Problem z Omiga-plus

[Jagla]

Witam,

Ostatnio zainfekowałem sobie komputer i mam problem z jakimś programem, który w firefoxie zmienia mi wyszukiwarke na pasku (na amiga-plus), stronę startową itd i nie potrafię go usunąć. I przy okazji chciałem też przeskanować komputer czy nie mam tam żadnego złośliwego oprogramowania. Wrzucam logi. Z góry dziękuje za pomoc

skan.txt

Addition.txt

FRST.txt

Shortcut.txt

[picasso]

Cóż, mnóstwo adware nabyte na jeden z tych sposobów: KLIK. A użycie AdwCleaner nieskuteczne, bo po formie logów na dysku widać, że próbowałeś używać jakąś archaiczną wersję (zapisuje logi wprost na C, a nie w osobnym folderze C:\AdwCleaner). AdwCleaner nigdy nie będzie skuteczny, jeśli używany w starszych wersjach, ten program należy pobierać cały czas od początku, gdyż jest zbyt często aktualizowany (czasem nawet dziennie). Na razie AdwCleaner zostaw w spokoju. Działania wstępne do przeprowadzenia:

 

1. Przez Panel sterowania odinstaluj stare niebezpieczne wersje: Adobe Flash Player 10 ActiveX, Adobe Flash Player 11 Plugin, Adobe Shockwave Player 11.6, Java 7 Update 9, Java™ 6 Update 31.

 

2. Otwórz Notatnik i wklej w nim:

 

