patrykk9 Posted 15 April 2015

Hi, my problem is that I have no internet connection in normal mode (in safe mode it works correctly, though sometimes the same problem appears as in normal mode). In the bottom-right corner, the icon showing the network connection status reports internet access, even though there is none. The steps I have taken to solve the problem are:
- scanning the system with Microsoft Safety Scanner,
- scanning the system with Avast.
During the scans these programs removed a dozen or so errors; unfortunately I don't remember what they concerned.

Addition.txt FRST.txt Shortcut.txt
picasso Posted 15 April 2015

Links of the hxxp type are made for malware/adware addresses, not for reports. Please attach reports as forum attachments, not on external services. I have tidied up the posts, and the logs too. I removed OTL and moved FRST to the attachments. GMER is still missing.

Returning to the main problem: no viruses or trojans are visible here, but there is indeed a huge amount of junk in the system and a lot of adware objects, including two drivers that may be the cause of the network conflict. Let's remove all of it and see what happens. An additional problem is the lack of data on the exotic browsers: Maxthon Cloud Browse + Maxthon Nitro. FRST does not scan these and I will have to collect certain data manually, but that comes later.

Preliminary actions:

1. Uninstalls:

----> Through Control Panel uninstall:

- Adware/PUP: BrotherSoft Extreme Toolbar, Browser Configuration Utility, Conduit Engine, Download Updater (AOL Inc.), DVDVideoSoftTB Toolbar, File Association Helper, Funmoods, Hyperionics DB Toolbar, IB Updater 2.0.0.574, omiga-plus uninstall, SFT_Polska Toolbar, Solution Real, Uptodown EN Toolbar, uTorrentBar Toolbar, Winamp Toolbar, WinZipper.
- Old versions and unneeded items: Adobe Flash Player 16 ActiveX, Adobe Flash Player 16 NPAPI, Adobe Reader XI (11.0.10) - Polish, Feedback Tool, HP Customer Participation Program 13.0, Java 7 Update 45, Logitech Desktop Messenger, McAfee Security Scan Plus.

----> Also run this shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyFree Codec\1.0b beta\Uninstall.lnk

If something is not visible or cannot be uninstalled, never mind, continue with the rest of the tasks; I will deal with the fixes later.

