Infected Chrome, UniSales and others

Hello,

I probably installed some junk through carelessness, and now Chrome keeps opening new tabs, ads, links and so on. In the Chrome extensions I have "unIISaalies 2.0" (Unisales), which I cannot remove by any means known to me. I tried CCleaner, Spybot and Emsisoft. Emsisoft supposedly finds and removes the junk, but after a restart and a Chrome reset the extension is active and running again. Help!


FRST: http://www.wklej.org/id/1595323/

Addition: http://www.wklej.org/id/1595334/

Shortcut: http://www.wklej.org/id/1595335/

Uninstall Spybot - Search & Destroy. Open the system Notepad and paste:

Task: {31398382-D253-454D-85FA-06C741C53689} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {416EABC4-9FC9-400A-ACCC-0389985EF8E5} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {7225DB24-7C84-4656-8E1B-A1502EF33957} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {EE0FD6FF-317F-4FA1-ADB7-F07E23135895} - System32\Tasks\Price Fountain = C:\Users\User\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE ==== ATTENTION
Task: C:\Windows\Tasks\Price Fountain.job = C:\Users\User\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE ==== ATTENTION
HKLM-x32\...\Run: [SDTray] = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [emsisoft anti-malware] = c:\program files (x86)\emsisoft anti-malware\a2guard.exe [4997872 2014-12-31] (Emsisoft GmbH)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Serial - Emsisoft Anti-Malware 9.0.0.4570 Full Serial Key.rar.lnk
ShortcutTarget: Serial - Emsisoft Anti-Malware 9.0.0.4570 Full Serial Key.rar.lnk - C:\ProgramData\{6dc7755d-e2a9-c0de-6dc7-7755de2ad577}\Serial - Emsisoft Anti-Malware 9.0.0.4570 Full Serial Key.rar.exe ()
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hpts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hpts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartsearch.com/web/?type=dsts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hpts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hpts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartsearch.com/web/?type=dsts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687q={searchTerms}
HKU\S-1-5-21-1052654708-1526420757-4155809617-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
HKU\S-1-5-21-1052654708-1526420757-4155809617-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartsearch.com/?type=hpts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687
CHR Extension: (unIISaalies) - C:\ProgramData\gdeikfmgoikgpldebmnkkjghpanppjka\ [2014-12-23]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 MBAMSwissArmy; \\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 NTIOLib_1_0_C; \\D:\NTIOLib_X64.sys [X]
2015-01-06 20:11 - 2015-01-14 00:38 - 00000000 ____ D () C:\ProgramData\Spybot - Search & Destroy
2015-01-06 20:11 - 2015-01-06 20:14 - 00000000 ____ D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-01-06 20:11 - 2015-01-06 20:11 - 00001395 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-SD Start Center.lnk
2015-01-06 20:11 - 2015-01-06 20:11 - 00001383 _____ () C:\Users\Public\Desktop\Spybot-SD Start Center.lnk
2015-01-06 20:11 - 2015-01-06 20:11 - 00000000 ____ D () C:\Windows\System32\Tasks\Safer-Networking
2015-01-06 20:11 - 2015-01-06 20:11 - 00000000 ____ D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-01-06 20:11 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-01-06 20:02 - 2015-01-06 20:23 - 156432350 _____ (Emsisoft Ltd. ) C:\Users\User\Downloads\EmsisoftInternetSecuritySetup.exe
2015-01-06 20:01 - 2015-01-06 20:13 - 171776888 _____ (Emsisoft Ltd. ) C:\Users\User\Downloads\EmsisoftAntiMalwareSetup.exe
2015-01-06 19:56 - 2015-01-06 20:04 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\User\Downloads\spybot-2.4.exe
2015-01-06 19:54 - 2015-01-14 12:54 - 00000288 _____ () C:\Windows\Tasks\Price Fountain.job
2015-01-06 19:54 - 2015-01-06 19:54 - 00003236 _____ () C:\Windows\System32\Tasks\Price Fountain
2015-01-06 19:54 - 2015-01-06 19:54 - 00000000 ____ D () C:\Users\User\AppData\Roaming\PriceFountain
2015-01-06 19:53 - 2015-01-06 21:13 - 00000000 ____ D () C:\Users\User\AppData\Local\PriceFountain
EmptyTemp:

Save the file under the name fixlist.txt and place it next to FRST in the same folder.
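The fixlist above is a list of persistence points (scheduled tasks, Run keys, a Winlogon notify DLL, a Startup-folder shortcut, a Chrome policy, IE start/search pages, a Chrome extension loaded from ProgramData, services and drivers) that FRST will remove. The following is an added example, not FRST's own logic and not code from this thread: a small Python triage helper that classifies FRST report lines into those categories, extracts the path or URL each one points at, and attaches the flags a responder would check first (FRST's own ATTENTION marker, targets in user-writable locations, 8.3 short names, double extensions, files already missing, an extension outside the Chrome profile, an unexpected home/search host). The sample lines are copied from the fixlist in this thread; the allowlist of legitimate hosts and all category and flag names are constructed for the example.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) report lines.

Added example, not part of FRST: classifies lines into persistence categories
and flags the ones worth a first look. Handles the line shapes seen above.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Finding:
    category: str
    target: str
    flags: list = field(default_factory=list)


# Line shapes (a subset of FRST output), tried in order.
RULES = [
    ("scheduled-task", re.compile(r"^Task: ")),
    ("run-key", re.compile(r"\\Run: \[")),
    ("winlogon-notify", re.compile(r"^Winlogon\\Notify")),
    ("startup-folder", re.compile(r"^Startup: ")),
    ("shortcut-target", re.compile(r"^ShortcutTarget: ")),
    ("boot-execute", re.compile(r"^BootExecute: ")),
    ("chrome-policy", re.compile(r"^CHR HK\w+\\SOFTWARE\\Policies")),
    ("chrome-extension", re.compile(r"^CHR Extension: ")),
    ("browser-url", re.compile(r"\\Main,(Start Page|Search Page|Default_Page_URL|Default_Search_URL) = ")),
    ("service-or-driver", re.compile(r"^[RS]\d [^;]+; ")),
    ("file-or-folder", re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - ")),
    ("directive", re.compile(r"^\w+:$")),
]

# Categories whose target is executed or loaded at boot/logon.
PERSISTENCE = {"scheduled-task", "run-key", "winlogon-notify", "startup-folder",
               "shortcut-target", "boot-execute", "chrome-extension", "service-or-driver"}


def classify(line):
    for category, rx in RULES:
        if rx.search(line):
            return category
    return "other"


def extract_target(category, line):
    """Return the path/URL the line points at, without FRST's trailing annotations."""
    s = re.sub(r" ={3,} ATTENTION$", "", line)                    # FRST's own marker
    s = re.sub(r" \[\d+ \d{4}-\d\d-\d\d\]( \([^)]*\))?$", "", s)  # "[size date] (Vendor)"
    s = re.sub(r" \[\d{4}-\d\d-\d\d\]$", "", s)                   # "[date]" on extension lines
    s = re.sub(r" \[X\]$", "", s)                                 # file-not-found marker
    if category == "file-or-folder":
        return s.split(") ", 1)[1]           # path follows "(Vendor) "
    if category == "service-or-driver":
        return s.split("; ", 1)[1]           # "R2 Name; path"
    if category == "chrome-extension":
        return s.split(") - ", 1)[1]         # "(name) - path"
    if category == "shortcut-target":        # "<name>.lnk - <target> (Vendor)"
        return re.sub(r" \([^)]*\)$", "", s.split(".lnk - ", 1)[1])
    if " = " in s:
        return s.split(" = ", 1)[1]
    return s.split(": ", 1)[1] if ": " in s else s


def flag(category, target, line, allowed_hosts):
    flags = []
    low = target.lower()
    if "ATTENTION" in line:
        flags.append("frst-attention")
    if category in PERSISTENCE and ("\\appdata\\" in low or low.startswith("c:\\programdata\\")):
        flags.append("user-writable-location")
    if re.search(r"~\d", target):                    # 8.3 short names hide the real folder name
        flags.append("8.3-short-path")
    if re.search(r"\.(rar|zip|pdf|doc|jpg|txt)\.(exe|scr|com|bat)$", low):
        flags.append("double-extension")
    if line.endswith("[X]"):                         # FRST: referenced file no longer exists
        flags.append("file-missing")
    if category == "chrome-extension" and "\\google\\chrome\\user data\\" not in low:
        flags.append("extension-outside-profile")   # e.g. force-installed from ProgramData
    if category == "browser-url":
        host = urlsplit(target).hostname or ""
        host = host[4:] if host.startswith("www.") else host
        if host not in allowed_hosts:
            flags.append("unexpected-search-or-home-host")
    return flags


def triage(lines, allowed_hosts=frozenset()):
    findings = []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        category = classify(line)
        target = extract_target(category, line) if category != "other" else line
        findings.append(Finding(category, target, flag(category, target, line, allowed_hosts)))
    return findings


def summarize(findings):
    """Number of flagged findings per category."""
    return {c: sum(1 for f in findings if f.flags and f.category == c)
            for c in {f.category for f in findings if f.flags}}


# Constructed allowlist of home/search hosts the user considers legitimate.
ALLOWED_HOSTS = frozenset({"google.pl", "google.com"})

# Sample lines copied from the fixlist posted in this thread.
SAMPLE_LINES = [
    r"Task: {EE0FD6FF-317F-4FA1-ADB7-F07E23135895} - System32\Tasks\Price Fountain = C:\Users\User\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE ==== ATTENTION",
    r"HKLM-x32\...\Run: [SDTray] = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)",
    r"ShortcutTarget: Serial - Emsisoft Anti-Malware 9.0.0.4570 Full Serial Key.rar.lnk - C:\ProgramData\{6dc7755d-e2a9-c0de-6dc7-7755de2ad577}\Serial - Emsisoft Anti-Malware 9.0.0.4570 Full Serial Key.rar.exe ()",
    r"CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION",
    r"HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hpts=1420899638from=wpcuid=GOODRAMXC40_1CAA07461BDB00587687",
    r"HKU\S-1-5-21-1052654708-1526420757-4155809617-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/",
    r"CHR Extension: (unIISaalies) - C:\ProgramData\gdeikfmgoikgpldebmnkkjghpanppjka\ [2014-12-23]",
    r"S3 MBAMSwissArmy; \\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]",
    r"EmptyTemp:",
]
```

Running `triage(SAMPLE_LINES, ALLOWED_HOSTS)` flags the Price Fountain task (ATTENTION, AppData, 8.3 path), the "Serial Key.rar.exe" shortcut target (ProgramData, double extension), the Chrome policy, the mystartsearch start page and the ProgramData extension, while the legitimate SDTray Run entry and the google.pl start page come back with no flags; the MBAMSwissArmy driver is only reported as pointing at a missing file.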

May God reward you through your children, you good and beautiful man! Problem solved, close the thread, and pour Acorus a beer! Regards and thank you!

Delete the C:\FRST folder