1) Uninstall this program:
Body Text Feathering (HKLM-x32\...\PopupProduct) (Version: 1.0.0.0 - Body Text Feathering) <==== UWAGA
2) Open Notepad and paste the following into it:
Task: {14308DB2-0D2B-4971-A160-B54F6681AF23} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
Task: {6680C602-81A6-4B0C-B05D-E8E753619F3C} - System32\Tasks\KuaiZip_Update => C:\Program Files\żěŃą\X86\Update.exe [2016-10-12] (Shanghai Guangle Network Technology Ltd) <==== UWAGA
Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== UWAGA
RemoveDirectory: C:\Program Files (x86)\UCBrowser
RemoveDirectory: C:\Program Files\żěŃą
RemoveDirectory: C:\Users\Radek\AppData\Roaming\AzigcWig
RemoveDirectory: C:\Program Files (x86)\00000000-1476269399-0000-0000-4CCC6A653515
RemoveDirectory: C:\ProgramData\Logic Handler
RemoveDirectory: C:\ProgramData\NetworkPacketManitor
RemoveDirectory: C:\Users\Radek\AppData\Roaming\Hemkajdoa
RemoveDirectory: C:\Program Files (x86)\KuaiZip
RemoveDirectory: C:\Program Files (x86)\GreatMaker
RemoveDirectory: c:\program files (x86)\hzocult
RemoveDirectory: C:\Program Files (x86)\hhh
ShortcutWithArgument: C:\Users\Radek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
ShortcutWithArgument: C:\Users\Radek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
C:\ProgramData\service.exe
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v app /f
Reg: reg delete HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v apphide /f
Reg: reg delete HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v svchost0 /f
FirewallRules: [{5B41EDAA-57A8-49EC-891A-0374D4A8EDF0}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{431AF16F-D728-4155-A416-CEF9A1F4AE8B}] => (Allow) C:\Users\Radek\AppData\Local\Temp\is-63UA0.tmp\download\MiniThunderPlatform.exe
FirewallRules: [{9DA86F76-960D-47EF-A589-CDBA4928018D}] => (Allow) C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe
Reg: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations /t REG_MULTI_SZ /d "" /f
CMD: for %i in ("C:\Program Files\żěŃą\X86\*.dll") do regsvr32.exe /s /u %i
HKLM-x32\...\Run: [app] => C:\Program Files (x86)\hhh\uc.exe
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\...\Run: [svchost0] => "C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"\UUC0789.exe
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\...\Run: [apphide] => C:\Program Files (x86)\hhh\uc.exe
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\...\Run: [msiql] => C:\Users\Radek\AppData\Local\Temp\00030760\msiql.exe [1883648 2016-10-12] () <===== UWAGA
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\żěŃą\X64\KZipShell.dll [2016-10-12] ()
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => C:\Program Files (x86)\KuaiZip\X64\KZipShell.dll [2016-10-12] ()
Tcpip\..\Interfaces\{278113f7-8e6e-4ef4-9979-f7ea34593993}: [NameServer] 104.197.191.4
Tcpip\..\Interfaces\{9a09523d-76ef-11e6-a54d-806e6f6e6963}: [NameServer] 104.197.191.4
Tcpip\..\Interfaces\{f38d7eb6-4b2a-45c1-b419-54cb4fa7c1ed}: [NameServer] 104.197.191.4
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ9CG1th_NJ3aIxi49zmOXbQL8qaC_zZ9NirkP5IQSM5CsInT_YxA1S5uLdtDeaEJHIiwp5VrFFfnaayWQQomPVJDrkFKc6RK_1dnOLmDduChNcD6CloIwOy_PzKwx_cdxb8MWkInRYXyZp1HJKRzaO3ovRJg,,&q={searchTerms}
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131207683642326213&GUID=A5398763-DE7D-448E-B204-226BC1CE32FA
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ9CG1th_NJ3aIxi49zmOXbQL8qaC_zZ9NirkP5IQSM5CsInT_YxA1S5uLdtDeaEJHIiwp5VrFFfnaayWQQomPVJDrkFKc6RK_1dnOLmDduChNcD6CloIwOy_PzKwx_cdxb8MWkInRYXyZp1HJKRzaO3ovRJg,,&q={searchTerms}
