1) CHR DefaultProfile: ChromeDefaultData
Launch Google Chrome > press left Alt+F and click the Settings button > section: PEOPLE > select (choose): user0 and click the X icon located on the right-hand side.
2)
Shortcut: C:\Users\X\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Zooarm\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\X\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files\Zooarm\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Zooarm\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Program Files\Zooarm\Application\chrome.exe (Google Inc.)
I'm putting these shortcuts up for removal, because they launch a fake browser that looks like Google Chrome but is in fact a Trojan.
Afterwards, create new shortcuts for yourself in the same locations.
C:\Program Files\Firefox - fake Firefox
C:\program files\mozilla firefox - the real Firefox
I'm also putting this fake Firefox up for removal.
3) Open Notepad and paste into it:
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bonanza Deals
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Bonanza Deals
DeleteKey: HKU\S-1-5-21-4056426076-1055544622-2806743744-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bonanza
DeleteKey: HKU\S-1-5-21-4056426076-1055544622-2806743744-1000\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Bonanza
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iSafe
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\iSafe
Task: {00F71471-4379-4CF1-861D-45727FF1A8E3} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {0A376EB6-4E27-4638-83AE-DA4A003D102B} - System32\Tasks\BonanzaDealsUpdate => C:\Program [Argument = Files\BonanzaDeals\BonanzaDealsUpdate.exe] <==== ATTENTION
Task: {0D5D0035-FCDA-4ACE-89E9-A03B16FDC44A} - System32\Tasks\386980v2a43h72 => Rundll32.exe "C:\ProgramData\386980v2a43h72\386980v2a43h72.dll",bgozrak <==== ATTENTION
Task: {14A32944-71DC-4A62-9561-9EB408D71FCD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {162E6359-B632-486B-8FD8-E2CAD56AD1EF} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {2F6FFC66-A3AB-49DB-8A42-6C0E3240F02A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {5BFA4F56-E084-4F11-B7A7-141FC1DC94F1} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {5FE47F19-CCCD-45F6-8541-01D1C3250D04} - System32\Tasks\{06B9B599-B217-4042-95BE-4F0A49F8F1DF} => pcalua.exe -a C:\Users\X\Downloads\wmp11-windowsxp-x86-PL-PL.exe -d "C:\Program Files\Mozilla Firefox"
Task: {61C2689D-9AE9-4E04-90F3-EA6B9DEDAA32} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {66214CAD-414D-4E04-A2DD-17E4ABD9DD90} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {AE098045-BABE-4FEE-861C-3E6AA2E479EA} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {AF54A133-3BF7-44CE-9830-FC4F74DB026A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {CAC836D3-027F-4F2B-9B59-48ED27D3B182} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {CFB40DCE-13CE-4EFA-BA7F-367FEFC0D3A1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FD7E4B76-803F-42A1-9CB5-FF4400E2BC54} - System32\Tasks\Aroedom Mapper => C:\Program Files\Shaverck\reeherry.exe [2016-12-29] (Glarysoft Ltd)
Task: {FFEA6172-CC48-479C-8D5F-7D343652DE00} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
RemoveDirectory: C:\Program Files\Shaverck
RemoveDirectory: C:\ProgramData\386980v2a43h72
RemoveDirectory: C:\Program Files\Zooarm
RemoveDirectory: c:\program files\gubed
RemoveDirectory: c:\programdata\winsapsvc
RemoveDirectory: C:\Program Files\Firefox
RemoveDirectory: C:\Program Files\Elex-tech
RemoveDirectory: C:\Users\X\AppData\Roaming\Grucaphanojicult
RemoveDirectory: C:\Program Files\Kermush Verfier
RemoveDirectory: C:\Users\X\AppData\Local\Zooarm
RemoveDirectory: C:\Users\X\AppData\Roaming\Elex-tech
C:\Program Files\WinArcher
C:\Program Files\2u4xq0g5
C:\Users\X\AppData\Local\Zerwocultatutly
2017-01-03 22:49 - 2017-01-03 22:49 - 0000000 _____ () C:\Program Files\metadata
2017-01-03 22:49 - 2017-01-03 22:49 - 0000040 _____ () C:\Program Files\settings.dat
Task: C:\WINDOWS\Tasks\Update Service for Youtube AdBlock2.job => C:\Program Files\Youtube AdBlock\e24ZrPW.exe <==== ATTENTION
C:\Users\X\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
C:\Users\X\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
FirewallRules: [{97D237C1-3B32-40B5-87AB-E8448A680366}] => C:\Program Files\Zooarm\Application\chrome.exe
FirewallRules: [{6DBB4B75-8BED-43E3-8AB9-3C56091D1282}] => C:\Program Files\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{C0BFFB00-0029-478D-824F-BE0439D2BFC2}] => C:\Program Files\Firefox\Firefox.exe
HKLM\...\RunOnce: [wd] => C:\Windows\Temp\gEF39.tmp.exe [260608 2017-01-03] () <===== ATTENTION
HKU\S-1-5-21-4056426076-1055544622-2806743744-1000\...\Run: [BingSvc] => C:\Users\X\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKLM\...\Providers\w2rdzthv: C:\Program Files\Kermush Verfier\local32spl.dll
ShellExecuteHooks: No Name - {AD25A2B4-CA9A-11E6-B50E-64006A5CFC23} - C:\Users\X\AppData\Roaming\Grucaphanojicult\Muzither.dll -> No File
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => -> No File
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => -> No File
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
HKU\S-1-5-21-4056426076-1055544622-2806743744-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = pl.v9.com/ins/ins_1328859910_954514
SearchScopes: HKU\S-1-5-21-4056426076-1055544622-2806743744-1000 -> DefaultScope {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=FF&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=&apn_uid=0E2C23AD-9059-414A-B04C-EFF5DC780288&apn_sauid=48434217-5671-4BE2-9B0D-BB2EBB2BEF00
SearchScopes: HKU\S-1-5-21-4056426076-1055544622-2806743744-1000 -> {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=FF&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=&apn_uid=0E2C23AD-9059-414A-B04C-EFF5DC780288&apn_sauid=48434217-5671-4BE2-9B0D-BB2EBB2BEF00
Toolbar: HKU\S-1-5-21-4056426076-1055544622-2806743744-1000 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
FF user.js: detected! => C:\Users\X\AppData\Roaming\Mozilla\Firefox\Profiles\67x5xrpi.default\user.js [2013-10-18]
FF NewTab: Mozilla\Firefox\Profiles\67x5xrpi.default -> hxxp://www.trotux.com/?z=52506e1c73442007bca8ac9g2zcb3c0ebc8zaobw1b&from=icb&uid=HitachiXHTS725032A9A364_100611PCKC00VPK402NJX&type=hp
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\67x5xrpi.default -> trotux
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\67x5xrpi.default -> trotux
FF SearchPlugin: C:\Users\X\AppData\Roaming\Mozilla\Firefox\Profiles\67x5xrpi.default\searchplugins\2u4xq0g5.xml [2016-12-29]
FF SearchPlugin: C:\Users\X\AppData\Roaming\Mozilla\Firefox\Profiles\67x5xrpi.default\searchplugins\askcom.xml [2010-09-28]
FF SearchPlugin: C:\Users\X\AppData\Roaming\Mozilla\Firefox\Profiles\67x5xrpi.default\searchplugins\dokotoolbar.xml [2013-10-18]
FF NewTab: Firefox\Firefox\Profiles\67x5xrpi.default -> hxxp://www.trotux.com/?z=52506e1c73442007bca8ac9g2zcb3c0ebc8zaobw1b&from=icb&uid=HitachiXHTS725032A9A364_100611PCKC00VPK402NJX&type=hp
FF DefaultSearchEngine: Firefox\Firefox\Profiles\67x5xrpi.default -> trotux
FF SelectedSearchEngine: Firefox\Firefox\Profiles\67x5xrpi.default -> trotux
FF Extension: (SimilarWeb) - C:\Users\X\AppData\Roaming\Firefox\Firefox\Profiles\67x5xrpi.default\Extensions\@DA3566E2-F709-11E5-8E87-A604BC8E7F8B.xpi [2017-01-03] [File not signed]
FF Extension: (FF Adr) - C:\Users\X\AppData\Roaming\Firefox\Firefox\Profiles\67x5xrpi.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-01-03] [File not signed]
FF SearchPlugin: C:\Users\X\AppData\Roaming\Firefox\Firefox\Profiles\67x5xrpi.default\searchplugins\2u4xq0g5.xml [2016-12-29]
FF SearchPlugin: C:\Users\X\AppData\Roaming\Firefox\Firefox\Profiles\67x5xrpi.default\searchplugins\askcom.xml [2010-09-28]
FF SearchPlugin: C:\Users\X\AppData\Roaming\Firefox\Firefox\Profiles\67x5xrpi.default\searchplugins\dokotoolbar.xml [2013-10-18]
FF SearchPlugin: C:\Users\X\AppData\Roaming\Firefox\Firefox\Profiles\67x5xrpi.default\searchplugins\searchinme.xml [2017-01-03]
FF Plugin: @tools.bdupdater.com/BonanzaDealsLive Update;version=3 -> C:\Program Files\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.bdupdater.com/BonanzaDealsLive Update;version=9 -> C:\Program Files\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll [No File]
CHR DefaultProfile: ChromeDefaultData
CHR HomePage: ChromeDefaultData -> hxxp://www.trotux.com/?z=52506e1c73442007bca8ac9g2zcb3c0ebc8zaobw1b&from=icb&uid=HitachiXHTS725032A9A364_100611PCKC00VPK402NJX&type=hp
CHR StartupUrls: ChromeDefaultData -> "hxxp://www.trotux.com/?z=52506e1c73442007bca8ac9g2zcb3c0ebc8zaobw1b&from=icb&uid=HitachiXHTS725032A9A364_100611PCKC00VPK402NJX&type=hp"
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.trotux.com/search/?q={searchTerms}&z=52506e1c73442007bca8ac9g2zcb3c0ebc8zaobw1b&from=icb&uid=HitachiXHTS725032A9A364_100611PCKC00VPK402NJX&type=sp
CHR DefaultSearchKeyword: ChromeDefaultData -> trotux
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\44.0.2403.107\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java(TM) Platform SE 6 U26) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll => No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL => No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\44.0.2403.107\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\44.0.2403.107\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Profile: C:\Users\X\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-03] <==== ATTENTION
CHR Extension: (Gazeta.pl) - C:\Users\X\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\efhdjkbfpoohkmfaldijcpbnmbpefpkb [2015-07-03]
CHR Extension: (No Name) - C:\Users\X\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\eojeoeddgeaeahpmfabdfpfialkoplcb [2016-12-30]
CHR Extension: (No Name) - C:\Users\X\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-09-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\X\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-08]
R2 FirefoxU; C:\Program Files\Firefox\bin\FirefoxUpdate.exe [106160 2017-01-03] ()
R2 GubedZL; C:\Program Files\Gubed\GubedZL.dll [120320 2017-01-03] () [File not signed]
S2 iSafeService; C:\Program Files\Elex-tech\YAC\iSafeSvc.exe [131024 2016-12-02] (Elex do Brasil [censored]ções Ltda)
S2 Themes; C:\WINDOWS\system32\themeservice.dll [55296 2016-07-16] (Microsoft Corporation) [DependOnService: iThemes5] <==== ATTENTION
R2 WinSAPSvc; C:\ProgramData\WinSAPSvc\WinSAP.dll [186368 2016-12-30] () [File not signed]
Reg: reg delete HKLM\SYSTEM\CurrentControlSet\Services\Themes /v DependOnService /f
R1 iSafeKrnlMon; C:\Program Files\Elex-tech\YAC\iSafeKrnlMon.sys [45032 2016-05-23] (Elex do Brasil [censored]ções Ltda)
R1 iSafeKrnlR3; C:\Program Files\Elex-tech\YAC\iSafeKrnlR3.sys [73232 2016-05-23] (Elex do Brasil [censored]ções Ltda)
R1 iSafeNetFilter; C:\WINDOWS\System32\DRIVERS\iSafeNetFilter.sys [59152 2016-05-19] (Elex do Brasil [censored]ções Ltda)
C:\WINDOWS\System32\DRIVERS\iSafeNetFilter.sys
CMD: attrib /d /s -r -s -h C:\FOUND.*
CMD: for /d %f in (C:\FOUND.*) do rd /s /q "%f"
2017-01-03 15:02 - 2017-01-04 13:54 - 00000000 _____ C:\Users\Public\Documents\report.dat
2017-01-03 15:02 - 2017-01-04 13:52 - 00000000 _____ C:\Users\Public\Documents\temp.dat
C:\Program Files\WinArcher
C:\Users\X\Desktop\UŻYTKOWE PROGRAMY\Storino.lnk
C:\Users\X\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BonanzaDeals\Uninstall Bonanza Deals.lnk
InternetURL: C:\Users\X\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BonanzaDeals\Bonanza Deals Help.url -> URL: hxxp://support.bonanzadeals.net/
InternetURL: C:\Users\X\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BonanzaDeals\Bonanza Deals.url -> URL: hxxp://www.bonanzadeals.net/
HOSTS:
EmptyTemp:
Save the file under the name fixlist.txt and place it next to FRST.exe. Run FRST and click the Fix button.
4) Use Adw-Cleaner http://www.programosy.pl/program,adwcleaner.html
First click SCAN, and only after the scan has finished, when the CLEANING button becomes active, click it.
Show me its "C" report.
5) Produce new FRST logs.
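As an added example (not part of the original post and not the helper's own procedure), here is a PowerShell audit for the shortcut hijack that step 2 describes, where "Google Chrome.lnk" resolved to an impostor chrome.exe under C:\Program Files\Zooarm. FRST's "(Google Inc.)" tag comes from the file's CompanyName version resource, which any executable can set, so the script resolves each browser shortcut and applies two checks the log lines cannot: the target lives under the vendor's install directory, and it carries a valid Authenticode signature from the vendor. The install directories, signer subject patterns, and the `Test-BrowserShortcut` function name are my assumptions for a default 32-bit layout like the one in the log; adjust `$Expected` for "Program Files (x86)" or other versions.

```powershell
# Added example, not from the original post: audit browser shortcuts for the
# hijack pattern "Google Chrome.lnk -> C:\Program Files\Zooarm\...\chrome.exe".
# Assumed install paths and signer subjects; adjust $Expected for your layout.

$Expected = @{
    'chrome.exe'  = @{ Dir = 'C:\Program Files\Google\Chrome\Application'; Subject = 'O=Google (LLC|Inc)' }
    'firefox.exe' = @{ Dir = 'C:\Program Files\Mozilla Firefox';          Subject = 'O=Mozilla Corporation' }
}

# The locations where the log above found hijacked .lnk files, plus the desktops.
$ShortcutDirs = @(
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop"
)

function Test-BrowserShortcut {
    param([Parameter(Mandatory)][string]$LnkPath)

    $shell  = New-Object -ComObject WScript.Shell
    $target = $shell.CreateShortcut($LnkPath).TargetPath
    if (-not $target) { return }

    $leaf = [IO.Path]::GetFileName($target).ToLowerInvariant()
    if (-not $Expected.ContainsKey($leaf)) { return }   # only chrome.exe / firefox.exe
    $rule = $Expected[$leaf]

    # Check 1: the target must live under the vendor's install directory.
    $inVendorDir = $target.StartsWith($rule.Dir, [StringComparison]::OrdinalIgnoreCase)

    # Check 2: the target must carry a valid Authenticode signature from the
    # vendor. The version-resource CompanyName that FRST prints is free-form;
    # the certificate chain is what an impostor binary cannot easily forge.
    $sig = $null
    if (Test-Path -LiteralPath $target) {
        $sig = Get-AuthenticodeSignature -LiteralPath $target
    }
    $vendorSigned = $sig -and $sig.Status -eq 'Valid' -and
                    $sig.SignerCertificate.Subject -match $rule.Subject

    [pscustomobject]@{
        Shortcut    = $LnkPath
        Target      = $target
        InVendorDir = $inVendorDir
        SigStatus   = if ($sig) { $sig.Status.ToString() } else { 'missing' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Verdict     = if ($inVendorDir -and $vendorSigned) { 'OK' } else { 'SUSPECT' }
    }
}

$results = Get-ChildItem -Path $ShortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-BrowserShortcut -LnkPath $_.FullName }

$results | Format-Table -AutoSize
$results | Where-Object { $_.Verdict -eq 'SUSPECT' } | ForEach-Object {
    Write-Warning "'$($_.Shortcut)' launches '$($_.Target)' (vendor dir: $($_.InVendorDir), signature: $($_.SigStatus))"
}
```

Run it in the affected user's session so `$env:APPDATA` resolves to their profile; a SUSPECT verdict for a shortcut whose target is unsigned, or signed by someone other than the vendor, is the same condition the fixlist above addresses by deleting the .lnk files and the Zooarm and Firefox directories, after which the shortcuts are recreated to point at the real binaries.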