Please help with removing adware


(Hawajski) #1

Hello

I'd like to ask for help removing malicious software such as adware, etc. I installed Odin 3.10, and in the meantime a ton of unnecessary adware programs, Firefox search engines and other junk of that kind got installed. I managed to remove some of it manually, but I can't deal with the rest.

FRST: http://www.wklej.org/id/1656581/

Addition: http://www.wklej.org/id/1656583/

OTL

OTL: http://wklej.org/id/1656572/

Extras: http://wklej.org/id/1656573/

Thank you in advance for your help.


(Marex8) #2

Maybe with AdwCleaner; I haven't tested it, but it's popular: http://www.dobreprogramy.pl/AdwCleaner,Program,Windows,38865.html


(Acorus) #3

Uninstall SavePass 1.1. Open the system Notepad and paste:

Task: {0494857D-DB84-4485-9875-DB555157C1BA} - System32\Tasks\APSnotifierPP2 = C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe ==== ATTENTION
Task: {0C1F73A1-996B-4B62-9102-97CC8D715DF4} - System32\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-4 = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-4.exe [2015-03-07] (OB) ==== ATTENTION
Task: {1D5A1B32-AD92-4EAE-B827-81DCB2844E1B} - System32\Tasks\APSnotifierPP3 = C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe ==== ATTENTION
Task: {48C5B56B-BCBF-4E0C-B2E7-42F16640E36F} - System32\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5_user = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5.exe [2015-03-07] (OB) ==== ATTENTION
Task: {5282E5C2-505E-4B32-B839-74B19FAE8ABE} - System32\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-10_user = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-10.exe ==== ATTENTION
Task: {6ED22ED1-2F8A-4AF0-9333-73F99E6F8E1C} - System32\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-7 = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-7.exe [2015-03-07] (OB) ==== ATTENTION
Task: {77F9B1DA-480A-44B7-81BB-B3BFF1527F92} - System32\Tasks\globalUpdateUpdateTaskMachineUA = C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe [2015-03-07] (globalUpdate) ==== ATTENTION
Task: {7AD8AEC4-7CFA-427B-8973-24F2221B3DF6} - System32\Tasks\SmartWeb Upgrade Trigger Task = C:\Users\hawajski\AppData\Local\SmartWeb\SmartWebHelper.exe ==== ATTENTION
Task: {7C5F7C93-79CC-4090-8F92-549FC9A4667F} - System32\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5 = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5.exe [2015-03-07] (OB) ==== ATTENTION
Task: {8DA96FF1-8AEB-45F5-ADD1-3D5E040F9309} - System32\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-6 = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-6.exe [2015-03-07] (OB) ==== ATTENTION
Task: {C17659DE-FB1B-47FC-9CEB-637F6E70C17F} - System32\Tasks\globalUpdateUpdateTaskMachineCore = C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe [2015-03-07] (globalUpdate) ==== ATTENTION
Task: {C2817394-394A-4042-9985-676D95C96F01} - System32\Tasks\APSnotifierPP1 = C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe ==== ATTENTION
Task: C:\Windows\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-6.job = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-6.exe ==== ATTENTION
Task: C:\Windows\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-7.job = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-1-7.exe ==== ATTENTION
Task: C:\Windows\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-10_user.job = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-10.exe ==== ATTENTION
Task: C:\Windows\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-4.job = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-4.exe ==== ATTENTION
Task: C:\Windows\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5.job = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5.exe ==== ATTENTION
Task: C:\Windows\Tasks\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5_user.job = C:\Program Files (x86)\SavePass 1.1\a31a59b7-cbe5-4e46-9305-3cbeb0aa3c10-5.exe ==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job = C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe ==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job = C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe ==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job = C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe ==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job = C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe ==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job = C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe ==== ATTENTION
HKLM-x32\...\Run: [gmsd_pl_63] = [X]
HKU\S-1-5-21-2146358183-2713517906-901313987-1000\...\Run: [ASRockXTU] = [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction ======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=dsts=1425729575from=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNq={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=dsts=1425729575from=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNq={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=dsts=1425729575from=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNq={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=dsts=1425729575from=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNq={searchTerms}
