[HELP] How to remove SafeFinder!


(Piotrekjxd) #1

Hello, I recently installed software from your site and a virus got installed along with it.


(IPSEN) #2

Provide the logs -farbar-recovery-scan-tool-raport-obowiazkowy and wait for a log specialist.


(Piotrekjxd) #3

Logs

Shortcut.txt

FRST.txt

Addition.txt


(nowy hd) #4

Malwarebytes Anti-Malware will help


(Atis) #5

 

Paste the following into the system Notepad and save it as a text file named fixlist:

CloseProcesses:
HKU\S-1-5-21-2900505-3551942356-805820487-1000\...\Run: [AdobeBridge] = [X]
AppInit_DLLs: C:\ProgramData\dlohn\Bluetough.dll = C:\ProgramData\dlohn\Bluetough.dll [805376 2016-01-30] ()
AppInit_DLLs-x32: C:\ProgramData\dlohn\Dingbam.dll = C:\ProgramData\dlohn\Dingbam.dll [257536 2016-01-30] ()
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVfMg3cHqGEX0eNA4e92PStCz5KTAX_g6ZMf27B4AUNIzyn0IwPFR_NzoJ9Jlvx823fQACiaYkM,q={searchTerms}
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0N3cKp1CpvSF94dIP2HKcEG_CVIOKY5_dDp1YPwt0ZpdrDC7z2GR2MawtauxUkLxMtUscNpJwIcYbhb9VB0P5mBT3rHoTwY,
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVfMg3cHqGEX0eNA4e92PStCz5KTAX_g6ZMf27B4AUNIzyn0IwPFR_NzoJ9Jlvx823fQACiaYkM,q={searchTerms}
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVfMg3cHqGEX0eNA4e92PStCz5KTAX_g6ZMf27B4AUNIzyn0IwPFR_NzoJ9Jlvx823fQACiaYkM,q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 - ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVfMg3cHqGEX0eNA4e92PStCz5KTAX_g6ZMf27B4AUNIzyn0IwPFR_NzoJ9Jlvx823fQACiaYkM,q={searchTerms}
SearchScopes: HKU\S-1-5-21-2900505-3551942356-805820487-1000 - DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVfMg3cHqGEX0eNA4e92PStCz5KTAX_g6ZMf27B4AUNIzyn0IwPFR_NzoJ9Jlvx823fQACiaYkM,q={searchTerms}
SearchScopes: HKU\S-1-5-21-2900505-3551942356-805820487-1000 - {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVfMg3cHqGEX0eNA4e92PStCz5KTAX_g6ZMf27B4AUNIzyn0IwPFR_NzoJ9Jlvx823fQACiaYkM,q={searchTerms}
CHR HomePage: Default - hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHPYMP47Bprk_5s90KVuTfOMQwO8rZLf_O1M-bzndbKbAwi4SgydtUpIl8ZYCmlXynd5X7LB1XFjwWmxhJTIKVXNlNjp10,
CHR DefaultSearchURL: Default - hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHDe-ZR1Gqv3KFLWyXLiyZcL66I3fGAmctjB4FsKcdf_t2ZpLCjlmEBch_miG0nvZtCc73r25JA7bN6wKcoix5f-BFs8QM,q={searchTerms}
CHR DefaultSearchKeyword: Default - feed.sonic-search.com
CHR DefaultSuggestURL: Default - hxxps://search.yahoo.com/sugg/chrome?output=fxjsonappid=crmascommand={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [fcgnigmofekcllgbiejhmigggmgehkip] - hxxps://clients2.google.com/service/update2/crx
R2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe [531456 2016-01-29] () [Brak podpisu cyfrowego]
R2 dlohn; C:\ProgramData\\dlohn\\dlohn.exe [531456 2016-01-30] () [Brak podpisu cyfrowego]
R2 eupdateddw; C:\Users\Admin\AppData\Local\Silhatcity.exe [28160 2016-01-27] () [Brak podpisu cyfrowego]
R2 REACHit; C:\Program Files\REACHit\REACHit.exe [383488 2016-01-29] () [Brak podpisu cyfrowego]
S1 {dceba70f-5909-488d-be47-91bf75d9075e}Gw64; system32\drivers\{dceba70f-5909-488d-be47-91bf75d9075e}Gw64.sys [X]
2016-02-01 21:31 - 2016-02-02 19:36 - 00002393 _____ C:\Windows\SysWOW64\findit.xml
2016-01-30 11:46 - 2016-02-04 08:37 - 00000000 ____ D C:\ProgramData\dlohn
2016-01-30 11:46 - 2016-01-30 11:47 - 00000000 ____ D C:\ProgramData\dlohns
2016-01-27 05:18 - 2016-02-04 08:36 - 00000000 ____ D C:\ProgramData\Airtostrong
2016-01-27 05:18 - 2016-01-27 05:18 - 03276533 _____ () C:\Program Files\Common Files\nndxhwke.exe
2016-01-27 05:18 - 2016-01-27 05:18 - 00000000 ____ D C:\ProgramData\Airtostrongs
2016-01-27 05:18 - 2016-01-27 05:18 - 00000000 ____ D C:\Program Files\Common Files\bv04i5hi
2016-01-27 04:14 - 2016-02-01 09:23 - 00000000 ____ D C:\AdwCleaner
2016-01-27 04:10 - 2016-01-27 04:10 - 00000000 ____ D C:\Program Files\REACHit
2016-01-27 04:10 - 2016-01-27 04:10 - 0041472 _____ () C:\Users\Admin\AppData\Local\Silhatcity.dat
2016-01-27 04:10 - 2016-01-27 04:10 - 0028160 _____ () C:\Users\Admin\AppData\Local\Silhatcity.exe
2016-01-27 04:10 - 2016-01-27 04:10 - 0000187 _____ () C:\Users\Admin\AppData\Local\Silhatcity.exe.config
C:\Users\Admin\AppData\Local\*.exe
ShortcutWithArgument: C:\Users\Admin\Desktop\Google Chrome.lnk - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) - hxxp://feed.helperbar.com/?publisher=PRReddpid=generalsearchtype=prbarcodeid=163867
ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Google Chrome.lnk - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) - hxxp://feed.helperbar.com/?publisher=PRReddpid=generalsearchtype=prbarcodeid=163867
ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) - hxxp://feed.helperbar.com/?publisher=PRReddpid=generalsearchtype=prbarcodeid=163867
ShortcutWithArgument: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) - hxxp://feed.helperbar.com/?publisher=PRReddpid=generalsearchtype=prbarcodeid=163867
Hosts:
EmptyTemp:

Run FRST and click Napraw (Fix). Post the Fixlog removal report.


(Piotrekjxd) #6

Unfortunately, it didn't help. I opened Chrome and everything was fine. But when I closed it and started it again, the same thing showed up again.


(Atis) #7

Paste the following into the system Notepad and save it as a text file named fixlist:

CloseProcesses:
AppInit_DLLs: C:\ProgramData\Airtostrong\BigStock.dll = C:\ProgramData\Airtostrong\BigStock.dll [805376 2016-02-04] ()
AppInit_DLLs-x32: C:\ProgramData\Airtostrong\JayTinfax.dll = C:\ProgramData\Airtostrong\JayTinfax.dll [257536 2016-02-04] ()
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVREzaHFaFqOXci3krfFhaTvmoE72s2g2-VfbnyuQRXggm6PGp0rG7jzU6pIltsDizw51rElMow,q={searchTerms}
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0N3cKp1CpvSF94dIP2HKcEIc-2qMrsRGVGvjooVBN4mPOhIDoVIBiKS054Nhpc0A2rajzZzjtWr6DebsFL6KULX7qXQOWJY,
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVREzaHFaFqOXci3krfFhaTvmoE72s2g2-VfbnyuQRXggm6PGp0rG7jzU6pIltsDizw51rElMow,q={searchTerms}
HKU\S-1-5-21-2900505-3551942356-805820487-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVREzaHFaFqOXci3krfFhaTvmoE72s2g2-VfbnyuQRXggm6PGp0rG7jzU6pIltsDizw51rElMow,q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 - ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVREzaHFaFqOXci3krfFhaTvmoE72s2g2-VfbnyuQRXggm6PGp0rG7jzU6pIltsDizw51rElMow,q={searchTerms}
SearchScopes: HKU\S-1-5-21-2900505-3551942356-805820487-1000 - DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVREzaHFaFqOXci3krfFhaTvmoE72s2g2-VfbnyuQRXggm6PGp0rG7jzU6pIltsDizw51rElMow,q={searchTerms}
SearchScopes: HKU\S-1-5-21-2900505-3551942356-805820487-1000 - {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHUjB5IQvhQI_yYO_q6uVREzaHFaFqOXci3krfFhaTvmoE72s2g2-VfbnyuQRXggm6PGp0rG7jzU6pIltsDizw51rElMow,q={searchTerms}
CHR HomePage: Default - hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHPYMP47Bprk_5s90KVuTRqxDPOIqHRXdU4tURQgNCIOfbRHc-dJu2ajkZP2d8dEEdJxe76PB-hD-2Z-gSW2MVWeQpIPek,
CHR DefaultSearchURL: Default - hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B3vZOxc6r0vkIwdtPR0BHnCu-SxMH0UCiAqv5sNGkzIY-AzQOnySG1WLsSJ6r_17qEc68SP80JDmR0NHDe-ZR1Gqv3KFLWyXLiyZcL66I3fGAmctjB4FsKcdf_t2ZpLCjlmEBch_miG0nvZtCc73r25JA7bN6wKcoix5f-BFs8QM,q={searchTerms}
CHR DefaultSearchKeyword: Default - feed.sonic-search.com
CHR DefaultSuggestURL: Default - hxxps://search.yahoo.com/sugg/chrome?output=fxjsonappid=crmascommand={searchTerms}
R2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe [530944 2016-02-04] () [Brak podpisu cyfrowego]
C:\ProgramData\Airtostrongs
C:\ProgramData\Airtostrong
C:\Windows\SysWOW64\findit.xml
C:\Program Files\Common Files\*.exe
C:\Program Files\Common Files\vkc1s3bd
EmptyTemp:

Run FRST and click Napraw (Fix). Post the Fixlog removal report.
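
Added example, not part of the original thread and not FRST's own code: a small triage script that groups fixlist lines by persistence mechanism and decodes the percent-encoded hostnames in the hijacked browser settings. The sample lines are abridged from the two fixlists above with the long `p=` value replaced by a placeholder; the category names and function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: lines abridged from the thread's fixlists; the long
# tracking value after "p=" / "publisher=" is replaced by PLACEHOLDER.
SAMPLE = r"""
AppInit_DLLs: C:\ProgramData\Airtostrong\BigStock.dll = C:\ProgramData\Airtostrong\BigStock.dll [805376 2016-02-04] ()
CHR HomePage: Default - hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=PLACEHOLDER,
CHR DefaultSearchURL: Default - hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=PLACEHOLDER,q={searchTerms}
R2 Airtostrong; C:\ProgramData\\Airtostrong\\Airtostrong.exe [530944 2016-02-04] () [Brak podpisu cyfrowego]
ShortcutWithArgument: C:\Users\Admin\Desktop\Google Chrome.lnk - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) - hxxp://feed.helperbar.com/?publisher=PLACEHOLDER
EmptyTemp:
"""

# Hypothetical category labels; first matching pattern wins.
CATEGORIES = [
    (re.compile(r"^AppInit_DLLs"), "appinit_dll"),
    (re.compile(r"^[RS]\d "), "service_or_driver"),
    (re.compile(r"^ShortcutWithArgument:"), "shortcut"),
    (re.compile(r"^(CHR |SearchScopes:)|Internet Explorer\\Main"), "browser_setting"),
]
# Logs in the thread defang URLs as hxxp/hxxps; capture only the host part.
URL_HOST = re.compile(r"hxxps?://([^/\s]+)")

def classify(line):
    """Return the persistence category a fixlist line belongs to."""
    for pattern, name in CATEGORIES:
        if pattern.search(line):
            return name
    return "other"

def decoded_hosts(line):
    """Decode percent-encoded hostnames such as %66%65%65%64 -> feed."""
    return [unquote(host).lower() for host in URL_HOST.findall(line)]

def triage(text):
    """Summarise a fixlist: entry count and decoded hosts per category."""
    report = {}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        entry = report.setdefault(classify(line), {"count": 0, "hosts": set()})
        entry["count"] += 1
        entry["hosts"].update(decoded_hosts(line))
    return report

if __name__ == "__main__":
    for category, info in sorted(triage(SAMPLE).items()):
        print(category, info["count"], sorted(info["hosts"]))
```

Running the same summary over each successive fixlist makes it easy to see which categories reappear after a fix, as the AppInit_DLLs and service entries did between posts #5 and #7.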