Automatic background installation of applications, homepage change

Hello, I was recently looking for graphics card drivers; I downloaded some junk and now it installs programs in the background, and I have strange processes that I have to close, including CmdShell.exe. It also changes the homepage in Chrome.

Download and run AdwCleaner. Click Scan, then Remove.

Paste the following into the system Notepad and save it as a text file named fixlist:

CloseProcesses:
HKLM-x32\...\Run: [gmsd_pl_005010011] => [X]
HKLM-x32\...\Run: [gmsd_pl_005010013] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1435142120&z=6ca9a97507ef2f37d681615g2z6cew0g9zeo7gbo2e&from=face&uid=395049983_397233_04BE55C9
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.istartsurf.com/?type=hppp&ts=1435142120&z=6ca9a97507ef2f37d681615g2z6cew0g9zeo7gbo2e&from=face&uid=395049983_397233_04BE55C9
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1435142082&z=73c042828084eed14140543g3z7cew9gbzao3e1b8o&from=face&uid=395049983_397233_04BE55C9&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1435142082&z=73c042828084eed14140543g3z7cew9gbzao3e1b8o&from=face&uid=395049983_397233_04BE55C9&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1435142120&z=6ca9a97507ef2f37d681615g2z6cew0g9zeo7gbo2e&from=face&uid=395049983_397233_04BE55C9
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1435142120&z=6ca9a97507ef2f37d681615g2z6cew0g9zeo7gbo2e&from=face&uid=395049983_397233_04BE55C9
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1435142082&z=73c042828084eed14140543g3z7cew9gbzao3e1b8o&from=face&uid=395049983_397233_04BE55C9&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1435142082&z=73c042828084eed14140543g3z7cew9gbzao3e1b8o&from=face&uid=395049983_397233_04BE55C9&q={searchTerms}
HKU\S-1-5-21-604778635-2897688449-3898253722-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dspp&ts=1435086342&z=76c4f1979d74efc8b5a7e83g5zec2w8ecbfq7cfzcw&from=cmi&uid=395049983_397233_04BE55C9&q={searchTerms}
HKU\S-1-5-21-604778635-2897688449-3898253722-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.istartsurf.com/?type=hppp&ts=1435142120&z=6ca9a97507ef2f37d681615g2z6cew0g9zeo7gbo2e&from=face&uid=395049983_397233_04BE55C9
HKU\S-1-5-21-604778635-2897688449-3898253722-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dspp&ts=1435086342&z=76c4f1979d74efc8b5a7e83g5zec2w8ecbfq7cfzcw&from=cmi&uid=395049983_397233_04BE55C9&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-604778635-2897688449-3898253722-1001 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=395049983_397233_04BE55C9&ts=1435238681&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-604778635-2897688449-3898253722-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=395049983_397233_04BE55C9&ts=1435238681&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-604778635-2897688449-3898253722-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=395049983_397233_04BE55C9&ts=1435238681&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-604778635-2897688449-3898253722-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=395049983_397233_04BE55C9&ts=1435238681&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-604778635-2897688449-3898253722-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=cmi&utm_campaign=install_ie&utm_content=ds&from=cmi&uid=395049983_397233_04BE55C9&ts=1435238681&type=default&q={searchTerms}
BHO-x32: LuckyTab Class -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> C:\Program Files (x86)\MiuiTab\SupTab.dll [2015-06-16] (Thinknice Co. Limited)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1435142082&z=73c042828084eed14140543g3z7cew9gbzao3e1b8o&from=face&uid=395049983_397233_04BE55C9
CHR Extension: (GoHD) - C:\Users\ksiaze tomasz\AppData\Local\Google\Chrome\User Data\Default\Extensions\fijhlnmmmgflacagjecncpmpnhjieggk [2015-06-24]
S4 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-06-16] (XTab system) [File not signed]
R2 kywidelo; C:\Users\ksiaze tomasz\AppData\Roaming\BD20D368-1434890280-11D5-9E99-F6F9653C30BE\knse2E1F.tmp [276992 2015-06-26] () [File not signed]
R2 xoperoze; C:\Users\ksiaze tomasz\AppData\Roaming\BD20D368-1434890280-11D5-9E99-F6F9653C30BE\jnsnE766.tmp [219136 2015-06-21] () [File not signed]
R2 zedepory; C:\Users\ksiaze tomasz\AppData\Roaming\BD20D368-1434890280-11D5-9E99-F6F9653C30BE\hnsnFE90.tmp [166912 2015-06-21] () [File not signed]
2015-06-24 12:46 - 2015-06-24 18:46 - 00000000 ____ D C:\ProgramData\{663239eb-eb57-18be-6632-239ebeb5e7af}
2015-06-24 12:42 - 2015-06-24 12:42 - 00000000 __SHD C:\Users\ksiaze tomasz\AppData\Roaming\AnyProtectEx
2015-06-24 12:39 - 2015-06-27 19:37 - 00001052 _____ C:\Windows\Tasks\qTmoRMtpHoETsoQbH7hW8BiC.job
2015-06-24 12:39 - 2015-06-24 12:39 - 00004102 _____ C:\Windows\System32\Tasks\qTmoRMtpHoETsoQbH7hW8BiC
2015-06-24 12:38 - 2015-06-24 12:38 - 00000000 ____ D C:\Users\ksiaze tomasz\AppData\Local\globalUpdate
2015-06-24 12:36 - 2015-06-24 12:36 - 00000000 ____ D C:\ProgramData\IHProtectUpDate
2015-06-24 12:35 - 2015-06-25 15:24 - 00000000 ____ D C:\Program Files (x86)\MiuiTab
2015-06-24 12:35 - 2015-06-24 12:35 - 00000000 ____ D C:\ProgramData\WindowsMangerProtect
2015-06-24 12:34 - 2015-06-26 16:46 - 00000000 ____ D C:\Users\ksiaze tomasz\AppData\Local\SmartWeb
2015-06-24 12:34 - 2015-06-24 13:05 - 00000000 ____ D C:\ProgramData\MailUpdate
2015-06-24 12:34 - 2015-06-24 12:34 - 00000000 ____ D C:\Users\ksiaze tomasz\AppData\Roaming\MailUpdate
2015-06-23 21:38 - 2015-06-24 12:45 - 00000000 ____ D C:\Program Files (x86)\0e6b7beb-8109-4cdb-8ee3-f75a74c8e1f8
2015-06-21 20:29 - 2015-06-24 12:02 - 00000000 ____ D C:\AdwCleaner
2015-06-21 14:51 - 2015-06-21 14:51 - 00000000 _____ C:\Windows\prleth.sys
2015-06-21 14:51 - 2015-06-21 14:51 - 00000000 _____ C:\Windows\hgfs.sys
2015-06-21 14:49 - 2015-06-21 14:49 - 00000000 ____ D C:\Users\ksiaze tomasz\AppData\Local\9A9F1D1C-DD28-4A38-8C7A-3FDF8930732E
2015-06-21 14:40 - 2015-06-24 12:43 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-06-21 14:38 - 2015-06-26 16:17 - 00000000 ____ D C:\Users\ksiaze tomasz\AppData\Roaming\BD20D368-1434890280-11D5-9E99-F6F9653C30BE
2015-06-21 14:38 - 2009-06-10 23:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
C:\Users\ksiaze tomasz\AppData\Roaming\*.exe
C:\Users\ksiaze tomasz\AppData\Local\*.tmp
Task: {0DEBB26C-C816-4908-A365-C1D3734CD859} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {1BE68692-7A5F-4387-95CD-2B7C35DE9BA3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-06-12] (Adobe Systems Incorporated)
Task: {3B696805-C257-4464-BC22-D28631CFA588} - System32\Tasks\Bidaily Synchronize Task[74c7] => c:\programdata\{57e1090d-74e2-d2ba-57e1-1090d74e2435}\hqghumeaylnlf.exe <==== ATTENTION
Task: {45A0EF31-BFE5-4A25-9640-F30E78E7111B} - System32\Tasks\SmartWeb Upgrade Trigger Task => C:\Users\ksiaze tomasz\AppData\Local\SmartWeb\SmartWebHelper.exe <==== ATTENTION
Task: {4D912DF5-8864-4DA0-B664-3687F2573C5C} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {8FEC66F1-4A56-4A7E-A6E4-20724D801B23} - System32\Tasks\{D9B202E4-DB51-444C-B37F-3BFCB872D307} => C:\Program Files (x86)\RCP\RegCleanPro.exe <==== ATTENTION
Task: {B6C20D89-DE09-4152-B386-A3225B80F4BA} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {C37A83C3-F6FF-4DD6-BB1C-96EB9EB13A5C} - System32\Tasks\Bidaily Synchronize Task[973b] => c:\programdata\{663239eb-eb57-18be-6632-239ebeb5e7af}\setup.exe [2014-06-24] () <==== ATTENTION
Task: {D0C62A6B-BA74-4862-9AFF-087BB588D642} - System32\Tasks\qTmoRMtpHoETsoQbH7hW8BiC => C:\Users\ksiaze tomasz\AppData\Roaming\qTmoRMtpHoETsoQbH7hW8BiC.exe [2015-04-20] () <==== ATTENTION
Task: {D1F550F4-2E07-4655-A844-1C1C872FB100} - System32\Tasks\{F6426736-F4ED-4FB7-A183-DD8C9FE57C8B} => pcalua.exe -a "C:\Users\ksiaze tomasz\Downloads\SoundMAX_Audio_V51016480_XP\AsusSetup.exe" -d "C:\Users\ksiaze tomasz\Downloads\SoundMAX_Audio_V51016480_XP"
Task: {F3F30E39-AF0D-4C42-B865-2AFE50778725} - System32\Tasks\{72861826-B53F-4A1F-AE1A-33B9D715796B} => pcalua.exe -a D:\Drivers\Win\Audio\setup.exe -d D:\Drivers\Win\Audio
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Bidaily Synchronize Task[74c7].job => c:\programdata\{57e1090d-74e2-d2ba-57e1-1090d74e2435}\hqghumeaylnlf.exe <==== ATTENTION
Task: C:\Windows\Tasks\Bidaily Synchronize Task[973b].job => c:\programdata\{663239eb-eb57-18be-6632-239ebeb5e7af}\setup.exe <==== ATTENTION
Task: C:\Windows\Tasks\qTmoRMtpHoETsoQbH7hW8BiC.job => C:\Users\ksiaze tomasz\AppData\Roaming\qTmoRMtpHoETsoQbH7hW8BiC.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dilletmia => ""="service"
EmptyTemp:

Run FRST and click Fix. Post the removal report, Fixlog.

Click Scan and post the new FRST report, without Addition and Shortcut.
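
An added example, not part of the original thread and not FRST's own logic: a small triage script over Task and service lines in the format shown in the fixlist above. The flagging heuristics (image under AppData/ProgramData, a .tmp image, the "[File not signed]" marker, an empty publisher field) are assumptions of this example; the sample lines are copied from the fixlist.

```python
import re

# Lines copied verbatim from the fixlist on this page (FRST log format).
SAMPLE = r"""
Task: {1BE68692-7A5F-4387-95CD-2B7C35DE9BA3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-06-12] (Adobe Systems Incorporated)
Task: {D0C62A6B-BA74-4862-9AFF-087BB588D642} - System32\Tasks\qTmoRMtpHoETsoQbH7hW8BiC => C:\Users\ksiaze tomasz\AppData\Roaming\qTmoRMtpHoETsoQbH7hW8BiC.exe [2015-04-20] () <==== ATTENTION
Task: {F3F30E39-AF0D-4C42-B865-2AFE50778725} - System32\Tasks\{72861826-B53F-4A1F-AE1A-33B9D715796B} => pcalua.exe -a D:\Drivers\Win\Audio\setup.exe -d D:\Drivers\Win\Audio
S4 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [125112 2015-06-16] (XTab system) [File not signed]
R2 kywidelo; C:\Users\ksiaze tomasz\AppData\Roaming\BD20D368-1434890280-11D5-9E99-F6F9653C30BE\knse2E1F.tmp [276992 2015-06-26] () [File not signed]
"""

# "Task: [{guid} - ]name => command"  or  "R2 name; command" (service/driver line)
ENTRY = re.compile(r"^(?:Task: (?:\{[0-9A-Fa-f-]+\} - )?(?P<task>.+?) => "
                   r"|[RS]\d (?P<svc>[^;]+); )(?P<cmd>.+)$")
# First drive-letter path in the command that ends in an image-like extension
IMAGE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|tmp|dll|sys)\b", re.I)

def triage(log_text):
    """Return [(kind, name, image_path, reasons)] for entries with at least one flag."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        img = IMAGE.search(m["cmd"])
        if not img:
            continue
        path, rest = img.group(0), m["cmd"][img.end():]
        reasons = []  # heuristics below are this example's assumptions
        if re.search(r"\\(AppData|ProgramData)\\", path, re.I):
            reasons.append("image under AppData/ProgramData")
        if path.lower().endswith(".tmp"):
            reasons.append(".tmp file registered as executable image")
        if "[File not signed]" in rest:
            reasons.append("file not signed")
        if "()" in rest:
            reasons.append("empty publisher field")
        if reasons:
            kind = "task" if m["task"] else "service"
            findings.append((kind, m["task"] or m["svc"], path, reasons))
    return findings

if __name__ == "__main__":
    for kind, name, path, reasons in triage(SAMPLE):
        print(f"{kind:7} {name}\n        {path}\n        -> {', '.join(reasons)}")
```

Entries that collect several flags at once, such as a running service whose image is an unsigned .tmp file under AppData, are the ones to review first; a single flag on its own is only a prompt to look closer.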