HKU\S-1-5-21-2224646682-2379115363-2177298087-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ9CG1th_NJ3aIxi49zmOXbQL8qaC_zZ9NirkP5IQSM5CsInT_YxA1S5uLdtDeaEJHIiwp5VrFFfnaayWQQomPVJDrkFKc6RK_1dnOLmDduChNcD6CloIwOy_PzKwx_cdxb8MWkInRYXyZp1HJKRzaO3ovRJg,,&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ9CG1th_NJ3aIxi49zmOXbQL8qaC_zZ9NirkP5IQSM5CsInT_YxA1S5uLdtDeaEJHIiwp5VrFFfnaayWQQomPVJDrkFKc6RK_1dnOLmDduChNcD6CloIwOy_PzKwx_cdxb8MWkInRYXyZp1HJKRzaO3ovRJg,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2224646682-2379115363-2177298087-1001 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ9CG1th_NJ3aIxi49zmOXbQL8qaC_zZ9NirkP5IQSM5CsInT_YxA1S5uLdtDeaEJHIiwp5VrFFfnaayWQQomPVJDrkFKc6RK_1dnOLmDduChNcD6CloIwOy_PzKwx_cdxb8MWkInRYXyZp1HJKRzaO3ovRJg,,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2224646682-2379115363-2177298087-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ9CG1th_NJ3aIxi49zmOXbQL8qaC_zZ9NirkP5IQSM5CsInT_YxA1S5uLdtDeaEJHIiwp5VrFFfnaayWQQomPVJDrkFKc6RK_1dnOLmDduChNcD6CloIwOy_PzKwx_cdxb8MWkInRYXyZp1HJKRzaO3ovRJg,,&q={searchTerms}
CHR HomePage: Profile 2 -> hxxp://www.mystartsearch.com/?type=sy&ts=1434643989&z=18341b13a003e248251a383gdzcc1zdq8zcc8t9t6c&from=cmi&uid=WDCXWD3200BPVT-22JJ5T0_WD-WX91C12R0412R0412
CHR StartupUrls: Profile 2 -> "hxxp://www.mystartsearch.com/?type=hp&ts=1434641622&z=f67b43f16ba5c60eafc3566g5zdc8zbq8zageqco4q&from=cmi&uid=WDCXWD3200BPVT-22JJ5T0_WD-WX91C12R0412R0412","hxxp://www.mystartsearch.com/?type=hppp&ts=1434643989&z=18341b13a003e248251a383gdzcc1zdq8zcc8t9t6c&from=cmi&uid=WDCXWD3200BPVT-22JJ5T0_WD-WX91C12R0412R0412"
CHR Session Restore: Profile 2 -> [funkcja włączona]
CHR Extension: (Browser Hunt) - C:\Users\Radek\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdckocnfhibclnnkifmjbbogcfkbijki [2016-10-12]
CHR Profile: C:\Users\Radek\AppData\Local\Google\Chrome\User Data\System Profile [2016-10-12]
R2 backlh; C:\ProgramData\Logic Handler\set.exe [3786752 2016-10-07] () [Brak podpisu cyfrowego]
R2 Citdhwa; C:\Users\Radek\AppData\Roaming\AzigcWig\Geeswu.exe [121344 2016-08-11] () [Brak podpisu cyfrowego]
R2 GoogleChromeUpService; C:\ProgramData\service.exe [1620992 2016-10-12] () [Brak podpisu cyfrowego]
R2 Kuaizip Update Checker; C:\Program Files (x86)\KuaiZip\X86\kuaizipUpdateChecker.dll [216704 2016-10-12] ()
R2 KuaizipUpdateChecker; C:\Program Files\żěŃą\X86\kuaizipUpdateChecker.dll [219072 2016-10-12] ()
R2 MaohaWifiSvr; C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaohaWifiSvr.exe [170464 2014-12-18] (猫哈网络 版权所有)
R2 Nettrans; C:\ProgramData\NetworkPacketManitor\Nettrans.exe [57856 2016-09-28] () [Brak podpisu cyfrowego]
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct
R2 Rohucultatoergh; C:\Program Files (x86)\Hzocult\rrgsch.dll [280064 2016-10-12] () [Brak podpisu cyfrowego]
R2 Viokdojvaf; C:\Users\Radek\AppData\Roaming\Hemkajdoa\Hemkajdoa.exe [170496 2016-08-11] () [Brak podpisu cyfrowego]
R2 fysevowu; C:\Program Files (x86)\00000000-1476269399-0000-0000-4CCC6A653515\knsz7298.tmpfs [X]
R2 KuaiZipDrive; C:\Windows\system32\drivers\KuaiZipDrive.sys [92872 2016-10-12] (WinMount International Inc)
S2 KuaiZipDrive2; C:\Windows\system32\drivers\KuaiZipDrive2.sys [93072 2016-10-12] (WinMount International Inc) <==== UWAGA
R1 MaohaWifiNetPro; C:\Program Files (x86)\GreatMaker\MaohaWiFi\MaoHaWiFiNet64.sys [871152 2015-10-27] ()
C:\Windows\system32\drivers\KuaiZipDrive2.sys
C:\Windows\system32\drivers\KuaiZipDrive.sys
