yoursites123

kam · 13 Grudnia 2015

Witam. Mam problem z wirusem yoursites, jak wielu użytkowników wcześniej. Proszę o pomoc

picasso · 14 Grudnia 2015

Działania do przeprowadzenia:

1. Klawisz z flagą Windows + X > Programy i funkcje > odinstaluj: Amazon 1Button App, Picexa. Następnie uruchom Zoek i w oknie wklej:

Metric Collection SDK;u

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

Klik w Run Script. Powstanie plik zoek-results.log. W eksploratorze Windows menu Widok > Opcje > Zmień opcje folderów i wyszukiwania > Widok > odznacz Ukryj rozszerzenia znanych plików > zmień nazwę pliku na zoek-results.txt, by dało się go wstawić jako załącznik forum.

2. Otwórz Notatnik i wklej w nim:

CloseProcesses:

CreateRestorePoint:

ShortcutWithArgument: C:\Users\Anna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

ShortcutWithArgument: C:\Users\Anna\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

GroupPolicy: Ograniczenia - Chrome

CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}

HKU\S-1-5-21-3582033095-210680416-1671569307-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

HKU\S-1-5-21-3582033095-210680416-1671569307-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =

SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}

SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367&q={searchTerms}

SearchScopes: HKU\S-1-5-21-3582033095-210680416-1671569307-1001 -> {ACA901FD-3807-4DE4-B11A-7BDF781A7F6E} URL =

StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

Edge HomeButtonPage: HKU\S-1-5-21-3582033095-210680416-1671569307-1001 -> hxxp://www.yoursites123.com/?type=hp&ts=1449740439&z=b55f1467a0c5df3e3d3df3eg6z4zctem4z0e3cct4e&from=ient07021&uid=SanDiskXSDSSDHII480G_153266400367

Task: {04EDC69F-6EC0-4670-B438-58D5C82745EC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku

Task: {286B0FDC-C20B-45F9-9383-195725E71F46} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)

Task: {381366F4-9428-474F-A726-26981FB230FB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku

Task: {5C966E97-A51C-4A41-BD42-7ADE49C72721} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku

Task: {62ABA388-5213-4A60-939C-60C87F7370B0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku

Task: {83F1190D-2978-4B60-B536-C87D69BF79DD} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku

Task: {9340CE08-6888-4752-B56D-B622FBD3C6C6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku

Task: {9679FD21-1C38-4D42-BCB1-D867F5AFBFBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku

Task: {A2292B5B-5FA6-41F8-8ED7-95BA9DABBA91} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\WINDOWS\TEMP\DeleteFolderTask.exe [2015-12-13] ()

Task: {AE5C3EB7-D3E5-480A-811D-95796EEB8CCC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku

Task: {C36450A1-FA7D-4549-9E8D-4925634F3338} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku

Task: {C724DEF4-DBDF-4EC2-B351-AC7BE13427F3} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku

Task: {EF788547-4A75-4CB2-9300-57F29C89C418} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku

DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I

DeleteKey: HKCU\Software\dobreprogramy

DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo

DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedSearchScopes /f

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f

Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f

RemoveDirectory: C:\Program Files (x86)\Google

RemoveDirectory: C:\Program Files (x86)\Lenovo

RemoveDirectory: C:\Program Files (x86)\Picexa

RemoveDirectory: C:\ProgramData\BWdMB

RemoveDirectory: C:\ProgramData\JWdMJ

RemoveDirectory: C:\ProgramData\yWMiniProy

RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa

RemoveDirectory: C:\Users\Anna\AppData\Local\Google

RemoveDirectory: C:\Users\Anna\AppData\Local\Lenovo

RemoveDirectory: C:\Users\Anna\AppData\Roaming\eCyber

RemoveDirectory: C:\Users\Anna\AppData\Roaming\Picexa Viewer

RemoveDirectory: C:\Windows\System32\Tasks\Lenovo

C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat

C:\WINDOWS\SysWOW64\data.bin

EmptyTemp:

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

3. Zrób nowy log FRST z opcji Skanuj (Scan), ponownie z Addition, ale już bez Shortcut. Dołącz też pliki fixlog.txt i zoek-results.txt. Potwierdź ustąpienie problemu także w przelądarce Edge.