2.
Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
R1 {31c21995-b861-4864-ab50-4a53fbca73d4}Gw64; C:\Windows\System32\drivers\{31c21995-b861-4864-ab50-4a53fbca73d4}Gw64.sys [48784 2015-03-10] (StdLib)
R1 {df8eec40-f909-439c-9ffe-3fee212f71b9}w64; C:\Windows\System32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}w64.sys [48784 2015-01-31] (StdLib)
R2 DefaultTabUpdate; C:\Users\Patryk\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2012-10-27] () [File not signed]
R2 IHProtect Service; C:\Program Files (x86)\XTab\ProtectService.exe [158864 2014-12-29] (XTab system)
S1 StarOpen; C:\Windows\SysWow64\Drivers\StarOpen.sys [5632 2006-07-24] () [File not signed]
S3 BT; system32\DRIVERS\btnetdrv.sys [X]
S3 BTCOM; system32\DRIVERS\btcomport.sys [X]
S3 BTCOMBUS; System32\Drivers\btcombus.sys [X]
S3 Btcsrusb; System32\Drivers\btcusb.sys [X]
S3 VHidMinidrv; system32\drivers\VHIDMini.sys [X]
AppInit_DLLs: c:\progra~3\bitguard\271769~1.27\{c16c1~1\loader.dll => c:\progra~3\bitguard\271769~1.27\{c16c1~1\loader.dll File Not Found
Task: {095F9472-6FFB-46CF-B2CA-FFDED86B4920} - System32\Tasks\{378F3210-FE68-4740-B8FB-523FDD285C36} => F:\SWTFU_Autorun.exe
Task: {14D5DEDD-FA13-4358-959C-A8FD08C846CA} - System32\Tasks\{2F4C12CA-C05D-4495-B7F9-CEA4155EE050} => pcalua.exe -a F:\support\dotnet\dotnetfx35.exe -d F:\support\dotnet
Task: {17047284-8F7C-40AC-B045-9BB1B5BC48CA} - System32\Tasks\{845A186A-A410-4D76-ACC5-600F041D3581} => F:\SWTFU_Autorun.exe
Task: {46981864-A2DA-43BD-8C52-70053A11F812} - System32\Tasks\{F57AF293-3275-466D-9932-10C7390E218A} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe" -c -runfromtemp -l0x0009 -removeonly
Task: {5135CE44-B9D2-4DBD-97B3-5BE3006DA85E} - System32\Tasks\{69978D2D-9383-485F-BA6B-E05F60DEA599} => pcalua.exe -a D:\PROGRA~1\Eidos\HITMAN~1\uninstall.exe
Task: {513BFB8C-7A2B-4AD0-B1E6-FC5F2690785A} - System32\Tasks\{64936F53-B1D4-4D62-BDB3-29A977DE72DC} => pcalua.exe -a "D:\Star Wars KOTOR\swkotor.exe"
Task: {570F217A-2B79-42D9-92B1-A5658D01CB4F} - System32\Tasks\{1234A022-5F48-4355-9F26-DF224735BE57} => Firefox.exe http://ui.skype.com/ui/0/6.3.0.107/pl/abandoninstall?source=lightinstaller&page=tsProgressBar
Task: {66CEA532-EBDA-4396-9738-EEBA1D53E5A2} - System32\Tasks\{83953037-06E0-4A02-8771-3810BD43594E} => C:\Users\Patryk\AppData\Local\Programs\Opera\Opera.exe
Task: {6FEB4E50-96B7-4512-A612-626E8C046A60} - System32\Tasks\{13036613-5680-43A7-9636-72A51B228280} => D:\PLATOON\Platoon.exe
Task: {7B55E1F0-9381-480C-B262-EB04DD784FE6} - System32\Tasks\{D2203421-220B-4021-A5D2-FC776EFD2481} => pcalua.exe -a C:\Users\Marian\Downloads\LogitechHarmonyRemote7.7.0-WIN-x86.exe -d C:\Users\Marian\Downloads
Task: {7BA11FFC-8130-4E9D-9988-B0B313C98903} - System32\Tasks\{8D2609E4-1555-4B6D-A4D1-D19137FA6C04} => pcalua.exe -a "C:\Users\Patryk\Desktop\Call of Duty\DVD1\setup.exe" -d "C:\Users\Patryk\Desktop\Call of Duty\DVD1"
Task: {830F1A1F-AE44-44B7-930A-F082652FCDA2} - System32\Tasks\{AA388184-F890-4C90-85D1-87778D8840BD} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{6592FDEC-2C1A-413A-9985-25FEC2F0848D}\setup.exe" -d C:\Windows -c -runfromtemp -removeonly
Task: {8B3AAB9E-0C17-4107-9270-2319847A6A7D} - System32\Tasks\{1D5E5C1B-F6E8-4D85-93FC-A766C802F962} => C:\Users\Patryk\Desktop\Star wars\autorun.exe
Task: {981A8643-50E1-448C-980D-01E6B306CF5C} - System32\Tasks\{5377F232-2393-4DC5-BB89-22259D468471} => Firefox.exe http://ui.skype.com/ui/0/6.3.0.107/pl/abandoninstall?source=lightinstaller&page=tsInstall
Task: {9973CE61-434F-4739-9BDC-82601622CA66} - System32\Tasks\{8122687D-3FF5-47B6-A863-DA60B7A30E8A} => Firefox.exe http://ui.skype.com/ui/0/5.0.0.152/pl/abandoninstall?source=lightinstaller&page=tsMain&installinfo=google-toolbar:notoffered;ienotdefaultbrowser2,google-chrome:notoffered;alreadyoffered
Task: {9CEEE834-EBCA-4515-871B-38C3BC0296FB} - System32\Tasks\{F2EB62A1-5AC0-4894-9DA2-BD3AB483FF38} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{D596980D-17BE-4425-B8F0-5640719AADE9}\setup.exe" -c -runfromtemp -l0x0409
Task: {AC1B304E-117E-4414-81D4-68182F0F26A8} - System32\Tasks\{7D76E292-55B4-457B-9F23-570E2A2A865D} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{45057FCE-5784-48BE-8176-D9D00AF56C3C}\Sims3EP03Setup.exe" -c -runfromtemp -l0x0015 -removeonly
Task: {B1D66CF0-BE14-4506-8F51-8F68E9EA6FF2} - System32\Tasks\Funmoods => C:\Users\Patryk\AppData\Roaming\Funmoods\UpdateProc\UpdateTask.exe [2013-04-12] ()
Task: {B3711EC6-9BC6-4DDC-9DFA-46555E9A1CD5} - System32\Tasks\{8C66C9A5-CFEF-453D-A48C-D28B7EA0F2DE} => Firefox.exe http://ui.skype.com/ui/0/7.0.0.102/pl/abandoninstall?page=tsMain
Task: {B5A0794D-4470-4393-AE32-E14A0FF58F4B} - System32\Tasks\{EF7C3CBF-9F0F-44B2-BAB7-C70F025C2933} => pcalua.exe -a F:\Install.exe -d F:\
Task: {B5B91785-E966-4C43-B3C8-DDB340E23360} - System32\Tasks\{F2E13D27-A236-4A9A-82FD-E67F40237A2D} => pcalua.exe -a C:\Users\Marian\Downloads\VT6656_Win7_V1.1.0.2_64bit.exe -d C:\Users\Marian\Downloads
Task: {C3A08254-20E0-438D-9316-2D51B7A53F35} - System32\Tasks\{8C72BFBF-D143-4BDD-812A-59FE75A1F5F2} => pcalua.exe -a C:\Users\Patryk\Desktop\nbvn\autorun.exe -d C:\Users\Patryk\Desktop\nbvn
