problem with qooqlle

Help is free, but please consider making a donation towards the upkeep of the site: click.

GMER is also one of the mandatory logs. The system was not prepared for running it, i.e. the instructions from the announcement (click) were not carried out:

DRV - [2010-12-20 17:40:25 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

The Qooqlle infection was acquired, let's not hide it, through stupidity: material with "codecs" downloaded from a torrent. And it is not only Qooqlle that is here, there is also this infection: click.

1. Run OTL and paste the following into the Custom Scans / Fixes section:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = "http://www.qooqlle.com/"
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://www.qooqlle.com/"
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.12.2.16749
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=BT5&o=15443&locale=en_US&apn_uid=7FB16828-629A-4CE0-B5F0-7B30564359AD&apn_ptnrs=GX&apn_sauid=545F57A3-4855-4E64-8F19-E24B2A2B3F15&apn_dtid=YYYYYYB3PL&q="
O2 - BHO: (no name) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [NPSStartup]  File not found
O4 - HKLM..\Run: [Readar_sl] C:\Documents and Settings\nowy\Dane aplikacji\Readar_sl.exe (Created with WinAutomation ("http://www.WinAutomation.com"))
O4 - HKLM..\Run: [system] C:\WINDOWS\system32\ie5unit.exe ()
O4 - HKLM..\Run: [TunesHelper] C:\Documents and Settings\All Users\TunesHelper.exe ()
O4 - HKCU..\Run: [system] C:\WINDOWS\system32\ie5unit.exe ()
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} "http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB" (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab" (Reg Error: Key error.)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
[2011-07-06 19:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Theorica Divx ;-) Codecs
[2011-05-28 15:01:13 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\toolbar@ask.com
[2010-12-12 20:10:28 | 000,000,000 | ---D | M] (vShare) -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar
[2011-07-07 09:43:19 | 000,002,567 | ---- | M] () -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\searchplugins\askcom.xml
[2011-07-07 09:33:11 | 000,001,860 | ---- | M] () -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\searchplugins\search.xml
[2010-12-08 21:41:44 | 000,001,583 | ---- | M] () -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\searchplugins\web-search.xml
[2011-07-07 13:01:01 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011-01-19 16:41:08 | 000,000,136 | ---- | C] () -- C:\WINDOWS\w5win.ini
@Alternate Data Stream - 24 bytes -> C:\WINDOWS:33A16C347C8DD65B
 
:Commands
[emptyflash]
[emptytemp]

Start it with the Run Fix button. The system will restart. After the restart a log with the removal results should appear.

2. OTL scripts cannot configure the Opera browser. The start page and the search engine must be reset manually in its options (click).

3. Go to Add / Remove Programs and uninstall the junk: Ask Toolbar, vShare Plugin (yes, that football-match plugin of dubious reputation), Winamp Toolbar. You can also get rid of all the Yahoo items.

4. New logs for review, namely:

  • OTL: generate a new log with the OTL Scan option. Also attach the removal-results log obtained in step 1.
  • The outstanding GMER log, run after the SPTD emulation driver has been removed.
  • The scan-mode log from AD-Remover.


Removal results:

All processes killed

========== OTL ==========

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!

Prefs.js: "Ask.com" removed from browser.search.defaultengine

Prefs.js: "Ask.com" removed from browser.search.defaultenginename

Prefs.js: "Ask.com" removed from browser.search.order.1

Prefs.js: "http://www.qooqlle.com/" removed from browser.startup.homepage

Prefs.js: toolbar@ask.com:3.12.2.16749 removed from extensions.enabledItems

Prefs.js: vshare@toolbar:1.0.0 removed from extensions.enabledItems

Prefs.js: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=BT5&o=15443&locale=en_US&apn_uid=7FB16828-629A-4CE0-B5F0-7B30564359AD&apn_ptnrs=GX&apn_sauid=545F57A3-4855-4E64-8F19-E24B2A2B3F15&apn_dtid=YYYYYYB3PL&q=" removed from keyword.URL

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater not found.

File C:\Program Files\Ask.com\Updater\Updater.exe not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Readar_sl deleted successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Readar_sl.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\System deleted successfully.

C:\WINDOWS\system32\ie5unit.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TunesHelper deleted successfully.

C:\Documents and Settings\All Users\TunesHelper.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\System deleted successfully.

File C:\WINDOWS\system32\ie5unit.exe not found.

Starting removal of ActiveX control {33564D57-0000-0010-8000-00AA00389B71}

C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.

Folder C:\Program Files\Theorica Divx ;-) Codecs\ not found.

Folder C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\toolbar@ask.com\ not found.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar\modules folder moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar\locale\en-US folder moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar\locale folder moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar\components folder moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar\chrome folder moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar folder moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\searchplugins\askcom.xml moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\searchplugins\search.xml moved successfully.

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\searchplugins\web-search.xml moved successfully.

File C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job not found.

C:\WINDOWS\w5win.ini moved successfully.

Unable to delete ADS C:\WINDOWS:33A16C347C8DD65B .

========== COMMANDS ==========

 

[EMPTYFLASH]

 

User: All Users

 

User: Default User

 

User: LocalService

 

User: NetworkService

 

User: nowy

->Flash cache emptied: 2178 bytes

 

User: VJ

 

Total Flash Files Cleaned = 0,00 mb

 

 

[EMPTYTEMP]

 

User: All Users

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 35624 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: nowy

->Temp folder emptied: 2640107 bytes

->Temporary Internet Files folder emptied: 1491815 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 51942187 bytes

->Opera cache emptied: 7312176 bytes

->Flash cache emptied: 0 bytes

 

User: VJ

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2114584 bytes

%systemroot%\System32 .tmp files removed: 2596 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 61751 bytes

RecycleBin emptied: 238536 bytes

 

Total Files Cleaned = 63,00 mb

 

 

OTL by OldTimer - Version 3.2.26.1 log created on 07082011_211053

 

Files\Folders moved on Reboot...

 

Registry entries deleted on Reboot...

 

 

I could not make the GMER log, because when I tried to run it the computer restarted, even though sptd.sys had been removed.

I also tried RootRepeal, but it hung during the scan.

Ad-Report-SCAN1.txt

OTL.Txt


One of the Firefox entries has switched back to Qooqlle, and there are also toolbar remnants still to be removed.

1. Run OTL and paste the following into the Custom Scans / Fixes section:

:OTL
FF - prefs.js..browser.search.selectedEngine: "qooqlle"
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
[2011-07-08 21:17:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar
 
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{043C5167-00BB-4324-AF7E-62013FAEDACF}"=-
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{42168F92-DA71-42E6-BC7F-132EAC1F1899}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\Software\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}]
[-HKEY_LOCAL_MACHINE\Software\Freeze.com]
[-HKEY_LOCAL_MACHINE\Software\Trymedia Systems]
[-HKEY_CURRENT_USER\Software\Zugo]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-

Click Run Fix. This time there will be no restart.

2. The removal log alone is enough for me to assess.

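Both OTL fix scripts in this thread share one format: the :OTL section lists scanner findings to remove, the :Reg section uses regedit .reg syntax, and :Commands runs cleanup commands. The audit helper below is an added example written for this thread (not part of OTL or of the original posts); it parses an abbreviated copy of the second script into the list of actions it would perform, so a fix can be reviewed before clicking Run Fix. It assumes the .reg conventions named in its docstring.

```python
"""Audit helper: list the actions an OTL fix script will perform before it runs.
Added example for this thread, not part of OTL. Assumes the :Reg section follows
regedit .reg syntax: [KEY] selects a key, [-KEY] deletes it, "name"=- deletes a value."""
import re
# Constructed sample: abbreviated from the second fix script posted in the thread.
SAMPLE_SCRIPT = r'''
:OTL
FF - prefs.js..browser.search.selectedEngine: "qooqlle"
[2011-07-08 21:17:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{043C5167-00BB-4324-AF7E-62013FAEDACF}"=-
[-HKEY_CURRENT_USER\Software\Zugo]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-
:Commands
[emptytemp]
'''

OTL_ITEM = re.compile(r'^\[.*?\]\s+\(.*?\)\s+--\s+(?P<path>.+)$')  # [date | size | attrs] (vendor) -- path
PREF = re.compile(r'^FF - prefs\.js\.\.(?P<name>[^:]+):\s*(?P<value>.+)$')  # FF - prefs.js..name: value

def parse_otl_script(text):
    """Return (action, target) tuples in script order."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':'):                  # section header such as :OTL or :Reg
            section, current_key = line[1:].lower(), None
            continue
        if section == 'otl':
            m = PREF.match(line)
            if m:                                 # prefs.js value is removed (as the log shows)
                actions.append(('remove_pref', m.group('name').strip()))
                continue
            m = OTL_ITEM.match(line)
            if m:                                 # file or folder is moved to OTL's quarantine
                actions.append(('move_file', m.group('path').strip()))
        elif section == 'reg':
            if line.startswith('[-') and line.endswith(']'):
                actions.append(('delete_key', line[2:-1]))
            elif line.startswith('[') and line.endswith(']'):
                current_key = line[1:-1]
            elif line.endswith('=-') and current_key:
                actions.append(('delete_value', current_key + '\\' + line[1:-3]))
        elif section == 'commands':
            actions.append(('command', line.strip('[]')))
    return actions
```

Run `parse_otl_script(SAMPLE_SCRIPT)` and compare the returned list against the removal log the forum asks for; any action that is not accounted for in the log is worth a second look.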

Removal log:

========== OTL ==========

Prefs.js: "qooqlle" removed from browser.search.selectedEngine

Prefs.js: vshare@toolbar:1.0.0 removed from extensions.enabledItems

C:\Documents and Settings\nowy\Dane aplikacji\Mozilla\Firefox\Profiles\xncuvf0q.default\extensions\vshare@toolbar folder moved successfully.

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{043C5167-00BB-4324-AF7E-62013FAEDACF} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{42168F92-DA71-42E6-BC7F-132EAC1F1899}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42168F92-DA71-42E6-BC7F-132EAC1F1899}\ not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Freeze.com\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Trymedia Systems\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Zugo\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.

 

OTL by OldTimer - Version 3.2.26.1 log created on 07102011_222830


The above task was completed successfully.

1. The previous OTL log still contained this result:

Unable to delete ADS C:\WINDOWS:33A16C347C8DD65B .

Remove this stream with one of the tools listed in this tutorial on NTFS streams: click.

2. Clean up after the tools used: use CleanUp in OTL + uninstall AD-Remover.

3. Scan the system with Malwarebytes' Anti-Malware and post the resulting report.

Edited by picasso
12.08.2011 - The topic is being closed due to lack of a reply. //picasso