
Piesearch search engine



Opera's LNK shortcuts have the piesearch.com address appended. Besides that, there is other adware junk. You used bogus scanners from the blacklist: SpyHunter and YAC (Yet Another Cleaner). Actions to perform:

1. Uninstall the old versions and the unnecessary Hewlett add-on: Adobe AIR, Gadu-Gadu 10, HP Customer Participation Program 13.0, Java 7 Update 71.

2. Open Notepad and paste into it:


CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera 26.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.piesearch.com/?type=sc&ts=1445521710&pid=etc22&uid=389458e5-880d-4d4d-9d95-41f8448ed22d 
StartMenuInternet: (HKLM) Opera - c:\program files (x86)\opera\opera.exe hxxp://www.piesearch.com/?type=sc&ts=1445521710&pid=etc22&uid=389458e5-880d-4d4d-9d95-41f8448ed22d
OPR Session Restore: -> [funkcja włączona]
CHR HomePage: Default -> gazeta.pl/0,0.html?p=174
CHR HKLM\...\Chrome\Extension: [oggihoncmelambjaefiboekididcaffe] - C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Extensions\oggihoncmelambjaefiboekididcaffe.crx [2015-10-22]
CHR HKLM-x32\...\Chrome\Extension: [mgmkibjehmijilgdlafejbedipjcjeaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oggihoncmelambjaefiboekididcaffe] - C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Extensions\oggihoncmelambjaefiboekididcaffe.crx [2015-10-22]
GroupPolicy: Ograniczenia - Chrome 
GroupPolicyUsers\S-1-5-21-144805859-2219087630-3865369261-1005\User: Ograniczenia 
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
SearchScopes: HKU\S-1-5-21-144805859-2219087630-3865369261-1001 -> {szukaj.gazeta.pl} URL = hxxp://szukaj.gazeta.pl/internet/0,0.html?slowo={searchTerms}
FF user.js: detected! => C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\xzpq7mwo.default-1445603186771\user.js [2015-11-28]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKU\S-1-5-21-144805859-2219087630-3865369261-1001\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
HKLM\...\Run: [sound+] => "C:\Program Files\Sound+\Sound+.exe"
BootExecute: autocheck autochk * sh4native Sh4Removal
R1 {b28b30d2-a22b-48a9-8948-d4167c37e7f0}Gw64; C:\Windows\System32\drivers\{b28b30d2-a22b-48a9-8948-d4167c37e7f0}Gw64.sys [48784 2015-11-28] (StdLib)
S1 CFRMD; C:\Windows\SysWOW64\DRIVERS\CFRMD.sys [37976 2012-09-03] (Windows ® Win 7 DDK provider) [brak podpisu cyfrowego]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-10-23] ()
S2 iSafeService; C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe [X]
Task: {0731C493-1698-4F14-B206-45173F0BCA5E} - System32\Tasks\{7F1DF47E-AB9A-40B6-8029-BE3AFB438C54} => pcalua.exe -a F:\BeachSoccer-Setup.exe -d F:\
Task: {11A83ED7-02FA-4458-9E52-534A61C6C7F8} - System32\Tasks\{0B4B8186-51F5-4F1D-96E0-CAD8D8AB7A0F} => pcalua.exe -a R:\wwp_vista_win7_fix_v1.4\wwp_vista_win7_fix_v1.4.exe -d R:\wwp_vista_win7_fix_v1.4
Task: {317EB34F-2335-44A8-9244-1218179686D9} - \LaunchPreSignup -> Brak pliku 
Task: {3371C453-BCF7-4F61-A063-8EEEF3B2CFC8} - System32\Tasks\{49E7D1B3-8A45-41B3-9DBA-AF9CB4A4DC2D} => pcalua.exe -a "C:\Users\Damian\Desktop\Video Download Pro 2011 v1.6 + Serial Setup.exe" -d C:\Users\Damian\Desktop
Task: {3C0B5843-28CE-4CD2-B8E3-27645815856F} - System32\Tasks\{0D857135-05DB-4F84-A463-F4C6CB051ADD} => pcalua.exe -a D:\STEROWNIKI\CIPSET\Intel_Chipset_V9111019_XPVistaWin7\AsusSetup.exe -d D:\STEROWNIKI\CIPSET\Intel_Chipset_V9111019_XPVistaWin7
Task: {505F3DDB-9193-414A-881D-7615C27D9225} - \ShopperProJSUpd -> Brak pliku 
Task: {60C17F4C-066C-46EF-BDAC-C744D02A8430} - System32\Tasks\{57AF6269-C597-4705-8636-79854E5C9156} => pcalua.exe -a "M:\EBBOOKI\Poradniki\W_zki_wid_owe\Wózki widłowe.exe" -d M:\EBBOOKI\Poradniki\W_zki_wid_owe
Task: {6515BE6B-2826-443D-B2EC-366116D7D14F} - System32\Tasks\{94587AC7-7D38-4D0A-B32F-5C9932FD8238} => pcalua.exe -a Q:\install.exe -d Q:\
Task: {6758FA59-E929-4345-AF6D-6C37A276127B} - System32\Tasks\{B3164340-0AB0-49A1-9E30-FB7A3F2A51E9} => pcalua.exe -a "D:\gry\Worms World Party\Install Fix - WWP.exe" -d "D:\gry\Worms World Party"
Task: {6C733E92-8F52-4F48-868E-01F4E44254E5} - System32\Tasks\{6B577985-DD11-45BA-84C8-B6F908EEF5EC} => pcalua.exe -a "D:\KURSY NOWE\NOWE\Spielegeier.de C&C 3 MapPack 1 (buczek0)\gsc_cnc3_mappack1.exe" -d "D:\KURSY NOWE\NOWE\Spielegeier.de C&C 3 MapPack 1 (buczek0)".)
Task: {92CFD66A-2F53-4DBC-9508-CDB57B311DEA} - System32\Tasks\Quark Updater => C:\Program Files (x86)\Quark\Quark Update\AutoUpdate.exe
Task: {AEE9F6A6-445C-417A-81E9-A59363D9368B} - System32\Tasks\{6D8A562D-DA95-40BB-B673-25E8471D4C7E} => pcalua.exe -a S:\Setup.exe -d S:\
Task: {B430B682-48EE-49B3-9280-4E5A8781BBC2} - System32\Tasks\{2052379E-F022-4D1C-93E0-D908860BA9FF} => E:\PandoraMT2\PandoraMT2\PandoraMT2.exe
Task: {BC347298-122C-4976-9E7E-1B92296AB63E} - System32\Tasks\{97B892F9-F64F-4700-BEE0-25EAB13E376E} => pcalua.exe -a "D:\KURSY NOWE\NOWE\Spielegeier.de C&C 3 MapPack 4 (buczek0)\gsc_cnc3_mappack4.exe" -d "D:\KURSY NOWE\NOWE\Spielegeier.de C&C 3 MapPack 4 (buczek0)"
Task: {BD12206F-AE8B-4AE9-BA1B-4A0A31AB2983} - System32\Tasks\{3E87F9C4-BF82-4161-8DCA-26837C855774} => pcalua.exe -a C:\Users\Damian\Desktop\chomikowe2\Alcohol120_retail_1.9.8.7612_incl_Crack\Alcohol120_retail_1.9.8.7612.exe -d C:\Users\Damian\Desktop\chomikowe2\Alcohol120_retail_1.9.8.7612_incl_Crack
Task: {C4CADBAB-2EAD-4411-A40C-E5F9A1C57894} - \LaunchSignup -> Brak pliku 
Task: {C6907BBA-CA38-409A-ACE1-6E4A31B6E185} - System32\Tasks\{A91B074A-D354-4D0E-BC5A-D22F8C4EA6CB} => pcalua.exe -a C:\Users\Damian\Desktop\VirtualDub-1.9.11\auxsetup.exe -d C:\Users\Damian\Desktop\VirtualDub-1.9.11
Task: {C9FB88B2-96D7-40F2-9831-64ABAC14F4AF} - System32\Tasks\{5A1B6063-9453-48EE-ADE1-D5BC9D95FDE1} => E:\PandoraMT2\PandoraMT2\PandoraMT2.exe
Task: {CACB8B61-687D-40DE-8AA9-C534A980562B} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-08-19] (Reimage®) 
Task: {CF98020F-D126-4711-98E4-6D01C6419A51} - System32\Tasks\{892E58CB-273F-4819-8EF2-86D902F2B59A} => pcalua.exe -a "E:\PROGRAMY 2\WinZip120PL2.Pro\Key.exe" -d "E:\PROGRAMY 2\WinZip120PL2.Pro"
Task: {EC3F7223-6D4E-432C-8462-C530213D659C} - System32\Tasks\{3D1BE8FA-CFE8-449B-9BF7-9C37CDEF7AEB} => pcalua.exe -a C:\Users\Damian\Desktop\NetFx20SP1_x64.exe -d C:\Users\Damian\Desktop
Task: {EFA32238-1062-482F-BC4D-43F0FCB89B48} - System32\Tasks\{66FAFD47-6C5E-406A-B13C-59DE5D960966} => pcalua.exe -a U:\InstallVol1.exe -d U:\
Task: {F6F1E030-EF7D-452C-B557-643250D901B9} - System32\Tasks\{CDBA298A-806E-471E-97DE-3B7977C98C38} => pcalua.exe -a F:\Launch.exe -d F:\
Task: {F947F921-54F4-4FCB-B954-922172B51E05} - System32\Tasks\{8DEEB99E-7AD6-42A9-9E53-3B923A19676D} => pcalua.exe -a F:\instmsiw.exe -d F:\
HKU\S-1-5-21-144805859-2219087630-3865369261-1001\Software\Classes\.exe: exefile => 
C:\END
C:\Program Files\Reimage
C:\ProgramData\Malwarebytes
C:\ProgramData\Microsoft\Windows\Start Menu\µTorrent.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WavePad Sound Editor.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Related Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoConnect
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DivX
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MP3Gain
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
C:\Users\Damian\Start Menu\Programs\SpyHunter
C:\Users\Damian\AppData\Local\{683D1C05-7868-4006-9A95-F6AB78778047}
C:\Users\Damian\AppData\Local\Installer.lnk
C:\Users\Damian\AppData\Local\Installer
C:\Users\Damian\AppData\Local\Microsoft\Windows\GameExplorer\{629FE38E-26C9-476A-BE5D-F67290DD8507}
C:\Users\Damian\AppData\Local\Microsoft\Windows\GameExplorer\{95D39E4F-8A6B-43CA-9168-A0D93AE24E98}
C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Run in safe mode.lnk
C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera 26 (2).lnk
C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\WorldEdit.lnk
C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
C:\Users\Damian\AppData\Roaming\Mr Retro\Machine Wash\MW Vol 1 Washes Folder.lnk
C:\Users\Damian\Desktop\Angielski przed wyjazdem_mp3+pdf — skrót.lnk
C:\Users\Damian\Desktop\driver+ecran+asus+vh192d_10924_i91756123_il345.exe
C:\Users\Damian\Desktop\SpyHunter 4.20.9.4533 Eng 32 Bit Portable
C:\Users\Damian\Downloads\BA42.tmp
C:\Windows\System32\drivers\{b28b30d2-a22b-48a9-8948-d4167c37e7f0}Gw64.sys
C:\Windows\System32\drivers\EsgScanner.sys
C:\Windows\SysWOW64\drivers\CFRMD.sys
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google2SRT Packages" /f
CMD: netsh advfirewall reset
EmptyTemp:

 

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

From the Notepad menu > File > Save as > enter the name fixlist.txt > change Encoding to UTF-8

Place the fixlist.txt file next to the FRST tool. Run FRST and click Fix (Napraw). Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Make a new FRST log with the Scan (Skanuj) option, again with Addition, but without Shortcut. Also attach the fixlog.txt file.

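The shortcut hijack named in the first post (a browser .lnk whose arguments carry an appended URL) can be picked out of an FRST log mechanically. The following is an added example, not part of the original posts and not FRST's own code; the browser executable list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed list of browser launchers; their shortcuts normally carry no URL argument.
BROWSER_EXES = {"launcher.exe", "opera.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Line shape as quoted in the post:
# "ShortcutWithArgument: <lnk> -> <target> (<company>) -> <arguments>"
LINE_RE = re.compile(
    r"^ShortcutWithArgument:\s*(?P<lnk>.+?\.lnk)\s*->\s*(?P<target>.+?\.exe)\s*"
    r"\((?P<company>[^)]*)\)\s*->\s*(?P<args>.*)$",
    re.IGNORECASE,
)
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"']+", re.IGNORECASE)


def refang(url):
    """Map the defanged hxxp/hxxps scheme back to http/https, for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def find_hijacked_shortcuts(log_text):
    """Return (lnk, exe, host) for browser shortcuts whose arguments contain a URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        exe = m["target"].rsplit("\\", 1)[-1].lower()
        if exe not in BROWSER_EXES:
            continue  # non-browser tools may legitimately take a URL argument
        for url in URL_RE.findall(m["args"]):
            host = urlsplit(refang(url)).hostname or ""
            findings.append((m["lnk"], exe, host))
    return findings


# Constructed sample lines in the shape of the entry quoted in the post.
SAMPLE = r"""
ShortcutWithArgument: C:\Users\Example\Desktop\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.piesearch.com/?type=sc&pid=example
ShortcutWithArgument: C:\Users\Example\Desktop\Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Default"
ShortcutWithArgument: C:\Users\Example\Desktop\Tool.lnk -> C:\Tools\tool.exe (Example) -> hxxp://intranet.example/start
"""

if __name__ == "__main__":
    for lnk, exe, host in find_hijacked_shortcuts(SAMPLE):
        print(f"{lnk}: {exe} is launched with a URL on host {host}")
```

Only the first sample line is reported: the second has browser switches but no URL, and the third is not a browser shortcut.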

Final fix. Open Notepad and paste into it:


Task: {B2B679A8-EB4F-44B9-A813-6912DBC6ED47} - System32\Tasks\{EC8325B5-6AA4-4329-A017-954574DE9712} => pcalua.exe -a C:\Users\Damian\Desktop\Setup-TrojanKiller-DM.exe -d C:\Users\Damian\Desktop
Task: {EF7E523F-B954-4E9F-8880-CBB7AD387AF9} - System32\Tasks\{BBBF2650-07A4-48A0-8176-087D5C28FCAC} => pcalua.exe -a C:\Users\Damian\Desktop\jre-8u66-windows-i586-iftw.exe -d C:\Users\Damian\Desktop
DeleteKey: HKCU\Software\Classes\pokki
DeleteKey: HKCU\Software\InstalledBrowserExtensions
DeleteKey: HKCU\Software\Softonic
DeleteKey: HKCU\Software\tstamptoken
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{444785F1-DE89-4295-863A-D46C3A781394}
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{444785F1-DE89-4295-863A-D46C3A781394}
DeleteKey: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
DeleteKey: HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
DeleteKey: HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
DeleteKey: HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{444785F1-DE89-4295-863A-D46C3A781394}
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\amiupdaterExd
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\amiupdaterExi
DeleteKey: HKLM\SOFTWARE\InstalledBrowserExtensions
DeleteKey: HKLM\SOFTWARE\Solvusoft
DeleteKey: HKLM\SOFTWARE\SOUNDPLUS
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\InstalledBrowserExtensions
DeleteKey: HKLM\SOFTWARE\Wow6432Node\ShopperPro
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Reimage
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Reimage Repair
DeleteKey: HKU\S-1-5-18\Software\GeekBuddyRSP
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\Program Files (x86)\Elex-tech
RemoveDirectory: C:\Program Files\AdTrustMedia
RemoveDirectory: C:\ProgramData\GridinSoft
RemoveDirectory: C:\Users\Damian\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\elicpjhcidhpjomhibiffojpinpmmpil
RemoveDirectory: C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\jq1wfeqx.default
RemoveDirectory: C:\Windows\system32\log

 

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). This time there will be no restart. Post the resulting fixlog.txt.


A small correction: out of tiredness I replaced the 32-bit and 64-bit paths "the wrong way round" in Notepad. Open Notepad and paste into it:


DeleteKey: HKLM\SOFTWARE\ShopperPro
DeleteKey: HKLM\SOFTWARE\Reimage
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Reimage Repair
DeleteKey: HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
DeleteKey: HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
DeleteKey: HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
DeleteKey: HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
DeleteKey: HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
DeleteKey: HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
DeleteKey: HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Solvusoft
DeleteKey: HKLM\SOFTWARE\Wow6432Node\SOUNDPLUS
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{444785F1-DE89-4295-863A-D46C3A781394}

 

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Fix (Napraw). Post the resulting fixlog.txt.
