Akamai NetSession
This program is no longer on the list of installed programs; only an empty Autostart key is left of it.
1) Uninstall these programs:
WinZipper (HKLM\...\WinZipper) (Version: 1.5.105 - Taiwan Shui Mu Chih Ching Technology Limited.) <==== ATTENTION
YAC(Yet Another Cleaner!) (HKLM\...\iSafe) (Version: 6.6.214 - ELEX DO BRASIL cenzura!ÇÕES LTDA) <==== ATTENTION
2) Use AdwCleaner (http://www.programosy.pl/program,adwcleaner.html): first click SCAN, and only once the scan has finished and the CLEAN button becomes active, click that button.
3) Sentinel Protection
This program has been installed since 2009, so we leave it alone.
4)
HKU\S-1-5-21-1454471165-602609370-839522115-1003\...\MountPoints2: {9c32a2d8-0ecc-11de-8ea9-0016e65307f6} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
HKU\S-1-5-21-1454471165-602609370-839522115-1003\...\MountPoints2: {ddcd68c3-d7f8-11de-8f8b-0016e65307f6} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\\\\name\\\\\\\\\\\\less.exe
These keys may indicate an infected USB stick, but the stick was not plugged in while the scan was made, so the situation is not clear-cut.
Make a log with USBFix using the LISTING option (http://www.fixitpc.pl/topic/8-dezynfekcja-zbi%C3%B3r-narz%C4%99dzi-usuwaj%C4%85cych/#entry745).
5)
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
This is done by one of the installed programs; I don't remember which one, but we leave it alone.
6) Open Notepad and paste the following into it:
2015-07-24 12:27 - 2015-07-24 12:27 - 00000000 ____D C:\Program Files\Elex-tech
2015-07-24 12:27 - 2015-07-24 12:27 - 00000000 ____D C:\Documents and Settings\DNU_AW\Dane aplikacji\Elex-tech
2015-07-24 12:27 - 2015-04-16 10:55 - 00048784 _____ (Elex do Brasil cenzura!ções Ltda) C:\WINDOWS\system32\Drivers\iSafeKrnlBoot.sys
2015-07-24 12:27 - 2015-04-14 11:01 - 00056232 _____ (Elex do Brasil cenzura!ções Ltda) C:\WINDOWS\system32\Drivers\iSafeNetFilter.sys
2015-07-16 14:21 - 2015-07-24 11:54 - 00000000 ____D C:\Documents and Settings\DNU_AW\Dane aplikacji\WinZipper
2015-07-16 14:20 - 2015-07-16 14:20 - 00000000 ____D C:\Program Files\MiuiTab
2015-07-16 14:18 - 2015-07-16 14:18 - 00000000 ____D C:\Documents and Settings\DNU_AW\Dane aplikacji\MailUpdate
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
S3 SunkFilt; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys [X]
S3 VComm; system32\DRIVERS\VComm.sys [X]
S3 VcommMgr; System32\Drivers\VcommMgr.sys [X]
S3 BlueletAudio; system32\DRIVERS\blueletaudio.sys [X]
S3 BlueletSCOAudio; system32\DRIVERS\BlueletSCOAudio.sys [X]
S3 BT; system32\DRIVERS\btnetdrv.sys [X]
S3 Btcsrusb; System32\Drivers\btcusb.sys [X]
S3 BTHidEnum; system32\DRIVERS\vbtenum.sys [X]
S0 BTHidMgr; System32\Drivers\BTHidMgr.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
R1 iSafeKrnl; C:\Program Files\Elex-tech\YAC\iSafeKrnl.sys [225896 2015-05-14] (Elex do Brasil cenzura!ções Ltda)
S3 iSafeKrnlBoot; C:\WINDOWS\System32\DRIVERS\iSafeKrnlBoot.sys [48784 2015-04-16] (Elex do Brasil cenzura!ções Ltda)
R1 iSafeKrnlKit; C:\Program Files\Elex-tech\YAC\iSafeKrnlKit.sys [97784 2015-07-03] (Elex do Brasil cenzura!ções Ltda)
R1 iSafeKrnlR3; C:\Program Files\Elex-tech\YAC\iSafeKrnlR3.sys [73232 2015-07-23] (Elex do Brasil cenzura!ções Ltda)
R1 iSafeNetFilter; C:\WINDOWS\System32\DRIVERS\iSafeNetFilter.sys [56232 2015-04-14] (Elex do Brasil cenzura!ções Ltda)
S2 iSafeService; C:\Program Files\Elex-tech\YAC\iSafeSvc.exe [118048 2015-04-16] (Elex do Brasil cenzura!ções Ltda)
FF HKLM\...\Firefox\Extensions: [quick_searchff@gmail.com] - C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\extensions\quick_searchff@gmail.com
FF HKLM\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\extensions\sweetsearch@gmail.com
FF HKLM\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\extensions\default_newtabff@gmail.com
FF HKLM\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\extensions\defsearchp@gmail.com
FF SearchPlugin: C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\searchplugins\delta-homes.xml [2015-07-27]
FF Extension: Default NewTab - C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\Extensions\default_newtabff@gmail.com [2015-07-16]
FF Extension: Default SearchProtected - C:\Documents and Settings\DNU_AW\Dane aplikacji\Mozilla\Firefox\Profiles\k227gfn5.default\Extensions\defsearchp@gmail.com.xpi [2015-06-26]
FF NewTab: hxxp://www.delta-homes.com/newtab/?type=nt&ts=1437049130&z=f9a21e564b0a734d92f6e99gez5c9m6eazet7g6ccw&from=wpm07163&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF
FF DefaultSearchEngine: delta-homes
FF SelectedSearchEngine: delta-homes
FF Homepage: hxxp://www.delta-homes.com/?type=hp&ts=1437049130&z=f9a21e564b0a734d92f6e99gez5c9m6eazet7g6ccw&from=wpm07163&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF
Toolbar: HKU\S-1-5-21-1454471165-602609370-839522115-1003 -> Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
HKU\S-1-5-21-1454471165-602609370-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.delta-homes.com/?type=hp&ts=1433153782&z=7802a5b1c9cc67d4725d3e4g3zcc7c5g4wacft3meb&from=wpm06013&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF
HKU\S-1-5-21-1454471165-602609370-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.delta-homes.com/web/?type=ds&ts=1437049130&z=f9a21e564b0a734d92f6e99gez5c9m6eazet7g6ccw&from=wpm07163&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?type=ds&ts=1433153782&z=7802a5b1c9cc67d4725d3e4g3zcc7c5g4wacft3meb&from=wpm06013&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?type=ds&ts=1433153782&z=7802a5b1c9cc67d4725d3e4g3zcc7c5g4wacft3meb&from=wpm06013&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454471165-602609370-839522115-1003 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?type=ds&ts=1437049130&z=f9a21e564b0a734d92f6e99gez5c9m6eazet7g6ccw&from=wpm07163&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1454471165-602609370-839522115-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?type=ds&ts=1437049130&z=f9a21e564b0a734d92f6e99gez5c9m6eazet7g6ccw&from=wpm07163&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
HKU\S-1-5-21-1454471165-602609370-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-homes.com/?type=hp&ts=1433153782&z=7802a5b1c9cc67d4725d3e4g3zcc7c5g4wacft3meb&from=wpm06013&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF
HKU\S-1-5-21-1454471165-602609370-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1437049130&z=f9a21e564b0a734d92f6e99gez5c9m6eazet7g6ccw&from=wpm07163&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
HKU\S-1-5-21-1454471165-602609370-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-homes.com/?type=hp&ts=1433153782&z=7802a5b1c9cc67d4725d3e4g3zcc7c5g4wacft3meb&from=wpm06013&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1422435326&from=cor&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.delta-homes.com/?type=hp&ts=1433153782&z=7802a5b1c9cc67d4725d3e4g3zcc7c5g4wacft3meb&from=wpm06013&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1422435326&from=cor&uid=ST3808110AS_5LR5EEHFXXXX5LR5EEHF&q={searchTerms}
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
HKU\S-1-5-21-1454471165-602609370-839522115-1003\...\Run: [Akamai NetSession Interface] => "C:\Documents and Settings\DNU_AW\Ustawienia lokalne\Dane aplikacji\Akamai\netsession_win.exe"
C:\Documents and Settings\DNU_AW\Ustawienia lokalne\Dane aplikacji\Akamai\netsession_win.exe
EmptyTemp:
Save the file as fixlist.txt and place it next to FRST.exe.
Run FRST and click the Fix button.
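As an added example that is not part of the original post (and not FRST's own code), here is a small Python classifier that applies the same reading of FRST log lines the instructions above rely on: MountPoints2 entries that launch an executable through ShellExec_RunDLL (the pattern the post associates with an infected USB stick), service and driver entries marked [X] whose file is gone, Group Policy software restrictions, and browser search/homepage settings pointing at the hijacker domains seen in this log. The sample lines are constructed and modelled on the entries quoted in the post; the hijacker-domain list is an assumption taken from those entries, not a complete list.

```python
"""Flag FRST-style log lines for the indicators discussed in the post above.

Added example, not part of the original post or of FRST.  SAMPLE_LOG is
constructed from the kinds of entries quoted in the post; HIJACK_DOMAINS is
an assumption drawn from the same entries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed: search-hijacker domains taken from the post's own log lines.
HIJACK_DOMAINS = {"delta-homes.com", "sweet-page.com"}

# Constructed sample, modelled on the FRST entries quoted in the post.
SAMPLE_LOG = r"""
HKU\S-1-5-21-1454471165-602609370-839522115-1003\...\MountPoints2: {9c32a2d8-0ecc-11de-8ea9-0016e65307f6} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
HKU\S-1-5-21-1454471165-602609370-839522115-1003\...\MountPoints2: {ddcd68c3-d7f8-11de-8f8b-0016e65307f6} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\\name\\less.exe
HKU\S-1-5-21-1454471165-602609370-839522115-1003\...\MountPoints2: {11111111-2222-3333-4444-555555555555} - F:\
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
R1 iSafeKrnl; C:\Program Files\Elex-tech\YAC\iSafeKrnl.sys [225896 2015-05-14] (Elex do Brasil)
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
FF DefaultSearchEngine: delta-homes
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?type=ds&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&q={searchTerms}
"""

MOUNTPOINT_RE = re.compile(r"MountPoints2:\s*(\{[0-9a-f-]+\})\s*-\s*(.*)", re.I)
# FRST defangs some URLs as hxxp://, so accept both spellings.
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.I)
EXEC_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|jse)\b", re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a line matching one of the indicators, else None."""
    s = line.strip()
    if not s:
        return None
    m = MOUNTPOINT_RE.search(s)
    if m:
        target = m.group(2)
        # A MountPoints2 entry that runs an executable via ShellExec_RunDLL
        # is the pattern the post reads as a possible USB-stick infection;
        # a plain drive mapping such as "F:\" is normal.
        if "ShellExec_RunDLL" in target and EXEC_RE.search(target):
            return Finding("usb-autorun", s)
        return None
    if s.endswith("[X]"):
        # Service/driver entry whose file no longer exists: stale, not by
        # itself malicious, but a cleanup candidate.
        return Finding("orphaned-service", s)
    if "Group Policy restriction on software" in s:
        return Finding("software-restriction-policy", s)
    for url in URL_RE.findall(s):
        host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            return Finding("search-hijack", s)
    return None


def scan(text: str) -> List[Finding]:
    """Classify every line of an FRST-style log and keep the hits."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}")
    print(summarize(scan(SAMPLE_LOG)))
```

The classifier only highlights lines for a human to review, in the same way the post does: a MountPoints2 hit still has to be confirmed with the USB stick attached (here, with the USBFix listing), and an [X] entry is only stale, not evidence of infection.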