Slow system startup

My sister's computer is very sluggish; it had various kinds of spyware, which the AdwCleaner program removed, but I would ask for the logs to be checked as well.


Shortcut

http://www.wklej.org/id/1694424/


FRST

http://www.wklej.org/id/1694425/


Additional

http://www.wklej.org/id/1694426/

Open the system Notepad and paste:

Task: {858C18BE-BD3A-447B-9C6F-CC0E5BEDD796} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-117718020-1572320616-722771558-1000Core = C:\Users\Natalka\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {B3286F55-75B2-4676-A460-F9961DF37333} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-117718020-1572320616-722771558-1000UA = C:\Users\Natalka\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-117718020-1572320616-722771558-1000Core.job = C:\Users\Natalka\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-117718020-1572320616-722771558-1000UA.job = C:\Users\Natalka\AppData\Local\Facebook\Update\FacebookUpdate.exe
HKLM\...\Run: [SunJavaUpdateSched] = C:\Program Files\Common Files\Java\Java Update\jusched.exe [224128 2014-03-18] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] = C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKU\S-1-5-21-117718020-1572320616-722771558-1000\...\RunOnce: [Adobe Speed Launcher] = 1429707380
HKU\S-1-5-21-117718020-1572320616-722771558-1000\...\MountPoints2: {f6d54140-9bf5-11e2-bcf4-806e6f6e6963} - F:\die\autorun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2012-11-08]
ShortcutTarget: McAfee Security Scan Plus.lnk - C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe (McAfee, Inc.)
GroupPolicy: Group Policy on Chrome detected ======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKU\S-1-5-21-117718020-1572320616-722771558-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com
SearchScopes: HKU\.DEFAULT - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-117718020-1572320616-722771558-1000 - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://de.search.yahoo.com/search?p={searchTerms}fr=vc_trans_8140type=foxysecurity
SearchScopes: HKU\S-1-5-21-117718020-1572320616-722771558-1000 - {BFB0CC2F-8510-403A-94EE-CB94336542E2} URL = http://q.search-simple.com/?affID=pr_8a06d665-fe2e-424e-869c-66af5140717fq={searchTerms}
CHR RestoreOnStartup: Default - "hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com"
CHR StartupUrls: Default - "hxxp://search.yahoo.com/?fr=hp-ddc-bdtype=616_pr __alt__ ddc_dsssyc_bd_com"
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\42.0.2311.90\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\42.0.2311.90\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (McAfee Security Scanner +) - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
U3 a2bua524; C:\Windows\system32\Drivers\a2bua524.sys [0] (Advanced Micro Devices) ==== ATTENTION (zero size file/folder)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-04-22 14:49 - 2015-04-22 14:54 - 00000000 ____ D () C:\AdwCleaner
C:\Users\Natalka\adblockplusie-1.1.exe
C:\Users\Natalka\Kies_2.0.2.11071_128_2.exe
EmptyTemp:

Save the file under the name fixlist.txt and place it next to FRST in the same folder.

When you have finished the steps with the logs, show the Autoruns log.


Run Autoruns as administrator - http://technet.micro…s/autoruns - after the scan has finished: File > Save > file AutoRuns.arn - upload it to http://sendfile.pl/ - post the link on the forum.
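As an added example (not from the helper's post or from FRST, AdwCleaner or Autoruns), a read-only PowerShell audit of the locations the fixlist above touches: the Run/RunOnce keys, the IE start page and SearchScopes, the Chrome policy key and MountPoints2 autorun commands, so their state can be compared before and after the fix. It assumes an elevated PowerShell session on the affected PC; the suspicious-URL patterns are constructed from the log lines above.

```powershell
# Added read-only audit; it changes nothing, it only prints what is currently set.
# Assumes an elevated PowerShell session. Patterns constructed from the FRST log above.
$patterns = @('search\.yahoo\.com/\?fr=', 'search-simple\.com', 'foxysecurity')
function Test-Suspicious([string]$value) {
    foreach ($p in $patterns) { if ($value -match $p) { return $true } }
    return $false
}
function Show-RegistryValues([string]$key) {
    # Print every named value under $key (PowerShell's own PS* metadata is skipped).
    if (-not (Test-Path $key)) { return }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0} [{1}] = {2}' -f $key, $_.Name, $_.Value }
}
# 1. Run / RunOnce keys for the machine and the current user (the HKLM\...\Run lines above)
$base = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($hive in 'HKLM:', 'HKCU:') {
    Show-RegistryValues "$hive\$base\Run"
    Show-RegistryValues "$hive\$base\RunOnce"
}
# 2. IE start page and per-user SearchScopes: the redirected search URLs live here
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $main) {
    $start = (Get-ItemProperty -Path $main).'Start Page'
    'IE Start Page = {0}{1}' -f $start, $(if (Test-Suspicious $start) { '  <== SUSPICIOUS' })
}
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    foreach ($scope in Get-ChildItem -Path $scopes) {
        $url = (Get-ItemProperty -Path $scope.PSPath).URL
        'SearchScope {0} URL = {1}{2}' -f $scope.PSChildName, $url, $(if (Test-Suspicious $url) { '  <== SUSPICIOUS' })
    }
}
# 3. Chrome policy key: on a home PC its presence usually means a hijacker locked browser settings
if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
    'Chrome policy key present: HKLM\SOFTWARE\Policies\Google  <== review'
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Google' -Recurse | ForEach-Object { $_.Name }
}
# 4. MountPoints2: per-volume Shell\AutoRun\command values (the F:\die\autorun.exe entry above)
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    Get-ChildItem -Path $mp -Recurse |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object { 'MountPoints2 {0} = {1}' -f $_.Name, (Get-ItemProperty -Path $_.PSPath).'(default)' }
}
```

Run it once before applying the fixlist and once after; any line still marked SUSPICIOUS, and any remaining Chrome policy key, is worth a second look in the fresh FRST log.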

http://sendfile.pl/pokaz/352695—MQF8.html

Run Autoruns as administrator.