Otwiera mi sie sama strona w przeglądarce

[sweter]

nazywa się "financehint", wywala mi ją co jakąś tam ilość kliknięć, zaczęło się parę dni temu, skanowałam komputer czym się dało i dalej to badziewie gdzieś się chowa


gmer http://www.wklej.org/hash/276e1862284/
OTL http://www.wklej.org/hash/db643f0896a/
EXTRAS http://www.wklej.org/hash/bac29bf15d5/

[wojtas]

odinstaluj Vuze_Remote Toolbar

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
SRV - File not found [Auto | Stopped] -- -- (nbsjjqzdtyqun)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-790525478-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df&t=1
IE - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz2.dll (Conduit Ltd.)
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaultthis.engineName: "Softonic-Polska Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=8460"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..extensions.enabledItems: mil@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
[2011-03-24 09:36:54 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Documents and Settings\ADMIN\Dane aplikacji\Mozilla\Firefox\Profiles\c0apta66.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2011-03-24 09:36:54 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\ADMIN\Dane aplikacji\Mozilla\Firefox\Profiles\c0apta66.default\extensions\engine@conduit.com
[2010-08-29 18:44:24 | 000,000,000 | ---D | M] (MakeItLive) -- C:\Documents and Settings\ADMIN\Dane aplikacji\Mozilla\Firefox\Profiles\c0apta66.default\extensions\mil@toolbar
[2010-10-10 17:52:18 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\ADMIN\Dane aplikacji\Mozilla\Firefox\Profiles\c0apta66.default\extensions\vshare@toolbar
[2011-03-22 20:24:40 | 000,000,000 | ---D | M] ("urn:mozilla:install-manifest" em:id="avg@igeared" em:name="AVG Security Toolbar" em:version="6.103.018.001" em:displayname="AVG Security Toolbar" em:iconURL="chrome://tavgp/skin/logo.ico" em:creator="AVG Technologies" em:description="AVG Security Toolbar" em:homepageURL="http://www.avg.com" >) -- C:\PROGRAM FILES\AVG\AVG9\TOOLBAR\FIREFOX\AVG@IGEARED
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (FlashGet Bar) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll (Amaze Soft)
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\tbVuz2.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [F-Secure TNB] File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [RemoteControl] File not found
O4 - Startup: C:\Documents and Settings\ADMIN\Menu Start\Programy\Autostart\PowerReg Scheduler.exe ()
O4 - HKU\S-1-5-21-790525478-1409082233-725345543-1003..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\ADMIN\fswagz.exe) - C:\Documents and Settings\ADMIN\fswagz.exe ()
O20 - AppInit_DLLs: (?U??U??UBoth) - File not found
O20 - HKU\S-1-5-21-790525478-1409082233-725345543-1003 Winlogon: Shell - (C:\Documents and Settings\ADMIN\fswagz.exe) - C:\Documents and Settings\ADMIN\fswagz.exe ()
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O33 - MountPoints2\{47979d54-406a-11dd-b815-0016e64f4bef}\Shell\AutoRun\command - "" = o1.com
O33 - MountPoints2\{47979d54-406a-11dd-b815-0016e64f4bef}\Shell\explore\Command - "" = o1.com
O33 - MountPoints2\{47979d54-406a-11dd-b815-0016e64f4bef}\Shell\open\Command - "" = o1.com
O33 - MountPoints2\{732abbe2-3a53-11df-bb5a-0016e64f4bef}\Shell\AutoRun\command - "" = WDSetup.exe
O33 - MountPoints2\{a4d25032-49ad-11e0-bd69-0016e64f4bef}\Shell - "" = AutoRun
O33 - MountPoints2\{a4d25032-49ad-11e0-bd69-0016e64f4bef}\Shell\AutoRun\command - "" = H:\autorun.exe
O33 - MountPoints2\{e22837fa-7393-11dd-b867-0016e64f4bef}\Shell - "" = AutoRun
O33 - MountPoints2\{e22837fa-7393-11dd-b867-0016e64f4bef}\Shell\AutoRun\command - "" = H:\autorun\Autorun.exe SamMax101.exe

:Files
C:\WINDOWS\Tasks\WGASetup.job
C:\Documents and Settings\ADMIN\Dane aplikacji\BabylonToolbar
C:\Documents and Settings\All Users\Dane aplikacji\AVG Security Toolbar
C:\WINDOWS\System32\shimg.dll
C:\Program Files\AVG\AVG9\Toolbar
C:\Program Files\Vuze_Remote
C:\Program Files\ConduitEngine

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"TaskMan"=-

:Services
nbsjjqzdtyqun

:Commands
[emptytemp]
[emptyflash]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie).

