Malicious Lucky search and Super Optimizer


(magw) #1

Hello!

 

Another problem. This time after downloading codecs (it was supposed to be ffdshadow). A whole bunch of little programs got installed.

I scanned with MalwareBytes and partially removed the threats.

However, Lucky search and some Super Optimizer v3.2 are still there.

 

Please check the logs:

 

Shortcut: http://www.wklej.org/id/1690350/

Additional: http://www.wklej.org/id/1690351/

FRST: http://www.wklej.org/id/1690353/

 

Thanks in advance and regards,

Marcin


(Acorus) #2

Uninstall Adobe Reader 9.3 and Super Optimizer v3.2. Open Windows Notepad and paste:

Task: {2994BA67-457E-482B-AF78-231305350BB3} - \SmartWeb Upgrade Trigger Task No Task File ==== ATTENTION
Task: {42FE574E-C41A-40E8-8C14-3ED5E2C6C345} - System32\Tasks\Super Optimizer Schedule = C:\Program Files (x86)\Super Optimizer\SupOptLauncher.exe [2015-04-07] (SUPER PC TOOLS LIMITED) ==== ATTENTION
Task: {7E640F13-BF53-4824-B4E6-E03FDDDAAF84} - System32\Tasks\AXUZY = C:\Users\AP4\AppData\Roaming\AXUZY.exe ==== ATTENTION
Task: {A62955B0-E645-486E-8D3C-C25EE16E4EB2} - System32\Tasks\{D0FF9611-C6E4-4C86-8AA9-0976C291675A} = pcalua.exe -a C:\Users\AP4\AppData\Roaming\istartsurf\UninstallManager.exe -c -ptid=obw
Task: {B7077CFF-5947-4A62-842A-9A157B3A8182} - System32\Tasks\RXYNEE = C:\Users\AP4\AppData\Roaming\RXYNEE.exe ==== ATTENTION
Task: C:\Windows\Tasks\AXUZY.job = C:\Users\AP4\AppData\Roaming\AXUZY.exe ==== ATTENTION
Task: C:\Windows\Tasks\RXYNEE.job = C:\Users\AP4\AppData\Roaming\RXYNEE.exe ==== ATTENTION
HKLM-x32\...\Run: [WinCheck] = C:\Users\AP4\AppData\Local\03D40274-1429289991-05EE-0406-390700080009\bnse9B53.exe [370176 2015-04-17] ()
HKU\S-1-5-21-2748154886-3110599433-3543249747-1001\...\Run: [ApwIsoz] = C:\KS.old\APW\Exe\apw_isoz.exe [14309376 2015-03-04] (KAMSOFT S.A.)
HKU\S-1-5-21-2748154886-3110599433-3543249747-1001\...\Run: [Super Optimizer] = C:\Program Files (x86)\Super Optimizer\SupOptLauncher.exe [676912 2015-04-07] (SUPER PC TOOLS LIMITED)
Startup: C:\Users\AP4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
ShortcutTarget: hqghumeaylnlf.lnk - C:\ProgramData\{46236b37-2690-a3db-4623-36b37269acdc}\hqghumeaylnlf.exe (Super PC Tools Ltd)
ShellIconOverlayIdentifiers: [SkyDrive1] - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} = No File
ShellIconOverlayIdentifiers: [SkyDrive2] - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} = No File
ShellIconOverlayIdentifiers: [SkyDrive3] - {BBACC218-34EA-4666-9D7A-C78F2274A524} = No File
ShellIconOverlayIdentifiers-x32: [SkyDrive1] - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} = No File
ShellIconOverlayIdentifiers-x32: [SkyDrive2] - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} = No File
ShellIconOverlayIdentifiers-x32: [SkyDrive3] - {BBACC218-34EA-4666-9D7A-C78F2274A524} = No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction ======= ATTENTION
SearchScopes: HKU\S-1-5-21-2748154886-3110599433-3543249747-1001 - DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-2748154886-3110599433-3543249747-1001 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2748154886-3110599433-3543249747-1001 - {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-2748154886-3110599433-3543249747-1001 - {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
CHR StartupUrls: Default - "hxxp://www.luckysearches.com/?type=hpts=1429283587from=cmiuid=ADATAXSX900_7E5220001730"
CHR DefaultSearchKeyword: Default - luckysearches
CHR Extension: (No Name) - C:\Users\AP4\AppData\Local\Google\Chrome\User Data\Default\Extensions\akaelkiagnbfcccfnmbimdbplecgbikh [2015-04-17]
CHR Extension: (No Name) - C:\Users\AP4\AppData\Local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp [2015-04-17]
R2 cae99edb; c:\Program Files (x86)\Super Optimizer\SupOptStats.dll [2247216 2015-04-17] ()
S3 gdrv; \\C:\Windows\gdrv.sys [X]
2015-04-17 17:19 - 2015-04-17 17:19 - 00000000 ____ D () C:\Users\AP4\SupTab
2015-04-17 17:13 - 2015-04-17 18:21 - 00000000 ____ D () C:\Program Files (x86)\XTab
2015-04-17 17:12 - 2015-04-17 18:36 - 00001328 _____ () C:\Windows\Tasks\AXUZY.job
2015-04-17 17:12 - 2015-04-17 18:21 - 00000000 ____ D () C:\Program Files (x86)\033ab7fe-cf21-49fe-a7e8-1a772e38d328
2015-04-17 17:12 - 2015-04-17 17:12 - 00004360 _____ () C:\Windows\System32\Tasks\AXUZY
2015-04-17 17:05 - 2015-04-17 18:38 - 00003250 _____ () C:\Windows\System32\Tasks\Super Optimizer Schedule
2015-04-17 17:05 - 2015-04-17 17:05 - 00003148 _____ () C:\Windows\System32\Tasks\{D0FF9611-C6E4-4C86-8AA9-0976C291675A}
2015-04-17 17:05 - 2015-04-17 17:05 - 00000000 ____ D () C:\Users\AP4\Documents\Super Optimizer
2015-04-17 17:05 - 2015-04-17 17:05 - 00000000 ____ D () C:\Users\AP4\AppData\Roaming\Super Optimizer
2015-04-17 17:00 - 2015-04-17 18:21 - 00000000 ____ D () C:\Program Files (x86)\4b06a38f-b3b7-4fe8-9977-3e425e4ffa38
2015-04-17 17:00 - 2015-04-17 17:00 - 00001090 _____ () C:\Users\AP4\Desktop\Super Optimizer.lnk
2015-04-17 17:00 - 2015-04-17 17:00 - 00000000 ____ D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Super Optimizer
2015-04-17 16:59 - 2015-04-17 18:36 - 00001330 _____ () C:\Windows\Tasks\RXYNEE.job
2015-04-17 16:59 - 2015-04-17 17:16 - 00000000 ____ D () C:\ProgramData\{46236b37-2690-a3db-4623-36b37269acdc}
2015-04-17 16:59 - 2015-04-17 17:13 - 00000000 ____ D () C:\Program Files (x86)\globalUpdate
2015-04-17 16:59 - 2015-04-17 17:13 - 00000000 ____ D () C:\Program Files (x86)\455efaa9-fd87-4fa6-9e3b-d4d03e12979f
2015-04-17 16:59 - 2015-04-17 17:00 - 00000000 ____ D () C:\Program Files (x86)\Super Optimizer
2015-04-17 16:59 - 2015-04-17 16:59 - 00004362 _____ () C:\Windows\System32\Tasks\RXYNEE
2015-04-17 16:59 - 2015-04-17 16:59 - 00000000 ____ D () C:\Users\AP4\AppData\Local\03D40274-1429289991-05EE-0406-390700080009
2015-03-26 21:14 - 2015-03-26 21:14 - 0005542 _____ () C:\Users\AP4\AppData\Roaming\AXUZY
2015-03-26 21:14 - 2015-03-26 21:14 - 0005542 _____ () C:\Users\AP4\AppData\Roaming\RXYNEE
EmptyTemp:

Save the file as fixlist.txt and put it next to FRST in the same folder.
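Added example, not from this thread and not part of FRST: a small triage pass over FRST log lines that flags the kinds of autostart entries the fix above removes (FRST's own "==== ATTENTION" marker, autostarts launched from user-writable folders, entries with no publisher, and launches routed through pcalua.exe). The sample lines are copied from the fix; the reason labels are my own.

```python
import re

# Added example, not part of the thread or of FRST itself: a triage pass over FRST log
# lines that surfaces the kinds of autostart entries the fix above removes.
# SAMPLE_LOG is copied from the fix posted in this thread.
SAMPLE_LOG = r"""
Task: {7E640F13-BF53-4824-B4E6-E03FDDDAAF84} - System32\Tasks\AXUZY = C:\Users\AP4\AppData\Roaming\AXUZY.exe ==== ATTENTION
Task: {A62955B0-E645-486E-8D3C-C25EE16E4EB2} - System32\Tasks\{D0FF9611-C6E4-4C86-8AA9-0976C291675A} = pcalua.exe -a C:\Users\AP4\AppData\Roaming\istartsurf\UninstallManager.exe -c -ptid=obw
HKLM-x32\...\Run: [WinCheck] = C:\Users\AP4\AppData\Local\03D40274-1429289991-05EE-0406-390700080009\bnse9B53.exe [370176 2015-04-17] ()
HKU\S-1-5-21-2748154886-3110599433-3543249747-1001\...\Run: [ApwIsoz] = C:\KS.old\APW\Exe\apw_isoz.exe [14309376 2015-03-04] (KAMSOFT S.A.)
ShortcutTarget: hqghumeaylnlf.lnk - C:\ProgramData\{46236b37-2690-a3db-4623-36b37269acdc}\hqghumeaylnlf.exe (Super PC Tools Ltd)
"""

ATTENTION = "==== ATTENTION"   # FRST's own marker for entries it considers broken or suspicious
# Entry types that start something at logon: scheduled tasks, Run keys, Startup-folder shortcuts.
AUTOSTART_PREFIX = re.compile(r"^(?:Task:|.*\\Run:|ShortcutTarget:)", re.I)
# First absolute executable path on the line (skips relative wrappers such as pcalua.exe).
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\[(]*?\.exe", re.I)
# Locations a standard user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
# FRST prints "[size date] (Company)"; empty parentheses mean no publisher/version info.
NO_PUBLISHER = re.compile(r"\]\s*\(\)\s*$")


def triage(log_text):
    """Return (reason, line) pairs for log lines that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(ATTENTION):
            findings.append(("frst-attention", line))
        if not AUTOSTART_PREFIX.match(line):
            continue
        exe = EXE_PATH.search(line)
        if exe and USER_WRITABLE.search(exe.group(0)):
            findings.append(("autostart-from-user-writable-path", line))
        if NO_PUBLISHER.search(line):
            findings.append(("autostart-without-publisher", line))
        if "pcalua.exe" in line.lower():
            # Program Compatibility Assistant used as a launcher hides the real target.
            findings.append(("indirect-launch-via-pcalua", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:36} {line[:90]}")
```

The ApwIsoz entry (signed, outside user-writable paths) produces no finding, which matches the fix above leaving that program installed while removing its Run entry only as part of the cleanup the helper chose.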


(magw) #3

Thank you!

 

It looks like it's OK.

Scanning after removing the malware gave this result:

Shortcut: http://www.wklej.org/id/1690390/

Additional: http://www.wklej.org/id/1690392/

FRST: http://www.wklej.org/id/1690394/


(Acorus) #4

Delete the C:\FRST folder.


(magw) #5

Thank you.

 

Regards,