Yoursite123 - help with removal


The help is free, but please consider making a donation towards the upkeep of the site: click.

There is more adware here, not only the problem named in the title. ComboFix was used here, and on that subject: CLICK. These days it is not even a good program for removing adware; there are other, more specialized ones. Actions to carry out:

1. Uninstall the adware WordFly 1.10.0.25 and the unnecessary program Badanie mające na celu poprawę produktów HP Deskjet 1510 series (the HP Deskjet 1510 series product improvement study).

2. Open Notepad and paste into it:

CloseProcesses:
CreateRestorePoint:
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
ShortcutWithArgument: C:\Users\Damian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia 
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2426139859-1562633933-961591751-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2426139859-1562633933-961591751-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2426139859-1562633933-961591751-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246&q={searchTerms}
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => Brak pliku
BHO-x32: Brak nazwy -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> Brak pliku
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\defsearchp@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\deskCutv2@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [sidebarff@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\sidebarff@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\default_newtabff@gmail.com => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\2g6w3xar.default\extensions\yahooprotected@gmail.com => nie znaleziono
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1450101041&z=c53dd7c2fef391ab8baa0a0gez4w2e2gae2g7e2zeg&from=wpm07173&uid=SAMSUNGXHD502IJ_S13TJ9AQ845246
HKLM-x32\...\Run: [updReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [] => [X]
R2 IhPul; C:\Users\Damian\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2015-12-14] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main
RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox\plugins
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\Program Files (x86)\WinZipper
RemoveDirectory: C:\Qoobox
RemoveDirectory: C:\Users\Damian\AppData\Roaming\RHEng
RemoveDirectory: C:\Users\Damian\AppData\Roaming\TSv
RemoveDirectory: C:\Users\Damian\Desktop\Stare dane programu Firefox
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
EmptyTemp:

 

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

Save the file as fixlist.txt and place it next to the FRST tool. Run FRST and click Napraw (Fix). Wait patiently and do not interrupt it. When the Fix finishes its work, the system will be restarted. A fixlog.txt file will be created in the same directory FRST was run from.

3. Make a new FRST log using the Skanuj (Scan) option, again with Addition, but this time without Shortcut. Attach the fixlog.txt file as well.

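The fixlist in the post removes the same injected URL from four kinds of places: browser shortcuts, Internet Explorer Main values, SearchScopes and StartMenuInternet. The following read-only triage sketch is an added example, not part of the original post and not FRST code; it groups such log lines by the host they load. The function names, the placeholder domain, GUID and uid values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Line shapes as they appear in the fixlist in the post; other lines are ignored.
PATTERNS = [
    ("shortcut", re.compile(r"^ShortcutWithArgument: (?P<where>.+?\.lnk) -> "
                            r".+?\.exe(?: \(.*?\))? -> (?P<arg>.+)$", re.I)),
    ("ie_main", re.compile(r"^(?P<where>HK[^,]+\\Internet Explorer\\Main,[^=]+?)"
                           r" = (?P<arg>.+)$", re.I)),
    ("search_scope", re.compile(r"^SearchScopes: (?P<where>.+?) URL = (?P<arg>.+)$")),
    ("start_menu_internet", re.compile(r"^StartMenuInternet: (?P<where>\S+) - "
                                       r".+?\.exe (?P<arg>.+)$", re.I)),
]
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.I)

def host_of(arg):
    """Host of the first URL in arg (the log writes http as hxxp), or None."""
    m = URL_RE.search(arg)
    if not m:
        return None
    return urlsplit(re.sub(r"^hxxp", "http", m.group(0), flags=re.I)).hostname

def triage(log_text, allowed_hosts=frozenset()):
    """Map each non-allowed host to the (kind, location) entries that load it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for kind, pat in PATTERNS:
            m = pat.match(line.strip())
            if m:
                host = host_of(m.group("arg"))
                if host and host not in allowed_hosts:
                    hits[host].append((kind, m.group("where")))
                break
    return dict(hits)

# Constructed sample lines (placeholder domain, GUID and uid), not a real log.
SAMPLE = r"""
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.hijack.example/?type=sc&uid=DISK_0001
ShortcutWithArgument: C:\Users\Public\Desktop\Notes.lnk -> C:\Windows\notepad.exe (Microsoft Corporation) -> C:\todo.txt
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hijack.example/?type=hp&uid=DISK_0001
HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {00000000-0000-0000-0000-000000000001} URL = hxxp://www.hijack.example/web/?type=ds&q={searchTerms}
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.hijack.example/?type=sc&uid=DISK_0001
R2 SomeSvc; C:\Program Files (x86)\Some\svc.exe [1234 2015-01-01] ()
"""

if __name__ == "__main__":
    for host, entries in triage(SAMPLE, {"www.microsoft.com"}).items():
        print(host, len(entries))
        for kind, where in entries:
            print(f"  {kind:20} {where}")
```

Shortcuts whose argument holds no URL and hosts on the allow list (such as the default Microsoft search redirect seen in the post) are left out, so what remains is the set of locations a fix would have to cover.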