HKU\S-1-5-21-2146358183-2713517906-901313987-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\S-1-5-21-2146358183-2713517906-901313987-1000 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=butm_medium=faceutm_campaign=install_ieutm_content=dsfrom=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNts=1425729601type=defaultq={searchTerms}
SearchScopes: HKU\S-1-5-21-2146358183-2713517906-901313987-1000 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.istartsurf.com/web/?utm_source=butm_medium=faceutm_campaign=install_ieutm_content=dsfrom=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNts=1425729601type=defaultq={searchTerms}
SearchScopes: HKU\S-1-5-21-2146358183-2713517906-901313987-1000 - {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.istartsurf.com/web/?utm_source=butm_medium=faceutm_campaign=install_ieutm_content=dsfrom=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNts=1425729601type=defaultq={searchTerms}
SearchScopes: HKU\S-1-5-21-2146358183-2713517906-901313987-1000 - {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.istartsurf.com/web/?utm_source=butm_medium=faceutm_campaign=install_ieutm_content=dsfrom=faceuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGNts=1425729601type=defaultq={searchTerms}
BHO-x32: IETabPage Class - {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} - C:\Program Files (x86)\XTab\SupTab.dll (Thinknice Co. Limited)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.omniboxes.com/?type=scts=1425728886from=obwuid=INTELXSSDSC2CW120A3_CVCV425003FP120BGN
FF DefaultSearchEngine: istartsurf
FF SelectedSearchEngine: istartsurf
FF SearchPlugin: C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\searchplugins\istartsurf.xml
FF SearchPlugin: C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\searchplugins\omniboxes.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wtu-secure-search.xml
FF Extension: SavePass 1.1 - C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\Extensions\389579c4-efa9-4d96-a1dd-3c86f7bd1a51@gmail.com [2015-03-07]
FF Extension: AVG Web TuneUp - C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\Extensions\avg@toolbar [2014-08-17]
FF Extension: Fast Start - C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\Extensions\istart_ffnt@gmail.com [2015-03-07]
FF Extension: Search Enginer - C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\Extensions\searchengine@gmail.com [2015-03-07]
FF HKLM-x32\...\Firefox\Extensions: [searchengine@gmail.com] - C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\extensions\searchengine@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [istart_ffnt@gmail.com] - C:\Users\hawajski\AppData\Roaming\Mozilla\Firefox\Profiles\pqpr42vs.default\extensions\istart_ffnt@gmail.com
R2 cimicutu; C:\Users\hawajski\AppData\Roaming\03000200-1425732435-0500-0006-000700080009\jnsxFA36.tmp [195584 2015-03-07] () [File not signed]
S2 globalUpdate; C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe [68608 2015-03-07] (globalUpdate) [File not signed]
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe [68608 2015-03-07] (globalUpdate) [File not signed]
R2 vToolbarUpdater3.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe [1843736 2014-08-17] (AVG Secure Search)
R4 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [493712 2015-03-07] (SysTool PasSame LIMITED)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-03-07 13:01 - 2015-03-07 13:01 - 00613255 _____ (CMI Limited) C:\Users\hawajski\AppData\Local\nsh8EF8.tmp
2015-03-07 13:01 - 2015-03-07 13:01 - 00002834 _____ () C:\Windows\System32\Tasks\APSnotifierPP1
2015-03-07 13:01 - 2015-03-07 13:01 - 00002832 _____ () C:\Windows\System32\Tasks\APSnotifierPP3
2015-03-07 13:01 - 2015-03-07 13:01 - 00002832 _____ () C:\Windows\System32\Tasks\APSnotifierPP2
2015-03-07 13:01 - 2015-03-07 13:01 - 00000376 _____ () C:\Windows\Tasks\APSnotifierPP3.job
2015-03-07 13:01 - 2015-03-07 13:01 - 00000376 _____ () C:\Windows\Tasks\APSnotifierPP2.job
2015-03-07 13:01 - 2015-03-07 13:01 - 00000000 __SHD () C:\Users\hawajski\AppData\Roaming\AnyProtectEx
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.


(Hawajski) #4

I ran the script and removed the detected items in AdwCleaner. I'm pasting the FRST logs again; is everything all right?

Addition: http://wklej.org/id/1656606/

FRST: http://wklej.org/id/1656607/


(Acorus) #5

Open the system Notepad and paste:

SearchScopes: HKU\.DEFAULT - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-17] (AVG Technologies)
2015-03-07 14:18 - 2015-03-07 14:20 - 00000000 ____ D () C:\AdwCleaner

Save the file as fixlist.txt and place it next to FRST in the same folder.


(Hawajski) #6

Thank you very much for your help.

Regards