Youtube accelerator, iwebar.exe i inne

**Posty:** 5 · przez **micmalkowski** 02 Sty 2015, 13:22

Witam
mam taki problem, a mianowicie po ściągnięciu Deamon Tools poinstalowały mi się na komputerze różne świństwa. Zrobiłem przywracanie systemu do momentu przed instalacja. Youtube accelerator został odinstalowany ale antywirus nadal co jakiś czas wykrywa złośliwe pliki a Opera blokuje wyskakujące reklamy.Prosiłbym o pomoc w usunięciu tego. Poniżej zamieszczam logi i skan z Gmer'a.

**Posty:** 4765 · przez **ordynat** 02 Sty 2015, 13:35

1) Odinstaluj te programy:
"iWebar" = iWebar
"uTorrentControl_v6 Toolbar" = uTorrentControl_v6 Toolbar
"WindowsMangerProtect" = WindowsMangerProtect20.0.0.722
"WinZipper" = WinZipper
"Akamai" = Akamai NetSession Interface

2) Użyj Adw-Cleaner http://www.programosy.pl/program,adwcleaner.html
najpierw kliknij na SZUKAJ, a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ, to kliknij na niego.
Daj z tego raport C:\AdwCleaner\AdwCleaner[S].txt.

3)

O4 - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001..\Run: [WinLess] C:\Program Files (x86)\Mark Lagendijk\WinLess\WinLess.exe ()

Sprawdź ten plik na --> JOTTI/ albo na VIRUSTOTAL

4)

zaraz to przejrzę ....

**Posty:** 5 · przez **micmalkowski** 02 Sty 2015, 13:42

odinstalowane

**Posty:** 4765 · przez **ordynat** 02 Sty 2015, 13:55

za szybko działasz, jak na moje możliwości

wróć do mojego poprzedniego postu.

Potem:
Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej to:

:OTL
[2014-12-14 17:08:58 | 000,000,000 | ---D | M] -- C:\Users\micmalkowski\AppData\Roaming\WinZipper
[2015-01-01 19:56:31 | 000,000,000 | ---D | M] -- C:\Users\micmalkowski\AppData\Roaming\VOPackage
[2013-10-29 17:58:00 | 000,000,000 | ---D | M] -- C:\Users\micmalkowski\AppData\Roaming\OpenCandy
[2014-08-09 12:40:38 | 000,000,000 | ---D | M] -- C:\Users\micmalkowski\AppData\Roaming\newnext.me
[2014-07-03 19:46:44 | 000,000,000 | ---D | M] -- C:\Users\micmalkowski\AppData\Roaming\Browser Tab Search by Ask
[2015-01-02 10:53:06 | 000,002,794 | ---- | C] () -- C:\Windows\tasks\1ae13559-59ab-47cf-9e33-5ed03087faa0-5_user.job
[2015-01-02 10:53:04 | 000,002,794 | ---- | C] () -- C:\Windows\tasks\1ae13559-59ab-47cf-9e33-5ed03087faa0-5.job
[2015-01-02 10:52:56 | 000,002,450 | ---- | C] () -- C:\Windows\tasks\1ae13559-59ab-47cf-9e33-5ed03087faa0-2.job
[2015-01-02 10:52:51 | 000,003,440 | ---- | C] () -- C:\Windows\tasks\1ae13559-59ab-47cf-9e33-5ed03087faa0-1.job
[2015-01-02 10:52:27 | 000,000,942 | ---- | C] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineUA.job
[2015-01-02 10:52:27 | 000,000,938 | ---- | C] () -- C:\Windows\tasks\globalUpdateUpdateTaskMachineCore.job
[2015-01-02 10:52:23 | 000,005,524 | ---- | C] () -- C:\Windows\tasks\1ae13559-59ab-47cf-9e33-5ed03087faa0-11.job
[2015-01-01 17:37:02 | 000,001,732 | ---- | C] () -- C:\Windows\tasks\FPFSGGU.job
[2015-01-01 17:37:00 | 002,052,584 | ---- | M] (Object Browser) -- C:\Users\micmalkowski\AppData\Roaming\FPFSGGU.exe
[2014-12-10 10:21:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
[2014-12-10 10:21:01 | 000,000,000 | ---D | C] -- C:\Users\micmalkowski\AppData\Roaming\WinZipper
[2014-12-10 10:21:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZipper
[2015-01-01 17:26:23 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\GOOBZO
[2015-01-01 17:26:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Accelerator
[2015-01-01 17:26:16 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\ShopperPro
[2015-01-01 17:26:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ShopperPro
[2015-01-01 17:26:52 | 000,000,000 | ---D | C] -- C:\Users\micmalkowski\AppData\Roaming\VOPackage
[2015-01-01 17:26:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\YTAHelper
[2015-01-01 17:37:00 | 000,000,000 | ---D | C] -- C:\Users\micmalkowski\AppData\Local\globalUpdate
[2015-01-01 17:37:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\globalUpdate
[2015-01-02 10:52:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iWebar
O27:64bit: - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\jumpflip: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchinstaller.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchsettings.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\searchsettings64.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\umbrella.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\volaro: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\vonteera: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\websteroids.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\websteroidsservice.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\jumpflip: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchinstaller.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchsettings.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchsettings64.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\umbrella.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\volaro: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\vonteera: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\websteroids.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\websteroidsservice.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001..\Run: [Akamai NetSession Interface] C:\Users\micmalkowski\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O4 - HKLM..\Run: [fst_en_2] File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\..\Toolbar\WebBrowser: (uTorrentControl_v6 Toolbar) - {96F454EA-9D38-474F-B504-56193E00C1A5} - C:\Program Files (x86)\uTorrentControl_v6\prxtbuTor.dll (Conduit Ltd.)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (uTorrentControl_v6 Toolbar) - {96f454ea-9d38-474f-b504-56193e00c1a5} - C:\Program Files (x86)\uTorrentControl_v6\prxtbuTor.dll (Conduit Ltd.)
O2 - BHO: (uTorrentControl_v6 Toolbar) - {96f454ea-9d38-474f-b504-56193e00c1a5} - C:\Program Files (x86)\uTorrentControl_v6\prxtbuTor.dll (Conduit Ltd.)
O2 - BHO: (iWebar) - {11111111-1111-1111-1111-110611511123} - C:\Program Files (x86)\iWebar\iWebar-bho.dll (iWebar)
O2:64bit: - BHO: (iWebar) - {11111111-1111-1111-1111-110611511123} - C:\Program Files (x86)\iWebar\iWebar-bho64.dll (iWebar)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (globalUpdate)
FF - HKLM\Software\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (globalUpdate)
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.delta-homes.com/web/?type=ds&ts=1418203219&from=wpm12103&uid=ST500DM002-1BD142_Z3T9WGJ5XXXXZ3T9WGJ5&q={searchTerms}
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=210&systemid=488&v=a13277-346&apn_uid=2311933914174124&apn_dtid=TCH001&o=APN11459&apn_ptnrs=AG1&q={searchTerms}
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\..\SearchScopes\{CBB269FB-3771-4EEE-AFE0-FD1708E1D8C5}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289075&CUI=UN78139675715488283&UM=1
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\..\URLSearchHook: {96f454ea-9d38-474f-b504-56193e00c1a5} - C:\Program Files (x86)\uTorrentControl_v6\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=1410714906&from=cor&uid=ST500DM002-1BD142_Z3T9WGJ5XXXXZ3T9WGJ5
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.delta-homes.com/web/?type=ds&ts=1418203219&from=wpm12103&uid=ST500DM002-1BD142_Z3T9WGJ5XXXXZ3T9WGJ5&q={searchTerms}
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.delta-homes.com/web/?type=ds&ts=1418203219&from=wpm12103&uid=ST500DM002-1BD142_Z3T9WGJ5XXXXZ3T9WGJ5&q={searchTerms}
IE - HKU\S-1-5-21-1115096086-1140705043-1597315316-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sweet-page.com/?type=hp&ts=1410714906&from=cor&uid=ST500DM002-1BD142_Z3T9WGJ5XXXXZ3T9WGJ5
SRV - [2015-01-02 10:52:21 | 000,068,608 | ---- | M] (globalUpdate) [On_Demand | Stopped] -- C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe -- (globalUpdatem)
SRV - [2015-01-02 10:52:21 | 000,068,608 | ---- | M] (globalUpdate) [Auto | Stopped] -- C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe -- (globalUpdate)
SRV - [2014-12-10 07:09:09 | 000,485,888 | ---- | M] (Fuyu LIMITED) [Auto | Running] -- C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -- (WindowsMangerProtect)

