Yoursite123 kolejny zainfekowany:(

[Mosfet]

Mam ten sam problem co wiele osób na tym forum, bardzo proszę o pomoc

FRST.txt

Addition.txt

Shortcut.txt

GMER.txt

[picasso]

W logu są ślady, że problem adware (nie tylko tytułowy) zaczął się przy pobieraniu "Free Word To PDF", użyłeś jakiś "downloader" portalowy... Więcej na ten temat: KLIK. Kolejna sprawa: używałeś skaner-naciągacz SpyHunter, z daleka od tego świństwa, nie szukać "pełnej wersji". I było podejście z HijackThis, a to stary 32-bitowy program zupełnie niezdatny na systemie 64-bit!

 

 

Działania do przeprowadzenia:

 

1. Deinstalacje:

- Odinstaluj stare wersje i pozostałe: Adobe AIR, AVG Web TuneUp, Java 7 Update 17 (64-bit), Java 7 Update 21, Mozilla Firefox 33.1.1 (x86 pl), SpyHunter. Uwaga: zakładam, że deinstalacja Firefox zostanie wykonana i w punkcie 2 w skrypcie doczyszczam elementy Firefox.

- Uruchom narzędzie Microsoftu: KLIK. Zaakceptuj > Wykryj problemy i pozwól mi wybrać poprawki do zastosowania > Odinstalowywanie > zaznacz na liście wpis Metric Collection SDK > Dalej.

 

2. Otwórz Notatnik i wklej w nim:

 

CloseProcesses:
CreateRestorePoint:
S2 WdMan; C:\ProgramData\SWdMS\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [File not signed]
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Program uruchamiający aplikacje Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\Users\KO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450070380&z=21e223b3f0c97db3c281da1g7zccaefozzjcktmlma&from=wpm07173&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-2044814858-3257045265-4192325483-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-2044814858-3257045265-4192325483-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-2044814858-3257045265-4192325483-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={93343963-E764-42B8-8047-6BE83FD753AE}&mid=6b0653b77c2147d08c5181ac0f018585-4323c9a1a5a383db39737bd017fae0a1668e3319&lang=en&ds=AVG&coid=avgtbavg&cmpid=0915wt&pr=un&d=2015-09-13 20:01:02&v=4.1.6.294&pid=wtu&sg=&sap=dsp&q={searchTerms}
Toolbar: HKU\S-1-5-21-2044814858-3257045265-4192325483-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1448450618&z=75314eddb34a151c27cebf0g8z7z3bdz0wfeccbc5m&from=cor&uid=ST3250410AS_6RY1WRLEXXXX6RY1WRLE
HKU\S-1-5-21-2044814858-3257045265-4192325483-1000\...\Policies\Explorer: []
Task: {0E7839FE-EE11-47EF-8C4F-D063070EC499} - System32\Tasks\{2FE8B0D1-4608-4F26-A63F-A98671E9D533} => pcalua.exe -a "C:\Program Files (x86)\Steam\steam.exe" -c steam://uninstall/1250
Task: {0F3AE62F-CE3B-401C-8795-F48408F0BCB2} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)
Task: {2C6EA660-D6E9-4256-9747-59C2C4015781} - System32\Tasks\CTF Host => C:\Users\KO\AppData\Roaming\.minecraft\Ctfhost\ctfhost.exe
Task: {4E897B6B-2987-4475-8906-E3436FC3B2BC} - System32\Tasks\DLL-Files.Com Fixer_MONTHLY => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: {AD58BF4F-7881-4EE2-B10E-28BCDF613FF1} - System32\Tasks\0915wtUpdateInfo => C:\ProgramData\Avg_Update_0915wt\0915wt_{FBDD9017-B407-48D7-A009-BB1636219C98}.exe
Task: {CE1C38E9-EC40-4587-911F-911153215090} - System32\Tasks\{B3996386-9F10-46F8-8A21-547C99CD2D54} => pcalua.exe -a I:\SISetup.exe -d I:\
Task: {F0FB22AB-0316-466B-B3A2-259321D03A34} - \Program aktualizacji online firmy Adobe. -> No File 
Task: {F12E955B-5C71-49AD-ADFF-BB48133F2220} - System32\Tasks\DLL-Files.Com Fixer_Updates => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\Windows\Tasks\0915wtUpdateInfo.job => C:\ProgramData\Avg_Update_0915wt\0915wt_{FBDD9017-B407-48D7-A009-BB1636219C98}.exe
Task: C:\Windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\Windows\Tasks\DLL-Files.Com Fixer_Updates.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
AlternateDataStreams: C:\ProgramData\Microsoft:ecSWXQzQmt0NYxUedBRJg
AlternateDataStreams: C:\ProgramData\Microsoft:NaZu2xXXVCcoQdibmem30Mu4
AlternateDataStreams: C:\ProgramData\Microsoft:YEQkrOj5IinKrit2
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKCU\Software\Mozilla\Firefox
DeleteKey: HKCU\Software\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Mozilla\Firefox
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\Program Files (x86)\Lenovo
RemoveDirectory: C:\Program Files (x86)\Mozilla Firefox
RemoveDirectory: C:\ProgramData\MWMiniProM
RemoveDirectory: C:\ProgramData\NortonInstaller
RemoveDirectory: C:\ProgramData\SWdMS
RemoveDirectory: C:\ProgramData\TEMP
RemoveDirectory: C:\ProgramData\ZWdMZ
RemoveDirectory: C:\Users\KO\AppData\Local\Lenovo
RemoveDirectory: C:\Users\KO\AppData\Local\Mobogenie
RemoveDirectory: C:\Users\KO\AppData\Local\Mozilla\Firefox
RemoveDirectory: C:\Users\KO\AppData\Local\StormFall
RemoveDirectory: C:\Users\KO\AppData\Roaming\dll-files.com
RemoveDirectory: C:\Users\KO\AppData\Roaming\GoldenGate
RemoveDirectory: C:\Users\KO\AppData\Roaming\Mozilla\Firefox
RemoveDirectory: C:\Users\KO\AppData\Roaming\StormFall
RemoveDirectory: C:\Users\KO\AppData\Roaming\WarThunder
RemoveDirectory: C:\Users\KO\Desktop\SpyHunter 4.16.5.4290 [Eng] patch
RemoveDirectory: C:\Users\KO\REACHit
RemoveDirectory: C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
C:\Program Files (x86)\Mozilla Firefoxavg-secure-search.xml
C:\Users\KO\AppData\Local\Word-to-PDF-Converter_1357.rar
C:\Users\KO\AppData\Local\wordtopdf_setup.exe
C:\Users\KO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WarThunder.lnk
C:\Users\KO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url
C:\Users\KO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder.lnk
C:\Users\KO\Desktop\wordtopdf_setup [1].rar
C:\Users\KO\Desktop\wordtopdf_setup [1].exe
C:\Users\KO\Downloads\sh-remover.exe
C:\Users\KO\Downloads\SpyHunter*.*
C:\Windows\System32\Tasks\SpyHunter4Startup
C:\Windows\SysWOW64\Z
CMD: netsh advfirewall reset
Hosts:
EmptyTemp:

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

 

3. Zrób nowy log FRST z opcji Skanuj (Scan), ponownie z Addition, ale już bez Shortcut. Dołącz też plik fixlog.txt.

[Mosfet]

strona startowa uwolniona od yoursite123:)

Addition.txt

Fixlog.txt

FRST.txt

[picasso]

Brakuje nowego głównego raportu FRST.txt.

Edytowane 2 Czerwca 2016 przez picasso
Temat zostaje zamknięty z powodu braku odpowiedzi. //picasso