Task: {DC9182C6-D78E-4169-BC25-82AF14C35CF9} - System32\Tasks\{71592B0D-2ECB-4C3E-97B3-1E3F88C35DFE} => F:\install.exe
Task: {E3E0CC96-51D2-49C2-867C-AD76440D112E} - System32\Tasks\{2779C098-D158-4863-94DC-4F7565A09047} => pcalua.exe -a "C:\Program Files (x86)\Common Files\DVDVideoSoft\Uninstall.exe"
Task: {E8A73BE8-13F3-4AE0-8569-20CCE5ACB657} - System32\Tasks\{D81BBDC6-D6FF-49C6-A3B8-5B5ABA0D4AA3} => pcalua.exe -a F:\setup.exe -d F:\
Task: {E9A1959F-88CB-484E-BF28-676217FA6906} - System32\Tasks\{5310FFF2-7106-4BCB-8255-E24470120816} => C:\Users\Patryk\AppData\Local\Programs\Opera\Opera.exe
Task: {EF3A0E26-E8A0-4964-998E-7C6CB76BB122} - System32\Tasks\{8AEAF636-5527-462D-8B9A-5000E10EBC55} => pcalua.exe -a C:\Users\Patryk\Downloads\vb_web.exe -d C:\Users\Patryk\Desktop
Task: {F94214EA-2B9A-4174-9C13-4EC685F51871} - System32\Tasks\{C764C9CD-C5AA-42BE-81EB-8BA2CCF5CEC3} => C:\Program Files (x86)\LucasArts\Star Wars Empire at War Forces of Corruption Demo\EAWXLauncher.exe
GroupPolicy: Group Policy on Chrome detected
GroupPolicyUsers\S-1-5-21-1693294449-2853722536-560343305-1006\User: Group Policy restriction detected
GroupPolicyUsers\S-1-5-21-1693294449-2853722536-560343305-1004\User: Group Policy restriction detected
GroupPolicyUsers\S-1-5-21-1693294449-2853722536-560343305-1003\User: Group Policy restriction detected
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction
ShortcutWithArgument: C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=sc&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&ts=1380138517
ShortcutWithArgument: C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=sc&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&ts=1380138517
ShortcutWithArgument: C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=sc&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&ts=1380138517
ShortcutWithArgument: C:\Users\Marian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=sc&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&ts=1380138517
ShortcutWithArgument: C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1421258256&from=wpm01141&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
ShortcutWithArgument: C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1421258256&from=wpm01141&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
ShortcutWithArgument: C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1421258256&from=wpm01141&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hppp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hppp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
HKU\S-1-5-21-1693294449-2853722536-560343305-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1421258256&from=wpm01141&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
HKU\S-1-5-21-1693294449-2853722536-560343305-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hppp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKU\S-1-5-21-1693294449-2853722536-560343305-1003\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.msn.com/?pc=AV01
HKU\S-1-5-21-1693294449-2853722536-560343305-1003\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://search.babylon.com/?babsrc=HP_ss_gin2g&mntrId=E60D6CF04912EFE9&affID=119357&tt=070713_9124&tsp=4936
HKU\S-1-5-21-1693294449-2853722536-560343305-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hppp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3
HKU\S-1-5-21-1693294449-2853722536-560343305-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.delta-homes.com/web/?type=ds&ts=1421258256&from=wpm01141&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
URLSearchHook: HKLM-x32 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKLM-x32 - (No Name) - {8f3c1d75-d467-43c2-9a36-655366b76f5f} - No File
URLSearchHook: HKLM-x32 - (No Name) - {40f5f417-32bb-4296-9446-c1e0094e7d82} - No File
URLSearchHook: HKLM-x32 - (No Name) - {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - No File
URLSearchHook: HKLM-x32 - (No Name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No File
URLSearchHook: HKLM-x32 - (No Name) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - No File
URLSearchHook: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 - (No Name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - No File
URLSearchHook: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 - (No Name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No File
URLSearchHook: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 - (No Name) - {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - No File
URLSearchHook: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 - (No Name) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - No File
URLSearchHook: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 - (No Name) - {8040829d-1177-46e2-9157-8282438b79c7} - No File
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1420881240&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
SearchScopes: HKLM-x32 -> {d3f22a84-2a84-49eb-91e6-5dadaaf0165d} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm518YYpl&ptnrS=GRxdm518YYpl&ptb=DEDE97AE-18CC-436D-ACC8-39572D52CB1E&ind=2012112715&n=77ee674b&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {0BA9EFF0-F360-4AE1-9ACB-7A571FDA610D} URL = http://rts.dsrlte.com/?affID=na&q={searchTerms}&r=643
