Spyware/adware - please help

Hello,

for some time now I've had a serious problem with my laptop: search providers keep changing and ads pop up (most are currently blocked by Adblock Plus). The computer often freezes. Here are the logs:

FRST - http://wklej.to/9eVUV

Addition - http://wklej.to/myAYa

OTL - http://wklej.to/0C0GV

Uninstall Ask Toolbar Updater and McAfee Security Scan Plus. Open Notepad and paste:

Task: {1EB099E5-9584-4B85-8348-6114B0DD23EC} - System32\Tasks\{566E627B-D6DD-46B9-A6AC-F03B174DDDB3} = C:\Users\administraktor\Desktop\SoftonicDownloader_dla_gadu-gadu-10.exe [2012-07-13] (Softonic)
Task: {45CF785B-3F01-4B44-AB74-DB7AC6FD7DC8} - \Update Bonanza No Task File ==== ATTENTION
Task: {6B02FB41-A38F-497E-9435-B048707267B4} - System32\Tasks\Bonanza = C:\Users\ADMINI~1\AppData\Roaming\Bonanza\UPDATE~1\UPDATE~1.EXE ==== ATTENTION
Task: {9296CAD1-85AC-45D0-9EBC-D4DE15435B78} - System32\Tasks\Get Plus Uplifter = C:\Program Files (x86)\PrivateVPN\gpup.exe ==== ATTENTION
Task: C:\Windows\Tasks\Bonanza.job = C:\Users\ADMINI~1\AppData\Roaming\Bonanza\UPDATE~1\UPDATE~1.EXE ==== ATTENTION
HKLM-x32\...\Run: [fst_pl_20] = [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] = C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-03-07] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1091650947-2424825013-4249805897-1000\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1091650947-2424825013-4249805897-1000\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoControlPanel] 0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk - C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
ProxyEnable: [S-1-5-21-1091650947-2424825013-4249805897-1000] = Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1091650947-2424825013-4249805897-1000] = 127.0.0.1:8118
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKU\S-1-5-21-1091650947-2424825013-4249805897-1000 - (No Name) - {5bcf818d-78c8-41b8-ba89-65c5fdac4fc4} - C:\Program Files (x86)\Allin1Convert_8h\bar\1.bin\8hSrcAs.dll No File
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = https://gosearch.me/?q={searchTerms}u=5afc9d3edf8021ce365a1e25e243f085c=up1src=srchinst=1427124354
SearchScopes: HKLM-x32 - {75b4241f-171e-44a3-bf44-23613b6e3e03} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^AYY^xdm007^YYA^plsi=CPCKpImEhLkCFYdc3godW3kApQptb=5BA9647D-45C3-4C7C-BEEB-60BF87B0C53Bind=2013081704n=77fd3068psa=st=sbsearchfor={searchTerms}
SearchScopes: HKU\.DEFAULT - {0D656711-D197-47A6-A8BE-462FDAC5BFDD} URL = http://rover.ebay.com/rover/1//4?satitle={searchTerms}
SearchScopes: HKU\.DEFAULT - {8189F259-6DB5-41B6-8F27-FAFA858AFD8B} URL = http://services.zinio.com/search?s={searchTerms}rf=sonyslices
SearchScopes: HKU\.DEFAULT - {F607AB66-9205-4A10-B7CF-B4B073915C8E} URL = http://www.search.ask.com/web?tpid=CME-V7o=APN11293pf=p2=%5EB7N%5EYYYYYY%5EYY%5EPLgct=itbv=12.2.2.604apn_uid=6E8CB2E8-1400-45EC-A807-BE7EFD9409C0apn_ptnrs=%5EB7Napn_dtid=%5EYYYYYY%5EYY%5EPLapn_dbr=iexplore.exe_6_10.0.9200.16660doi=2013-08-17trgb=IEq={searchTerms}psv=barid%253D%257BEC48805C%252D071C%252D11E3%252DBF31%252D78843CE91DE4%257D%2526cargo%253DCME%252DV7%2526spr%253Da
SearchScopes: HKU\S-1-5-21-1091650947-2424825013-4249805897-1000 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1091650947-2424825013-4249805897-1000 - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll [2014-04-09] (McAfee, Inc.)
BHO-x32: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\mcafee\msk\mskapbho.dll [2010-11-25] ()
