
Safefinder and other browser hijackers



Somewhere I picked up junk of the "nicesearch" (search engine) and "advertisementbycontext" (pop-up ads) kind.

I uninstalled all the suspicious programs except Safefinder; that one refuses to uninstall (clicking "uninstall" in the Control Panel only closes Firefox, if it is open). I also removed all the "additions" to the address in the Firefox shortcut and threw out all the add-ons. The problem went away only partly: I managed to restore the home page, but opening a new tab still opens a different page (searchinme). In addition, on another user's profile on this computer there is no way at all to get rid of these search engines.

EDIT: I cannot get rid of the pop-up ads by any means.

Kaspersky does not show any malware.

I am attaching the logs

Addition.txt

FRST.txt

GMER.txt

Shortcut.txt


1) Try to uninstall this program:

WinZip (HKLM-x32\...\WinZip) (Version: 2.2.74 - Winzipper Pvt Ltd.) <==== ATTENTION

2) Open Notepad and paste into it:


Task: {23F9BBCC-F88B-4002-A361-5B15A25A8F18} - System32\Tasks\{EDC40DF3-9E10-4D1A-AF24-98D0235A6F05} => pcalua.exe -a "K:\Adobe CS6\Set-up.exe" -d "K:\Adobe CS6"
Task: {61595C35-56D5-4401-97B0-7EBEE453FBA5} - System32\Tasks\{4AA75E9E-9464-4AEF-9230-1EC6ECF64C75} => pcalua.exe -a C:\Users\DINO\Downloads\iview442_setup.exe -d C:\Users\DINO\Downloads
Task: {942DD457-381C-4F26-995D-C9304E467C63} - System32\Tasks\{960028F6-94A0-4318-9C86-21A57C6288A8} => pcalua.exe -a C:\Users\DINO\Downloads\Saitek_X52_Flight_Controller_SD6_64.exe -d C:\Users\DINO\Downloads
Task: {AE95E0F2-333F-425B-A6AF-70187E1B5823} - System32\Tasks\YestonyUpdateTaskMachineCore => C:\Program Files (x86)\Yestony\Update\YestonyUpdate.exe [2016-05-27] () <==== ATTENTION
Task: {DE51F135-2165-4227-B352-3F417DDD4534} - System32\Tasks\YestonyUpdateTaskMachineUA => C:\Program Files (x86)\Yestony\Update\YestonyUpdate.exe [2016-05-27] () <==== ATTENTION
RemoveDirectory: C:\Program Files (x86)\Yestony
RemoveDirectory: C:\Program Files (x86)\WinSaber
RemoveDirectory: C:\Program Files (x86)\WinZipper
RemoveDirectory: C:\ProgramData\swinps
RemoveDirectory: C:\Users\DINO\AppData\Roaming\TSv
RemoveDirectory: C:\ProgramData\Opejob
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\Windows\SysWOW64\_SSpm
R2 IhPul; C:\Users\DINO\AppData\Roaming\TSv\TSvr.exe [210128 2016-08-08] (Trend Corp.)
R2 WdMan; C:\ProgramData\swinps\WFini.exe [564456 2016-08-02] (WFini LIMITED)
R2 winsaber; C:\Program Files (x86)\WinSaber\WinSaber.exe [432344 2016-07-28] ()
R2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [1242232 2016-07-27] (ExWzp Pvt Ltd.) <==== ATTENTION
S4 YestonyP; C:\ProgramData\Yestony\Yestony.exe [399768 2016-05-27] ()
S4 YestonyU; C:\Program Files (x86)\Yestony\Update\YestonyUpdate.exe [533400 2016-05-27] ()
S2 NoIPDUCService4; D:\PROGRAMY\No-IP\ducservice.exe [X]
S2 Opejob; C:\ProgramData\Opejob\Opejob.exe [X]
S2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe -s [X]
S3 avchv; system32\DRIVERS\avchv.sys [X]
S3 BRDriver64; \??\C:\programdata\bitraider\BRDriver64.sys [X]
S3 BRDriver64_1_3_3_7ECFDFEA; \??\C:\ProgramData\BitRaider\support\1.3.3\7ECFDFEA\BRDriver64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S1 wfdrvr_vt_1_10_0_28; system32\drivers\wfdrvr_vt_1_10_0_28.sys [X]
S1 {31c21995-b861-4864-ab50-4a53fbca73d4}Gw64; system32\drivers\{31c21995-b861-4864-ab50-4a53fbca73d4}Gw64.sys [X]
S1 {371bcf01-e691-44bf-9345-60788e5d16a5}Gw64; system32\drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}Gw64.sys [X]
S1 {df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64; system32\drivers\{df8eec40-f909-439c-9ffe-3fee212f71b9}Gw64.sys [X]
U3 kxtdapob; \??\C:\Users\DINO\AppData\Local\Temp\kxtdapob.sys [X]
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.nuesearch.com/?type=sc&ts=1467717899&z=5ac70d7741297910ff3c9a6gfz3q4mam2g6m9t7e2o&from=wpm0616&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.nuesearch.com/?type=sc&ts=1467717899&z=5ac70d7741297910ff3c9a6gfz3q4mam2g6m9t7e2o&from=wpm0616&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder\WarThunder.lnk -> C:\Games\WarThunder\launcher.exe (Gaijin Entertainment) -> hxxp://www.nuesearch.com/?type=sc&ts=1467717899&z=5ac70d7741297910ff3c9a6gfz3q4mam2g6m9t7e2o&from=wpm0616&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.nuesearch.com/?type=sc&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.nuesearch.com/?type=sc&ts=1467717899&z=5ac70d7741297910ff3c9a6gfz3q4mam2g6m9t7e2o&from=wpm0616&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk -> C:\Program Files (x86)\Yestony\Application\chrome.exe (Google Inc.) -> hxxp://www.nuesearch.com/?type=sc&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\DINO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk -> C:\Program Files (x86)\Firefox\Firefox.exe (Mozilla Corporation) -> hxxp://www.nuesearch.com/?type=sc&ts=1470379113&z=1d88acf30453e535ffefa6bg8z8mee7c4m0t6g3ofo&from=wpm0802&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Yestony\Application\chrome.exe (Google Inc.) -> hxxp://www.nuesearch.com/?type=sc&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Firefox\Firefox.exe (Mozilla Corporation) -> hxxp://www.nuesearch.com/?type=sc&ts=1467717899&z=5ac70d7741297910ff3c9a6gfz3q4mam2g6m9t7e2o&from=wpm0616&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.nuesearch.com/?type=sc&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
ShortcutWithArgument: C:\Users\Public\Desktop\WarThunder.lnk -> C:\Games\WarThunder\launcher.exe (Gaijin Entertainment) -> hxxp://www.nuesearch.com/?type=sc&ts=1467717899&z=5ac70d7741297910ff3c9a6gfz3q4mam2g6m9t7e2o&from=wpm0616&uid=TOSHIBAXQ300_Y5DB635CKNRX
AlternateDataStreams: C:\ProgramData\Microsoft:GXanUABG0Tqo6L6XDgZk1Yldo71Ji [2102]
AlternateDataStreams: C:\ProgramData\Microsoft:MW8Pp9mzabCLuZhJtJDkjeK [2054]
AlternateDataStreams: C:\Users\DINO\AppData\Local\Temp:L2Exx3kmbplrP0txYFRc5T3aLXK4 [2052]
HKU\S-1-5-21-819675344-3165160550-3345714557-1000\...\Run: [AdobeBridge] => [X]
AppInit_DLLs: C:\ProgramData\Opejob\Singredstrong.dll => No File
AppInit_DLLs-x32: C:\ProgramData\Opejob\Opensanlab.dll => No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.nuesearch.com/?type=hp&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.nuesearch.com/?type=hp&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.nuesearch.com/?type=hp&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.nuesearch.com/?type=hp&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
HKU\S-1-5-21-819675344-3165160550-3345714557-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBPxn49PYmQ6e1krQXBFZY3csf7qNDRR7O5HssxgYHeMF2xQynl7GLhHvGItAUHZBjZDlyy9jruiQvCzaAtJFeGv92xlrPapX7ojg1jZ825FxNry4WYsTTI4c2go-EP7VBrJFObQdxmUl5TaT6YhkMW_gNz2Q7k_MZnaw,,&q={searchTerms}
HKU\S-1-5-21-819675344-3165160550-3345714557-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.nuesearch.com/?type=hp&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
HKU\S-1-5-21-819675344-3165160550-3345714557-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBPxn49PYmQ6e1krQXBFZY3csf7qNDRR7O5HssxgYHeMF2xQynl7GLhHvGItAUHZBjZDlyy9jruiQvCzaAtJFeGv92xlrPapX7ojg1jZ825FxNry4WYsTTI4c2go-EP7VBrJFObQdxmUl5TaT6YhkMW_gNz2Q7k_MZnaw,,&q={searchTerms}
HKU\S-1-5-21-819675344-3165160550-3345714557-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBPxn49PYmQ6e1krQXBFZY3csf7qNDRR7O5HssxgYHeMF2xQynl7GLhHvGItAUHZBjZDlyy9jruiQvCzaAtJFeGv92xlrPapX7ojg1jZ825FxNry4WYsTTI4c2go-EP7VBrJFObQdxmUl5TaT6YhkMW_gNz2Q7k_MZnaw,,&q={searchTerms}
HKU\S-1-5-21-819675344-3165160550-3345714557-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.nuesearch.com/?type=hp&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-819675344-3165160550-3345714557-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-819675344-3165160550-3345714557-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.nuesearch.com/search/?type=ds&ts=1466009986&z=8a91de2c6a230366785450egbzfq5q8e4ebt1t6tde&from=wpm0614&uid=TOSHIBAXQ300_Y5DB635CKNRX&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - c:\program files (x86)\internet explorer\iexplore.exe hxxp://www.nuesearch.com/?type=sc&ts=1470660500&z=92cd54b43c4a0751522bac0g0zdmaebqaq7eew4e2g&from=wpm0808&uid=TOSHIBAXQ300_Y5DB635CKNRX
FF Homepage: hxxp://www.nuesearch.com/?type=hp&ts=1470660500&z=92cd54b43c4a0751522bac0g0zdmaebqaq7eew4e2g&from=wpm0808&uid=TOSHIBAXQ300_Y5DB635CKNRX
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe hxxp://www.nuesearch.com/?type=sc&ts=1470660500&z=92cd54b43c4a0751522bac0g0zdmaebqaq7eew4e2g&from=wpm0808&uid=TOSHIBAXQ300_Y5DB635CKNRX
C:\Windows\SysWOW64\pl.html
C:\Windows\SysWOW64\pl_*.html
C:\Windows\SysWOW64\EN_*.html
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3ABFE3EF-41B7-415D-B2AF-20AF570679A5}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3ABFE3EF-41B7-415D-B2AF-20AF570679A5}
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\YestonyP
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\qkseeService
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\YestonyU
HOSTS:
EmptyTemp:

Save the file under the name fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.

3) Use AdwCleaner
First click SCAN, and only after the scan has finished, when the CLEANING button becomes active, click it.
Post its "C" report.

4) Make new FRST logs.

jessi

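As an added illustration, not part of the thread, the small Python checker below reads lines in the FRST log format quoted above and lists every shortcut argument and browser setting whose value is a URL, grouping them by host and decoding the percent-encoded hostnames that appear in the Search Bar entries; the sample log lines, hostnames and tracking values are constructed placeholders, not the poster's real ones.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlparse

# Constructed sample in the FRST log format shown in the thread; paths,
# hostnames and tracking parameters are placeholders, not the poster's values.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\USER\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Firefox\Firefox.exe (Mozilla Corporation) -> hxxp://www.hijack.example/?type=sc&ts=0&uid=PLACEHOLDER
ShortcutWithArgument: C:\Users\USER\Desktop\Game.lnk -> C:\Games\launcher.exe (Vendor) -> hxxp://www.hijack.example/?type=sc&ts=0
Shortcut: C:\Users\USER\Desktop\Notepad.lnk -> C:\Windows\notepad.exe (Microsoft Corporation)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hijack.example/?type=hp
HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.hijack.example/?p=PLACEHOLDER&q={searchTerms}
FF Homepage: hxxp://www.hijack.example/?type=hp
R2 winzipersvc; C:\Program Files (x86)\WinZipper\winzipersvc.exe [1242232 2016-07-27] (Vendor) <==== ATTENTION
"""

# FRST defangs URLs as hxxp://; accept both the defanged and the plain form.
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+")


def decoded_host(url):
    """Hostname of a (possibly defanged) URL, with %XX escapes decoded so an
    obfuscated host such as %66%65%65%64.example reads as feed.example."""
    plain = unquote(url.replace("hxxp", "http", 1))
    return urlparse(plain).hostname or ""


def find_hijacks(log_text):
    """Return (kind, location, host) for every line carrying a URL.
    A .lnk whose argument is a URL forces the browser to open that page
    on every launch, which is the redirect the thread's poster describes."""
    findings = []
    for line in log_text.strip().splitlines():
        m = URL_RE.search(line)
        if not m:
            continue  # services, drivers and plain shortcuts carry no URL
        if line.startswith("ShortcutWithArgument:"):
            kind = "shortcut-argument"
            location = line.split(" -> ")[0].split(": ", 1)[1]  # the .lnk path
        else:
            kind = "browser-setting"
            location = line[:m.start()].rstrip(" =:")  # registry value or FF key
        findings.append((kind, location, decoded_host(m.group(0))))
    return findings


def hijacked_hosts(log_text):
    """Count how many shortcuts and settings point at each host."""
    return Counter(host for _, _, host in find_hijacks(log_text))
```

When several unrelated shortcuts and settings all point at the same host, that host is the hijacker to clean out everywhere, including in the other user's profile.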