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=119370&tt=190313_wo3&babsrc=SP_ss_gin2g&mntrId=E60D6CF04912EFE9
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} URL = http://www.crawler.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=66019
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420881270&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {5BB4F252-A3F7-4C72-8E8E-F66BFA0C7DE1} URL = http://search.softonic.com/MON00005/tb_v1?q={searchTerms}&SearchSource=4&cc=&r=674
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {87FE74A0-F9A3-4593-90E6-72C2C875DB9F} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=STDVM
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://isearch.avg.com/search?cid={91CA612C-D769-414A-8EC6-BAD79F2B0E91}&mid=61a2c1c9da3a44cbbb9d226a974d67c1-3a8240382015bed401ff45a03efe52fe9603e643&lang=pl&ds=ax011&pr=&d=2012-09-21 15:31:42&v=12.2.5.34&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {CEBC9A4E-5C2C-4DEA-B24E-3709952C969E} URL = http://www.mysearchresults.com/search?&c=3507&t=07&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {d3f22a84-2a84-49eb-91e6-5dadaaf0165d} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm518YYpl&ptnrS=GRxdm518YYpl&ptb=DEDE97AE-18CC-436D-ACC8-39572D52CB1E&ind=2012112715&n=77ee674b&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> {F457602F-1819-4047-9C19-1286DA13B886} URL = http://www.google.com/cse?cx=partner-pub-3794288947762788%3A4067623346&ie=UTF-8&q={searchTerms}&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A4067623346
BHO-x32: No Name -> {14d02517-c8be-4735-a344-3c8366c77aa0} -> No File
BHO-x32: No Name -> {b1df253a-9e7a-480d-b6a5-7a435b520dbb} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - No Name - {98889811-442D-49dd-99D7-DC866BE87DBC} - No File
Toolbar: HKLM-x32 - No Name - {5018CFD2-804D-4C99-9F81-25EAEA2769DE} - No File
Toolbar: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> No Name - {338B4DFE-2E2C-4338-9E41-E176D497299E} - No File
Toolbar: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> No Name - {A0B1221C-A3FF-4F7C-A393-DC63AF5301E9} - No File
Toolbar: HKU\S-1-5-21-1693294449-2853722536-560343305-1003 -> No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
DPF: HKLM-x32 {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=sc&from=cor&uid=ST31000528AS_5VP5HED3XXXX5VP5HED3&ts=1380138517
C:\Program Files\IB Updater
C:\Program Files (x86)\Google\Chrome
C:\Program Files (x86)\Mobogenie
C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\OnlineHD.TV
C:\Program Files (x86)\RegCleaner
C:\Program Files (x86)\Solution Real
C:\Program Files (x86)\WinZipper
C:\Program Files (x86)\XTab
C:\ProgramData\whlb32g.dll
C:\ProgramData\SendSpaceExtention
C:\ProgramData\TEMP
C:\ProgramData\Microsoft\Windows\Start Menu\BitTorrent.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2K Games
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Akademia Umysłu\Koncentracja 2
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Call of Duty
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefly Studios\Twierdza Krzyżowiec Extreme
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefly Studios\Twierdza Deluxe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Mind Software
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logomocja-Imagine Demo
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LucasArts\LEGO Star Wars III The Clone Wars
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movies2iPhone
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo-Brush 5
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
C:\Users\Adrian\AppData\Local\Microsoft\Windows\GameExplorer\{9549EBD4-B722-46A8-801C-57A855582B80}
C:\Users\Adrian\AppData\Local\Microsoft\Windows\GameExplorer\{B8DA32A9-1795-4134-85A2-25290513F751}
C:\Users\Adrian\AppData\Local\Microsoft\Windows\GameExplorer\{CA79C966-7225-4892-9B6A-5BE9E71693EA}
C:\Users\Adrian\Desktop\AccurateBurn MP3 Audio CD Maker.lnk
C:\Users\Adrian\Desktop\Edytor Znaczników HTML.lnk
C:\Users\Adrian\Desktop\GameSpy Arcade.lnk
C:\Users\Adrian\Desktop\Google Chrome.lnk
C:\Users\Adrian\Desktop\Handbrake.lnk
C:\Users\Adrian\Desktop\Minecraft.lnk
C:\Users\Adrian\Desktop\Play Star Wars Jedi Knight II Jedi Outcast Demo.lnk
C:\Users\Adrian\Desktop\RegCleaner.lnk
C:\Users\Adrian\Desktop\Sniper Elite.lnk
C:\Users\EWA.Marian-Komputer\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth\Inne urządzenia....lnk
C:\Users\EWA.Marian-Komputer\Desktop\AccurateBurn MP3 Audio CD Maker.lnk
C:\Users\EWA.Marian-Komputer\Desktop\Handbrake.lnk
C:\Users\EWA.Marian-Komputer\Desktop\Play Star Wars Jedi Knight II Jedi Outcast Demo.lnk
C:\Users\EWA.Marian-Komputer\Desktop\Sniper Elite.lnk
C:\Users\Marian\ALLPlayerEN.exe
C:\Users\Marian\AppData\Local\Microsoft\Windows\GameExplorer\{0E7EE784-7328-4ECC-81AB-1D1D46DEB2BB}
C:\Users\Marian\AppData\Local\Microsoft\Windows\GameExplorer\{4369BBF5-E9E6-4817-BFF6-ACE0921E5D31}
C:\Users\Marian\AppData\Local\Microsoft\Windows\GameExplorer\{54B14E3B-D2B2-4011-849D-7CF718459582}
