Złośliwe oprogramowanie

**Posty:** 4 · przez **efciapel** 16 Lut 2016, 00:23

Po kliknięciu w jakąś reklamę na komputer ściągnął się wirus, który utrudnia używanie przeglądarki poprzez natarczywe włączanie reklam i odsyłanie do dziwnych stron po naciśnięciu na linki. Dodatkowo uruchamianie Windowsa trwa dłużej niż zwykle. Windowsowemu antywirusowi nie udało się skończyć pracy, ponieważ wcześniej zawiesił się system. Nie udało się również wygenerować raportu z Gmera - wywalało do bluescreen i pokazywał się komunikat, że plik ugloapod.sys może uszkodzić system. Uruchomienie Gmera w trybie awaryjnym również nie podziałało, dlatego załączam jedynie raporty z OTL. Mam zainstalowany Windows Vista 32-bit

**Posty:** 4765 · przez **ordynat** 16 Lut 2016, 00:24

PRC - [2016-02-08 18:08:51 | 000,371,200 | ---- | M] (The Privoxy team - http://www.privoxy.org) -- C:\Program Files\Gamma Task Menager\privoxy.exe

tego programu nie ma na liście Twoich programów - znasz to?

1) Użyj Adw-Cleaner http://www.programosy.pl/program,adwcleaner.html
najpierw kliknij na SZUKAJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk USUŃ (CLEANING), to kliknij na niego.
Pokaż raport z niego "C"

2) Zrób logi z FRST > http://forum.programosy.pl/frst-otl-zoek-vt139692.html
Przed skanem zaznacz "Addition.txt" oraz "Shortcut.txt".
.

**Posty:** 4 · przez **efciapel** 16 Lut 2016, 02:04

Programu nie poznaję, ale adw-cleaner się nim zajął.

**Posty:** 4765 · przez **ordynat** 16 Lut 2016, 09:07

Otwórz Notatnik i wklej w nim:

CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{3050F667-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{3050F67D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{CD773740-B187-4974-A1D5-E0FF91372277}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\edzia\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{D7B70EE0-4340-11CF-B063-0020AFC2CD35}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000_Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\InprocServer32 -> no filepath
Task: {0425D48B-EF3D-4107-9501-7E7A9639DF88} - System32\Tasks\{9BB9F73E-C439-41DE-9378-0EDC7B9D17D6} => pcalua.exe -a "C:\Gry\Kult; Heretic Kingdoms [PL]\Kult; Heretic Kingdoms [PL]\Patch\Kult_Patch_15.exe" -d "C:\Gry\Kult; Heretic Kingdoms [PL]\Kult; Heretic Kingdoms [PL]\Patch"
Task: {105CD1E6-DF06-4980-B977-65065591BE18} - System32\Tasks\{E689313D-DE9E-46D4-A1A6-5A1F272D95A6} => pcalua.exe -a E:\Programy\TS2HomeCrafterPlus_Install.exe -d E:\Programy
Task: {1F780219-2BDD-4372-B9F3-F1578B58BC82} - System32\Tasks\Performance Security Task => C:\Program Files\Performance Security\PerformanceSecurity.exe [2016-02-08] (Secure Updater) <==== ATTENTION
C:\Program Files\Performance Security
Task: {4007CD44-A1E3-4B60-B0BE-9E4B79576B91} - System32\Tasks\{64788B57-53DD-4A6D-BBAD-1E9607F2F604} => pcalua.exe -a E:\autoplay.exe -d E:\
Task: {51C4D906-E35F-4173-BC58-EE859EA78E0D} - System32\Tasks\Internet Update => C:\Users\edzia\AppData\Roaming\Internet Update\Internet Update.exe [2016-02-02] () <==== ATTENTION
Task: {6A1E6F4F-8817-4142-BFF5-72C609D18769} - System32\Tasks\{DF6A81EB-FCE3-4FF1-8326-5DF3C72EE600} => pcalua.exe -a "C:\Gry\The Sims 2\Sims2_uninst.exe" -d "C:\Gry\The Sims 2"
C:\Users\edzia\AppData\Roaming\Internet Update
Task: {76E8DD6F-8C64-4CEF-BC78-90B3D15C83F1} - System32\Tasks\{DF73AF3D-0EF9-4385-BC80-DD2AD68191F7} => pcalua.exe -a "C:\Program Files\EA GAMES\The Sims 2 Podróże\BearShare Applications\BearShare\UninstallSurvey.exe" -d "C:\Program Files\EA GAMES\The Sims 2 Podróże\BearShare Applications\BearShare"
Task: {8B0705AF-924B-407B-92DB-10741CA7A23F} - System32\Tasks\{F127DA4A-256D-4492-B069-B94557C9F2DC} => pcalua.exe -a E:\Setup95.exe -d E:\
Task: {94C6A914-5DB3-4EEE-AC2F-4B10AACDCD2D} - \Program aktualizacji online firmy Adobe. -> No File <==== ATTENTION
Task: {99530BE1-F60C-4D89-8960-22203484C5DD} - System32\Tasks\{CCC5801C-CA26-4B63-ADD5-DC69D7A34E8F} => pcalua.exe -a E:\eauninstall.exe -d E:\
Task: {D296F7AD-9956-4C65-A2CC-E8B03AF2B899} - System32\Tasks\{C9C7B9BA-38E2-452A-8238-D4617430C9A4} => pcalua.exe -a E:\Setup.exe -d E:\
Task: {DCE7BF3D-97BB-49FC-86E8-B5B607E1B5D5} - System32\Tasks\Symantec\Symantec Error Processor 17.9.0.12 => C:\Program Files\Norton Internet Security\Engine\17.9.0.12\SymErr.exe
Task: {DE047661-3E91-4FB3-AA86-D5226F1FE406} - System32\Tasks\{FBC8FF63-71BD-4759-848F-7859E0B4FA55} => pcalua.exe -a E:\ubrania\bielizna.exe -d E:\ubrania
Task: {FBEBD879-7564-48BB-B104-A4757D4FDFDE} - System32\Tasks\{37190C36-59A6-48E1-8441-C114A83507F5} => pcalua.exe -a E:\dodatki\gimp-2.2.8-i586-setup.exe -d E:\dodatki
Task: {2BF90429-271C-4A94-A604-0BB44B375193} - System32\Tasks\e-pity2012_kwiecien => C:\Program Files\e-file\e-pity2012\signxml.exe
Task: {19D77F8F-7853-493A-BDD0-F62F9A30FB7C} - System32\Tasks\e-pity2012_styczen => C:\Program Files\e-file\e-pity2012\signxml.exe
Task: {145124EF-5347-484A-84EA-D2CA1D3C3D9E} - System32\Tasks\Symantec\Symantec Error Analyzer 17.9.0.12 => C:\Program Files\Norton Internet Security\Engine\17.9.0.12\SymErr.exe
C:\Program Files\Norton Internet Security
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
C:\ProgramData\Hewlett-Packard\wtwc\onplay.lnk
C:\Users\Ewa\AppData\Roaming\Microsoft\Windows\Start Menu\AutoScreenRecorder 3.1 Free.lnk
C:\Users\Ewa\Desktop\omnes circulos\MpcStar.lnk
C:\Users\Guest\Desktop\coś\Diner Dash 2 - Restaurant Rescue.lnk
C:\Users\Guest\AppData\Roaming\Real\RealPlayer\History\Bękarty wojny.2009.TS.t88.Napisy PL.lnk
C:\Users\Guest\AppData\Roaming\Real\RealPlayer\History\Like A Stone.lnk
HKU\S-1-5-21-1696172363-3599968675-2358206074-1000\...\MountPoints2: {f4a9537b-b89c-11de-9a04-001e68a250db} - f2kmj.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
ProxyServer: [S-1-5-21-1696172363-3599968675-2358206074-1000] => 127.0.0.1:8118
AutoConfigURL: [S-1-5-21-1696172363-3599968675-2358206074-1000] => 127.0.0.1:8118
Toolbar: HKU\S-1-5-21-1696172363-3599968675-2358206074-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com [not found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org [not found]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [not found]
FF Extension: No Name - C:\rp\browserrecord [not found]
FF HKLM\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn => not found
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
S2 gupdate1c988fcf38c0887; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
R1 {55dce8ba-9dec-4013-937e-adbf9317d990}t; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}t.sys [55232 2014-07-17] (StdLib)
C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}t.sys
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 upperdev; system32\DRIVERS\usbser_lowerflt.sys [X]
C:\Users\edzia\AppData\Local\nsi541E.tmp
C:\Users\edzia\AppData\Local\nsx171C.tmp
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

PITy 2009 dla Windows kompilacja:1.1.2.8 (HKLM\...\PITy 2009_is1) (Version: - IPS Przedsiębiorstwo Informatyczne)

Minęło już 5 lat, więc PIT'y z 2009 roku już nie będą potrzebne - odinstaluj więc ten program.

Zainstaluj nowszą, bezpieczniejszą wersję Javy:
>http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html (wybierz: Windows x86 Offline)
.
----------------------
Jeśli będzie OK, to będziemy kończyć:
Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST. Uruchom FRST i kliknij w Fix (NAPRAW).
przez SHIFT+DEL usuń pozostały folder C:\FRST.

W Adw-Cleaner kliknij na przycisk Odinstaluj (UNINSTALL).
.

**Posty:** 4 · przez **efciapel** 16 Lut 2016, 20:40

Wszystko działa jak należy. Dziękuję