Nie można nic zrobić po uruchomieniu komputera

[Rinqu]

Witam, kolega przywiózł komputer dziewczyny która "coś zainstalowała" i zaczeły się problemy. Komputer normalnie startuje windowsa, po uruchomieniu się przez chwile da się coś robić/klikać. Prawie odrazu zużycie procesora skacze do max a jakiekolwiek kliknięcie/użycie skrótu nie przynosi żadnych efektów i potrzebny jest reset. Logi z tego powodu robione w stanie awaryjnym.

 

FRST

http://wklej.org/id/1136092

http://wklej.org/id/1136091/

OTL

http://wklej.org/id/1136090/

http://wklej.org/id/1136089/

GMER

http://wklej.org/id/1136094/

 

Z góry dzięki za pomoc.

[picasso]

Jest tu adware, przypuszczalnie objawy produkuje niejaki "BitGuard". Akcja do wykonania:

 

1. Otwórz Notatnik i wklej w nim:

 

S2 BitGuard; C:\ProgramData\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\BitGuard.exe [3029472 2013-09-13] ()
AppInit_DLLs-x32: c:\progra~3\bitguard\261673~1.238\{16cdf~1\bitguard.dll [2700768 2013-09-13] ()
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [ActiveCollector] - C:\Program Files (x86)\NetNucleous\ActiveCollector\ActiveCollector.exe [1269760 2012-09-04] ()
HKCU\...\Run: [LonelyWalker] - C:\Program Files (x86)\NetNucleous\ActiveCollector\AcRecover.exe [61440 2012-07-02] ()
HKCU\...\Run: [Mobile Partner] - C:\Program Files (x86)\Plus Web partner\Plus Web partner
Task: {2ED8A262-EC83-420D-A9C1-CB47B48AB54F} - \AdobeFlashPlayerUpdate No Task File
Task: {36D9C824-D1F5-48B0-9E90-080F16AF8CFC} - \AdobeFlashPlayerUpdate 2 No Task File
Task: {3BF7DA0D-BF9B-4BD5-92FC-A40BAEAE66CA} - System32\Tasks\YourFile Update => C:\Program Files (x86)\YourFileDownloader\YourFileUpdater.exe
Task: {671E36B1-8815-4046-A329-8A231FD31288} - System32\Tasks\BitGuard => Sc.exe start BitGuard
Task: {AC309EF4-CCB3-44C7-B011-91B01717EC19} - System32\Tasks\ProtectedSearch\Protected Search => C:\Program Files (x86)\Protected Search\ProtectedSearch.exe [2012-11-26] (Simplygen)
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKCU\Software\Microsoft\Internet Explorer\Main,BrowserMngr Start Page = http://www.google.pl/
HKCU\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www.google.pl/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
SearchScopes: HKLM-x32 - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://isearch.babylon.com/?q={searchTerms}&affID=112555&tt=071012_24_4012_1&babsrc=SP_ss&mntrId=643bce4700000000000018f46a88c454
SearchScopes: HKCU - BrowserMngrDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://startsear.ch/?aff=1&q={searchTerms}
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://isearch.babylon.com/?q={searchTerms}&affID=112555&tt=071012_24_4012_1&babsrc=SP_ss&mntrId=643bce4700000000000018f46a88c454
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.babylon.com/?q={searchTerms}&affID=112089&tt=3612_3&babsrc=SP_ss&mntrId=643bce4700000000000018f46a88c454
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
BHO: ActiveCollectorPluginBHO Class 64 - {07202B0E-149C-4568-90DF-ACC2B4057809} - C:\Program Files (x86)\NetNucleous\ActiveCollector\ActiveCollectorPlugin64.dll (NetNucleus Inc.)
BHO-x32: ActiveCollectorPluginBHO Class - {07202B0D-149C-4568-90DF-ACC2B4057809} - C:\Program Files (x86)\NetNucleous\ActiveCollector\ActiveCollectorPlugin.dll (NetNucleus Inc.)
BHO-x32: IE5BarLauncherBHO Class - {78F3A323-798E-4AEA-9A57-88F4B05FD5DD} - C:\Program Files (x86)\vShare.tv plugin\BarLcher.dll (VShare Inc.)
BHO-x32: DownTango Launcher - {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} - C:\Users\Paulina\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll (Simplytech Ltd.)
Toolbar: HKLM-x32 - VShareToolBar - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files (x86)\vShare.tv plugin\BarLcher.dll (VShare Inc.)
Toolbar: HKLM-x32 - DownTango Launcher - {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} - C:\Users\Paulina\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll (Simplytech Ltd.)
Toolbar: HKCU - No Name - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - No File
CHR HKLM-x32\...\Chrome\Extension: [dhkplhfnhceodhffomolpfigojocbpcb] - C:\Users\Paulina\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx
CHR HKLM-x32\...\Chrome\Extension: [gladcbhcbkdeddbidiblppadjdjalidb] - C:\Program Files (x86)\DownTangoFTToolbar\chrome\DownTangoFTToolbar.crx
CHR HKLM-x32\...\Chrome\Extension: [kpionmjnkbpcdpcflammlgllecmejgjj] - C:\Program Files (x86)\vShare.tv plugin\vshareplg.crx
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [x]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [x]
C:\Users\Paulina\AppData\Roaming\File Scout
C:\Users\Paulina\AppData\Roaming\YourFileDownloader
C:\Program Files (x86)\vShare.tv plugin
C:\Windows\SysWow64\ChromeLog.dll
C:\Windows\SysWOW64\*.tmp
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\AboutURLs" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\AboutURLs" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg delete HKCU\Software\Mozilla /f
Reg: reg delete HKLM\SOFTWARE\MozillaPlugins /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\Mozilla /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\mozilla.org /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\MozillaPlugins /f
CMD: for /d %f in (C:\Users\Paulina\AppData\Local\{*}) do rd /s /q "%f"
CMD: netsh advfirewall reset

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Fix. Powstanie plik fixlog.txt.

 

2. Przejdź w Tryb normalny Windows. Odinstaluj adware:

- Przez Panel sterowania: Active Collector, ActiveCollector, BabylonObjectInstaller, BitGuard, DownTango Launcher, Protected Search 1.1.

- W Google Chrome w Rozszerzeniach: DownTango Launcher, vshare plugin. O ile będą widzialne.

 

3. Uruchom AdwCleaner. Zastosuj Szukaj, a po tym Usuń. Powstanie folder C:\AdwCleaner z raportem z usuwania.

 

3. Zrób nowy skan FRST (bez Addition). Dołącz plik fixlog.txt i log z AdwCleaner.

 

 

.