
yoursites123 problem



Actions to carry out:

1. Uninstallations:

- Windows flag key + X > Programs and Features > uninstall the old versions Java 7 Update 75 (64-bit), Java 8 Update 31 (64-bit), Java 8 Update 40 (64-bit), Java SE Development Kit 7 Update 75 (64-bit), PrivDog 2 Legacy Browser Plug-ins and SHAREit Lenovo (presumably a forced installation).

- Run the Microsoft tool: CLICK. Accept > Detect problems and let me select the fixes to apply > Uninstalling > select the Metric Collection SDK 35 entry in the list > Next.

2. Open Notepad and paste into it:

 

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wiedźmin Edycja rozszerzona\The Witcher.lnk -> C:\Gry\The Witcher Enhanced Edition\launcher.exe (CD Projekt Red) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
ShortcutWithArgument: C:\Users\Patryk_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
ShortcutWithArgument: C:\Users\Patryk_2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
ShortcutWithArgument: C:\Users\Patryk_2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
ShortcutWithArgument: C:\Users\Patryk_2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
ShortcutWithArgument: C:\Users\Patryk_2\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5d696d521de238c3\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
GroupPolicy: Ograniczenia - Chrome 
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia 
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630"
CHR DefaultSearchURL: Default -> hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
CHR DefaultSearchKeyword: Default -> yoursites123
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
HKU\S-1-5-21-3680470863-837635135-2748872348-1009\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
HKU\S-1-5-21-3680470863-837635135-2748872348-1009\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3680470863-837635135-2748872348-1009 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3680470863-837635135-2748872348-1009 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&z=9e06f432922dad23fa641a2gczczdtbm7caz3e1eft&from=ient07021&uid=ST1000LM024XHN-M101MBB_S2U5J9DC835630&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3680470863-837635135-2748872348-1009 -> {C71907BF-3075-44A2-97AA-9ECBFC00F850} URL =
BHO-x32: Brak nazwy -> {DF925EF3-7A87-44E4-9CAF-8D7B280BF616} -> Brak pliku
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - Brak pliku
Toolbar: HKLM - Brak nazwy - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - Brak pliku
Toolbar: HKU\S-1-5-21-3680470863-837635135-2748872348-1009 -> Brak nazwy - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Brak pliku
Task: {181106EE-28C3-4629-BE0F-DD750C22F6F1} - System32\Tasks\{AE91BA69-A1A4-4076-8DFB-FB08375530E6} => pcalua.exe -a H:\setup.exe -d H:\
Task: {4513674C-45F5-495A-8759-A759F6DB7E6A} - System32\Tasks\DropboxUpdateTaskUserS-1-5-21-3680470863-837635135-2748872348-1002UA => C:\Users\Patryk\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: {625A84C7-0AC1-4F0D-9E83-286E956A17A4} - System32\Tasks\{337D64FE-D5DA-40B1-934D-8E9D24CA6B1F} => pcalua.exe -a "C:\Program Files (x86)\Maxis\SimCity 4\eauninstall.exe" -d "C:\Program Files (x86)\Maxis\SimCity 4"
Task: {7EFB6DDE-1C09-41AD-A196-9A8C8AA7E4FD} - System32\Tasks\DropboxUpdateTaskUserS-1-5-21-3680470863-837635135-2748872348-1002Core => C:\Users\Patryk\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: {D1EBEA14-C11C-4550-A18B-B25ACAE0C8A9} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2015-09-24] (Lenovo)
Task: {F8DC7B9A-8B64-4BC6-8549-513003E48C8A} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-3680470863-837635135-2748872348-1002Core.job => C:\Users\Patryk\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-3680470863-837635135-2748872348-1002UA.job => C:\Users\Patryk\AppData\Local\Dropbox\Update\DropboxUpdate.exe
S1 {df47b99d-26f5-45f4-85c5-97b4da365f21}Gw64; system32\drivers\{df47b99d-26f5-45f4-85c5-97b4da365f21}Gw64.sys [X]
R4 acedrv11; \??\C:\WINDOWS\system32\drivers\acedrv11.sys [X]
S2 Privacy Content Firewall; "C:\Program Files\AdTrustMedia\PrivDog\3.0.108.0\PrivDogService.exe" [X]
DisableService: Mobile Partner. RunOuc
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /ve /t REG_SZ /d Bing /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v URL /t REG_SZ /d "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v DisplayName /t REG_SZ /d "@ieframe.dll,-12512" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /ve /t REG_SZ /d Bing /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v URL /t REG_SZ /d "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v DisplayName /t REG_SZ /d "@ieframe.dll,-12512" /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "McAfee Security Scan Plus.lnk" /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Adobe ARM" /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "SunJavaUpdateSched" /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Wondershare Helper Compact.exe" /f
RemoveDirectory: C:\AdwCleaner
RemoveDirectory: C:\ProgramData\DWdMD
RemoveDirectory: C:\ProgramData\iWMiniProi
RemoveDirectory: C:\ProgramData\JWdMJ
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stardock
C:\Users\Administrator\Desktop\Customize Fences.lnk
C:\Users\PW\Desktop\Customize Fences.lnk
CMD: netsh advfirewall reset
EmptyTemp:

 

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Disable COMODO, as it will block FRST's operations. Run FRST and click Fix. Wait patiently and do not interrupt it. When the Fix finishes, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

 

3. In Google Chrome:

  • Reset sync (if enabled): CLICK.
  • Settings > Settings tab > Show advanced settings > scroll to the very bottom and run the Reset settings option. Bookmarks and passwords will not be affected.
4. Make a new FRST log using Scan, again with Addition, but this time without Shortcut. Also attach the fixlog.txt file.
Link to comment
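The fixlist in the post above removes the same hijacker URL from several persistence points (shortcut arguments, StartMenuInternet commands, the Chrome profile, Internet Explorer registry values). As an added example that is not part of the thread and not FRST's own code, this sketch groups FRST-format lines by the unexpected host they point to; the sample lines are constructed, and `ALLOWED_HOSTS`, `location()` and `find_hijacks()` are hypothetical names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the FRST line formats used in the fixlist above
# (paths invented, query strings shortened, uid replaced by a placeholder).
SAMPLE = r"""
ShortcutWithArgument: C:\Users\u\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449734008&uid=PLACEHOLDER
ShortcutWithArgument: C:\Users\u\Desktop\Game.lnk -> C:\Games\game.exe (Vendor) -> -windowed
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449734008&uid=PLACEHOLDER
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1449734008&uid=PLACEHOLDER
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449734008&uid=PLACEHOLDER&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
""".strip().splitlines()

# Matches normal and defanged (hxxp) URLs up to the next space or quote.
URL_RE = re.compile(r'(?:hxxp|http)s?://[^\s"]+', re.IGNORECASE)
ALLOWED_HOSTS = {"www.bing.com"}  # assumption: hosts the reviewer expects to see

# FRST line prefix -> persistence point; first match wins.
PREFIXES = [
    ("ShortcutWithArgument:", "shortcut"),
    ("StartMenuInternet:", "start-menu-command"),
    ("CHR ", "chrome-profile"),
    ("SearchScopes:", "ie-search-scope"),
    ("HKLM\\", "ie-registry"),
    ("HKU\\", "ie-registry"),
]

def location(line):
    """Classify where the URL is stored, based on the line prefix."""
    for prefix, name in PREFIXES:
        if line.startswith(prefix):
            return name
    return "other"

def find_hijacks(lines, allowed=ALLOWED_HOSTS):
    """Return {host: [(location, type-parameter), ...]} for unexpected hosts."""
    hits = defaultdict(list)
    for line in lines:
        match = URL_RE.search(line)
        if not match:
            continue  # e.g. a shortcut with an ordinary command-line switch
        url = re.sub(r"^hxxp", "http", match.group(0), flags=re.IGNORECASE)
        parts = urlsplit(url)
        if parts.hostname in allowed:
            continue
        # On this page the URLs carry type=sc, type=hp or type=ds.
        kind = parse_qs(parts.query).get("type", ["?"])[0]
        hits[parts.hostname].append((location(line), kind))
    return dict(hits)
```

A single host showing up across shortcuts, browser profiles and registry values at once is the pattern that tells a reviewer the change came from one installer rather than from the user's own settings.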

Everything has been done. One last minor fix for the new empty entries. Open Notepad and paste into it:

 

HKLM-x32\...\Run: [PrivDogService] => "C:\Program Files (x86)\AdTrustMedia\PrivDog\2.2.0.14\trustedadssvc.exe"
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
ShellIconOverlayIdentifiers: [sugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll Brak pliku
ShellIconOverlayIdentifiers: [sugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll Brak pliku
ShellIconOverlayIdentifiers: [sugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll Brak pliku
ShellIconOverlayIdentifiers: [sugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll Brak pliku
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => Brak pliku
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\MATS
RemoveDirectory: C:\Program Files\Java
RemoveDirectory: C:\Users\Patryk_2\Desktop\FRST-OlderVersion
CMD: del /q C:\Users\Patryk_2\Desktop\8svwje29.exe
CMD: del /q C:\Users\Patryk_2\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.Run.exe

 

Save the file as fixlist.txt and place it next to the FRST tool. Disable COMODO for the duration of the operation. Run FRST and click Fix. This time there will be no restart. Post the resulting fixlog.txt. New FRST scans are not needed.

Link to comment

Unfortunately I cannot attach the Delfix file. I am posting it in the post:

 

# DelFix v1.011 - Logfile created 13/12/2015 at 21:44:19

# Updated 18/08/2015 by Xplode

# Username : Patryk_2 - IDEA-PC

# Operating System : Windows 8.1 (64 bits)

 

~ Removing disinfection tools ...

 

Deleted : C:\FRST

Deleted : C:\Users\Patryk_2\Desktop\Addition.txt

Deleted : C:\Users\Patryk_2\Desktop\Fixlog.txt

Deleted : C:\Users\Patryk_2\Desktop\FRST.txt

Deleted : C:\Users\Patryk_2\Desktop\FRST64.exe

Deleted : C:\Users\Patryk_2\Downloads\Addition_10-12-2015_20-17-43.txt

Deleted : C:\Users\Patryk_2\Downloads\adwcleaner_5.015.exe

Deleted : HKLM\SOFTWARE\AdwCleaner

 

########## - EOF - ##########