[sweter]

OTL http://www.wklej.org/hash/6cc23dfba3c/

raport z czyszczenia http://www.wklej.org/hash/2e6947ccc57/

[wojtas]

:OTL
IE - HKU\S-1-5-21-790525478-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df&t=1
() (No name found) -- C:\DOCUMENTS AND SETTINGS\ADMIN\DANE APLIKACJI\MOZILLA\FIREFOX\PROFILES\C0APTA66.DEFAULT\EXTENSIONS\{19503E42-CA3C-4C27-B1E2-9CDB2170EE34}.XPI
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\WebBrowser: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1409082233-725345543-1003\..\Toolbar\WebBrowser: (no name) - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No CLSID value found.
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\ADMIN\fswagz.exe) - C:\Documents and Settings\ADMIN\fswagz.exe ()
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - File not found

:Files
C:\Documents and Settings\ADMIN\fswagz.exe
C:\Documents and Settings\ADMIN\Dane aplikacji\Mozilla\Firefox\Profiles\c0apta66.default\extensions\{c86eb8a9-ccc2-4b6c-b75d-73576ed591bf}

:Services
AVG Security Toolbar Service

:Commands
[emptytemp]
[emptyflash]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie).

[sweter]

OTL http://www.wklej.org/hash/dfe5215aa3d/

raport

Kod: Zaznacz wszystko

All processes killed
========== OTL ==========
HKU\S-1-5-21-790525478-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-790525478-1409082233-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1409082233-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1409082233-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{965B54B0-71E0-4611-8DE7-F73FA0B20E26} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:C:\Documents and Settings\ADMIN\fswagz.exe deleted successfully.
File move failed. C:\Documents and Settings\ADMIN\fswagz.exe scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}\ deleted successfully.
File {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - File not found not found.
File ptytemp] not found.
File ptyflash] not found.

OTL by OldTimer - Version 3.2.22.3 log created on 03282011_174322

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\ADMIN\fswagz.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...


[wojtas]

Pobierz i uruchom narzędzie
The Avenger
Wklej do okienka programu

Files to delete:
c:\Documents and Settings\ADMIN\fswagz.exe

Klikasz Execute,

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
O20 - HKLM Winlogon: TaskMan - (c:\documents and settings\admin\fswagz.exe) - c:\Documents and Settings\ADMIN\fswagz.exe ()

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"TaskMan"=-

:Commands
[emptytemp]
[emptyflash]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

wklejasz na forum raport: C:\avenger.txt + log z OTL

[sweter]

Avenger

Kod: Zaznacz wszystko

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\Documents and Settings\ADMIN\fswagz.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

OTL

Kod: Zaznacz wszystko

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:c:\documents and settings\admin\fswagz.exe deleted successfully.
File c:\Documents and Settings\ADMIN\fswagz.exe not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: ADMIN
->Temp folder emptied: 1626048 bytes
->Temporary Internet Files folder emptied: 54993 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 81590827 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1971 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 79,00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: ADMIN
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03292011_165514

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


[wojtas]

Wykonaj czynności końcowe :
*Uruchom OTL z opcji sprzątanie.
* wykonaj optymalizację Windowsa ( instrukcja dla Windowsa XP, lecz w innych systemach jest podobnie )
* zrób pełny skan Malwarebytes Anti-Malware (zaktualizuj, usuń co znajdzie )
* Skasuj stan przywracania systemu


Zaktualizuj zabezpieczenia:
>>> Adobe Reader (bez Free McAfee® Security Scan Plus)
>>> Internet Explorer 8
>>> Service Pack 3
>>> Java™ 6 Update 24

i napisz jak sytuacja

[sweter]

sytuacja wygląda dobrze, tylko czynności końcowe chcą mnie wykończyć
dziękuje za pomoc, poświęcony czas i zaangażowanie

co tu dużo gadać, wojtas, jesteś moim bohaterem!

na wieki będą chwalić twoje imię i mężne czyny