Infected browser - help with cleanup


(zakt) #1

Please help me get rid of a browser hijacker and generally clean up the computer.
I'm pasting the FRST logs:
FRST
Addition
Shortcut

Thank you


(Acorus) #2

Uninstall Adobe Reader 9.4.0 - Polish. Open Windows Notepad and paste:

WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\TOM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\TOM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\TOM\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\TOM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\TOM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\TOM\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\TOM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\TOM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\TOM\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\TOM\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\TOM\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2010-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-09-20] (Adobe Systems Incorporated)
HKU\S-1-5-21-2425607207-2903724751-1928010653-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2425607207-2903724751-1928010653-1001\...\MountPoints2: {076e71ac-40a0-11e6-aae8-20cf3069f664} - G:\startme.exe
HKU\S-1-5-21-2425607207-2903724751-1928010653-1001\...\MountPoints2: {080ac24b-ea0f-11e5-ae85-806e6f6e6963} - E:\InstAll.exe
HKU\S-1-5-18\...\Run: [] => 0
BootExecute: autocheck autochk * sdnclean.exe
HKU\S-1-5-21-2425607207-2903724751-1928010653-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ-jxVP4Aupb7gXeQX7yM7BI9DLpXVSdQxdT4nfr0yjFL9aK6l353buQ3VnNKVwMA3vfHvuQQIKQv9bO1U2zYcFmaDfQUEtrTk1djq0FJMUFIJXTCtE5kwBFKcYxyHG7Pqrsd-YnF_RhcvQ4nsk7wgvGKI,&q={searchTerms}
HKU\S-1-5-21-2425607207-2903724751-1928010653-1001\Software\Microsoft\Internet Explorer\Main,Start Page =
S2 Microsoft DirectX Configuration Service; C:\Windows\system32\dxconfig.exe [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2017-02-13 21:12 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2017-02-13 19:47 - 2017-02-13 21:18 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2017-02-13 19:47 - 2017-02-13 21:17 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-02-13 19:14 - 2017-02-15 20:11 - 00000000 ____D C:\AdwCleaner
2017-02-13 19:11 - 2017-02-13 19:13 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\TOM\Downloads\spybot-2.4.exe
2017-02-12 13:23 - 2017-02-12 13:23 - 00000000 ____D C:\Users\TOM\AppData\Local\UCBrowser
2017-02-12 13:22 - 2017-02-17 18:49 - 00000441 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2017-02-12 13:22 - 2017-02-12 13:22 - 00000000 ____D C:\Program Files\żěŃą
2017-02-12 13:21 - 2017-02-12 13:21 - 00000000 __SHD C:\Windows\system32%APPDATA%
2017-02-12 13:20 - 2017-02-12 13:20 - 01907987 _____ C:\Users\TOM\AppData\Roaming\Rantrax.tst
2017-02-12 13:20 - 2017-02-12 13:20 - 00126464 _____ C:\Users\TOM\AppData\Roaming\lobby.dat
2017-02-12 13:20 - 2017-02-12 13:20 - 00072787 _____ C:\Users\TOM\AppData\Roaming\Treehold.tst
2017-02-12 13:20 - 2017-02-12 13:20 - 00054272 _____ C:\Users\TOM\AppData\Roaming\ApplicationHosting.dat
2017-02-12 13:21 - 2017-02-12 13:21 - 0032038 _____ () C:\Users\TOM\AppData\Roaming\uninstall_temp.ico
EmptyTemp:

Save the file as fixlist.txt and put it next to FRST in the same folder.
Run FRST as administrator and click Fix (Napraw).
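
The fix above works because FRST rewrites the hijacked .lnk files whose arguments force `hxxp://qtipr.com/` and side-load an unpacked Chrome extension, and removes the IE search page whose hostname is percent-encoded to hide it. As an added example that is not part of the original thread and not FRST's own code, the script below parses the ShellLink (.lnk) binary format directly (header, LinkTargetIDList, LinkInfo, StringData per MS-SHLLINK), flags the two hijack patterns seen in the Shortcut log, and decodes the hidden search-page host. The `build_lnk` helper and the `HIJACKED`/`CLEAN`/`SEARCH_PAGE` samples are constructed for the demo and modelled on the log lines; the sample assumes the argument on disk was `http://`, which FRST prints defanged as `hxxp://`.

```python
"""Triage helper for hijacked Windows shortcuts (.lnk).
Added example for this thread, not code from the original post or from FRST."""
import struct
from urllib.parse import unquote

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# CLSID 00021401-0000-0000-C000-000000000046 as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields appear in exactly this order when their flag is set
STRING_DATA = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(data, off, is_unicode):
    """One StringData field: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if is_unicode:
        text = data[off:off + 2 * count].decode("utf-16-le")
        off += 2 * count
    else:
        text = data[off:off + count].decode("cp1252", "replace")
        off += count
    return text, off


def parse_lnk(data):
    """Return the StringData fields (relative_path, arguments, ...) of a .lnk."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if flags & bit:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def suspicious_arguments(arguments):
    """Reasons a browser shortcut's arguments look hijacked (empty = clean)."""
    reasons = []
    low = arguments.lower()
    if "--load-extension" in low:
        reasons.append("side-loads an unpacked Chrome extension")
    if "http://" in low or "https://" in low:
        reasons.append("forces a start URL on launch")
    return reasons


def decode_host(url):
    """Hostname of a URL whose host was percent-encoded to disguise it."""
    rest = url.split("://", 1)[1]
    return unquote(rest.split("/", 1)[0])


def build_lnk(arguments=None, relative_path=None):
    """Constructed minimal .lnk (no IDList/LinkInfo) used as sample input."""
    flags = IS_UNICODE
    body = b""
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments)):
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, three reserved fields
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples modelled on the Shortcut.txt lines in the thread
HIJACKED = build_lnk(
    arguments='--load-extension="C:\\Users\\TOM\\AppData\\Local\\kemgadeojglibflomicgnfeopkdfflnk" http://qtipr.com/',
    relative_path="..\\..\\..\\..\\..\\Program Files\\Google\\Chrome\\Application\\chrome.exe")
CLEAN = build_lnk(relative_path="..\\Program Files\\Google\\Chrome\\Application\\chrome.exe")
SEARCH_PAGE = "hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=x&q={searchTerms}"


def triage(data):
    """Parse one .lnk and return the hijack indicators found in its arguments."""
    return suspicious_arguments(parse_lnk(data).get("arguments", ""))


if __name__ == "__main__":
    print(triage(HIJACKED))
    print(triage(CLEAN))
    print(decode_host(SEARCH_PAGE))
```

On a real machine, feed `triage()` the bytes of every .lnk under the Start Menu, Quick Launch, User Pinned and Public Desktop folders listed in the fix; a browser shortcut should normally carry no arguments at all, so any URL or `--load-extension` is worth checking before the fix is applied and again after it.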


(zakt) #3

Done.
I'm attaching the log from the fix, Fixlog
Is there anything else worth doing?


(Acorus) #4

Download >>>DelFix<<< http://www.bleepingcomputer.com/download/delfix/dl/281/
Check the option:
Remove disinfection tools
Click the Run button.
Scan with Malwarebytes Anti-Malware http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/