A virus that installs programs on its own


(pucek1910) #1

Hello.
I have a problem with a virus that installs programs on its own and I can't get rid of it.
Scan from FRST: FRST.pdf (456,8 KB)


(Atis) #2

http://wklej.org/


(pucek1910) #3

http://wklej.org/id/3322971/


(Atis) #4

Three logs are required: FRST.txt, Addition.txt, Shortcut.txt
Mandatory report - Farbar Recovery Scan Tool


(pucek1910) #5

http://wklej.org/id/3323672/ - addition
http://wklej.org/id/3323674/ - shortcut


(Atis) #6
  1. Paste into the system Notepad and save as a text file named fixlist:
CloseProcesses:
HKLM\...\Run: [SERVICE] => [X]
HKLM\...\RunOnce: [OMEWPRODUCT_AFNG2] => "C:\Program Files (x86)\ShutdownTime\DXX6RLOIXT9JSNQ.exe" <==== UWAGA
HKLM\...\RunOnce: [OMEWPRODUCT_SON65] => C:\Users\przem\AppData\Local\Temp\is-V3USF.tmp\up.exe [54784 2017-12-14] (R55) <==== UWAGA
HKLM\...\RunOnce: [OMEWPRODUCT_PTFMB] => C:\Users\przem\AppData\Local\Temp\is-CO0PD.tmp\up.exe [54784 2017-12-14] (R55) <==== UWAGA
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [msiql] => C:\Users\przem\AppData\Local\Temp\00002708\msiql.exe [2072576 2017-12-14] () <==== UWAGA
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [6684215] => C:\Users\przem\AppData\Roaming\31pipfjhumf\gsvzeua3c4w.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [8128873] => C:\Users\przem\AppData\Roaming\khsromgvtqz\ydydfuohh3w.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [XMZFAJTODQ8SMRY] => C:\Program Files\YOMLYLL9JI\YOMLYLL9J.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [6781285] => C:\Users\przem\AppData\Roaming\gsqpy5sb5cz\xrz4ngaghnq.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [2082032] => C:\Users\przem\AppData\Roaming\hgr5tax5iog\5nxsgvxtnkb.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [2137824] => C:\Users\przem\AppData\Roaming\kz4g2p0r3oq\sif51qxnqg4.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [AZ6XF2T87YM5W4O] => C:\Program Files\44HWM7HPZ9\HTOBU6NQY.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [9437007] => C:\Users\przem\AppData\Roaming\lzb23sz0qfw\re5ihpz2adq.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [ZDRL4BIVQ6KX68B] => C:\Program Files\9JCUIV6Y25\7JI4P40MK.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [BrokenBush] => C:\WINDOWS\rss\csrss.exe [7224320 2017-12-14] () <==== UWAGA
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [9091211] => C:\Users\przem\AppData\Roaming\nfdbdja4loz\xgxrsmh5ufr.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [5943864] => C:\Users\przem\AppData\Roaming\soyuxz0ogxv\1vgffwh4pj3.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [FDNYMXCGTEWN4PA] => C:\Program Files\D6U8329HG8\D6U8329HG.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [2983766] => C:\Users\przem\AppData\Roaming\gv1fqqlgkuv\hpfe4jktlkl.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [11VC0XY2FQNVVVC] => C:\Program Files\RTBQHVLN4G\BL6RPYN7X.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [218534] => C:\Users\przem\AppData\Roaming\a31ey5gaw0w\dfm1jvejjpu.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [1206392] => C:\Users\przem\AppData\Roaming\a4hmcgdxkdi\zgfv0m32opd.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [DH4UU7YHKMIPZC2] => C:\Program Files\PNZRUPE1CB\PNZRUPE1C.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [8377476] => C:\Users\przem\AppData\Roaming\fsjcpkvkyri\xv3x55p4rzh.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [E7NRI7KJYZ2ON54] => C:\Program Files\3HBQXHUHIL\3HBQXHUHI.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [2606388] => C:\Users\przem\AppData\Roaming\ramffr5cbge\iba45uaphdl.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [2429291] => C:\Users\przem\AppData\Roaming\i1dnsqbg0tz\onxhw0lizex.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [FI7UM8PCRRP343C] => C:\Program Files\KT328W0WV1\KT328W0WV.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [7946372] => C:\Users\przem\AppData\Roaming\rqi3xovs4i4\ockico3xrm2.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [REWAQ45UO4YG2LU] => C:\Program Files\CTXTFKM529\CTXTFKM52.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [4K08KRSJNSL5T4Z] => C:\Program Files\7GH46W9FF8\7GH46W9FF.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [9263360] => C:\Users\przem\AppData\Roaming\5vilzsv1zvs\2arlope0yf3.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [1718598] => C:\Users\przem\AppData\Roaming\m23ksf5viuk\fmgb2oq15zo.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [4531428] => C:\Users\przem\AppData\Roaming\p3pahc4zp3k\mqdj015usz4.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [7QMHAQ5150KFUT3] => C:\Program Files\P9UYWL8OX6\P9UYWL8OX.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [9050773] => C:\Users\przem\AppData\Roaming\tk5zsq0mo1s\y3ghfqkv2my.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [YE4S4JJU04BZ27W] => C:\Program Files\WFL98BDR00\QT2G0F3AV.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [IVR1542NQWYM1YQ] => C:\Program Files\SRWU27MFHX\5G29A6SGG.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [7652621] => C:\Users\przem\AppData\Roaming\tmqzp4vppbo\anle5dbzky4.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [4897616] => C:\Users\przem\AppData\Roaming\4l2yo4nkbp2\5smippy1gzf.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [1832376] => C:\Users\przem\AppData\Roaming\nuztgoisblo\wkz11vfvdpy.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [NGB2Y3BEFK1FN7I] => C:\Program Files\N9WB7S0RPG\N9WB7S0RP.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [3204297] => C:\Users\przem\AppData\Roaming\jtognrxjfl0\dfvaga2pbvt.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [P6RPIIYLLKR87LZ] => C:\Program Files\22P97BOPUE\22P97BOPU.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [376632] => C:\Users\przem\AppData\Roaming\jo1bbusfr0w\d3k2pilgixd.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [2897344] => C:\Users\przem\AppData\Roaming\0outwnnxeto\gjvgnlduqpw.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [ZZYGZPDNXAH9ITV] => C:\Program Files\49CNELAEYG\49CNELAEY.exe [669184 2017-12-14] (R55)
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [8342313] => C:\Users\przem\AppData\Roaming\meuosgiyw4n\yunixjxynrq.exe [784517 2017-12-14] ( )
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [U2OUKTQGM1T5CRZ] => C:\Program Files\7UG7JBVIOS\7UG7JBVIO.exe [669184 2017-12-14] (R55)
ShellExecuteHooks: Brak nazwy - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\Users\przem\AppData\Roaming\tmp546.dat [2308096 2017-12-06] ()
HKU\S-1-5-21-1344714997-326371934-340289654-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://oem17win10.msn.com/?pc=NMTE
BHO: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\gVEKLTxUjIE\tRfAPQB.dll [2017-12-14] ()
BHO-x32: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\gVEKLTxUjIE\kEtLkcp.dll [2017-12-14] ()
CHR StartupUrls: Default -> "hxxp://www.ourluckysites.com/?type=hp&ts=1493729382&z=12e9c45b133872c406c5dcdg7z4t0c1m0o9tdcab7o&from=ypid&uid=WDCXWD5000LPCX-24VHAT0_WD-WXB1AA5C166UC166U"
R2 WinDefender; C:\WINDOWS\windefender.exe [3451904 2017-12-14] () [Brak podpisu cyfrowego]
S2 OrA0keFiUaSv Updater; C:\Program Files (x86)\OrA0keFiUaSv Updater\OrA0keFiUaSv Updater.exe [X]
S1 ahtdcnbs; \??\C:\WINDOWS\system32\drivers\ahtdcnbs.sys [X]
2017-12-14 22:16 - 2017-12-14 22:16 - 000000000 ____D C:\Users\przem\AppData\Roaming\mat134awjwl
2017-12-14 22:16 - 2017-12-14 22:16 - 000000000 ____D C:\Program Files\UUUKRO3BJE
2017-12-14 22:16 - 2017-12-14 22:16 - 000000000 ____D C:\Program Files\N9HFY2X7X6
2017-12-14 22:15 - 2017-12-14 22:15 - 000000000 ____D C:\Users\przem\AppData\Roaming\h1lazkigu2n
2017-12-14 22:15 - 2017-12-14 22:15 - 000000000 ____D C:\Users\przem\AppData\Roaming\ek3rr33vq2v
2017-12-14 22:15 - 2017-12-14 22:15 - 000000000 ____D C:\Users\przem\AppData\Roaming\drqa5z5xnue
2017-12-14 22:15 - 2017-12-14 22:15 - 000000000 ____D C:\Program Files\LYESL9YFP5
2017-12-14 22:12 - 2017-12-14 22:12 - 000000000 ____D C:\Program Files\7UG7JBVIOS
2017-12-14 22:11 - 2017-12-14 22:12 - 000000000 ____D C:\Users\przem\AppData\Roaming\meuosgiyw4n
2017-12-14 22:11 - 2017-12-14 22:12 - 000000000 ____D C:\Program Files\49CNELAEYG
2017-12-14 22:11 - 2017-12-14 22:11 - 000000000 ____D C:\Users\przem\AppData\Roaming\jo1bbusfr0w
2017-12-14 22:11 - 2017-12-14 22:11 - 000000000 ____D C:\Users\przem\AppData\Roaming\0outwnnxeto
2017-12-14 22:09 - 2017-12-14 22:09 - 000000000 ____D C:\Users\przem\AppData\Roaming\nuztgoisblo
2017-12-14 22:09 - 2017-12-14 22:09 - 000000000 ____D C:\Users\przem\AppData\Roaming\jtognrxjfl0
2017-12-14 22:09 - 2017-12-14 22:09 - 000000000 ____D C:\Users\przem\AppData\Roaming\4l2yo4nkbp2
2017-12-14 22:09 - 2017-12-14 22:09 - 000000000 ____D C:\Program Files\N9WB7S0RPG
2017-12-14 22:09 - 2017-12-14 22:09 - 000000000 ____D C:\Program Files\22P97BOPUE
2017-12-14 22:07 - 2017-12-14 22:07 - 000000000 ____D C:\Users\przem\AppData\Roaming\tmqzp4vppbo
2017-12-14 22:07 - 2017-12-14 22:07 - 000000000 ____D C:\Program Files\SRWU27MFHX
2017-12-14 22:00 - 2017-12-14 22:00 - 000000000 ____D C:\Program Files (x86)\vknAtWNPMhpU2
2017-12-14 22:00 - 2017-12-14 22:00 - 000000000 ____D C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER
2017-12-14 22:00 - 2017-12-14 22:00 - 000000000 ____D C:\Program Files (x86)\gVEKLTxUjIE
2017-12-14 22:00 - 2017-12-14 22:00 - 000000000 ____D C:\Program Files (x86)\FpGcSjfNZDUn
2017-12-14 22:00 - 2017-12-14 22:00 - 000000000 ____D C:\Program Files (x86)\ExRIRmygU
2017-12-14 21:58 - 2017-12-14 21:59 - 000000000 ____D C:\Program Files\WFL98BDR00
2017-12-14 21:58 - 2017-12-14 21:58 - 000000000 ____D C:\Users\przem\AppData\Roaming\tk5zsq0mo1s
2017-12-14 21:58 - 2017-12-14 21:58 - 000000000 ____D C:\Users\przem\AppData\Roaming\p3pahc4zp3k
2017-12-14 21:58 - 2017-12-14 21:58 - 000000000 ____D C:\Users\przem\AppData\Roaming\m23ksf5viuk
2017-12-14 21:58 - 2017-12-14 21:58 - 000000000 ____D C:\Program Files\P9UYWL8OX6
2017-12-14 21:57 - 2017-12-14 21:57 - 000000000 ____D C:\Users\przem\AppData\Roaming\5vilzsv1zvs
2017-12-14 21:57 - 2017-12-14 21:57 - 000000000 ____D C:\Program Files\7GH46W9FF8
2017-12-14 21:56 - 2017-12-14 21:56 - 000000000 ____D C:\Users\przem\AppData\Roaming\rqi3xovs4i4
2017-12-14 21:56 - 2017-12-14 21:56 - 000000000 ____D C:\Users\przem\AppData\Roaming\ramffr5cbge
2017-12-14 21:56 - 2017-12-14 21:56 - 000000000 ____D C:\Users\przem\AppData\Roaming\i1dnsqbg0tz
2017-12-14 21:56 - 2017-12-14 21:56 - 000000000 ____D C:\Program Files\KT328W0WV1
2017-12-14 21:56 - 2017-12-14 21:56 - 000000000 ____D C:\Program Files\CTXTFKM529
2017-12-14 21:49 - 2017-12-14 21:49 - 000000000 ____D C:\Users\przem\AppData\Roaming\fsjcpkvkyri
2017-12-14 21:49 - 2017-12-14 21:49 - 000000000 ____D C:\Users\przem\AppData\Roaming\a4hmcgdxkdi
2017-12-14 21:49 - 2017-12-14 21:49 - 000000000 ____D C:\Users\przem\AppData\Roaming\a31ey5gaw0w
2017-12-14 21:49 - 2017-12-14 21:49 - 000000000 ____D C:\Program Files\PNZRUPE1CB
2017-12-14 21:49 - 2017-12-14 21:49 - 000000000 ____D C:\Program Files\3HBQXHUHIL
2017-12-14 21:43 - 2017-12-14 21:43 - 000000000 ____D C:\Users\przem\AppData\Roaming\gv1fqqlgkuv
2017-12-14 21:43 - 2017-12-14 21:43 - 000000000 ____D C:\Program Files\RTBQHVLN4G
2017-12-14 21:43 - 2017-12-14 21:43 - 000000000 ____D C:\Program Files\D6U8329HG8
2017-12-14 21:42 - 2017-12-14 21:42 - 000000000 ____D C:\Users\przem\AppData\Roaming\soyuxz0ogxv
2017-12-14 21:42 - 2017-12-14 21:42 - 000000000 ____D C:\Users\przem\AppData\Roaming\nfdbdja4loz
2017-12-14 21:41 - 2017-12-14 21:41 - 000003372 _____ C:\WINDOWS\System32\Tasks\i2z30hi52ey
2017-12-14 21:39 - 2017-12-14 21:39 - 000003530 _____ C:\WINDOWS\System32\Tasks\trrz35tyacc
2017-12-14 21:39 - 2017-12-14 21:39 - 000003402 _____ C:\WINDOWS\System32\Tasks\dlknxjrckl3
2017-12-14 21:39 - 2017-12-14 21:39 - 000003362 _____ C:\WINDOWS\System32\Tasks\ir2miewl1a4
2017-12-14 21:39 - 2017-12-14 21:39 - 000003276 _____ C:\WINDOWS\System32\Tasks\ew2qry0pp1u
2017-12-14 21:37 - 2017-12-14 21:37 - 003451904 ____H C:\WINDOWS\windefender.exe
2017-12-14 21:36 - 2017-12-14 21:36 - 000000000 ____D C:\Windat
2017-12-14 21:36 - 2017-12-14 21:36 - 000000000 ____D C:\Users\przem\AppData\Roaming\lzb23sz0qfw
2017-12-14 21:36 - 2017-12-14 21:36 - 000000000 ____D C:\Program Files\9JCUIV6Y25
2017-12-14 21:36 - 2017-12-14 21:36 - 000000000 ____D C:\Program Files\44HWM7HPZ9
2017-12-14 21:36 - 2017-12-14 21:36 - 000000000 ____D C:\Disk
2017-12-14 21:35 - 2017-12-14 21:35 - 000000000 ____D C:\Users\przem\AppData\Roaming\kz4g2p0r3oq
2017-12-14 21:35 - 2017-12-14 21:35 - 000000000 ____D C:\Users\przem\AppData\Roaming\hgr5tax5iog
2017-12-14 21:35 - 2017-12-14 21:35 - 000000000 ____D C:\Users\przem\AppData\Roaming\gsqpy5sb5cz
2017-12-14 21:35 - 2017-12-14 21:35 - 000000000 ____D C:\Program Files\YOMLYLL9JI
2017-12-14 21:36 - 2017-12-14 21:36 - 000000000 ___HD C:\WINDOWS\rss
2017-12-14 21:21 - 2017-12-14 21:21 - 000000000 ____D C:\Users\przem\AppData\Roaming\DreamScreen
2017-12-14 21:21 - 2017-12-14 21:21 - 000000000 ____D C:\ProgramData\DreamScreen
2017-12-14 21:20 - 2017-12-14 21:42 - 000000000 ____D C:\Program Files (x86)\ShutdownTime
2017-12-14 21:20 - 2017-12-14 21:20 - 000000000 ____D C:\Users\przem\AppData\Roaming\khsromgvtqz
2017-12-14 21:20 - 2017-12-14 21:20 - 000000000 ____D C:\Program Files (x86)\UCBrowser
2017-12-14 21:19 - 2017-12-14 21:19 - 000000000 ____D C:\Users\przem\AppData\Roaming\31pipfjhumf
2017-12-14 21:19 - 2017-12-06 13:27 - 002308096 ___SH C:\Users\przem\AppData\Roaming\tmp546.dat
2017-12-14 21:17 - 2017-12-14 21:17 - 000000000 ____D C:\ProgramData\Microleaves
2017-12-14 21:17 - 2017-12-14 21:17 - 000000000 ____D C:\ProgramData\d1780ad6-0393-1
2017-12-14 21:17 - 2017-12-14 21:17 - 000000000 ____D C:\ProgramData\d1780ad6-0033-0
2017-12-14 21:17 - 2017-12-14 21:17 - 000000000 ____D C:\ProgramData\6f61d012-62d3-1
2017-12-14 21:17 - 2017-12-14 21:17 - 000000000 ____D C:\ProgramData\6f61d012-06a5-0
2017-12-14 21:16 - 2017-12-14 21:19 - 000000000 ____D C:\Program Files (x86)\YeaDesktop
2017-12-14 21:15 - 2017-12-14 22:15 - 000930816 _____ C:\Users\przem\AppData\Local\po.db
2017-12-14 21:15 - 2017-12-14 21:15 - 000011568 _____ C:\Users\przem\AppData\Local\InstallationConfiguration.xml
2017-12-14 21:15 - 2017-12-14 21:15 - 000140800 _____ C:\Users\przem\AppData\Local\installer.dat
2017-12-14 21:15 - 2017-12-14 21:15 - 000000000 ____D C:\Program Files (x86)\Microleaves
2017-12-14 21:14 - 2017-12-14 21:14 - 000000000 ____D C:\WinSys
2017-12-14 21:14 - 2017-12-14 21:14 - 000000000 ____D C:\Users\przem\AppData\Roaming\Microleaves
2017-12-14 21:14 - 2017-12-14 21:14 - 000000000 ____D C:\Users\przem\AppData\Local\AdvinstAnalytics
2017-12-14 21:14 - 2017-12-14 21:14 - 000000000 ____D C:\Applications
2017-12-14 21:13 - 2017-12-14 21:34 - 000000000 ____D C:\Users\przem\AppData\Local\AdService
2017-12-14 21:19 - 2017-12-06 13:27 - 002308096 ___SH () C:\Users\przem\AppData\Roaming\tmp546.dat
Online Application (HKLM-x32\...\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}) (Version: 2.7.0 - Microleaves) Hidden <==== UWAGA
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> Brak pliku
Task: {0F4A7E34-D718-4D6C-A9E9-BC3230A49E3C} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe [2017-11-02] (Microleaves) <==== UWAGA
Task: {285A584B-2DE4-42D4-8BCC-F6AC80375241} - System32\Tasks\dlknxjrckl3 => C:\Users\przem\AppData\Local\Temp\\mj3zplnbjt3\jx4ztncvqsn.exe [2017-12-14] () <==== UWAGA
Task: {32DCF9BD-ACEE-4519-B4FF-614F8AA309B9} - System32\Tasks\ew2qry0pp1u => C:\Users\przem\AppData\Local\Temp\is-17IJU.tmp\setup.exe [2017-12-14] () <==== UWAGA
Task: {4BB1FD7F-CCD0-4B0A-B0CC-32EB1D79C19A} - System32\Tasks\BmHhCekqquvtRi => rundll32 "C:\Program Files (x86)\vknAtWNPMhpU2\GsjspeqLeCurZ.dll",#1
Task: {4D2439F9-A509-4235-B10B-57FD4876D1A9} - System32\Tasks\Online Application V2G5 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [2017-11-02] () <==== UWAGA
Task: {4FBC1A6C-3379-4AE6-818E-BA92FFFEFCA1} - System32\Tasks\boQbXxbEJPaDgWztw => rundll32 "C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\PyUaSls.dll",#1
Task: {5EE8E238-991E-424C-B8DE-F1834B0D4B14} - System32\Tasks\jVVcebPoCjhHKmi => rundll32 "C:\Program Files (x86)\ExRIRmygU\sseLCr.dll",#1
Task: {6E5D5FB4-53C1-4A97-BE74-D34FB48D9DB8} - System32\Tasks\Online Application V2G6 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [2017-11-02] () <==== UWAGA
Task: {767B987C-43B7-4E2A-B373-241C5AAC09BE} - System32\Tasks\jVVcebPoCjhHKmi2 => rundll32 "C:\Program Files (x86)\ExRIRmygU\sseLCr.dll",#1
Task: {8D78C69B-1F2C-4877-8D09-E69BB897BE89} - System32\Tasks\space(title, t_delayed) => C:\Program Files (x86)\SystemHealer\SystemHealer.exe
Task: {90752D79-5210-405C-AB48-6EA9F02047CB} - System32\Tasks\LaCieS => C:\Disk\WebService.exe [2017-10-17] (TODO: <Company name>)
Task: {A1414852-0995-488A-AC9F-20AE5B80722E} - System32\Tasks\Online Application V2G2 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [2017-11-02] () <==== UWAGA
Task: {A7A335FF-BF96-4372-9EBB-83D06A57285F} - System32\Tasks\ShadowsocksS => C:\Applications\Service.exe [2017-09-18] (TODO: <Company name>)
Task: {BF38B738-C1AC-47F7-95AE-1892B68972D6} - System32\Tasks\trrz35tyacc => C:\Users\przem\AppData\Local\Temp\\nhg4shvedvv\linker.exe [2017-12-14] (TODO: <Company name>) <==== UWAGA
Task: {BF9E8C9C-06D8-46DD-B289-946F1D8B77EC} - System32\Tasks\Online Application V2G4 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [2017-11-02] () <==== UWAGA
Task: {C2B4607A-DB7B-4D65-B6E5-AD13EAB738D4} - System32\Tasks\i2z30hi52ey => C:\Users\przem\AppData\Local\Temp\\a2nlf5bw1wt\OneSystemCare.exe [2017-12-14] () <==== UWAGA
Task: {C89DDDC0-BEA9-4190-8131-DD2CFDE05F40} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [2017-11-02] () <==== UWAGA
Task: {D29C1B9B-9377-43FE-83B4-0903FA0A1F01} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe [2017-11-02] () <==== UWAGA
Task: {E0EF8B15-DE86-48FF-910B-65B5F1FED4E8} - System32\Tasks\boQbXxbEJPaDgWztw2 => rundll32 "C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\PyUaSls.dll",#1
Task: {EF007B6B-FE2E-452A-9250-8687B5729647} - System32\Tasks\ir2miewl1a4 => C:\Users\przem\AppData\Local\Temp\\xr0kkv1jdxp.exe [2017-12-14] ( ) <==== UWAGA
Task: {F68EC08F-59CA-4668-87E5-F7F354E83A90} - System32\Tasks\space(title, t_monitor) => C:\Program Files (x86)\SystemHealer\HealerConsole.exe
Task: {F8A3A579-DB49-4067-9C5D-A11DD3EF982C} - System32\Tasks\SVC Update => C:\WINDOWS\explorer.exe "hxxp://sh.st/AeotZ" <==== UWAGA
Task: {FE034092-0F4E-4BE7-B084-21EBEBCCECAA} - System32\Tasks\{2BDF47F7-7209-41AF-9D13-EF50C3F97A9F} => C:\WINDOWS\system32\pcalua.exe -a "C:\Users\przem\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" -c /uninstall
Task: C:\WINDOWS\Tasks\boQbXxbEJPaDgWztw.job => C:\Program Files (x86)\OGqwJxyzdjgEZIvrFER\PyUaSls.dll
Task: C:\WINDOWS\Tasks\jVVcebPoCjhHKmi.job => C:\Program Files (x86)\ExRIRmygU\sseLCr.dll
Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\WINDOWS\Tasks\Online Application V2G4.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\WINDOWS\Tasks\Online Application V2G5.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\WINDOWS\Tasks\Online Application V2G6.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== UWAGA
ShortcutWithArgument: C:\Users\przem\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://pop.yeawindows.com/
ShortcutWithArgument: C:\Users\przem\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://pop.yeawindows.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://pop.yeawindows.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://pop.yeawindows.com/
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "2983766"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "5943864"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "9091211"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "9437007"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "2137824"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "2082032"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "6781285"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "8128873"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "6684215"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "msiql"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "11VC0XY2FQNVVVC"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "FDNYMXCGTEWN4PA"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "ZDRL4BIVQ6KX68B"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "AZ6XF2T87YM5W4O"
HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\StartupApproved\Run: => "XMZFAJTODQ8SMRY"
Hosts:
EmptyTemp:

Run FRST and click Fix. Post the removal report, Fixlog.

  1. Download and run AdwCleaner. Click Scan and then Clean.

  2. Click Scan and post a new FRST report, without Addition and Shortcut.
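The fixlist above is the result of a manual triage of the three logs: the helper took every autostart, scheduled task, shell hook, service, shortcut and firewall rule whose target sits in Temp, AppData\Roaming or a random-named folder, has no publisher, loads a DLL export through rundll32, opens a URL, or carries a core Windows binary name (csrss.exe) outside System32. The script below is an added illustration, not code from this thread or from FRST; it encodes those same signals and drafts a fixlist in the same CloseProcesses: / EmptyTemp: frame. Sample input reuses lines from the fixlists posted here (in post #6 and in the final fixlist at the end of the thread) plus two constructed benign entries so the heuristics have something to pass. The Polish marker strings ("Brak pliku", "[Brak podpisu cyfrowego]") are what the Polish FRST build prints; the English equivalents are assumed. Reputation-based flags (the Microleaves "Online Application" tasks were removed because of the vendor, not because of a path pattern) are not modelled, so the output is a draft for a human to review, never something to run unread.

```python
"""Draft an FRST fixlist from the persistence signals a helper looks for (illustration, not FRST code)."""
import re
from typing import List

# Launch targets under these paths are almost never legitimate autostarts.
SUSPICIOUS_DIRS = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\Windows\\rss\\", re.I)
# A folder directly under Program Files, captured so its name can be checked for randomness.
PF_DIR = re.compile(r"\\Program Files(?: \(x86\))?\\([A-Za-z0-9]{8,20})\\", re.I)
EXE = re.compile(r"\\([\w.-]+\.exe)\b", re.I)
NO_PUBLISHER = re.compile(r"\]\s*\(\s*\)")          # FRST prints "()" or "( )" after [size date]
URL = re.compile(r"hxxps?://", re.I)                   # FRST defangs http:// as hxxp://
RUNDLL_EXPORT = re.compile(r'rundll32\s+"[^"]+\.dll",#\d+', re.I)
MISSING = ("[X]", "Brak pliku", "No File")             # Polish FRST build; English form assumed
UNSIGNED = ("[Brak podpisu cyfrowego]", "[File not signed]")
PLACEHOLDER = "(TODO: <Company name>)"                 # untouched Visual Studio template string
CORE_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def looks_random(name: str) -> bool:
    """Cheap, high-precision signal: digit-only, or 8+ alphanumerics with a digit followed by a letter."""
    if name.isdigit():
        return True
    return len(name) >= 8 and name.isalnum() and re.search(r"\d[A-Za-z]", name) is not None


def triage_line(line: str) -> List[str]:
    """Return the reasons one FRST log line looks like a persistence artifact (empty if clean)."""
    sep = " => " if " => " in line else " -> "
    head, _, target = line.partition(sep)
    if not target:                                    # no separator: judge the whole line
        head, target = "", line
    m = re.search(r"\[([^\]]+)\]", head)
    names = [m.group(1) if m else head.rstrip().split("\\")[-1]]
    pf, exe = PF_DIR.search(target), EXE.search(target)
    if pf:
        names.append(pf.group(1))
    if exe:
        names.append(exe.group(1)[:-4])               # executable name without .exe
    reasons = []
    odd = [n for n in names if n and looks_random(n)]
    if odd:
        reasons.append("random-looking name: " + ", ".join(odd))
    if SUSPICIOUS_DIRS.search(target):
        reasons.append("target under Temp/AppData or Windows\\rss")
    if NO_PUBLISHER.search(target) or any(u in target for u in UNSIGNED):
        reasons.append("no publisher / not signed")
    if PLACEHOLDER in target:
        reasons.append("placeholder publisher string")
    if any(mk in target for mk in MISSING):
        reasons.append("points at a file that no longer exists")
    if RUNDLL_EXPORT.search(target):
        reasons.append("loads a DLL export via rundll32")
    if URL.search(target):
        reasons.append("launches a URL")
    if exe and exe.group(1).lower() in CORE_BINARIES and "\\system32\\" not in target.lower():
        reasons.append("core Windows binary name outside System32")
    if "<====" in line:                               # FRST's own attention marker
        reasons.append("flagged by FRST itself")
    return reasons


def build_fixlist(log_lines: List[str]) -> List[str]:
    """Wrap every flagged line in the CloseProcesses: / EmptyTemp: frame the helper used."""
    return ["CloseProcesses:"] + [ln for ln in log_lines if triage_line(ln)] + ["EmptyTemp:"]


# Sample input: lines copied from the fixlists in this thread, plus two constructed benign
# entries (first and last) so the heuristics have something to leave alone.
SAMPLE_LOG = [
    r"HKLM\...\Run: [SecurityHealth] => C:\WINDOWS\system32\SecurityHealthSystray.exe [2017-09-29] (Microsoft Corporation)",  # constructed
    r"HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [6684215] => C:\Users\przem\AppData\Roaming\31pipfjhumf\gsvzeua3c4w.exe [784517 2017-12-14] ( )",
    r"HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [XMZFAJTODQ8SMRY] => C:\Program Files\YOMLYLL9JI\YOMLYLL9J.exe [669184 2017-12-14] (R55)",
    r"HKU\S-1-5-21-1344714997-326371934-340289654-1001\...\Run: [BrokenBush] => C:\WINDOWS\rss\csrss.exe [7224320 2017-12-14] () <==== UWAGA",
    r"ShellExecuteHooks: Brak nazwy - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - C:\Users\przem\AppData\Roaming\tmp546.dat [2308096 2017-12-06] ()",
    r"R2 WinDefender; C:\WINDOWS\windefender.exe [3451904 2017-12-14] () [Brak podpisu cyfrowego]",
    r'Task: {4BB1FD7F-CCD0-4B0A-B0CC-32EB1D79C19A} - System32\Tasks\BmHhCekqquvtRi => rundll32 "C:\Program Files (x86)\vknAtWNPMhpU2\GsjspeqLeCurZ.dll",#1',
    r'Task: {F8A3A579-DB49-4067-9C5D-A11DD3EF982C} - System32\Tasks\SVC Update => C:\WINDOWS\explorer.exe "hxxp://sh.st/AeotZ" <==== UWAGA',
    r"Task: {2A5B2E9B-1E3A-4124-BC9C-DEA9108F7DC7} - \jVVcebPoCjhHKmi -> Brak pliku <==== UWAGA",
    r"ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://pop.yeawindows.com/",
    r"FirewallRules: [{7BF4519A-E934-4979-A8FE-CE623CA99991}] => (Allow) C:\WINDOWS\rss\csrss.exe",
    r"Task: {0AA0AA00-0000-4000-8000-000000000001} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-10-01] (Google Inc.)",  # constructed
]

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        for why in triage_line(ln):
            print(f"{why:45} | {ln[:90]}")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Running it prints one reason per line for the ten malicious entries and nothing for the two constructed benign ones, then the draft fixlist. The helper's real fixlists also carry directives that are not log lines (Hosts: in post #6, DeleteQuarantine: at the end of the thread); those are added by hand, and every drafted line still has to be read before FRST is told to Fix.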


(pucek1910) #7

Fix - http://wklej.org/id/3323769/
New FRST - http://wklej.org/id/3323771/


(Atis) #8

Post the whole log.


(pucek1910) #9

The program always crashes on me at this point. I can't finish the scan.


(Atis) #10

Try it in Safe Mode:
https://support.eset.pl/kb2268/#Win10


(pucek1910) #11

OK, it worked.
http://wklej.org/id/3324019/


(Atis) #12

Run the fix in Safe Mode as well.

Paste into the system Notepad and save as a text file named fixlist:
http://wklej.org/id/3324047/txt/
Run FRST and click Fix. Post the removal report, Fixlog.
Click Scan and post a new FRST report, without Addition and Shortcut.


(pucek1910) #13

Reports:
http://wklej.org/id/3324066/
http://wklej.org/id/3324070/


(Atis) #14

Nothing harmful is visible now.
Boot the system in normal mode and create a new FRST and Addition report.


(pucek1910) #15

New reports:
http://wklej.org/id/3324085/

http://wklej.org/id/3324086/


(Atis) #16

Paste into the system Notepad and save as a text file named fixlist:

Task: {2A5B2E9B-1E3A-4124-BC9C-DEA9108F7DC7} - \jVVcebPoCjhHKmi -> Brak pliku <==== UWAGA
Task: {6BD66460-E961-40B4-BF70-30304764C7F6} - \boQbXxbEJPaDgWztw2 -> Brak pliku <==== UWAGA
Task: {AF496C99-7E0B-43B9-AC4C-D2768FB0F2F3} - \boQbXxbEJPaDgWztw -> Brak pliku <==== UWAGA
Task: {DAE0ABA3-89A9-4FFB-ABBF-AFC92EDBA06B} - \BmHhCekqquvtRi -> Brak pliku <==== UWAGA
Task: {F681D6D5-3DA6-4CC4-854F-E43826D91683} - \jVVcebPoCjhHKmi2 -> Brak pliku <==== UWAGA
FirewallRules: [{7BF4519A-E934-4979-A8FE-CE623CA99991}] => (Allow) C:\WINDOWS\rss\csrss.exe
FirewallRules: [{27AD5C47-2C14-4456-A734-BC26A1207877}] => (Allow) C:\Users\przem\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
DeleteQuarantine:

Run FRST and click Fix. Then delete the C:\FRST folder.
Turn System Restore back on for the system drive C:
https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html