BHO-x32: Search Assistant BHO - {a4c2fb10-84c3-44eb-9f9e-860fa1d9a797} - C:\Program Files (x86)\Allin1Convert_8h\bar\1.bin\8hSrcAs.dll No File
BHO-x32: Toolbar BHO - {fbcbc43a-dca9-4192-a4c8-b57fd0f77d4d} - C:\PROGRA~2\ALLIN1~2\bar\1.bin\8hbar.dll No File
Toolbar: HKU\S-1-5-21-1091650947-2424825013-4249805897-1000 - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-1091650947-2424825013-4249805897-1000 - No Name - {434D452D-5637-006A-76A7-7A786E7484D7} - No File
FF NewTab: https://gosearch.me/?u=5afc9d3edf8021ce365a1e25e243f085c=up1src=hpinst=1427124354
FF Keyword.URL: hxxp://www.gsrch.com/#q=
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\GoSearch.xml [2015-03-23]
FF Extension: BonanzaDeals - C:\Users\administraktor\AppData\Roaming\Mozilla\Firefox\Profiles\9f902jle.default\Extensions\{f9d03c26-0575-497e-821d-f7956d23e0ca}.xpi [2013-12-26]
FF HKU\S-1-5-21-1091650947-2424825013-4249805897-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
CHR HomePage: Default - hxxp://www.gsrch.com/
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll No File
R2 Live Malware Protection; C:\Windows\mlwps.exe [239104 2015-03-17] (AV Security Software) [File not signed] ==== ATTENTION
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 PrivoxyService; C:\Program Files (x86)\Safesoft Protector\privoxy.exe [371200 2015-03-17] (The Privoxy team - www.privoxy.org) [File not signed] ==== ATTENTION
S3 VUAgent; "C:\Program Files\Sony\VAIO Update\VUAgent.exe" [X]
2015-03-17 14:36 - 2015-03-24 14:57 - 00000000 ____ D () C:\Program Files (x86)\PrivateVPN
2015-03-17 14:36 - 2015-03-17 14:37 - 00000000 ____ D () C:\Program Files (x86)\Safesoft Protector
2015-03-17 14:36 - 2015-03-17 14:36 - 00239104 _____ (AV Security Software) C:\Windows\mlwps.exe
2015-03-17 14:36 - 2015-03-17 14:36 - 00003298 _____ () C:\Windows\System32\Tasks\Malware Cleaner
2015-03-17 14:36 - 2015-03-17 14:36 - 00003278 _____ () C:\Windows\System32\Tasks\Get Plus Uplifter
2015-03-17 14:36 - 2015-03-17 14:36 - 00000000 _____ () C:\Users\administraktor\AppData\Roaming\5EC2.tmp
2015-03-28 16:27 - 2014-06-03 12:13 - 00000000 ____ D () C:\AdwCleaner
2013-09-04 17:25 - 2013-09-04 17:25 - 0174592 _____ () C:\ProgramData\qogtnbvbbqibdwd
2013-09-04 17:28 - 2013-09-04 17:28 - 0192512 _____ () C:\ProgramData\umxpxuxspfurdsx
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.

That fixed most of the problems, thanks. I still have a problem with the Bing Bar, which keeps reappearing on its own in the "search providers" list every time I remove it from there. Uninstalling it didn't help either. Is there any way to get rid of this junk?

Show the new FRST logs.

FRST: http://wklej.to/REYPu

Addition: http://wklej.to/B6KQs

Open Notepad and paste:

HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-1091650947-2424825013-4249805897-1000\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1091650947-2424825013-4249805897-1000\...\Policies\Explorer: [NoControlPanel] 0
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\S-1-5-19 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1091650947-2424825013-4249805897-1000 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-10-21] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-10-21] (Microsoft Corporation.)
2015-03-28 20:27 - 2015-03-28 20:32 - 00000000 ____ D () C:\AdwCleaner

Save the file as fixlist.txt and place it next to FRST in the same folder.

Done, removal report: http://wklej.to/KK4ER

Delete the folder C:\FRST