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra\Zeus - Pan Olimpu\Linki\Strona internetowa Caesar III.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra\Zeus - Pan Olimpu\Linki\Strona internetowa Empire Earth.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra\Zeus - Pan Olimpu\Linki\Strona internetowa Impressions Games.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra\Zeus - Pan Olimpu\Linki\Strona internetowa Pharaoh.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra\Zeus - Pan Olimpu\Linki\Strona internetowa Sierra.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sierra\Zeus - Pan Olimpu\Linki\Strona internetowa Zeusa.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=idgnew&from=idgnew&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1363964864
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1422643946&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1422644015&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1422643946&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&q={searchTerms}
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=dspp&ts=1422644015&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&q={searchTerms}
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/#utm_source=instalki&utm_medium=installer&utm_campaign=instalki
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1422644015&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1422644015&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1422644015&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1422644027&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1422644027&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1422644015&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1422644027&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://isearch.omiga-plus.com/web/?utm_source=b&utm_medium=cor&utm_campaign=install_ie&utm_content=ds&from=cor&uid=ST3500418AS_5VM2XLF3XXXX5VM2XLF3&ts=1422644027&type=default&q={searchTerms}
BHO: FG2CatchUrl -> {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} -> d:\Programy\FlashGet universal\ComDlls\bhoCATCH.dll No File
BHO: Bruowse2saavee -> {2F287E2F-FDA1-86EC-E036-015F9D67CBE1} -> No File
BHO: SeAraCCh-NewTab -> {5223838A-E03C-6745-6CB4-3835F3C5CB9E} -> No File
Toolbar: HKU\.DEFAULT -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF HKLM\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\Dom\AppData\Roaming\Mozilla\Firefox\Profiles\duz912c6.default-1368449410798\extensions\fftoolbar2014@etech.com
CustomCLSID: HKU\S-1-5-21-1454207623-1880706861-3650100424-1001_Classes\CLSID\{cb4c77f0-ab2a-407c-93ac-963769824b18}\localserver32 -> C:\Users\Dom\AppData\Local\Temp\{b3ede298-ae75-4a1c-ab7e-1b9229b77bbe}\IDriver.NonElevated.exe No Fi (the data entry has 2 more characters).
Task: {010AC60A-77E8-4BB4-9572-B12C30ABC510} - System32\Tasks\{7C963B4B-5B44-462F-A3CD-BB5A85374840} => pcalua.exe -a D:\Programy\NeroExpress\setup.exe -d D:\Programy\NeroExpress
Task: {0488AA97-B653-476C-9ECE-8171942C7C03} - System32\Tasks\{BECE8C49-61F1-42A8-BFD2-119613D8ABBD} => pcalua.exe -a C:\Users\Dom\Desktop\b4p_enu_xp.exe -d C:\Users\Dom\Desktop
Task: {377F66A2-FA16-46B9-A775-03745D94DABE} - System32\Tasks\RunAsStdUser => C:\Program Files\Desk 365\desk365.exe 
Task: {4EFFDB6B-0408-4111-B58E-4B8827DC681C} - System32\Tasks\{49864660-ABF9-42B9-8790-B7F63645CADB} => pcalua.exe -a "D:\Programy\Adobe Photoshop 7.0 PL\Photoshop\Setup.exe" -d "D:\Programy\Adobe Photoshop 7.0 PL\Photoshop"
Task: {546FBA28-D3A9-497E-B8E7-CEFCA6D4887D} - System32\Tasks\{4A34E747-8DE1-4331-940C-49311204FE22} => Firefox.exe
Task: {6539ED63-798B-497F-BBDF-8C94C2D93E39} - System32\Tasks\TKBXPO => C:\Users\Dom\AppData\Roaming\TKBXPO.exe 
Task: {874F1F82-B67D-480C-9DC0-320446BC2DED} - System32\Tasks\{FF2D7C99-FCE9-4591-828C-9E92556EE149} => pcalua.exe -a C:\Users\Dom\Desktop\LEXMARK_AAP_WIN2KXP_PCL_PL.EXE -d C:\Users\Dom\Desktop
Task: {8DCD30FF-E0E7-4EB3-9C75-CA50362FD5F8} - System32\Tasks\{5A1FA46D-FDAF-48B8-ADA4-5CE404EFFFE7} => pcalua.exe -a C:\Windows\IsUn0415.exe -c -fd:\Uninst.isu -c"d:\uninst.dll" -BFLANG=21
Task: {9584340B-1951-4BE6-B793-D6BE3F21C5C7} - System32\Tasks\FOG => C:\Users\Dom\AppData\Roaming\FOG.exe 
Task: {AF3251E5-D608-4D84-9B93-E090E636319E} - System32\Tasks\{A5D47190-E159-4C2E-A504-2846B29770CD} => C:\Program Files\DAEMON Tools Lite\DTLite.exe [2009-10-30] (DT Soft Ltd)
Task: {AFCF1165-78B0-4223-9918-54C4BDAE3F99} - System32\Tasks\{5C48FA42-87F4-487F-8C5F-2B1E71008124} => Firefox.exe
Task: {F3A9A3DC-2436-4726-A978-9AA778502786} - System32\Tasks\{AFFAB225-5820-47DE-9A2A-CEB40E83988F} => Firefox.exe
Task: {FDE20C8A-A1CC-4DF4-8A0F-307706655A9C} - System32\Tasks\{6B62FFB3-2BFE-46DE-A199-1A9CC4D4F5D3} => Firefox.exe
Task: C:\Windows\Tasks\FOG.job => C:\Users\Dom\AppData\Roaming\FOG.exe 
Task: C:\Windows\Tasks\TKBXPO.job => C:\Users\Dom\AppData\Roaming\TKBXPO.exe 
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [33112 2013-02-19] (AVG Technologies)
R2 HPSLPSVC; C:\Users\Dom\AppData\Local\Temp\7zS2DB2\hpslpsvc32.dll [701288 2012-11-14] (Hewlett-Packard Co.)
S2 IHProtect Service; C:\Program Files\XTab\ProtectService.exe [X]
S1 pfnfd_1_10_0_8; system32\drivers\pfnfd_1_10_0_8.sys [X]
S2 Update Solution Real; "C:\Program Files\Solution Real\updateSolutionReal.exe" [X]
S2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service [X]
HKLM\...\Run: [sunJavaUpdateSched] => "C:\Program Files\Java\jre7\bin\jusched.exe"
HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Dom\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\...\Run: [Napisy24.pl] => "C:\Program Files\Napisy24\Napisy24.exe" AutoStart
HKU\S-1-5-21-1454207623-1880706861-3650100424-1001\...\MountPoints2: {e927ef9c-3f68-11e0-8faa-00241d8d1e95} - K:\autorun.exe
Startup: C:\Users\Dom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPTISetup.lnk
C:\AdwCleaner*.txt
C:\Program Files\globalUpdate
C:\Program Files\Opera
C:\Program Files\XTab
C:\ProgramData\{a50d5638-14b9-31da-a50d-d563814b58e0}
C:\ProgramData\4980443400007310
C:\ProgramData\IHProtectUpDate
C:\ProgramData\WindowsMangerProtect
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gadu-Gadu
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlashGet
C:\Users\Dom\AppData\Local\Temp*.html
C:\Users\Dom\AppData\Local\Gameo
C:\Users\Dom\AppData\Local\globalUpdate
C:\Users\Dom\AppData\Local\Google
C:\Users\Dom\AppData\Local\Opera Software
C:\Users\Dom\AppData\Roaming\FOG
C:\Users\Dom\AppData\Roaming\TKBXPO
C:\Users\Dom\AppData\Roaming\GoldenGate
C:\Users\Dom\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\StormFall.lnk
C:\Users\Dom\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WorldofTanks.lnk
C:\Users\Dom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url
C:\Users\Dom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StormFall
C:\Users\Dom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WorldofTanks
C:\Users\Dom\AppData\Roaming\omiga-plus
C:\Users\Dom\AppData\Roaming\Opera Software
C:\Users\Dom\Documents\Optimizer Pro
C:\Windows\system32\drivers\avgtpx86.sys
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher" /f
Reg: reg delete HKCU\Software\Google /f
Reg: reg delete HKLM\SOFTWARE\Google /f
EmptyTemp:

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Fix. Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

 

3. Wyczyść Firefox z adware: menu Pomoc > Informacje dla pomocy technicznej > Zresetuj / Odśwież program Firefox. Zakładki i hasła nie zostaną naruszone.

 

4. Zrób nowy log FRST z opcji Scan (bez Addition i Shortcut). Dołącz też plik fixlog.txt.