Web page opening on its own


(Tomczyk5131221) #1

Hello,

For some time now, after the computer starts, the Firefox browser opens by itself (first a cmd window pops up for about 1 s) with the page gamezdoka.org.

Does anyone have an idea how to get rid of this?

I have already scanned the computer with many cleaning programs of the antimalware type and it did not help; I don't see anything suspicious in the installed programs either, and likewise in the processes.

 

Computer

Monitor: LCD LG 19'' 1934S-BN


(Atis) #2

A new log is mandatory - Farbar Recovery Scan Tool


(Tomczyk5131221) #3

FRST

http://www.wklej.org/id/1537870/

 

Addition

http://www.wklej.org/id/1537873/


(Acorus) #4

Open Notepad and paste:

Task: {046D2102-F8FF-42EF-8FC0-C1858FBBE479} - System32\Tasks\WOT W1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
Task: {5596A897-7B61-48E3-A3A5-CDF69BCDE399} - System32\Tasks\WOT WW2 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
Task: {8E206875-2423-40C5-A8FA-DB1A1E92131A} - System32\Tasks\WOT WWED1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
Task: {92CE128A-6545-4D41-8BFE-D5476F942B49} - System32\Tasks\WOT WTHUR1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
Task: {962786B8-B474-4DB6-B9E7-CC3FC6C011AC} - System32\Tasks\WOT WFRI1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
Task: {A8745B96-2D63-4116-A986-E6ED023EB09F} - System32\Tasks\WOT WW1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
Task: {B5D3A841-260F-4966-81C7-C67D06E9266A} - System32\Tasks\WOT WTUE1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
HKU\S-1-5-21-3349865243-1250912301-2486857206-1001\...\Run: [CMD] = cmd.exe /c start http://ooov.net exit ===== ATTENTION
BootExecute: autocheck autochk * sdnclean64.exe
HKU\S-1-5-21-3349865243-1250912301-2486857206-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.awesomehp.com/?type=hpts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520
HKU\S-1-5-21-3349865243-1250912301-2486857206-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.awesomehp.com/?type=hpts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.awesomehp.com/web/?type=dsts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.awesomehp.com/web/?type=dsts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.awesomehp.com/web/?type=dsts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.awesomehp.com/web/?type=dsts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520q={searchTerms}
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction ======= ATTENTION
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKU\S-1-5-21-3349865243-1250912301-2486857206-1002 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.awesomehp.com/web/?type=dsts=1393607782from=amtuid=WDCXWD5000AAKS-00A7B2_WD-WMASY350352003520q={searchTerms}
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\18.1.9.799
S3 MBAMSwissArmy; \\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S1 nethfdrv; \\C:\Windows\system32\drivers\nethfdrv.sys [X]
2014-11-25 17:33 - 2014-11-25 17:33 - 00000000 ____ D () C:\Users\Tomek\Downloads\FRST-OlderVersion
2014-11-22 13:42 - 2014-11-22 14:34 - 00000000 ____ D () C:\Program Files (x86)\Spybot - Search Destroy 2
2014-11-22 13:42 - 2014-11-22 14:21 - 00000000 ____ D () C:\ProgramData\Spybot - Search Destroy
2014-11-22 13:42 - 2014-11-22 13:42 - 00000000 ____ D () C:\Windows\System32\Tasks\Safer-Networking
2014-11-22 13:41 - 2014-11-22 13:41 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Tomek\Downloads\spybot-2_4.exe
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT WWED1
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT WW2
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT WW1
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT WTUE1
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT WTHUR1
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT WFRI1
2014-11-22 13:41 - 2014-11-22 13:41 - 00003456 _____ () C:\Windows\System32\Tasks\WOT W1
EmptyTemp:

Save the file under the name fixlist.txt and place it next to FRST in the same folder.
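
The persistence entries this fixlist removes (scheduled tasks and a Run value that start a browser or cmd.exe with a URL argument) can be picked out of an FRST log mechanically. The Python below is an added example, not part of the original post or of FRST; it assumes the " = " separator as the lines appear on this page, and the Example* entries and the shortened Start Page URL in the sample are constructed.

```python
import re

# Sample adapted from the fixlist above. The Start Page URL is shortened and
# the two Example* lines are constructed entries that must not be flagged.
SAMPLE = r"""
Task: {046D2102-F8FF-42EF-8FC0-C1858FBBE479} - System32\Tasks\WOT W1 = Firefox.exe http://mmotraffic.com/catalog/goplay/1327/MTE3NjYvLy8xMzI3/ ==== ATTENTION
HKU\S-1-5-21-3349865243-1250912301-2486857206-1001\...\Run: [CMD] = cmd.exe /c start http://ooov.net exit ===== ATTENTION
HKU\S-1-5-21-3349865243-1250912301-2486857206-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.awesomehp.com/
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleUpdater = C:\Program Files\Example\update.exe /silent
HKLM\...\Run: [ExampleTray] = "C:\Program Files\Example\tray.exe" --minimized
"""

# A scheduled task or a Run/RunOnce value, then " = " and the command line.
# Browser settings such as "Start Page" are a different category and are skipped.
AUTOSTART = re.compile(
    r"^(?:Task: \{[0-9A-Fa-f-]{36}\} - (?P<task>.+?)"
    r"|(?P<runkey>\S+\\Run(?:Once)?): \[(?P<value>[^\]]*)\])"
    r" = (?P<cmd>.+?)(?:\s+=+ ATTENTION)?\s*$"
)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def url_autostarts(log_text):
    """Return autostart entries whose command line carries a URL argument."""
    hits = []
    for line in log_text.splitlines():
        m = AUTOSTART.match(line.strip())
        if not m:
            continue  # not a task / Run entry
        urls = URL.findall(m["cmd"])
        if not urls:
            continue  # ordinary autostart: program path with no URL
        hits.append({
            "kind": "scheduled task" if m["task"] else "Run key",
            "location": m["task"] or f'{m["runkey"]} [{m["value"]}]',
            "program": m["cmd"].split()[0].strip('"').lower(),
            "urls": urls,
        })
    return hits


if __name__ == "__main__":
    for hit in url_autostarts(SAMPLE):
        print(f'{hit["kind"]}: {hit["location"]} -> {hit["program"]} {hit["urls"]}')
```
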


(Tomczyk5131221) #5

It works, thanks a lot.

Problem solved

Regards


(Acorus) #6

Delete the folder C:\FRST