kobi16
(Kobi16)
26 April 2012 15:21
#1
I have this problem: I turn on the computer and after a few seconds everything shuts off and a message pops up saying the computer is locked and that I have to pay 50 euros. I called the police, because it said that supposedly they were the ones who locked it, but it wasn't them; they said there are a lot of cases like this and that I should not pay under any circumstances. Now I don't know what to do, because the only thing I can do is stay in safe mode. I would be very grateful for help, thanks in advance :)
kobi16
(Kobi16)
26 April 2012 15:50
#3
Acorus
(Acorus)
26 April 2012 16:08
#4
Uninstall Babylon toolbar on IE, Facemoods Toolbar, McAfee Security Scan Plus, Norton Security Scan, SFT_Polska Toolbar, Softonic toolbar on IE and Chrome, Winamp Toolbar, Wincore MediaBar. Run OTL and paste the following into the (Custom Scans/Fixes) box:
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=stonicpl&s={searchTerms}&f=4
IE - HKLM…\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKLM…\URLSearchHook: {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
IE - HKLM…\SearchScopes{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ie … =2&sr=0&q={searchTerms}
IE - HKLM…\SearchScopes{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKLM…\SearchScopes{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/red … 685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20111202163841906&tb_oid=02-12-2011&tb_mrud=02-12-2011
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll (AOL Inc.)
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\URLSearchHook: {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=stonicpl&s={searchTerms}&f=4
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100489&mntrId=5225737a00000000000006224365ec90
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{37BEEB1C-78FA-47F5-84E0-E03FB324E16F}: "URL" = http://search.softonic.com/MON00084/tb_v1?q={searchTerms}&SearchSource=4&cc=
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ie … =2&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/red … 685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20111202163841906&tb_oid=02-12-2011&tb_mrud=02-12-2011
FF - prefs.js…browser.search.defaultenginename: "Search Results"
FF - prefs.js…browser.search.order.1: "Search Results"
FF - prefs.js…browser.search.selectedEngine: "Search the web (Softonic)"
FF - prefs.js…browser.startup.homepage: "http://search.bearshare.com "
FF - prefs.js…keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=707&systemid=2&sr=0&q= "
[2011/12/02 18:38:53 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2012/03/23 20:21:33 | 000,000,000 | ---D | M] (SFT_Polska Community Toolbar) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions{5c5b9468-d672-4eb7-b52f-b5afabf28c5b}
[2012/02/18 13:25:50 | 000,000,000 | ---D | M] (Wincore Mediabar) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}
[2011/11/25 19:07:18 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions\ffxtlbr@babylon.com
[2011/11/26 23:00:18 | 000,000,000 | ---D | M] (Facemoods) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions\ffxtlbr@Facemoods.com
[2012/02/18 13:25:38 | 000,002,515 | ---- | M] () -- C:\Users\damian\AppData\Roaming\Mozilla\Firefox\Profiles\ulht0j6k.default\searchplugins\Search_Results.xml
[2012/04/16 22:15:58 | 000,002,060 | ---- | M] () -- C:\Users\damian\AppData\Roaming\Mozilla\Firefox\Profiles\ulht0j6k.default\searchplugins\softonic.xml
O3 - HKLM…\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM…\Toolbar: (Softonic Toolbar) - {5018CFD2-804D-4C99-9F81-25EAEA2769DE} - C:\Program Files (x86)\Softonic\Softonic\1.5.21.0\SoftonicTlbr.dll (Softonic.com )
O3 - HKLM…\Toolbar: (SFT_Polska Toolbar) - {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
O3 - HKLM…\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM…\Toolbar: (Wincore Mediabar) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll ()
O3 - HKLM…\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com \facemoods\1.4.17.11\facemoodsTlbr.dll (facemoods.com )
O3 - HKLM…\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll (AOL Inc.)
O3 - HKLM…\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM…\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\Toolbar\WebBrowser: (SFT_Polska Toolbar) - {5C5B9468-D672-4EB7-B52F-B5AFABF28C5B} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll (AOL Inc.)
O4 - HKLM…\Run: [DATAMNGR] C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE (MusicLab, LLC)
O4 - HKLM…\Run: [facemoods] C:\Program Files (x86)\facemoods.com \facemoods\1.4.17.11\facemoodssrv.exe (facemoods.com )
O4 - HKLM…\Run: [setwallpaper] c:\programdata\SetWallpaper.cmd File not found
O4 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\RunOnce: [Application Restart #0 ] C:\Windows\System32\ctfmon.exe ctfmon.exe File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll) - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll (MusicLab, LLC)
O20 - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll) - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll (MusicLab, LLC)
[2012/04/16 22:34:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v9Soft
[2012/04/09 19:19:06 | 000,000,454 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for damian.job
[2012/04/16 22:34:45 | 000,001,996 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Deinstalator Strony V9.lnk
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[emptytemp]
Click Run Fix. Confirm the computer restart. Save the report that appears after the restart. Then run OTL again, this time click (Run Scan).
Post the new OTL.txt log and the removal report.
kobi16
(Kobi16)
26 April 2012 20:32
#5
I did it according to the instructions. After that the computer restarted by itself and I tried to boot normally, not in safe mode, but after a short time a prompt came up asking whether I wanted to run OTL. I clicked yes and a document popped up with Error entries in it, and so on every few moments; I kept cancelling and after a moment the same thing popped up again. I don't know what to do now. Sorry for the delays, but I had important matters to take care of and couldn't reply right away.
– Added 26.04.2012 (Thu) 22:10 –
Here is the removal report from after the restart, this is the report: http://wklej.to/KTlyJ
Acorus
(Acorus)
27 April 2012 07:16
#6
Repeat the removal. You did not paste :OTL
kobi16
(Kobi16)
27 April 2012 14:18
#7
Here is the OTL report from the repeated scan after trying to restart the computer: http://wklej.to/OccuN Sorry for the delays.
– Added 27.04.2012 (Fri) 15:22 –
I forgot to paste one more that only just came up xD Extras: http://wklej.to/PFTj3
Acorus
(Acorus)
27 April 2012 16:32
#8
Run OTL and paste the following into the (Custom Scans/Fixes) box:
:OTL
IE:64bit: - HKLM…\SearchScopes{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ie … =2&sr=0&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=stonicpl&s={searchTerms}&f=4
IE - HKLM…\SearchScopes{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ie … =2&sr=0&q={searchTerms}
IE - HKLM…\SearchScopes{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKLM…\SearchScopes{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/red … 685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20111202163841906&tb_oid=02-12-2011&tb_mrud=02-12-2011
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=stonicpl&s={searchTerms}&f=4
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100489&mntrId=5225737a00000000000006224365ec90
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{37BEEB1C-78FA-47F5-84E0-E03FB324E16F}: "URL" = http://search.softonic.com/MON00084/tb_v1?q={searchTerms}&SearchSource=4&cc=
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ie … =2&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\SearchScopes{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/red … 685&query={searchTerms}&invocationType=tb50-ie-winamp-chromesbox-en-us&tb_uuid=20111202163841906&tb_oid=02-12-2011&tb_mrud=02-12-2011
FF - prefs.js…browser.search.order.1: "Search Results"
FF - prefs.js…browser.search.selectedEngine: "Search the web (Softonic)"
FF - prefs.js…browser.startup.homepage: "http://search.bearshare.com "
FF - prefs.js…keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=707&systemid=2&sr=0&q= "
[2011/12/02 18:38:53 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2012/03/23 20:21:33 | 000,000,000 | ---D | M] (SFT_Polska Community Toolbar) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions{5c5b9468-d672-4eb7-b52f-b5afabf28c5b}
[2012/02/18 13:25:50 | 000,000,000 | ---D | M] (Wincore Mediabar) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}
[2011/11/25 19:07:18 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\damian\AppData\Roaming\mozilla\Firefox\Profiles\ulht0j6k.default\extensions\ffxtlbr@babylon.com
[2012/02/18 13:25:38 | 000,002,515 | ---- | M] () -- C:\Users\damian\AppData\Roaming\Mozilla\Firefox\Profiles\ulht0j6k.default\searchplugins\Search_Results.xml
[2012/04/16 22:15:58 | 000,002,060 | ---- | M] () -- C:\Users\damian\AppData\Roaming\Mozilla\Firefox\Profiles\ulht0j6k.default\searchplugins\softonic.xml
O3 - HKLM…\Toolbar: (Wincore Mediabar) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll File not found
O3 - HKLM…\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM…\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\Toolbar\WebBrowser: (no name) - {5C5B9468-D672-4EB7-B52F-B5AFABF28C5B} - No CLSID value found.
O4 - HKLM…\Run: [setwallpaper] c:\programdata\SetWallpaper.cmd File not found
O4 - HKLM…\RunOnce: [removeBearSharedatamngr] cmd.exe /c RD /S /Q "C:\Program Files (x86)\BearShare Applications\MediaBar" File not found
O4 - HKLM…\RunOnce: [removeBearSharetoolbar] cmd.exe /c RD /S /Q "C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar" File not found
O4 - HKU\S-1-5-19…\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20…\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\RunOnce: [Application Restart #0 ] C:\Windows\System32\ctfmon.exe ctfmon.exe File not found
[2012/04/16 22:34:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v9Soft
:Commands
[emptytemp]
Click Run Fix. Confirm the computer restart. Save the report that appears after the restart. Then run OTL again, this time click (Run Scan).
Post the new OTL.txt log and the removal report.
Use AdwCleaner http://general-changelog-team.fr/outils/289-adwcleaner with the Delete function.
Post the new log after the AdwCleaner action.
kobi16
(Kobi16)
28 April 2012 12:31
#9
Hello, after some problems and blue screens I ended up in safe mode again, but I have the reports, i.e.:
1. report after running the script in OTL: http://wklej.to/CaZQU
2. AdwCleaner report: http://wklej.to/6nWaB
3. new OTL scan report: http://wklej.to/eqyvL
4. new Extras scan report: http://wklej.to/5z5wO
Sorry for the delays, but I didn't have much time; today I have more.
Acorus
(Acorus)
28 April 2012 13:09
#10
Uninstall Deinstalator Strony V9. Run OTL and paste the following into the (Custom Scans/Fixes) box:
:OTL
IE - HKU\S-1-5-21-897122238-1676268606-552659193-1000…\URLSearchHook: {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - No CLSID value found
[2011/11/26 23:00:19 | 000,002,051 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrch.xml
[2012/02/18 13:25:38 | 000,002,515 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
[2012/04/16 22:34:46 | 000,002,415 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\v9.xml
O2 - BHO: (no name) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - No CLSID value found.
O3:64bit: - HKLM…\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM…\Toolbar: (no name) - Locked - No CLSID value found.
[2012/04/16 22:34:45 | 000,001,996 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Deinstalator Strony V9.lnk
:Commands
[emptytemp]
Click Run Fix. In OTL use the CleanUp option. Scan with the program Malwarebytes Anti-Malware
http://www.malwarebytes.org/products/malwarebytes_free
Before scanning, perform a MANUAL UPDATE OF THE VIRUS SIGNATURE DATABASE in Malwarebytes: "Run Malwarebytes, go to the Update tab, Check for Updates."
Scan with Dr.WEB CureIt http://www.dobreprogramy.pl/Dr.WEB-Cure … 12976.html
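
A triage helper for OTL entries like the ones in the fix scripts above, as an added example that is not part of the thread or of OTL itself: it separates entries whose target is already gone ("File not found", "No CLSID value found") from autostart entries (O4, O20) that still point at a file and from browser-setting entries. The sample lines are copied from the scripts in this thread; the function names and state labels are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Entries copied from the fix scripts quoted in this thread (OTL log format).
SAMPLE = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/ins/ins_1334608485_854618
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=stonicpl&s={searchTerms}&f=4
O3 - HKLM…\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM…\Run: [DATAMNGR] C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE (MusicLab, LLC)
O4 - HKLM…\Run: [setwallpaper] c:\programdata\SetWallpaper.cmd File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll) - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll (MusicLab, LLC)
""".strip().splitlines()

PREFIX = re.compile(r"^(IE|FF|O\d+)(?::64bit:)? - ")  # section tag, optional 64-bit marker
URL = re.compile(r"https?://[^\s\"“”]+")
DEAD = ("File not found", "No CLSID value found")     # target file or COM class is gone
AUTOSTART = {"O4", "O20"}                              # Run/RunOnce values, AppInit_DLLs

def classify(line):
    """Return (section, state, host) for one OTL entry."""
    line = line.strip()
    if re.match(r"\[\d{4}/\d\d/\d\d ", line):          # dated file or folder entry
        return ("FILE", "file", None)
    m = PREFIX.match(line)
    if not m:
        return (None, "unparsed", None)                # directives such as :OTL, :Commands
    section = m.group(1)
    url = URL.search(line)
    host = urlsplit(url.group(0)).hostname if url else None
    if line.rstrip(".").endswith(DEAD):
        state = "orphan"        # leftover registry value; nothing loads from it
    elif section in AUTOSTART:
        state = "autostart"     # still starts or injects code at logon
    else:
        state = "browser"       # home page, search provider, toolbar, BHO
    return (section, state, host)

def triage(lines):
    """Bucket entries by state so live autostarts can be reviewed first."""
    buckets = {}
    for line in lines:
        section, state, host = classify(line)
        buckets.setdefault(state, []).append((section, host))
    return buckets

if __name__ == "__main__":
    for state, items in triage(SAMPLE).items():
        print(state, items)
```

Run over the three scripts in order, the share of "orphan" entries grows with each pass, which matches the last script consisting almost entirely of "No CLSID value found" leftovers.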