yoursite 123 - problem w przeglądarkach

[sps80]

Witam,

Przyczepił się do mnie yoursite. We wszystkich przeglądarkach mam go jako stronę startową. Zmiana strony startowej nic nie daje. Serdecznie proszę o pomoc. 

Dołączam pliki FRST. Z góry proszę o zrozumienie - nie jestem zaawansowanym użytkownikiem, więc pewnie będę często dopytywał (niekiedy trudno zrozumieć mi język, którym posługują się osoby informatycznie zaawansowane )

 

EDIT: korzystając z dobrej rady dołączam jeszcze plik GMER.

Addition.txt

FRST.txt

Shortcut.txt

gmer.txt

[picasso]

Jest tu więcej obiektów adware niż tylko zgłoszony problem. Działania do przeprowadzenia:

 

1. Klawisz z flagą Windows + X > Programy i funkcje > odinstaluj adware PriceFountain, qksee, Sparta, Update for PriceFountain oraz zbędny co dopiero doinstalowany Trojan Remover 6.9.4.2943.

 

2. Otwórz Notatnik i wklej w nim:

 

CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\Paweł\AppData\Roaming\TSv\TSvr.exe [116368 2016-03-11] (tsvr.com)
R2 qkseeService; C:\Program Files (x86)\qksee\qkseeSvc.exe [699952 2016-03-08] (Qksee Pvt Ltd.)
ShortcutWithArgument: C:\Users\Paweł\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
Edge HomeButtonPage: HKU\S-1-5-21-1527049857-3966740355-1081886749-1001 -> hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
CHR HomePage: Default -> hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX"
CHR DefaultSearchURL: Default -> hxxp://yoursites123.com/web?type=ds&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
CHR DefaultSearchKeyword: Default -> yoursites123
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1457616819&z=eb3fdeb65f9f964376a5457gezew6m9q6gcq2b1oce&from=wpm06023&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://yoursites123.com/web?type=ds&ts=1452246889&z=9efa50a809597cab3aaf86dgaz9wdododzcqab5tee&from=wpm01073&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://yoursites123.com/web?type=ds&ts=1452246889&z=9efa50a809597cab3aaf86dgaz9wdododzcqab5tee&from=wpm01073&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://yoursites123.com/web?type=ds&ts=1452246889&z=9efa50a809597cab3aaf86dgaz9wdododzcqab5tee&from=wpm01073&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://yoursites123.com/web?type=ds&ts=1452246889&z=9efa50a809597cab3aaf86dgaz9wdododzcqab5tee&from=wpm01073&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
HKU\S-1-5-21-1527049857-3966740355-1081886749-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449651705&z=8c201e92005a15c88f66f02g4z7zatbq2w4g1maeeq&from=ient07021&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
HKU\S-1-5-21-1527049857-3966740355-1081886749-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKU\S-1-5-21-1527049857-3966740355-1081886749-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1457946990&z=8b56f61cb354d03d27d071egbz0w6m5tbz6q3tetag&from=wpm0314&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX
HKU\S-1-5-21-1527049857-3966740355-1081886749-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449651705&z=8c201e92005a15c88f66f02g4z7zatbq2w4g1maeeq&from=ient07021&uid=HGSTXHTS541010A9E680_JD1008CC22NTXV22NTXVX&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
SearchScopes: HKU\S-1-5-21-1527049857-3966740355-1081886749-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => Brak pliku
BHO-x32: Crazy Score -> {f439aa7e-a2a0-4635-99a2-164180e848ca} -> C:\Program Files (x86)\Crazy Score\Extensions\f439aa7e-a2a0-4635-99a2-164180e848ca.dll => Brak pliku
GroupPolicy: Ograniczenia - Chrome 
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia 
FF HKLM-x32\...\Firefox\Extensions: [firefox@bho.com] - C:\Program Files\Hewlett-Packard\SimplePass\FFBHOExt
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [blueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
Task: {0EF69011-9907-4E78-86A7-5F0D9BDCDEF6} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku 
