Problem z yoursites123... Proszę o pomoc

[Stivig]

Witam, 

Jak w temacie, mam problem z yoursites123 . Proszę o pomoc .

Addition.txt

FRST.txt

Shortcut.txt

[Rucek]

Sprobuj jeszcze zrobic obowiązkowy log GMER. Tutaj masz instrukcje: https://www.fixitpc.pl/topic/60-diagnostyka-infekcje-typu-rootkit/?do=findComment&comment=318
Jak nie pójdzie normalnie, to spróbuj w trybie awaryjnym.

[picasso]

Działania do przeprowadzenia:

 

1. Klawisz z flagą Windows + X > Programy i funkcje > odinstaluj stare wersje Adobe Shockwave Player 11.6, Java 7 Update 67, Java 8 Update 45 oraz adware Search App by Ask.

 

2. Otwórz Notatnik i wklej w nim:

 

CloseProcesses:
CreateRestorePoint:
R1 {6e9af5d3-a8f9-4461-ad38-1433888f55dc}Gw64; C:\Windows\System32\drivers\{6e9af5d3-a8f9-4461-ad38-1433888f55dc}Gw64.sys [48792 2015-01-18] (StdLib)
R2 IhPul; C:\Users\Admin\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 PicexaService; C:\Program Files (x86)\Picexa\PicexaSvc.exe [731784 2015-12-09] (Taiwan Shui Mu Chih Ching Technology Limited)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
R2 WdMan; C:\ProgramData\aWdMa\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [brak podpisu cyfrowego]
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\...\Run: [bingSvc] => C:\Users\Admin\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1421613586&from=cor&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1421613586&from=cor&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.delta-homes.com/web/?type=ds&ts=1442818831&z=5a0ea02a034ae54c10961f7gdzczao0bdgeb7bec3c&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.msn.com/?PC=AV01
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1442818831&z=5a0ea02a034ae54c10961f7gdzczao0bdgeb7bec3c&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1442818831&z=5a0ea02a034ae54c10961f7gdzczao0bdgeb7bec3c&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1442818831&z=5a0ea02a034ae54c10961f7gdzczao0bdgeb7bec3c&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {ACC52B24-A956-4C55-B2A7-64BD53CDAF96} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> {FDFEEB45-4A6B-4A30-8B24-494E19ECF4A8} URL = hxxp://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => Brak pliku
Toolbar: HKLM - Brak nazwy - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - Brak pliku
Toolbar: HKLM - Brak nazwy - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - Brak pliku
Toolbar: HKU\S-1-5-21-3564939431-14407423-2232478383-1001 -> Brak nazwy - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Brak pliku
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449835247&z=27085065a531c6ad3b146d3g3zfzet9b1cbw4o3z5m&from=ient07021&uid=ST500LT012-9WS142_W0V4CFTH
CHR HKU\S-1-5-21-3564939431-14407423-2232478383-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
HKU\S-1-5-21-3564939431-14407423-2232478383-1001\...\Policies\Explorer: []
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Brak pliku
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Brak pliku
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => Brak pliku
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Brak pliku
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Brak pliku
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => Brak pliku
CHR HKU\S-1-5-21-3564939431-14407423-2232478383-1001\SOFTWARE\Policies\Google: Ograniczenia 
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk" /f
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SunJavaUpdateSched /f
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\Program Files (x86)\Picexa
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\ProgramData\aWdMa
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picexa
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Kits\Windows Software Development Kit
RemoveDirectory: C:\Users\Admin\AppData\Local\Microsoft\BingSvc
RemoveDirectory: C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\{690E0F07-2CBB-4E9E-8468-10B0CAF56D0D}
RemoveDirectory: C:\Users\Admin\AppData\Roaming\Picexa Viewer
RemoveDirectory: C:\Users\Admin\AppData\Roaming\TSv
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\Projekt-zarzadzanie-13.12304882382700332959\Projekt-zarzadzanie-13.12.xlsx.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\MTM304883490099503112\MTM.xlsx.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\2%20(1)304883681391867324\2%20(1).xlsx.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Picexa.lnk
C:\Users\Public\Desktop\Picexa.lnk
C:\Windows\System32\drivers\{6e9af5d3-a8f9-4461-ad38-1433888f55dc}Gw64.sys
C:\WINDOWS\SysWOW64\pl.html
C:\WINDOWS\SysWOW64\pl2.exe
CMD: netsh advfirewall reset
EmptyTemp:

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

 

3. Wyczyść Goole Chrome z adware:

• Zresetuj synchronizację (o ile włączona): KLIK.
• Ustawienia > karta Rozszerzenia > odinstaluj sponsorowany Bing, o ile nadal będzie widoczny.
• Ustawienia > karta Ustawienia > Pokaż ustawienia zaawansowane > zjedź na sam spód i uruchom opcję Resetowanie ustawień. Zakładki i hasła nie zostaną naruszone.

4. Zrób nowy log FRST z opcji Skanuj (Scan), ponownie z Addition, ale już bez Shortcut. Dołącz też plik fixlog.txt.

[Stivig]

OK zrobilem wszystko tak jak jest napisane. Załączam pliki: 

Addition.txt

Fixlog.txt

FRST.txt

[picasso]

Wszystko wykonane i problem zasadniczy rozwiązany. Kolejny etap:

 

Uruchom AdwCleaner. Wybierz opcję Skanuj i dostarcz log wynikowy z folderu C:\AdwCleaner.

[Stivig]

Zrobione

AdwCleanerS1.txt

[picasso]

Uruchom AdwCleaner ponownie, tym razem wybierz po kolei opcje Skanuj i Usuń. Przedstaw log wynikowy z usuwania.

[Stivig]

Gotowe

AdwCleanerC1.txt

[picasso]

Wszystko wykonane. Kończymy:

 

1. Zastosuj DelFix oraz wyczyść foldery Przywracania systemu: KLIK.

 

2. Do czytania na co uważać, by ograniczyć podobne problemy: KLIK.