C:\Users\Marian\AppData\Local\Microsoft\Windows\GameExplorer\{CA275ADB-C6A2-4F6C-905D-4FA5CA8A14DE}
C:\Users\Marian\AppData\Local\Microsoft\Windows\GameExplorer\{F23A5F71-C44C-4F02-8A43-116C9E69A027}
C:\Users\Marian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\GameExplorer\{F15D16CC-A712-4BC7-BDBE-A105F7C9A2CC}
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Koncentracja 2.lnk
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ShenlongMT2.lnk
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Empire Interactive
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Game Cam V2
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GTA IV The Lost and Damned oraz The Ballad of Gay Tony PL
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HyperCam 2
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mobogenie
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OnlineHD.TV
C:\Users\Marian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
C:\Users\Marian\AppData\Local\Mobogenie
C:\Users\Patryk\AppData\Local剜捯獫慴慇敭屳呇⁁屖湥楴汴浥湥湩潦
C:\Users\Patryk\AppData\Local\setup.exe
C:\Users\Patryk\AppData\Local\Google\Chrome
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{1F91F091-AA31-4F1F-B06B-ACCE4EEFC9EE}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{4369BBF5-E9E6-4817-BFF6-ACE0921E5D31}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{4B2E63EF-6C72-44C2-A8F7-AAE5C9DF0710}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{671E3D52-9F4B-4F12-A116-391941D2337D}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{80A1E545-EEB7-45A4-8368-C20CC4C2AE41}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{94784E5A-E7A5-49CC-8BD4-7DE3CD9A53B1}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{A70F7B58-6B62-45C8-9D06-9145C847AA10}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{D5BAC04D-C18F-43C1-9D81-8F4CC9D1F3DC}
C:\Users\Patryk\AppData\Local\Microsoft\Windows\GameExplorer\{F4518805-9054-434A-84B5-D831B75896C2}
C:\Users\Patryk\AppData\Local\Mozilla\Firefox
C:\Users\Patryk\AppData\Roaming\BabMaint.exe
C:\Users\Patryk\AppData\Roaming\Movies2iPhone.ini
C:\Users\Patryk\AppData\Roaming\DefaultTab
C:\Users\Patryk\AppData\Roaming\Funmoods
C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BitTorrent.lnk
C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\SendTo\Xfire Friend.lnk
C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FTDownloader.com
C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MxNitro Browser
C:\Users\Patryk\AppData\Roaming\Mozilla\Extensions
C:\Users\Patryk\AppData\Roaming\Mozilla\Firefox
C:\Windows\System32\drivers\{31c21995-b861-4864-ab50-4a53fbca73d4}Gw64.sys
C:\Windows\System32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}w64.sys
C:\Windows\SysWow64\drivers\StarOpen.sys
C:\Windows\SysWOW64\jmdp
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg delete HKCU\Software\Google\Chrome /f
Reg: reg delete HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D} /f
Reg: reg delete HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96} /f
Reg: reg delete HKCU\Software\Mozilla\Firefox /f
Reg: reg delete HKCU\Software\MozillaPlugins /f
Reg: reg delete HKLM\SOFTWARE\Google\Chrome /f
Reg: reg delete HKLM\SOFTWARE\Mozilla\Firefox /f
Reg: reg delete HKLM\SOFTWARE\MozillaPlugins /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\Google\Chrome /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D} /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96} /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\mozilla.org /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\MozillaPlugins /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\AboutURLs" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\AboutURLs" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AMCenter" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCU" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CrossRiderPlugin" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IVONA Reader" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ROC_ROC_NT" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sony Ericsson PC Companion" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Toolbar" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Toolbar" /f
CMD: dir /a "C:\Program Files"
CMD: dir /a "C:\Program Files (x86)"
CMD: dir /a "C:\Program Files\Common Files"
CMD: dir /a "C:\Program Files (x86)\Common Files"
CMD: dir /a C:\ProgramData
CMD: dir /a C:\Users\Adrian\AppData\Local
CMD: dir /a C:\Users\Adrian\AppData\LocalLow
CMD: dir /a C:\Users\Adrian\AppData\Roaming
CMD: dir /a C:\Users\EWA.Marian-Komputer\AppData\Local
CMD: dir /a C:\Users\EWA.Marian-Komputer\AppData\LocalLow
CMD: dir /a C:\Users\EWA.Marian-Komputer\AppData\Roaming
CMD: dir /a C:\Users\Marian\AppData\Local
CMD: dir /a C:\Users\Marian\AppData\LocalLow
CMD: dir /a C:\Users\Marian\AppData\Roaming
CMD: dir /a C:\Users\Patryk\AppData\Local
CMD: dir /a C:\Users\Patryk\AppData\LocalLow
CMD: dir /a C:\Users\Patryk\AppData\Roaming
Folder: C:\Users\Patryk\AppData\Roaming\mxnitro
Folder: D:\Maxthon
RemoveDirectory: C:\Users\UpdatusUser
Hosts:
EmptyTemp:

