Mystartsearch and other junk


(wernix) #1

Hi,

I can't remove the Mystartsearch browser redirect on my daughter's computer. The computer generally looks infected (I don't know myself what she downloaded and installed there), so I would be grateful if someone took a look at the logs and helped. Thanks in advance for the help.

FRST logs:

http://wklejto.org/w/ba6ef470

http://wklejto.org/w/fb1a3be2

http://wklejto.org/w/db4a4e31

Regards,

M.

 


(Acorus) #2

Uninstall GovernorBranch and Reimage Protector. Open the system Notepad and paste:

Task: {E1DFDA1F-B005-407F-B1AC-2A93E777E182} - System32\Tasks\ReimageUpdater = C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-01-14] (Reimage®) ==== ATTENTION
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hpppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsts=1422393118from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hpppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsts=1422393118from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239q={searchTerms}
HKU\S-1-5-21-2664714632-150986054-3073284575-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239q={searchTerms}
HKU\S-1-5-21-2664714632-150986054-3073284575-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?fr=hp-ddc-bdtype=pr __alt__ ddc_dsssyc_bd_com
HKU\S-1-5-21-2664714632-150986054-3073284575-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/pl-pl/?ocid=iehp
HKU\S-1-5-21-2664714632-150986054-3073284575-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hpppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239
HKU\S-1-5-21-2664714632-150986054-3073284575-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239q={searchTerms}
SearchScopes: HKLM - DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://www.bing.com/search?q={searchTerms}form=MSSEDFpc=MSE1
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dsts=1422393118from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239q={searchTerms}
SearchScopes: HKLM - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://www.bing.com/search?q={searchTerms}form=MSSEDFpc=MSE1
SearchScopes: HKU\S-1-5-21-2664714632-150986054-3073284575-1001 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://q.search-simple.com/?affID=pr_3642be22-3594-4605-8f8c-7d8be97aa7a3q={searchTerms}
SearchScopes: HKU\S-1-5-21-2664714632-150986054-3073284575-1001 - OldSearch URL = http://www.mystartsearch.com/web/?type=dsppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239q={searchTerms}
SearchScopes: HKU\S-1-5-21-2664714632-150986054-3073284575-1001 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://q.search-simple.com/?affID=pr_3642be22-3594-4605-8f8c-7d8be97aa7a3q={searchTerms}
SearchScopes: HKU\S-1-5-21-2664714632-150986054-3073284575-1001 - {9F95B8A0-831C-4CD8-8206-A766A3ACCCEB} URL = http://q.search-simple.com/?affID=naq={searchTerms}r=585
SearchScopes: HKU\S-1-5-21-2664714632-150986054-3073284575-1001 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchfix.info/?unqvl=63idate=2015/01/27l=1q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.mystartsearch.com/?type=scts=1422393118from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239
FF DefaultSearchEngine: Yahoo! Search
FF DefaultSearchEngine,S: WebSearch
FF DefaultSearchUrl: hxxp://websearch.searchfix.info/?unqvl=63idate=2015/01/27l=1q=
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF SelectedSearchEngine: Yahoo! Search
FF SelectedSearchEngine,S: WebSearch
FF Homepage: hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com
FF SearchPlugin: C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\searchplugins\dsrlte.xml [2015-03-24]
FF SearchPlugin: C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\searchplugins\mystartsearch.xml [2015-04-05]
FF SearchPlugin: C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\searchplugins\search-simple.xml [2015-03-24]
FF SearchPlugin: C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\searchplugins\WebSearch.xml [2015-01-27]
FF Extension: uuneiosalees - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\b@OE.net [2015-01-27]
FF Extension: youtubeadblocker - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\CYd3@Ns7fpK.com [2015-01-27]
FF Extension: FF Toolbar - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\fftoolbar2014@etech.com [2015-03-31]
FF Extension: TaakeThoECoupon - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\g@5TO.edu [2015-03-31]
FF Extension: unisalues - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\MzMc@ma.com [2015-01-27]
FF Extension: youtubeadblocker - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\PYUh@YzA.net [2015-01-27]
FF Extension: RaonndomPrriCe - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\Extensions\ReNfSFt@f.org [2015-03-27]
FF HKLM\...\Firefox\Extensions: [fftoolbar2014@etech.com] - C:\Users\julka\AppData\Roaming\Mozilla\Firefox\Profiles\zp9f6awz.default\extensions\fftoolbar2014@etech.com
R2 IHProtect Service; C:\Program Files\XTab\ProtectService.exe [158896 2015-01-16] (XTab system)
R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [6079848 2015-01-14] (Reimage®)
R1 {237a87b5-881c-4fd8-b80a-c3b471ff75d7}Gw; C:\Windows\System32\drivers\{237a87b5-881c-4fd8-b80a-c3b471ff75d7}Gw.sys [43152 2015-03-24] (StdLib)
R1 {237a87b5-881c-4fd8-b80a-c3b471ff75d7}w; C:\Windows\System32\drivers\{237a87b5-881c-4fd8-b80a-c3b471ff75d7}w.sys [43152 2015-04-21] (StdLib)
R1 {4cc550cb-ad95-48a3-ae71-6ab7c8433971}Gw; C:\Windows\System32\drivers\{4cc550cb-ad95-48a3-ae71-6ab7c8433971}Gw.sys [43152 2015-03-10] (StdLib)
R1 {72502b1b-b916-4994-814e-c516f9f681b2}Gw; C:\Windows\System32\drivers\{72502b1b-b916-4994-814e-c516f9f681b2}Gw.sys [43152 2015-02-28] (StdLib)
R1 {81711fd0-60e8-45bb-a4ff-3004058b32b4}Gw; C:\Windows\System32\drivers\{81711fd0-60e8-45bb-a4ff-3004058b32b4}Gw.sys [43152 2015-02-07] (StdLib)
R1 {c6cf689f-ec21-4add-accd-adc0bafcbba6}Gw; C:\Windows\System32\drivers\{c6cf689f-ec21-4add-accd-adc0bafcbba6}Gw.sys [43152 2015-02-21] (StdLib)
R1 {d0194130-21b3-4618-b5c8-b6dfe1e0bb88}Gw; C:\Windows\System32\drivers\{d0194130-21b3-4618-b5c8-b6dfe1e0bb88}Gw.sys [43152 2015-02-12] (StdLib)
2015-04-23 21:48 - 2015-04-23 21:49 - 00000000 ____ D () C:\ProgramData\Reimage Protector
2015-04-23 21:48 - 2015-04-23 21:48 - 00000000 ____ D () C:\Program Files\Reimage
2015-04-23 21:46 - 2015-04-23 21:49 - 00000156 _____ () C:\Windows\Reimage.ini
2015-04-23 21:46 - 2015-04-23 21:46 - 00768512 _____ (Reimage®) C:\Users\julka\Downloads\ReimageRepair.exe
2015-05-02 18:48 - 2015-01-27 23:09 - 00000000 ____ D () C:\Program Files\youtubeadblocker
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.


(wernix) #3

I can't uninstall that GovernorBranch - I get a message that it can't find some DLL.

OK, I did everything. New logs:

http://wklejto.org/w/fca2ecda

http://wklejto.org/w/ff0e7ece

Governor has disappeared from the list of programs.

M.


(Acorus) #4

Open the system Notepad and paste:

Startup: C:\Users\julka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\John Legend - All Of Me Piano Tutorial - Easy.m4a.lnk [2015-01-27]
ShortcutTarget: John Legend - All Of Me Piano Tutorial - Easy.m4a.lnk - C:\ProgramData\{58dcc731-2cac-4390-58dc-cc7312ca1cc4}\John Legend - All Of Me Piano Tutorial - Easy.m4a.exe (No File)
SearchScopes: HKU\.DEFAULT - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2015-05-02 19:32 - 2015-05-02 19:37 - 00000000 ____ D () C:\AdwCleaner
2015-04-21 21:10 - 2015-04-21 05:13 - 00043152 _____ (StdLib) C:\Windows\system32\Drivers\{237a87b5-881c-4fd8-b80a-c3b471ff75d7}w.sys

Save the file as fixlist.txt and place it next to FRST in the same folder.
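A small triage helper for FRST-style log lines such as those collected into the two fixlists above (posts #2 and #4). This is an added example, not part of the thread and not FRST's own tooling: the sample lines are copied from the logs quoted in this thread, while the search-host allowlist, the GUID-named-driver heuristic and all function names are this example's own assumptions. It flags three things a reviewer of such logs looks at first: browser start/search entries pointing at hosts outside a small allowlist, lines FRST itself has marked with ATTENTION, and kernel drivers whose file name is a bare GUID (the StdLib entries in post #2).

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code)."""
import re
from urllib.parse import urlsplit

# Hosts a home user's browser settings would normally point at (assumption for this example).
ALLOWED_SEARCH_HOSTS = {"www.bing.com", "search.yahoo.com", "www.msn.com", "www.google.com"}

# FRST defangs some URLs as hxxp://; match both spellings.
URL_RE = re.compile(r"(?:hxxp|http)s?://\S+")
# FRST driver line: "R1 name; C:\path\file.sys [size date] (publisher)"
DRIVER_RE = re.compile(r"^R[0-4]\s+(?P<name>[^;]+);\s+(?P<path>.+?\.sys)\s+\[", re.I)
# Driver file whose base name is a GUID, optionally with a short suffix (heuristic).
GUID_FILENAME_RE = re.compile(r"\{[0-9a-f-]{36}\}\w*\.sys$", re.I)

# Sample lines copied from the FRST output quoted in this thread.
SAMPLE_LINES = [
    r"HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hpppts=1422393191from=wpcuid=ST1000LM024XHN-M101MBB_S30YJ9EF113239",
    r"SearchScopes: HKLM - DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://www.bing.com/search?q={searchTerms}form=MSSEDFpc=MSE1",
    r"SearchScopes: HKU\S-1-5-21-2664714632-150986054-3073284575-1001 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://q.search-simple.com/?affID=pr_3642be22-3594-4605-8f8c-7d8be97aa7a3q={searchTerms}",
    r"FF DefaultSearchUrl: hxxp://websearch.searchfix.info/?unqvl=63idate=2015/01/27l=1q=",
    r"GroupPolicy: Group Policy on Chrome detected ======= ATTENTION",
    r"R1 {237a87b5-881c-4fd8-b80a-c3b471ff75d7}Gw; C:\Windows\System32\drivers\{237a87b5-881c-4fd8-b80a-c3b471ff75d7}Gw.sys [43152 2015-03-24] (StdLib)",
    r"R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [6079848 2015-01-14] (Reimage)",
]


def url_host(url):
    """Hostname of a URL; normalises the hxxp defanging first."""
    return urlsplit(url.replace("hxxp", "http", 1)).hostname or ""


def suspicious_search_hosts(line):
    """Hosts referenced on the line that are not in the allowlist, sorted."""
    hosts = {url_host(u) for u in URL_RE.findall(line)}
    return sorted(hosts - ALLOWED_SEARCH_HOSTS - {""})


def is_guid_named_driver(line):
    """True for an FRST driver entry whose .sys file is named after a GUID."""
    m = DRIVER_RE.match(line)
    return bool(m and GUID_FILENAME_RE.search(m.group("path")))


def triage(lines):
    """Return (kind, hosts, line) findings in input order."""
    findings = []
    for line in lines:
        hosts = suspicious_search_hosts(line)
        if hosts:
            findings.append(("search-hijack", hosts, line))
        if "ATTENTION" in line:
            findings.append(("frst-attention", [], line))
        if is_guid_named_driver(line):
            findings.append(("guid-driver", [], line))
    return findings


if __name__ == "__main__":
    for kind, hosts, line in triage(SAMPLE_LINES):
        print(f"[{kind}] {' '.join(hosts)} :: {line[:90]}")
```

The allowlist approach is deliberate: hijackers rotate domains, so listing the few hosts a browser on this machine should legitimately use catches mystartsearch.com, search-simple.com and searchfix.info alike without a signature for each. The GUID-driver check only narrows the list; which entries go into fixlist.txt is still decided by the person reading the full log.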


(wernix) #5

Done.

Thanks!