Task: {164EACF4-D349-423E-B55E-27329C76199B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku 
Task: {1A9F482D-E600-4E5C-82D6-7A134732EDB5} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku 
Task: {1BDF7289-3C06-4220-B8B9-273E99EA24CD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku 
Task: {1E403F14-1F18-416C-BDB3-D3FCF0DC82DB} - System32\Tasks\PawełPaddyAdmiringV2 => Rundll32.exe QueenliestRecurrence.dll,main 7 1 
Task: {216DF7FA-9D53-410C-97BA-5BFAB6FB4F57} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku 
Task: {840FB214-B101-43F3-8523-9D5095447604} - System32\Tasks\PriceFountainUpdateVer => C:\Users\Paweł\AppData\Roaming\PriceFountainUpdateVer\UpdateProc\UpdateTask.exe [2016-03-10] () 
Task: {8E785614-6758-4FAF-B0F0-7C5043C164F7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku 
Task: {94868A7A-5D2A-4E22-93FA-FDEBDB0AD766} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku 
Task: {AB60656C-EC98-41C0-99D0-AA1B062A3051} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku 
Task: {B6835CA6-8D4B-4674-8A78-CB089C416ABE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku 
Task: {CF7555BC-8CB0-4F5B-BE3D-AC04819AC48F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku 
Task: {F9E778F4-77E3-4C2E-99CA-FF3EE10C4E72} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku 
Task: C:\WINDOWS\Tasks\PriceFountainUpdateVer.job =>
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedHomepages /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy" /v ProtectedSearchScopes /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.yoursites123.com" /f
Reg: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\yoursites123.com" /f
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v Napisy24Update /f
C:\Program Files (x86)\SSFK.exe
C:\Program Files (x86)\SFK
C:\Program Files (x86)\qksee
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\ProgramData\5WdM5
C:\ProgramData\MWdMM
C:\ProgramData\Temp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qksee
C:\Users\Paweł\AppData\Local\AION
C:\Users\Paweł\AppData\Local\PaddyAdmiring
C:\Users\Paweł\AppData\Local\Sparta
C:\Users\Paweł\AppData\Local\TarpaperStylizes
C:\Users\Paweł\AppData\Roaming\PriceFountainUpdateVer
C:\Users\Paweł\AppData\Roaming\qksee
C:\Users\Paweł\AppData\Roaming\sparta111
C:\Users\Paweł\AppData\Roaming\TSv
C:\Users\Paweł\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
C:\Users\Paweł\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Sparta.lnk
C:\Users\Paweł\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\qksee.lnk
C:\Users\Paweł\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url
C:\Users\Paweł\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sparta
C:\Users\Paweł\Downloads\_\_\_01\ARCHIWUM- do przejrzenia\PDF-XChange Viewer.lnk
C:\WINDOWS\SysWOW64\data.bin
C:\WINDOWS\SysWOW64\upddf
DisableService: Mobile Partner. RunOuc
CMD: netsh advfirewall reset
EmptyTemp:

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, system zostanie zresetowany. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

 

3. Wyczyść przeglądarki z adware:

 

Firefox:

• Odłącz synchronizację (o ile włączona): KLIK.
• Menu Pomoc > Informacje dla pomocy technicznej > Odśwież program Firefox. Zakładki i hasła nie zostaną naruszone.
• Menu Historia > Wyczyść całą historię przeglądania.

Google Chrome:

• Zresetuj synchronizację (o ile włączona): KLIK.
• Ustawienia > karta Ustawienia > Pokaż ustawienia zaawansowane > zjedź na sam spód i uruchom opcję Resetowanie ustawień. Zakładki i hasła nie zostaną naruszone.
• Ustawienia > karta Ustawienia > sekcja Szukaj > klik w Zarządzanie wyszukiwarkami > skasuj z listy wszystko z wyjątkiem Google.

4. Zrób nowy log FRST z opcji Skanuj (Scan), ponownie z Addition, ale już bez Shortcut. Dołącz też plik fixlog.txt. Edytowane 2 Czerwca 2016 przez picasso
Temat zostaje zamknięty z powodu braku odpowiedzi. //picasso