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

From the Notepad menu > File > Save as > enter the name fixlist.txt > change Encoding to UTF-8

Place the fixlist.txt file next to the FRST tool. Run FRST and click Fix.
Wait patiently and do not interrupt the process. When Fix finishes its work, the system will be restarted. A fixlog.txt file will be created in the same directory from which FRST was run.

3. There are as many as 4 accounts in the system:

==================== Accounts: =============================
Adrian (S-1-5-21-1693294449-2853722536-560343305-1004 - Limited - Enabled) => C:\Users\Adrian
EWA (S-1-5-21-1693294449-2853722536-560343305-1006 - Limited - Enabled) => C:\Users\EWA.Marian-Komputer
Marian (S-1-5-21-1693294449-2853722536-560343305-1001 - Limited - Enabled) => C:\Users\Marian
Patryk (S-1-5-21-1693294449-2853722536-560343305-1003 - Administrator - Enabled) => C:\Users\Patryk

Logs are needed from each account separately. Log in to each one in turn via a full restart of the computer (not the Log off or Switch user options) and on each account make three new FRST logs with the Scan option; the Addition and Shortcut boxes must be ticked. On the limited accounts Adrian, EWA and Marian, FRST must be launched by double-click and not with "Run as administrator", so that the account context is not changed to Patryk's. So you have as many as 12 logs to provide, plus the fixlog.txt file with the removal results. All files are to be forum attachments, not hosted on external services.