\Darek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449834235&z=35df6e9902be71cd64d8f8eg4z4z3tab4cdzao5c4g&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
ShortcutWithArgument: C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
ShortcutWithArgument: C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449834235&z=35df6e9902be71cd64d8f8eg4z4z3tab4cdzao5c4g&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
ShortcutWithArgument: C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://do-search.com/web/?type=ds&ts=1425579730&from=cor&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://do-search.com/web/?type=ds&ts=1425579730&from=cor&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1104056212-3661391068-887333560-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.delta-homes.com/web/?type=ds&ts=1432134796&z=859235f19c2c79ef93d50e8g8zbc1oeg3c5zdm3t8w&from=wpm05203&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
HKU\S-1-5-21-1104056212-3661391068-887333560-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1432134796&z=859235f19c2c79ef93d50e8g8zbc1oeg3c5zdm3t8w&from=wpm05203&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
HKU\S-1-5-21-1104056212-3661391068-887333560-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKU\S-1-5-21-1104056212-3661391068-887333560-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.omniboxes.com/web/?type=ds&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.omniboxes.com/web/?type=ds&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1104056212-3661391068-887333560-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1104056212-3661391068-887333560-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1104056212-3661391068-887333560-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1104056212-3661391068-887333560-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
BHO-x32: Brak nazwy -> {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} -> Brak pliku
Toolbar: HKLM - Brak nazwy - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - Brak pliku
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.delta-homes.com/?type=sc&ts=1432134796&z=859235f19c2c79ef93d50e8g8zbc1oeg3c5zdm3t8w&from=wpm05203&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912"
CHR DefaultSearchURL: Default -> hxxp://www.yoursites123.com/web/?type=ds&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
CHR DefaultSearchKeyword: Default -> yoursites123
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1104056212-3661391068-887333560-1000\...\Run: [VkontakteDJ] => C:\Program Files\VkontakteDJ\VKontakteDJ.exe /H
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => Brak pliku
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 ESEADriver2; \??\C:\Users\Darek\AppData\Local\Temp\ESEADriver2.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 MSICDSetup; \??\F:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\F:\NTIOLib_X64.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [X]
S3 XFDriver64; \??\C:\Program Files (x86)\Xfire2\XFDriver64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Task: {061BD404-1CA9-42B8-A5F3-7C095C41BE6B} - System32\Tasks\{17D6ECA6-AE30-4F94-A427-46D81D01D18F} => pcalua.exe -a "D:\Program Files (x86)\Steam\steam.exe" -c steam://uninstall/230410
Task: {2BB4354D-C232-4642-88CC-05B43A9DC9B6} - System32\Tasks\{E6605988-A788-4B59-894E-42152ACF5A8A} => pcalua.exe -a I:\sa1356_97_fus_aen.exe -d I:\
Task: {2C4987B9-1365-4737-87BB-59CA39F0A520} - System32\Tasks\{61097DBB-6914-428F-A2FE-0E09EA6105EC} => Chrome.exe hxxp://ui.skype.com/ui/0/6.6.0.106/pl/abandoninstall?page=tsMain
Task: {2EC3649C-6101-455D-BA31-6D8AC9ADA0FB} - System32\Tasks\{481CC9B1-0E64-4FAD-BE7B-518FFCE59BC5} => pcalua.exe -a C:\Users\Darek\Downloads\GTAIV_spolszczenie_1.0_www.INSTALKI.pl(1).exe -d C:\Users\Darek\Downloads
Task: {4C80FE5E-8CC2-42E7-AA44-620E934AF6DF} - System32\Tasks\{008DA700-7B0C-44F8-BBBC-3A13B36A37DB} => pcalua.exe -a F:\setup.exe -d F:\
Task: {58F23ACE-107C-4F03-89E9-BB0C7C7961ED} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe
Task: {67F0BA0D-4184-41F1-96AD-AFB0949067A8} - System32\Tasks\{04A767F6-CBC0-493D-94D9-ED821AAB6598} => pcalua.exe -a E:\Pobrane\cjb7100EN.exe -d E:\Pobrane
Task: {6F908E5D-94F6-4FAB-954D-94E88989BCD3} - System32\Tasks\{06470DC0-1287-4AD4-82CD-C4E9311F0985} => pcalua.exe -a C:\Users\Darek\Downloads\cjb7100EN.exe -d C:\Users\Darek\Downloads
Task: {88BC8807-E3A8-4E67-A962-A3A9D45CBF7D} - System32\Tasks\{EF573546-F357-4E77-9B15-0050354D34C4} => pcalua.exe -a G:\INSTALL.EXE -d G:\
Task: {AB7BE3A2-0422-4B71-8223-BBF378516380} - System32\Tasks\{0AA9C947-3D38-4ADC-83C0-C44791300BAA} => pcalua.exe -a C:\Users\Darek\Desktop\mid\hde_mod_installer.exe -d C:\Users\Darek\Desktop\mid
Task: {C0A30709-61E5-4899-A4DD-AEF25E374016} - System32\Tasks\{53E777DF-28E4-4CEA-9322-BF98E178F6E0} => pcalua.exe -a "E:\Pobrane\INSTALL v2.03.exe" -d E:\Pobrane
Task: {CE0D9316-3EE7-4B6E-82ED-C73992D9B8AE} - System32\Tasks\{D8497738-BCA8-4A83-98D8-0F87A40F1C0C} => pcalua.exe -a C:\Users\Darek\Downloads\sa1356_97_fus_aen.exe -d C:\Users\Darek\Downloads
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
DeleteKey: HKCU\Software\Mozilla
DeleteKey: HKCU\Software\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\mozilla.org
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\Program Files\VkontakteDJ
RemoveDirectory: C:\Program Files (x86)\Lenovo
RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox
RemoveDirectory: C:\Program Files (x86)\Picexa
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\Program Files (x86)\WinZipper
RemoveDirectory: C:\ProgramData\4WMiniPro4
RemoveDirectory: C:\ProgramData\BWdMB
RemoveDirectory: C:\ProgramData\eWdMe
RemoveDirectory: C:\ProgramData\XWdMX
RemoveDirectory: C:\ProgramData\TEMP
RemoveDirectory: C:\ProgramData\Microsoft\Windows\GameExplorer\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Alcohol 120%
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bloody
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Frets on Fire
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hi-Rez Studios
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lexmark 7100 Series
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mortal Kombat Komplete Edition
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MotioninJoy
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Razor 1911
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
RemoveDirectory: C:\Users\Darek\AppData\Local\Lenovo
RemoveDirectory: C:\Users\Darek\AppData\Local\Mozilla
RemoveDirectory: C:\Users\Darek\AppData\Local\Microsoft\Windows\GameExplorer\{351BE6CD-1C61-4374-87B4-F2F56405C103}
RemoveDirectory: C:\Users\Darek\AppData\Local\Microsoft\Windows\GameExplorer\{659DEBF9-04EB-4421-BE15-438F5EB59E37}
RemoveDirectory: C:\Users\Darek\AppData\Local\Microsoft\Windows\GameExplorer\{7D802801-894D-45E2-BBC3-446962A25C59}
RemoveDirectory: C:\Users\Darek\AppData\Local\Microsoft\Windows\GameExplorer\{A39EB4CF-2BBD-4AB0-A08D-5059F66D5522}
RemoveDirectory: C:\Users\Darek\AppData\Local\Microsoft\Windows\GameExplorer\{D3D31BAE-8AB7-459D-91AD-DE8356F1AD0C}
RemoveDirectory: C:\Users\Darek\AppData\Roaming\Mozilla
RemoveDirectory: C:\Users\Darek\AppData\Roaming\Picexa Viewer
RemoveDirectory: C:\Users\Darek\AppData\Roaming\TSv
RemoveDirectory: C:\Users\Darek\AppData\Roaming\VKDJ
RemoveDirectory: C:\Users\Darek\AppData\Roaming\WinZipper
RemoveDirectory: C:\Users\Darek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Warden
RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\ProgramData\Microsoft\Windows\Start Menu\Sierra Utilities.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brother\DCP-395CN\Monitor Statusu.lnk
C:\Users\Darek\sethc.exe
C:\Users\Darek\AppData\Local剜捯獫慴慇敭屳呇⁁屖湥楴汴浥湥湩潦
C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\b15f30ab853b7d31\Diablo III.lnk
C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Picexa.lnk
C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\WinRAR.lnk
C:\Users\Darek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DC Universe Online PSG.lnk
C:\Users\Darek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EverQuest II.lnk
C:\Users\Darek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlanetSide 2 PSG.lnk
C:\Users\Darek\AppData\Roaming\Skype\My Skype Received Files\Minecraft 1.7.5.lnk
C:\Users\Darek\Desktop\Aplikacje\Bloody3.lnk
C:\Users\Darek\Desktop\Aplikacje\DS3 Tool.lnk
C:\Users\Darek\Desktop\Aplikacje\LibreOffice 4.0.lnk
C:\Users\Darek\Desktop\Aplikacje\Nexus Mod Manager.lnk
C:\Users\Darek\Desktop\Aplikacje\Testy Bplus.lnk
C:\Users\Darek\Desktop\Aplikacje\Tunatic.lnk
C:\Users\Darek\Desktop\Aplikacje\Tunngle beta.lnk
C:\Users\Darek\Desktop\Aplikacje\Xfire.lnk
C:\Users\Darek\Desktop\Gry\AION Free-to-Play.lnk
C:\Users\Darek\Desktop\Gry\Battlefield 3.lnk
C:\Users\Darek\Desktop\Gry\Dragon Age Origins.lnk
C:\Users\Darek\Desktop\Gry\Hi-Rez Diagnostics and Support.lnk
C:\Users\Darek\Desktop\Gry\Mortal Kombat Komplete Edition.lnk
C:\Users\Darek\Desktop\Gry\Plants vs. Zombies.lnk
C:\Users\Darek\Desktop\Gry\Skyrim (SKSE).lnk
C:\Users\Darek\Desktop\Gry\Trine 2.lnk
C:\Users\Darek\Desktop\Gry\Wiedźmin.lnk
C:\Users\Darek\Desktop\Wszystko\Picexa.lnk
C:\Users\Darek\Documents\Euro Truck Simulator 2\readme.rtf.lnk
C:\Windows\SysWOW64\pl.html
C:\Windows\SysWOW64\zlib.dll
CMD: netsh advfirewall reset
EmptyTemp:

Note for other readers: this script is unique, tailored only to this particular system; please do not apply it on your own systems.

From the Notepad menu > File > Save As > enter the name fixlist.txt > change Encoding to UTF-8. Place the fixlist.txt file next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Clean Google Chrome of adware: Reset sync (if enabled): CLICK. Settings > Settings tab > Show advanced settings > scroll all the way down and run the Reset settings option. Bookmarks and passwords will not be affected. Settings > Settings tab > Search section > click Manage search engines > delete yoursites123 from the list (if it is still there).

4. Make a new FRST log using the Scan option, again with Addition, but this time without Shortcut. Also attach the fixlog.txt file.
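The FRST entries in this thread all point at the same family of search hijackers (yoursites123, omniboxes, delta-homes, do-search), and the fix is built by pasting the offending log lines back into fixlist.txt. The helper below is an added example, not part of the post and not FRST's or the forum's tooling: it picks the hijacker lines out of a log, returns them in fixlist form, and decodes the tracking parameters so separate installs stand out. It assumes that ts is a Unix timestamp of the install (the values decode to dates matching this thread) and treats uid as an opaque per-machine identifier; the sample log lines are constructed after the entries quoted above.

```python
"""Triage FRST log lines that point at the search hijackers seen in this thread.
Added example (not FRST's or the forum's own tooling); sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Hosts that appear as hijacked home/search pages in the FRST entries on this page.
HIJACKER_HOSTS = {
    "www.yoursites123.com",
    "www.omniboxes.com",
    "www.delta-homes.com",
    "search.delta-homes.com",
    "do-search.com",
}

# FRST defangs http:// as hxxp:// so that a pasted log cannot be clicked by accident.
URL_RE = re.compile(r'hxxps?://[^\s"]+')


def refang(url):
    """Turn FRST's hxxp:// back into http:// so the standard URL parser accepts it."""
    return "http" + url[4:]


def hijacker_urls(line):
    """Return the defanged URLs on one FRST line whose host is a known hijacker."""
    return [u for u in URL_RE.findall(line)
            if urlsplit(refang(u)).netloc.lower() in HIJACKER_HOSTS]


def campaign_tag(url):
    """Decode the tracking parameters the hijacker embeds in every URL.

    type: sc = shortcut argument, hp = home page, ds = default search (as seen
          in the log lines); from: installer/campaign id; uid: per-machine id,
          treated as opaque here; ts: ASSUMED to be a Unix timestamp of the
          install, which is consistent with the dates in this thread.
    """
    parts = urlsplit(refang(url))
    q = parse_qs(parts.query)
    ts = q.get("ts", [""])[0]
    installed = None
    if ts.isdigit():
        installed = datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d")
    return {
        "host": parts.netloc.lower(),
        "type": q.get("type", [""])[0],
        "from": q.get("from", [""])[0],
        "uid": q.get("uid", [""])[0],
        "ts": ts,
        "installed": installed,
    }


def triage(log_text):
    """Split an FRST log into (fixlist_lines, campaigns).

    fixlist_lines: log lines pointing at a hijacker host, kept verbatim, because
                   FRST removes an entry when its own log line is pasted into
                   fixlist.txt, which is how the fixes in this thread are built.
    campaigns:     {(from, ts): {"hosts", "installed", "entries"}}, one bucket
                   per distinct install, so repeated infections stand out.
    """
    fixlist_lines = []
    campaigns = defaultdict(lambda: {"hosts": set(), "installed": None, "entries": 0})
    for line in log_text.splitlines():
        urls = hijacker_urls(line)
        if not urls:
            continue
        fixlist_lines.append(line)
        for url in urls:
            tag = campaign_tag(url)
            bucket = campaigns[(tag["from"], tag["ts"])]
            bucket["hosts"].add(tag["host"])
            bucket["installed"] = tag["installed"]
            bucket["entries"] += 1
    return fixlist_lines, dict(campaigns)


# Constructed sample, modelled on the entries quoted in the thread (raw string, backslashes literal).
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\Darek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.omniboxes.com/?type=hp&ts=1449063109&z=3b2accc2512831127f16630g2z0zdtfefq4c6gce4t&from=ient07021&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://do-search.com/web/?type=ds&ts=1425579730&from=cor&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912&q={searchTerms}
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450099754&z=fb672e988aa5bf19ececb03gezewaede1tct6m2wac&from=wpm07173&uid=WDCXWD10EZEX-00RKKA0_WD-WCC1S295291252912"
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""

if __name__ == "__main__":
    lines, camps = triage(SAMPLE_LOG)
    print("Lines to paste into fixlist.txt:")
    for entry in lines:
        print("  " + entry)
    print("\nDistinct installs (from, ts):")
    for key, info in sorted(camps.items(), key=lambda kv: kv[0][1]):
        print(f"  {key}: {sorted(info['hosts'])} installed~{info['installed']} entries={info['entries']}")
```

The Microsoft "Start Page" line and the StartMenuInternet line without a URL are left alone, which is the point of matching on the host rather than on the word "Page".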
-
Steps to carry out:
1. Windows key + X > Programs and Features > uninstall the old versions and junk: Adobe Reader X (10.1.16) MUI, HP Deskjet 3520 series — badanie mające na celu poprawę produktów, Java 8 Update 25.
Then run Zoek and paste into its window:
Metric Collection SDK 35;u
Note for other readers: this script is unique, tailored exclusively to this system; please do not apply it to your own systems.
Click Run Script. A file zoek-results.log will be created. In Windows Explorer, View menu > Options > Change folder and search options > View > untick Hide extensions for known file types > rename the file to zoek-results.txt so that it can be attached to the forum.
2. Open Notepad and paste into it:
CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\Michał\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 WdMan; C:\ProgramData\tWdMt\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
ShortcutWithArgument: C:\Users\Michał\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
ShortcutWithArgument: C:\Users\Michał\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
ShortcutWithArgument: C:\Users\Michał\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
ShortcutWithArgument: C:\Users\Michał\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
ShortcutWithArgument: C:\Users\Michał\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia
HKU\S-1-5-21-1890577046-1904970765-735041783-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=130945540971226823&GUID=4A770436-E1B6-4A5C-BDD9-8D9CF61A66EA
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=130945540971236597&GUID=4A770436-E1B6-4A5C-BDD9-8D9CF61A66EA
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.omniboxes.com/web/?type=ds&ts=1447141879&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07163&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.omniboxes.com/web/?type=ds&ts=1447141879&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07163&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS&q={searchTerms}
HKU\S-1-5-21-1890577046-1904970765-735041783-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.omniboxes.com/web/?type=ds&ts=1447141646&z=b5842949f4f8f8e2756394dgaz5zbm0gcz7g3qbq3o&from=wpm07163&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS&q={searchTerms}
HKU\S-1-5-21-1890577046-1904970765-735041783-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=130945540971258425&GUID=4A770436-E1B6-4A5C-BDD9-8D9CF61A66EA
HKU\S-1-5-21-1890577046-1904970765-735041783-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
HKU\S-1-5-21-1890577046-1904970765-735041783-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.omniboxes.com/web/?type=ds&ts=1447141646&z=b5842949f4f8f8e2756394dgaz5zbm0gcz7g3qbq3o&from=wpm07163&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1890577046-1904970765-735041783-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1890577046-1904970765-735041783-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1890577046-1904970765-735041783-1001 -> {607D409B-3C06-4744-AA43-6650F770CB34} URL =
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
Edge HomeButtonPage: HKU\S-1-5-21-1890577046-1904970765-735041783-1001 -> hxxp://www.delta-homes.com/?type=hp&ts=1444459961&z=51a300e0dd52e700901a1edg3z5z8z2z4qce1eaecb&from=wpm07163&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
CHR HKLM\...\Chrome\Extension: [jdiejbegdjikmehflknhkbieocmnogcf] - C:\Users\Michał\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jdiejbegdjikmehflknhkbieocmnogcf.crx [2015-11-07]
CHR HKLM-x32\...\Chrome\Extension: [jdiejbegdjikmehflknhkbieocmnogcf] - C:\Users\Michał\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jdiejbegdjikmehflknhkbieocmnogcf.crx [2015-11-07]
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1449648574&z=ba9f503fca513245a78a3fcg9z0z4t7q6z2b8w2bfw&from=ient07021&uid=TOSHIBAXMQ01ABD050_93P5S0FVSXX93P5S0FVS
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [btvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
Task: {233F29FA-46D2-4B93-9102-63524E9A5B87} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku
Task: {41B4A687-E032-42B6-9A60-171896F63E2C} - System32\Tasks\{C5C490B4-9C9F-464F-BCC5-D10E4A7F0061} => pcalua.exe -a C:\Users\Michał\AppData\Roaming\mystartsearch\UninstallManager.exe -c -ptid=tt4u
Task: {702D2A1B-817B-4A60-B9E9-074940AF496D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku
Task: {7CAE9303-2606-4E49-B331-F8DCD91016BB} - System32\Tasks\{2A1F61DD-61AD-466F-BC19-4797CE369D96} => Chrome.exe hxxp://ui.skype.com/ui/0/7.15.85.103/pl/privacy
Task: {8B18732A-8E83-40F8-AC3D-6150C63E07A3} - System32\Tasks\{CE9B6BF6-B523-4F4A-8CBB-20D770D544F9} => pcalua.exe -a E:\autorun.exe -d E:\
Task: {B8040DB3-B017-4E48-B2C1-F69B31F0E2AF} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku
Task: {C8FD7879-CE0B-43F8-A661-4CB064DCDA95} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe
Task: {EE62EAEF-D5C9-47C1-9327-995E31DDB6C9} - \Microsoft\Windows\Setup\gwx\runappraiser -> Brak pliku
Task: {EF4F3440-E4A2-4207-B65E-5ACC5C2A3C61} - System32\Tasks\SAgent => C:\Program Files\Samsung\S Agent\CommonAgent.exe
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedSearchScopes /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SunJavaUpdateSched /f
RemoveDirectory: C:\Program Files (x86)\Lenovo
RemoveDirectory: C:\ProgramData\pWdMp
RemoveDirectory: C:\ProgramData\QWMiniProQ
RemoveDirectory: C:\ProgramData\tWdMt
RemoveDirectory: C:\ProgramData\Microsoft\Windows\GameExplorer\{9A55E265-D6B7-46A5-AE15-2ADDE966D45E}
RemoveDirectory: C:\Users\Michał\AppData\Local\Lenovo
RemoveDirectory: C:\Users\Michał\AppData\Roaming\eCyber
RemoveDirectory: C:\Users\Michał\AppData\Roaming\TSv
RemoveDirectory: C:\Users\Michał\AppData\Local\Microsoft\Windows\GameExplorer\{7E65DAAF-3ECA-47D7-820F-35D8CC0BFC8E}
RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\Michał\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Picexa*.lnk
C:\Users\Michał\Desktop\Programy\CCleaner.lnk
C:\Users\Michał\Desktop\Programy\Help Desk.lnk
C:\Users\Michał\Desktop\Programy\Support Center.lnk
C:\WINDOWS\SysWOW64\pl.html
CMD: type C:\ProgramData\MakeMarkerFile.xml
EmptyTemp:
Note for other readers: this script is unique, tailored exclusively to this system; please do not apply it to your own systems.
Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A file fixlog.txt will be created in the same directory FRST was run from.
3. Make a new FRST log using the Scan option, again with Addition but without Shortcut this time. Also attach the files fixlog.txt + zoek-results.txt. Confirm that the problem is gone from the Edge browser as well.
-
Operations to carry out:
1. Windows key + X > Programs and Features > uninstall the horribly old versions Adobe Flash Player 10 ActiveX, Adobe Flash Player 10 Plugin.
2. Open Notepad and paste into it:
CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\Mariusz\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-14] (tsvr.com)
R2 WdMan; C:\ProgramData\cWdMc\WdMan.exe [333312 2015-12-14] (TFuns LIMITED) [brak podpisu cyfrowego]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
ShortcutWithArgument: C:\Users\Mariusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
ShortcutWithArgument: C:\Users\Mariusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
ShortcutWithArgument: C:\Users\Mariusz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
HKU\S-1-5-21-2915783206-49812008-3396176740-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2915783206-49812008-3396176740-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartpageing.com/?type=sc&ts=1448960542&z=c4bd8d7d723de9c92568429g1zaz4bct3qbe0wczcz&from=cor&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
Edge HomeButtonPage: HKU\S-1-5-21-2915783206-49812008-3396176740-1001 -> hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Mariusz\AppData\Roaming\Mozilla\Firefox\Profiles\ag4a6ebu.default\extensions\deskCutv2@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Mariusz\AppData\Roaming\Mozilla\Firefox\Profiles\ag4a6ebu.default\extensions\default_newtabff@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Mariusz\AppData\Roaming\Mozilla\Firefox\Profiles\ag4a6ebu.default\extensions\yahooprotected@gmail.com => nie znaleziono
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N"
CHR Session Restore: Default -> [funkcja włączona]
CHR HKU\S-1-5-21-2915783206-49812008-3396176740-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450086581&z=794b06610d81dd46286c89egez5w3ede4b1q1wdbbb&from=wpm07173&uid=SamsungXSSDX850XEVOX120GB_S21UNSAG309837N
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedSearchScopes /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f
RemoveDirectory: C:\ProgramData\cWdMc
RemoveDirectory: C:\ProgramData\QWdMQ
RemoveDirectory: C:\ProgramData\tWMiniProt
RemoveDirectory: C:\Users\Mariusz\AppData\Roaming\istartpageing
RemoveDirectory: C:\Users\Mariusz\AppData\Roaming\TSv
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Windows\SysWOW64\data.bin
C:\Windows\SysWOW64\pl.html
EmptyTemp:
Note for other readers: this script is unique, tailored exclusively to this system; please do not apply it to your own systems.
Save the file under the name fixlist.txt and place it next to the FRST tool. Disable COMODO, as it will block FRST. Run FRST and click Fix. Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A file fixlog.txt will be created in the same directory FRST was run from.
3. Clean the browsers of adware:
Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.
Google Chrome: Reset sync (if enabled): CLICK. Settings > Extensions tab > uninstall the highly suspicious extension Video AdBlock for Chrome. Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected. Settings > Settings tab > Search section > click Manage search engines > delete yoursites123 from the list (if it is still visible).
4. Make a new FRST log using the Scan option, again with Addition but without Shortcut this time. Also attach the fixlog.txt file. Confirm that the problem is gone in the Edge browser as well.
-
Steps to carry out:
1. Uninstall the unnecessary Akamai NetSession Interface, the old version Java 8 Update 45, and the WinZipper adware.
2. Open Notepad and paste into it:
CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\Justyna\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
R2 WdMan; C:\ProgramData\5WdM5\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
ShortcutWithArgument: C:\Users\Justyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Justyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Justyna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Justyna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Justyna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Justyna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
HKU\S-1-5-21-2237237147-802211931-1834638873-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
HKU\S-1-5-21-2237237147-802211931-1834638873-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2237237147-802211931-1834638873-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2237237147-802211931-1834638873-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Justyna\AppData\Roaming\Mozilla\Firefox\Profiles\ygfgb4y0.default\extensions\defsearchp@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Justyna\AppData\Roaming\Mozilla\Firefox\Profiles\ygfgb4y0.default\extensions\deskCutv2@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Justyna\AppData\Roaming\Mozilla\Firefox\Profiles\ygfgb4y0.default\extensions\default_newtabff@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Justyna\AppData\Roaming\Mozilla\Firefox\Profiles\ygfgb4y0.default\extensions\yahooprotected@gmail.com
StartMenuInternet: FIREFOX.EXE - firefox.exe
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538"
CHR DefaultSearchURL: Default -> hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
CHR DefaultSearchKeyword: Default -> yoursites123
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
Task: {160B3703-F659-4BE8-BA5F-ABCAB1106545} - System32\Tasks\UpdateTask => C:\Users\Justyna\AppData\Local\Chromium\APPLIC~1\450244~1.0\INSTAL~1\UNINST~1.EXE
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\Justyna\AppData\Local\Chromium\APPLIC~1\450244~1.0\INSTAL~1\UNINST~1.EXE
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\ProgramData\5WdM5
RemoveDirectory: C:\ProgramData\tWMiniProt
RemoveDirectory: C:\ProgramData\yWdMy
RemoveDirectory: C:\ProgramData\Microsoft\Windows\GameExplorer\{94519241-1F6A-4433-8AAA-2E65A912A54A}
RemoveDirectory: C:\Users\Justyna\AppData\Roaming\TSv
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\Justyna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chromium.lnk
C:\Windows\SysWOW64\pl.html
EmptyTemp:
Note for other readers: this script is unique, tailored exclusively to this system; please do not apply it to your own systems.
Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A file fixlog.txt will be created in the same directory FRST was run from.
3. Clean the browsers of adware:
Firefox: Disconnect sync (if enabled): CLICK. Help menu > Troubleshooting Information > Refresh Firefox. Bookmarks and passwords will not be affected. History menu > Clear all browsing history.
Google Chrome: Reset sync (if enabled): CLICK. Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected. Settings > Settings tab > Search section > click Manage search engines > delete yoursites123 from the list (if it is still there).
4. Make a new FRST log using the Scan option, again with Addition but without Shortcut this time. Also attach the fixlog.txt file.
-
Actions to carry out:

1. Windows flag key + X > Programs and Features > uninstall: Amazon 1Button App, Picexa.

Then run Zoek and paste into its window:

Metric Collection SDK;u

Note for other readers: this script is unique, tailored only and exclusively to this system; please do not use it on your own systems.

Click Run Script. A zoek-results.log file will be created. In Windows Explorer, View menu > Options > Change folder and search options > View > untick Hide extensions for known file types > rename the file to zoek-results.txt so that it can be attached on the forum.

2. Open Notepad and paste in it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Anna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
ShortcutWithArgument: C:\Users\Anna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
GroupPolicy: Ograniczenia - Chrome
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}
HKU\S-1-5-21-3582033095-210680416-1671569307-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
HKU\S-1-5-21-3582033095-210680416-1671569307-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3582033095-210680416-1671569307-1001 -> {ACA901FD-3807-4DE4-B11A-7BDF781A7F6E} URL = 
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
Edge HomeButtonPage: HKU\S-1-5-21-3582033095-210680416-1671569307-1001 -> hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367
Task: {04EDC69F-6EC0-4670-B438-58D5C82745EC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku
Task: {286B0FDC-C20B-45F9-9383-195725E71F46} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)
Task: {381366F4-9428-474F-A726-26981FB230FB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku
Task: {5C966E97-A51C-4A41-BD42-7ADE49C72721} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku
Task: {62ABA388-5213-4A60-939C-60C87F7370B0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku
Task: {83F1190D-2978-4B60-B536-C87D69BF79DD} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku
Task: {9340CE08-6888-4752-B56D-B622FBD3C6C6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku
Task: {9679FD21-1C38-4D42-BCB1-D867F5AFBFBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku
Task: {A2292B5B-5FA6-41F8-8ED7-95BA9DABBA91} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\WINDOWS\TEMP\DeleteFolderTask.exe [2015-12-13] ()
Task: {AE5C3EB7-D3E5-480A-811D-95796EEB8CCC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku
Task: {C36450A1-FA7D-4549-9E8D-4925634F3338} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku
Task: {C724DEF4-DBDF-4EC2-B351-AC7BE13427F3} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku
Task: {EF788547-4A75-4CB2-9300-57F29C89C418} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedSearchScopes /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f
RemoveDirectory: C:\Program Files (x86)\Google
RemoveDirectory: C:\Program Files (x86)\Lenovo
RemoveDirectory: C:\Program Files (x86)\Picexa
RemoveDirectory: C:\ProgramData\BWdMB
RemoveDirectory: C:\ProgramData\JWdMJ
RemoveDirectory: C:\ProgramData\yWMiniProy
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa
RemoveDirectory: C:\Users\Anna\AppData\Local\Google
RemoveDirectory: C:\Users\Anna\AppData\Local\Lenovo
RemoveDirectory: C:\Users\Anna\AppData\Roaming\eCyber
RemoveDirectory: C:\Users\Anna\AppData\Roaming\Picexa Viewer
RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\WINDOWS\SysWOW64\data.bin
EmptyTemp:

Note for other readers: this script is unique, tailored only and exclusively to this system; please do not use it on your own systems.

Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Make a new FRST log from the Scan option, again with Addition but this time without Shortcut. Attach the fixlog.txt and zoek-results.txt files as well. Confirm that the problem has also gone away in the Edge browser.
-
Pop-up ads in a new browser window
picasso replied to kagar1989's topic in the Emergency Help section
It looks like the problem is a proxy inserted by some unwanted component:

AutoConfigURL: [s-1-5-21-2293238063-3280660781-4078598226-1001] => hxxp://get-access.me/wpad.dat?3fb82dd56ba594ca4b62f400f8326f9e725043

Second matter: there are files of the dobreprogramy "Download Assistant" on the disk, and also the downloaded bogus program SpyHunter. What that risks: CLICK.

Action:

1. Open Notepad and paste in it:

CloseProcesses:
CreateRestorePoint:
CHR HKU\S-1-5-21-2293238063-3280660781-4078598226-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
Task: {C4BE7DFF-2A61-4A0A-8B7C-5D06FC35956D} - \AutoPico Daily Restart -> Brak pliku
Task: {D111726B-2208-4B79-91FB-50719497772B} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - Timi) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
Task: C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - Timi).job => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
S2 HuaweiHiSuiteService64.exe; "C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe" -/service [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
C:\Users\Timi\AppData\Local剜捯獫慴慇敭屳呇⁁屖湥楴汴浥湥湩潦
C:\Users\Timi\Downloads\*-dp*.exe
C:\Users\Timi\Downloads\*.crdownload
C:\Users\Timi\Downloads\SpyHunter*.*
RemoveDirectory: C:\AdwCleaner
RemoveDirectory: C:\Program Files (x86)\Temp
RemoveDirectory: C:\ProgramData\TEMP
RemoveDirectory: C:\ProgramData\Tmp0x0x
RemoveDirectory: C:\Users\Timi\AppData\Local\Google\Chrome\User Data\Profile 1
RemoveDirectory: C:\Users\Timi\AppData\Local\Google\Chrome\User Data\Profile 2
RemoveDirectory: C:\Users\Timi\AppData\Local\Google\Chrome\User Data\Profile 3
CMD: netsh advfirewall reset
RemoveProxy:
EmptyTemp:

Note for other readers: this script is unique, tailored only and exclusively to this system; please do not use it on your own systems.

From the Notepad menu > File > Save As > enter the name fixlist.txt > change Encoding to UTF-8. Place the fixlist.txt file next to the FRST tool. Run FRST and click Fix. Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

2. A side matter: in Firefox and Google Chrome you have the extension Speed Dial [FVD] - New Tab Page, Sync.... installed. This extension is known for carrying unwanted inclusions. An example description for Firefox (something may have changed for the worse since then): CLICK. I suggest getting rid of it from both browsers.

3. Make a new FRST log from the Scan option, without Addition and Shortcut. Attach the fixlog.txt file as well. Confirm that the problem has gone away.
-
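The FRST entries quoted in the posts above share one shape: a browser start page, search scope, shortcut argument, Start Menu browser entry or proxy auto-config URL that points at a domain the user never chose. The following Python script is an added example and is neither part of this thread nor FRST's own code. It scans FRST log text for those entry types, re-fangs the hxxp:// URLs, flags any whose host is outside an allow-list, and groups the hits by host together with the from= and uid= tracking parameters so that one hijacker with twenty registry entries shows up as one finding. The allow-list, the sample log (constructed from the entry formats seen in the posts) and the reading of uid as a drive model plus serial number are assumptions of this example, not statements made in the posts.

```python
"""Triage helper: find browser-hijack and proxy-PAC indicators in an FRST log.

Added example, not part of the forum thread or of FRST itself.  The entry
formats matched below follow the lines quoted in the posts; the sample log
and the allow-list of legitimate hosts are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hosts a browser may legitimately point at.  This set is an assumption of
# the example; tune it to the environment being triaged.
TRUSTED_HOSTS = {
    "www.google.com", "www.bing.com", "www.msn.com", "go.microsoft.com",
    "clients2.google.com", "duckduckgo.com",
}

# FRST entry prefixes that carry a browser start/search target or a PAC URL.
HIJACK_PREFIXES = (
    "HKLM\\Software", "HKU\\S-1-5-", "SearchScopes:", "ShortcutWithArgument:",
    "StartMenuInternet:", "CHR HomePage:", "CHR StartupUrls:",
    "CHR DefaultSearchURL:", "Edge HomeButtonPage:", "AutoConfigURL:",
)

# FRST defangs URLs as hxxp:// ; accept both defanged and plain forms.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"']+")


def normalize(url):
    """Re-fang hxxp(s):// to http(s):// so urllib can parse the URL."""
    return re.sub(r"^hxxp", "http", url)


def classify(line):
    """Return (kind, host, query_params) for a suspicious line, else None."""
    line = line.strip()
    if not line.startswith(HIJACK_PREFIXES):
        return None
    match = URL_RE.search(line)
    if not match:
        return None                      # e.g. "StartMenuInternet: IEXPLORE.EXE - iexplore.exe"
    parts = urlsplit(normalize(match.group(0)))
    host = parts.hostname or ""
    if host in TRUSTED_HOSTS:
        return None
    kind = "proxy_pac" if line.startswith("AutoConfigURL:") else "browser_hijack"
    # First value per key is enough; keys without "=" (the PAC query) are dropped.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return kind, host, params


def triage(log_text):
    """Group findings by host and collect the tracking ids seen for each host.

    'from' is the install campaign tag and 'uid' looks like the drive model
    and serial number (an inference from the quoted values, not a fact the
    posts state); both identify the victim machine to the operator.
    """
    report = defaultdict(lambda: {"kind": None, "lines": 0, "from": set(), "uid": set()})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, host, params = hit
        entry = report[host]
        entry["kind"] = kind
        entry["lines"] += 1
        for key in ("from", "uid"):
            if key in params:
                entry[key].add(params[key])
    return dict(report)


# Constructed sample in the FRST line formats quoted in the posts.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450075143&z=d7afbfed17fdc258d580a2dgbz5w6eee7mbw5gfcdb&from=wpm07173&uid=SAMSUNGXHD502HJ_S20BJA0B189538"
CHR HKLM-x32\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
AutoConfigURL: [s-1-5-21-2293238063-3280660781-4078598226-1001] => hxxp://get-access.me/wpad.dat?3fb82dd56ba594ca4b62f400f8326f9e725043
Task: {160B3703-F659-4BE8-BA5F-ABCAB1106545} - System32\Tasks\UpdateTask => C:\Users\Justyna\AppData\Local\Chromium\APPLIC~1\450244~1.0\INSTAL~1\UNINST~1.EXE
"""

if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(f"{info['kind']:14} {host:24} entries={info['lines']} "
              f"from={sorted(info['from'])} uid={sorted(info['uid'])}")
```

Run it against a real FRST.txt by replacing SAMPLE_LOG with the file contents; a host that appears under both browser_hijack and proxy_pac kinds, or a uid shared across several hosts, is a sign that one installer dropped everything and a single FRST fix should target all of it.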
Modelling yourself on other topics is not a good idea; the section rules exist precisely so that you do not copy others: CLICK. Instructions for creating FRST reports: CLICK. Supply the third, missing, mandatory FRST file: Shortcut.
-
Finishing up:

1. Using SHIFT+DEL (which bypasses the Recycle Bin), delete C:\Users\Użytkownik\Desktop\Dokumenty Kuby\Programy i instalki\FRST. Then tidy up further with DelFix and clear the System Restore folders: CLICK.

2. Reading on what to watch out for: CLICK.
-
Run AdwCleaner again, this time choosing the actions Scan + Clean, and supply the resulting cleaning log.
-
Fixes:

1. In Google Chrome: Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected.

2. Open Notepad and paste in it:

Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /ve /t REG_SZ /d Bing /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v URL /t REG_SZ /d "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v DisplayName /t REG_SZ /d "@ieframe.dll,-12512" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /ve /t REG_SZ /d Bing /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v URL /t REG_SZ /d "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v DisplayName /t REG_SZ /d "@ieframe.dll,-12512" /f
DeleteKey: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\yoursites123.com
DeleteKey: HKCU\Software\PRODUCTSETUP
DeleteKey: HKLM\SOFTWARE\Wow6432Node\hdcode
DeleteKey: HKLM\SOFTWARE\Wow6432Node\istartsurfSoftware
DeleteKey: HKLM\SOFTWARE\Wow6432Node\TSv
DeleteKey: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WdsManPro
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\ProgramData\yWMiniProy
RemoveDirectory: C:\Users\Użytkownik\AppData\Roaming\istartsurf
CMD: del /q C:\Users\Użytkownik\AppData\Local\LMIR0002*.*
CMD: del /q "C:\Users\Użytkownik\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Picexa.lnk"
CMD: del /q "C:\Users\Użytkownik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HP Remote Support*.lnk"
CMD: del /q "C:\Users\Użytkownik\Desktop\Dokumenty Kuby\STUDNIOWKA\Archiwum Mini.lnk"

Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. This time there will be no restart. Present the resulting fixlog.txt.
-
No internet access, cutting, copying, Start menu.
picasso replied to zwid114's topic in the Emergency Help section
If you replaced the FRST reports in your first post with new ones, that was a mistake; they should have been added as new ones so that the situation before and after could be compared. In the FRST reports provided there are no visible signs of infection, so I don't know whether there really were none or whether these are already the replacement logs. Besides that, you have not supplied the mandatory GMER report. And you absolutely must show what those "800" objects were: what threat names + what paths.
-
You are to manually delete FRST and its logs, and whatever else you downloaded for the removal, from the folders I listed, because DelFix does not work in specific paths. DelFix, on the other hand, will delete the C:\FRST folder and other things.