
Active adware



Indeed, there is a staggering amount of adware here. The following actions are to be carried out:

1. Open Notepad and paste into it:

(Just Develop It) C:\Program Files\MyPC Backup\BackupStack.exe
() C:\Users\Administrator\AppData\Local\fst_en_2\upfst_en_2.exe
(Ask) C:\Program Files\Ask.com\Updater\Updater.exe
(Updater) C:\ProgramData\Updater\updater.exe
() C:\Program Files\fst_en_2\fst_en_2.exe
(Parallel Lines Development, LLC) C:\ProgramData\InternetUpdater\InternetUpdaterService.exe
() C:\Program Files\fst_en_2\freeSoftToday_widget.exe
() C:\Users\Administrator\AppData\Local\Galileo\galileo.exe
(MyPCBackup.com) C:\Program Files\MyPC Backup\MyPC Backup.exe
(WatchDog) C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
(WatchDog) C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
(WatchDog) C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
R2 BackupStack; C:\Program Files\MyPC Backup\BackupStack.exe [36392 2014-02-06] (Just Develop It)
S2 ca82e1a5; C:\Program Files\Optimizer Pro\OptProCrashSvc.dll [186496 2014-02-08] ()
R2 InternetUpdater; C:\ProgramData\InternetUpdater\InternetUpdaterService.exe [45568 2014-01-15] (Parallel Lines Development, LLC)
S2 MyWebSearchService; C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe [X]
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
Task: {2B839400-8D41-4286-AD13-B93940743690} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2013-04-25] ()
Task: {6B191DBD-918F-4DD9-B07D-F75E8C1951D8} - System32\Tasks\EPUpdater => C:\Users\ADMINI~1\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe 
Task: {C920B5FD-15F6-417E-931C-87AA69059EF4} - System32\Tasks\RegClean Pro_DEFAULT => C:\Program Files\RegClean Pro\RegCleanPro.exe [2013-07-11] (Systweak Inc) 
Task: {D29AC0E9-E494-4E0D-A4CF-37336919CE6B} - System32\Tasks\RegClean Pro => C:\Program Files\RegClean Pro\RegCleanPro.exe [2013-07-11] (Systweak Inc) 
Task: {EFDEDAF9-277B-42A5-831E-551007858AEB} - System32\Tasks\RegClean Pro_UPDATES => C:\Program Files\RegClean Pro\RegCleanPro.exe [2013-07-11] (Systweak Inc) 
Task: C:\Windows\Tasks\RegClean Pro_DEFAULT.job => C:\Program Files\RegClean Pro\RegCleanPro.exe 
Task: C:\Windows\Tasks\RegClean Pro_UPDATES.job => C:\Program Files\RegClean Pro\RegCleanPro.exe 
HKLM\...\Run: [] - [X]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKLM\...\Run: [updater] - C:\ProgramData\Updater\Updater.exe [486264 2013-12-18] (Updater)
HKLM\...\Run: [fst_en_2] - C:\Program Files\fst_en_2\fst_en_2.exe [11671024 2013-12-18] ()
HKLM\...\Run: [freeSoftToday_widget] - C:\Program Files\fst_en_2\freeSoftToday_widget.exe [3531216 2014-01-09] ()
HKLM\...\RunOnce: [upfst_en_2.exe] - C:\Users\Administrator\AppData\Local\fst_en_2\upfst_en_2.exe -runonce [3153904 2014-01-20] ()
HKU\S-1-5-21-1469707236-2288353759-1584227296-500\...\Run: [EA Core] - "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
HKU\S-1-5-21-1469707236-2288353759-1584227296-500\...\Run: [ChomikBox] - C:\Program Files\ChomikBox\chomikbox.exe
HKU\S-1-5-21-1469707236-2288353759-1584227296-500\...\Run: [Galileo] - C:\Users\Administrator\AppData\Local\Galileo\galileo.exe [4035072 2014-01-12] ()
HKU\S-1-5-21-1469707236-2288353759-1584227296-500\...\Run: [updater] - C:\ProgramData\Updater\updater.exe [486264 2013-12-18] (Updater)
AppInit_DLLs: C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => File Not Found
AppInit_DLLs: c:\progra~2\bitguard\271832~1.68\{c16c1~1\bitguard.dll => File Not Found
AppInit_DLLs: c:\progra~1\optimi~1\optpro~1.dll => File Not Found
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3319611&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPE6D1C798-7843-4AD0-8273-E7A6468FDD31&SSPV=
HKCU\Software\Microsoft\Internet Explorer\Main,bProtector Start Page =
URLSearchHook: HKLM - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll No File
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKCU - (No Name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL No File
SearchScopes: HKLM - DefaultScope {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCman000&ptnrS=ZCman000&ptb=sNGFWIBJo19dqgiJoTF_6A&ind=2012012816&n=77ece110&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCman000&ptnrS=ZCman000&ptb=sNGFWIBJo19dqgiJoTF_6A&ind=2012012816&n=77ece110&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3319611&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPE6D1C798-7843-4AD0-8273-E7A6468FDD31&q={searchTerms}&SSPV=
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3319611&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPE6D1C798-7843-4AD0-8273-E7A6468FDD31&q={searchTerms}&SSPV=
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=C0A3BCAEC50B3D3B&affID=119357&tt=180713_9129&tsp=4947
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask.com/redirect?client=ie&tb=MGX&o=15355&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=JP&apn_dtid=YYYYYYYYPL&apn_uid=799279F7-71F7-4384-A06F-93FF1306093C&apn_sauid=59E5D565-D4A2-46D1-B973-AFE7DCA40A9A
SearchScopes: HKCU - {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKCU - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCman000&ptnrS=ZCman000&ptb=sNGFWIBJo19dqgiJoTF_6A&ind=2012012816&n=77ece110&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
Toolbar: HKLM - No Name - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
Toolbar: HKLM - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKLM - My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL No File
Toolbar: HKCU - No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
Toolbar: HKCU - No Name - {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKCU - My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll No File
FF Plugin: @mywebsearch.com/Plugin - C:\Program Files\MyWebSearch\bar\2.bin\NPMyWebS.dll No File
FF HKLM\...\Firefox\Extensions: [m3ffxtbr@mywebsearch.com] - C:\Program Files\MyWebSearch\bar\2.bin
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction 
C:\Program Files\DAEMON Tools Toolbar
C:\Users\Administrator\hqnwnkie.exe
C:\Users\Administrator\AppData\Local\Google
C:\Users\Administrator\AppData\Roaming\Administrator
C:\Users\Administrator\AppData\Roaming\BabSolution
C:\Users\Administrator\AppData\Roaming\Babylon
Reg: reg delete HKLM\SOFTWARE\Google /f

Note for other readers: this script is unique, tailored exclusively to this system; please do not apply it to your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. A fixlog.txt file will be produced.

2. There is a garbled entry here that FRST will not remove:

SearchScopes: HKCU - ŰźĆîZ§’2ąŢpv¨IÍá*X(Ž2s(ŰÎŔJşÔÓµť± vË°!×—(äĽ48иpatm6ęo^Mp`Ëő÷_iŁwľ!„Áű†x˘8€ŮjŔ˙ţ ´Ń;áa´[¦†8 ş~ŹRŮxśňÜ8'Ł-)x­ä­ URL =

Start > type regedit in the search box > right-click and delete:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\<that garbled entry>

3. Via the Control Panel, uninstall the adware: Delta Chrome Toolbar, Delta toolbar, fst_en_2, Internet Updater, MAGIX Toolbar, MAGIX Toolbar Updater, My Web Search, MyPC Backup, Optimizer Pro v3.2, RegClean Pro, Search Protect, Updater, uTorrentBar Toolbar, Websteroids. Search Protect is present here, but that case does not apply (there is a "System Reserved" partition here): (link).

4. Clean Firefox of adware: Help menu > Troubleshooting Information > Reset Firefox. Bookmarks and passwords will not be affected.

5. Run AdwCleaner. Use Scan, then Clean. A C:\AdwCleaner folder with the removal report will be created.

6. Run TFC - Temp Cleaner.

7. Do a new FRST scan (without Addition). Attach the fixlog.txt and AdwCleaner files.

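The fixlist above targets the persistence points an FRST scan surfaces (Run keys, services, scheduled tasks, AppInit_DLLs, toolbars, SearchScopes). As an added illustration that is not part of this thread or of FRST itself, the Python snippet below triages constructed FRST-style log lines of those kinds: it flags AppInit_DLLs entries, search scopes whose host falls outside an assumed allowlist of the user's chosen engines, and dangling entries marked [X] / No File / File Not Found. It is a triage aid for reading such a log, not a verdict; an entry like the Ask updater above is recognised by name, not by these markers.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in FRST log format (the same entry kinds as in the fixlist above).
SAMPLE_LOG = """\
HKLM\\...\\Run: [ApnUpdater] - C:\\Program Files\\Ask.com\\Updater\\Updater.exe [1648264 2013-04-25] (Ask)
HKLM\\...\\Run: [] - [X]
S2 MyWebSearchService; C:\\PROGRA~1\\MYWEBS~1\\bar\\2.bin\\mwssvc.exe [X]
AppInit_DLLs: C:\\PROGRA~1\\SearchProtect\\SearchProtect\\bin\\SPVC32Loader.dll => File Not Found
Toolbar: HKLM - My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\\Program Files\\MyWebSearch\\bar\\2.bin\\MWSBAR.DLL No File
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?q={searchTerms}
SearchScopes: HKCU - {11111111-2222-3333-4444-555555555555} URL = https://www.bing.com/search?q={searchTerms}
R2 Spooler; C:\\Windows\\System32\\spoolsv.exe [1234 2013-01-01] (Microsoft Corporation)
"""

# Search engines the user actually chose; any other host in a SearchScopes entry is a hijack candidate.
# This allowlist is an assumption made for the example, not something FRST provides.
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

# FRST marks entries whose target binary no longer exists with one of these.
ORPHAN_MARKERS = ("[X]", "No File", "File Not Found")


def classify(line):
    """Return (severity, reason) for one FRST log line, or None if nothing is flagged."""
    line = line.rstrip()
    if not line:
        return None
    if line.startswith("AppInit_DLLs:"):
        # AppInit_DLLs loads the DLL into every GUI process; legitimate software rarely needs it.
        return ("high", "AppInit_DLLs injection entry")
    if line.startswith("SearchScopes:"):
        m = re.search(r"URL = (\S+)", line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                return ("medium", f"search scope points to unexpected host {host}")
        return None
    if any(marker in line for marker in ORPHAN_MARKERS):
        # Dangling autostart/service/toolbar reference: the binary is gone, the entry was left behind.
        return ("low", "orphaned entry (target file missing)")
    return None


def triage(log_text):
    """Run classify() over every line and collect (severity, reason, line) for the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append((result[0], result[1], line))
    return findings
```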

Everything done; there were problems removing some of the adware from the Control Panel, but after running AdwCleaner and TFC it all went to hell, in the sense that they are no longer in the Control Panel.

I'm attaching the new logs.

May I timidly ask whether, in my previous post, everything is already OK in your opinion? (link)

AdwCleanerR0.txt
AdwCleanerS0.txt
Fixlog.txt
FRST.txt


Corrections. Open Notepad and paste into it:

C:\Program Files\predm
C:\ProgramData\RHelpers
C:\ProgramData\Updater
C:\Users\Administrator\Desktop\TeamViewerQS_pl(*).exe
HKLM\...\Run: [fst_en_2] - [X]
SearchScopes: HKLM - DefaultScope value is missing.
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2B839400-8D41-4286-AD13-B93940743690}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B839400-8D41-4286-AD13-B93940743690}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C920B5FD-15F6-417E-931C-87AA69059EF4}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C920B5FD-15F6-417E-931C-87AA69059EF4}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro_DEFAULT
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D29AC0E9-E494-4E0D-A4CF-37336919CE6B}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EFDEDAF9-277B-42A5-831E-551007858AEB}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EFDEDAF9-277B-42A5-831E-551007858AEB}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro_UPDATES
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2B839400-8D41-4286-AD13-B93940743690}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2B839400-8D41-4286-AD13-B93940743690}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C920B5FD-15F6-417E-931C-87AA69059EF4}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C920B5FD-15F6-417E-931C-87AA69059EF4}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro_DEFAULT" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D29AC0E9-E494-4E0D-A4CF-37336919CE6B}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EFDEDAF9-277B-42A5-831E-551007858AEB}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EFDEDAF9-277B-42A5-831E-551007858AEB}" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro_UPDATES" /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. Post the resulting fixlog.txt.


Final steps:

1. Using SHIFT+DEL (bypasses the Recycle Bin), delete FRST and the folders:

 

C:\FRST

C:\Users\Administrator\Desktop\Stare dane programu Firefox

In AdwCleaner run Uninstall, in OTL run CleanUp.

2. Clean the System Restore folders: (link).

3. Uninstall the old Shockwave Player and Java, and update Opera: (link). Versions currently seen as installed:

==================== Installed Programs ======================

Adobe Shockwave Player 11.6 (Version: 11.6.5.635 - Adobe Systems, Inc.)
Java™ 6 Update 23 (Version: 6.0.230 - Oracle)
Opera 12.14 (Version: 12.14.1738 - Opera Software ASA)