R1 UCGuard; C:\Windows\System32\DRIVERS\ucguard.sys [81792 2016-08-02] (Huorong Borui (Beijing) Technology Co., Ltd.) <==== UWAGA
C:\Windows\System32\DRIVERS\ucguard.sys
S4 NVHDA; \SystemRoot\system32\drivers\nvhda64v.sys [X]
C:\Windows\Minidump\*.dmp
C:\Users\Radek\AppData\Roaming\Microsoft\Windows\Start Menu\żěŃą.lnk
C:\Users\Radek\Desktop\żěŃą.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi
C:\Windows\system32\Drivers\bsdpf64.sys
C:\Windows\system32\Drivers\bsdpr64.sys
C:\Users\Radek\AppData\Local\Tempfolder
C:\Users\Public\Thunder Network
C:\ProgramData\Thunder Network
C:\Windows\SysWOW64\Number of results
C:\Users\Radek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器.lnk
C:\Users\Radek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器
C:\Users\Radek\AppData\Roaming\Cjotionplaratain
C:\Users\Radek\AppData\Local\Rukutyvition
C:\Users\Radek\AppData\Roaming\Microsoft\Windows\Start Menu\KuaiZip.lnk
C:\Users\Radek\AppData\Roaming\Softlink
C:\Users\Radek\AppData\Local\app
C:\Users\Radek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YSPackage
C:\Users\Radek\AppData\Local\UCBrowser
C:\TOSTACK
C:\Program Files (x86)\WeatherChickn
C:\Users\Radek\AppData\Roaming\gplyra
2016-10-12 12:48 - 2016-10-12 12:57 - 00000000 ____D C:\Program Files (x86)\Microleaves
2016-10-12 12:48 - 2016-10-12 12:49 - 00000000 ____D C:\Users\Radek\AppData\Roaming\Microleaves
2016-10-12 12:48 - 2016-10-12 12:48 - 07203328 _____ C:\Users\Radek\AppData\Roaming\agent.dat
2016-10-12 12:48 - 2016-10-12 12:48 - 01906427 _____ C:\Users\Radek\AppData\Roaming\Labnix.tst
2016-10-12 12:48 - 2016-10-12 12:48 - 01897576 _____ C:\Users\Radek\AppData\Roaming\Triolux.bin
2016-10-12 12:48 - 2016-10-12 12:48 - 00937776 _____ (AutoIt Team) C:\Users\Radek\AppData\Roaming\dRaZ.exe
2016-10-12 12:48 - 2016-10-12 12:48 - 00693760 _____ C:\Users\Radek\AppData\Roaming\Labnix.exe
2016-10-12 12:48 - 2016-10-12 12:48 - 00632342 _____ C:\Users\Radek\AppData\Roaming\YfIgY.au3
2016-10-12 12:48 - 2016-10-12 12:48 - 00190394 _____ C:\Users\Radek\AppData\Roaming\Medstring.bin
2016-10-12 12:48 - 2016-10-12 12:48 - 00140288 _____ C:\Users\Radek\AppData\Roaming\Installer.dat
2016-10-12 12:48 - 2016-10-12 12:48 - 00126464 _____ C:\Users\Radek\AppData\Roaming\noah.dat
2016-10-12 12:48 - 2016-10-12 12:48 - 00070704 _____ C:\Users\Radek\AppData\Roaming\Config.xml
2016-10-12 12:48 - 2016-10-12 12:48 - 00018432 _____ C:\Users\Radek\AppData\Roaming\Main.dat
2016-10-12 12:48 - 2016-10-12 12:48 - 00015792 _____ C:\Users\Radek\AppData\Roaming\InstallationConfiguration.xml
2016-10-12 12:48 - 2016-10-12 12:48 - 00005568 _____ C:\Users\Radek\AppData\Roaming\md.xml
2016-10-12 12:48 - 2016-10-12 12:48 - 00002397 _____ C:\Windows\SysWOW64\findit.xml
2016-10-12 12:48 - 2016-10-12 12:48 - 00000000 ____D C:\Users\Radek\AppData\Roaming\Mozilla
2016-10-12 12:48 - 2016-10-12 12:48 - 00000000 ____D C:\ProgramData\Quoteexs
2016-10-12 12:48 - 2016-10-12 12:48 - 00000000 ____D C:\ProgramData\NetworkPacketManitor
2016-10-12 12:48 - 2016-10-12 12:48 - 00000000 ____D C:\ProgramData\Logic Handler
C:\ProgramData\Ament.ini
StartRegedit:
Windows Registry Editor Version 5.00
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000000
EndRegedit:
HOSTS:
EmptyTemp:
Notepad menu >> File >> Save as >>
File name: fixlist
Save as type: Text Documents
Encoding: Unicode
>> Save
Place the file in the I:\ folder.
Run FRST and click the Fix button.
Make new FRST logs.
Before the scan, tick "Addition.txt" and "Shortcut.txt".