Sanderusek
(Kingszymon)
27 October 2012 10:59
#1
Hello. I would ask for your help removing UKASH and checking the logs to see whether I have any other viruses.
http://www.wklej.org/id/855852/
I would be very grateful.
Regards.
Acorus
(Acorus)
27 October 2012 11:21
#2
Run OTL and paste the following into the Custom Scans/Fixes box (Własne opcje skanowania/Script):
:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKU\S-1-5-21-1666134275-1110695157-444640970-1000..\Run: [4gameTray] D:\Program Files (x86)\4game\4game\4GameTray.exe File not found
O4 - HKU\S-1-5-21-1666134275-1110695157-444640970-1000..\Run: [Facebook Update] C:\Users\Daniel&Artur\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Daniel&Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk = C:\ProgramData\lsass.exe (Microsoft Corporation)
[2012-10-26 23:09:54 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\lsass.exe
[2012-10-27 11:33:19 | 083,023,306 | ---- | M] () -- C:\ProgramData\0tbpw.pad
[2012-10-27 11:32:12 | 000,000,298 | ---- | M] () -- C:\Windows\tasks\RMAutoUpdate.job
[2012-10-27 09:57:03 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1666134275-1110695157-444640970-1000UA.job
:Files
C:\Users\Daniel&Artur\AppData\Local\Temp\*.html
:Commands
[emptytemp]
Click Run Fix (Wykonaj skrypt). Confirm the computer restart. Save the report that appears after the restart. Then run OTL again and this time click Scan (Skanuj).
Post the new OTL.txt log and the removal report.
Use AdwCleaner http://general-changelog-team.fr/outils/289-adwcleaner with the Delete function (on Vista/Windows 7 run it via right-click as Administrator).
Leon1
(Leon$)
27 October 2012 11:35
#3
In OTL's Custom Scans/Fixes box (Własne opcje skanowania/skrypt) paste the following script:
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pl.v9.com/?utm_source=b&utm_medium=ins
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/?utm_source=b&utm_medium=ins
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
IE - HKLM\..\URLSearchHook: {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\SOFTWARE\Microsoft\Internet Explorer\Main,BrowserMngr Start Page = http://search.babylon.com/?affID=110823 … 0000000000
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pl.v9.com/?utm_source=b&utm_medium=ins
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=ddr
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\URLSearchHook: {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes,BrowserMngrDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes,DefaultScope = {0D7562AE-8EF6-416d-A838-AB665251703A}
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110823&tt=3612_5&babsrc=SP_ss&mntrId=321d1e7c000000000000000000000000
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{78D11675-97FE-4274-B0B9-624E9FE110F5}: "URL" = http://websearch.ask.com/redirect?clien … src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=8R&apn_dtid=YYYYYYYYPL&apn_uid=6AD65A95-CA00-4736-94BC-CAA3A2B14C9E&apn_sauid=5B1F5D3E-39C8-4120-BD36-2243E3F4F5B4
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={4066D5F7-E58A-4472-9BA6-0AE57C0D00DE}&mid=b497f030c14c47d0a211bdb90f052383-25377b480edd27200ceb8240cfdab17a9bf7b0f1&lang=pl&ds=cv011&pr=sa&d=2012-07-16 13:02:46&v=12.2.5.32&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031817
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb165/?search={searchTerms}&loc=IB_DS&a=6OyNcx6uJv&i=26
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=110823&tt=3612_5&babsrc=HP_ss&mntrId=321d1e7c000000000000000000000000"
FF - prefs.js..extensions.enabledAddons: ffxtlbr%40incredibar.com:1.5.0
FF - prefs.js..extensions.enabledAddons: %7B336D0C35-8A85-403a-B9D2-65C292C39087%7D:2.0.0.478
FF - prefs.js..extensions.enabledAddons: ffxtlbr%40babylon.com:1.5.0
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0
[2012-09-08 10:57:43 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\Firefox\Profiles\067d03a0.default\extensions\ffxtlbr@babylon.com
[2012-01-18 16:22:30 | 000,000,000 | ---D | M] (Facemoods) -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\Firefox\Profiles\067d03a0.default\extensions\ffxtlbr@Facemoods.com
[2012-09-05 15:25:11 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\Firefox\Profiles\067d03a0.default\extensions\ffxtlbr@incredibar.com
[2012-08-14 11:05:43 | 000,000,000 | ---D | M] (VirtualDJ Toolbar) -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\Firefox\Profiles\067d03a0.default\extensions\toolbar@ask.com
[2012-08-14 11:05:43 | 000,002,329 | ---- | M] () -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\firefox\profiles\067d03a0.default\searchplugins\askcom.xml
[2012-08-12 15:27:18 | 000,002,306 | ---- | M] () -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\firefox\profiles\067d03a0.default\searchplugins\askcomsearch.xml
[2012-09-08 10:54:35 | 000,002,212 | ---- | M] () -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\firefox\profiles\067d03a0.default\searchplugins\BabylonMngr.xml
[2012-09-05 15:24:37 | 000,002,203 | ---- | M] () -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\firefox\profiles\067d03a0.default\searchplugins\MyStart Search.xml
[2012-01-28 12:50:55 | 000,002,060 | ---- | M] () -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\firefox\profiles\067d03a0.default\searchplugins\softonic.xml
[2012-09-08 10:53:10 | 000,002,349 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012-01-18 16:22:34 | 000,002,051 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrch.xml
[2010-12-13 14:36:54 | 000,002,035 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\fcmdSrchddr.xml
[2012-04-09 19:32:22 | 000,002,415 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\v9.xml
CHR - homepage: http://start.facemoods.com/?a=ddr
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (SFT_Polska Toolbar) - {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.3\bh\facemoods.dll (facemoods.com BHO)
O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll (Montera Technologeis LTD)
O3 - HKLM\..\Toolbar: (Softonic Toolbar) - {5018CFD2-804D-4C99-9F81-25EAEA2769DE} - C:\Program Files (x86)\Softonic\softonic\1.5.11.5\softonicTlbr.dll (Softonic.com)
O3 - HKLM\..\Toolbar: (SFT_Polska Toolbar) - {5c5b9468-d672-4eb7-b52f-b5afabf28c5b} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.3\facemoodsTlbr.dll (facemoods.com)
O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll (Montera Technologeis LTD)
O3 - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\Toolbar\WebBrowser: (SFT_Polska Toolbar) - {5C5B9468-D672-4EB7-B52F-B5AFABF28C5B} - C:\Program Files (x86)\SFT_Polska\prxtbSFT0.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKU\S-1-5-21-1666134275-1110695157-444640970-1000..\Run: [4gameTray] D:\Program Files (x86)\4game\4game\4GameTray.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Daniel&Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk = C:\ProgramData\lsass.exe (Microsoft Corporation)
[2012-10-26 23:09:54 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\lsass.exe
[2012-10-27 11:32:12 | 000,000,298 | ---- | M] () -- C:\Windows\tasks\RMAutoUpdate.job
[2012-10-27 09:57:03 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1666134275-1110695157-444640970-1000UA.job
[2012-10-26 12:57:00 | 000,001,084 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1666134275-1110695157-444640970-1000Core.job
[2012-10-26 23:09:56 | 000,000,810 | ---- | C] () -- C:\Users\Daniel&Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012-02-03 00:12:42 | 000,000,000 | ---D | M] -- C:\Users\Daniel&Artur\AppData\Roaming\Babylon
[2012-09-08 10:54:36 | 000,000,000 | ---D | M] -- C:\Users\Daniel&Artur\AppData\Roaming\BabylonToolbar
:Files
C:\Users\Daniel&Artur\AppData\Local\Temp\*.html
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
:Commands
[emptytemp]
Click Run Fix (Wykonaj skrypt). Confirm the computer restart.
Post the removal log.
Then a new OTL log made with the Run Scan option (Skanuj).
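The fix scripts in posts #2 and #3 were built by reading the OTL log and picking out the entries worth removing: a Startup shortcut that launches C:\ProgramData\lsass.exe (a core Windows process name living outside System32), orphaned Run/BHO entries whose target no longer exists, and IE/Firefox settings pointing at toolbar and search-hijack domains. The following Python script is an added example, not part of the thread and not OTL's own code: it applies those same triage rules to constructed sample lines written in OTL's log format. The functions classify() and triage(), the rule set, and the SYSTEM_BINARY_NAMES, HIJACK_DOMAINS and TOOLBAR_VENDORS lists are assumptions for illustration, drawn from the entries quoted in the thread rather than from any OTL documentation.

```python
"""Triage OTL-style log lines with the rules the helpers applied by hand.

Added example (not from the thread and not OTL's own code). The sample lines
are constructed from entries quoted in the thread; the rule set and the
domain/vendor lists are assumptions for illustration only.
"""
import re

# Constructed sample in OTL's log format (one entry per line).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - Startup: C:\Users\Daniel&Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk = C:\ProgramData\lsass.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pl.v9.com/?utm_source=b&utm_medium=ins
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=110823"
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.6.9.12\BabylonToolbarTlbr.dll (Babylon Ltd.)
"""

# Core Windows process names that malware borrows (the thread's case:
# lsass.exe sitting in C:\ProgramData instead of System32). Assumed list.
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "ctfmon.exe"}
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64|SysNative)\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(ProgramData|AppData|Temp)\\", re.I)
# Hijack domains and toolbar vendors taken from the thread's log (assumed lists).
HIJACK_DOMAINS = ("v9.com", "facemoods.com", "babylon.com", "conduit.com",
                  "ask.com", "incredibar.com", "softonic.com", "isearch.avg.com")
TOOLBAR_VENDORS = ("ask.com", "babylon", "conduit", "facemoods", "incredibar", "softonic")
# Windows path ending in a binary or shortcut; the last match on a line is the
# real target (a Startup .lnk entry lists the shortcut first, then its target).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|lnk)\b', re.I)


def classify(line: str) -> list[str]:
    """Return the findings for one OTL log entry (empty list = looks benign)."""
    findings = []
    if "File not found" in line or "No CLSID value found" in line:
        findings.append("orphaned entry (target missing)")
    paths = PATH_RE.findall(line)
    if paths:
        target = paths[-1]
        name = target.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and not SYSTEM_DIR_RE.search(target):
            findings.append(f"system-process name outside System32: {target}")
        if line.startswith("O4") and USER_WRITABLE_RE.search(target):
            findings.append("autostart from user-writable location")
    lower = line.lower()
    if line.startswith(("IE -", "FF -", "CHR -")):
        for domain in HIJACK_DOMAINS:
            if domain in lower:
                findings.append(f"browser setting points at {domain}")
                break
    if line.startswith(("O2 -", "O3 -", "O4 -")):
        for vendor in TOOLBAR_VENDORS:
            if vendor in lower:
                findings.append(f"known toolbar/adware vendor: {vendor}")
                break
    return findings


def triage(log: str) -> list[tuple[str, list[str]]]:
    """Run classify() over every non-empty line and keep only flagged entries."""
    results = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        findings = classify(line)
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for entry, findings in triage(SAMPLE_LOG):
        print(entry[:80])
        for finding in findings:
            print("   ->", finding)
```

Running it flags seven of the eight sample entries; the one that passes is the Intel tray utility loaded from System32. The lsass.exe shortcut is reported twice (system-process name outside System32, and autostart from a user-writable folder), which is exactly the pairing that made it the first thing both helpers removed.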
Sanderusek
(Kingszymon)
27 October 2012 12:28
#4
Acorus
(Acorus)
27 October 2012 12:42
#5
Uninstall WebOptimizer. Run OTL and paste the following into the Custom Scans/Fixes box (Własne opcje skanowania/Script):
:OTL
SRV:64bit: - [2012-09-13 15:26:50 | 001,259,888 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\dmwu.exe -- (WebOptimizer)
IE - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\SearchScopes\{FDD119F2-654B-4562-80FA-11F7426E511C}: "URL" = http://search.softonic.com/MON00085/tb_v1?q={searchTerms}&SearchSource=4&cc=
[2012-08-22 10:23:58 | 000,000,000 | ---D | M] (SFT_Polska Community Toolbar) -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\Firefox\Profiles\067d03a0.default\extensions\{5c5b9468-d672-4eb7-b52f-b5afabf28c5b}
[2012-01-28 12:51:49 | 000,000,000 | ---D | M] (Softonic Toolbar) -- C:\Users\Daniel&Artur\AppData\Roaming\mozilla\Firefox\Profiles\067d03a0.default\extensions\ffxtlbra@softonic.com
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O2 - BHO: (Softonic Helper Object) - {E87806B5-E908-45FD-AF5E-957D83E58E68} - C:\Program Files (x86)\Softonic\softonic\1.5.11.5\bh\softonic.dll (Softonic.com)
O3 - HKLM\..\Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3 - HKU\S-1-5-21-1666134275-1110695157-444640970-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
:Commands
[emptytemp]
Click Run Fix (Wykonaj skrypt). In OTL, use the Cleanup option (Sprzątanie).
Turn System Restore off and back on.
http://www.searchengines.pl/Czyszczenie … 41981.html
Scan with Malwarebytes Anti-Malware http://www.malwarebytes.org/products/malwarebytes_free
Before scanning, perform a MANUAL UPDATE OF MALWAREBYTES' VIRUS SIGNATURE DATABASE: "Run Malwarebytes, go to the Update tab, Check for updates."
Install updates for the programs that Security Check analiza-dezynfekcja-zestaw-narzedzi-nieingerencyjnych-t485632.html reports as out of date.