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes]

:Commands
[emptytemp]

Kliknij w Wykonaj Skrypt. Zatwierdź restart komputera. Zapisz raport, który pokaże się po restarcie.
Następnie uruchom OTL ponownie, tym razem kliknij Skanuj.
Pokaż nowy log OTL.txt oraz raport z usuwania Skryptem.
.

**Posty:** 5 · przez **micmalkowski** 02 Sty 2015, 14:19

ad3) nic nie znalazło

**Posty:** 4765 · przez **ordynat** 02 Sty 2015, 14:23

Folder Usunięto : C:\Users\micmalkowski\AppData\Local\Mobogenie

Sprawdź, czy razem z Mobogenie nie zainstalował Ci się dodatkowy Użytkownik C:\Users\wangzhisong

napisz o tym

**Posty:** 5 · przez **micmalkowski** 02 Sty 2015, 14:26

C:\Users\wangzhisong nie ma. Jednak jest cos takiego jak: C:\Users\dub_cm_auto - nie wiem czy to cos złego ;p

**Posty:** 4765 · przez **ordynat** 02 Sty 2015, 14:29

Nie, to nie jest szkodliwe. To obiekt stworzony przez Nortona, a taki masz zainstalowany.

Drobna poprawka:
Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej to:

:OTL
[2014-09-01 09:18:44 | 000,001,248 | ---- | C] () -- C:\Users\micmalkowski\AppData\Roaming\FPFSGGU

:Commands
[emptytemp]

Kliknij w Wykonaj Skrypt.

Raportu z tego już nie dawaj.

Kończymy:
W Adw-Cleaner kliknij na przycisk Odinstaluj (UNINSTALL).
W OTL kliknij na przycisk Sprzątanie - to go usunie razem z jego Kwarantanną.
.

**Posty:** 5 · przez **micmalkowski** 02 Sty 2015, 14:40

Zrobione. Wygląda na to że wszystko jest ok!

Dzięki wielkie za pomoc!

Kto jest na forum