Uninstall SafeFinder, One System Care.

Open the system Notepad and paste:

Task: {06B1C548-0DE2-47E8-8C69-EABD75DBEF3C} - System32\Tasks\Online Application V2G6 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: {1AC8EFC1-3D91-45F8-A47A-7AC808D87E78} - System32\Tasks\dKzcOhNspxyWQAG => rundll32 "C:\Users\Piotr\AppData\Local\Temp\nuFzXzUsNWQKDFDoH\lmCXCfJoJCLmSPlD\OzfcsbU.dll",#1 /adp CXZE2NVZE7CWZE6BXZE7RVZE8QWZE1QVZE0LWZE4IWZE7AWZE3BWZE8JVZE0DVZE1TVZE2ZVZE9 /site_id 756 <==== UWAGA
Task: {2E08A217-14C4-4164-A785-2F43CC004105} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== UWAGA
Task: {3198ACF3-AB72-493A-A4FD-F1889289B89B} - System32\Tasks\eVSrriCnrZQlODxsGDB2 => rundll32 "C:\Program Files (x86)\WNVwerPrGBZQC\mmkoVQJ.dll",#1
Task: {39481753-DAFB-42E5-9F84-767ED17392C8} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: {4D2ED331-73B8-496D-958F-2824F7D265BB} - System32\Tasks\System\Security\upjf => C:\Users\Piotr\AppData\Roaming\Microsoft\Windows\audiohq.exe [2018-09-07] ()
Task: {4EFAFF00-4BC3-4172-8089-3B3DED323F52} - System32\Tasks\TzltYpotJgryG2 => C:\Windows\system32\wscript.exe "C:\ProgramData\vAtgRIojrOIejiVB\yNMWCpy.wsf"
Task: {56E98B96-A26E-43DC-B285-DB4AE6F9F6AA} - System32\Tasks\bkuRMSwHqIYuVsSRwHv => C:\Users\Piotr\AppData\Local\Temp\dnhy00agnnv\nuwpqicunde.exe [2018-09-07] () <==== UWAGA
Task: {67426322-1635-468C-A42D-28BF5B5A6663} - System32\Tasks\Online Application V2G2 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: {6A260B12-6197-4E30-89FA-4C43912DCFA6} - System32\Tasks\System\smartscreen => C:\Users\Piotr\AppData\Roaming\Microsoft\Network\srcc.exe [2018-09-07] ()
Task: {6CD6BC03-DBCC-44BF-96FD-949034A46C3E} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: {70049C66-1CC7-4423-9FCD-50379A04B9DB} - System32\Tasks\aDPLUEMWQjEAXAG => rundll32 "C:\Users\Piotr\AppData\Local\Temp\nuFzXzUsNWQKDFDoH\xyWQAGOnGXsJGQJr\OmHmrJY.dll",#1 /adp ZWZE4WVZE5CVZE4OVZE5HVZE0XVZE2PVZE9JVZE0DVZE2SWZE5XVZE1TVZE7UUZE6TVZE3ZVZE0 /site_id 756 <==== UWAGA
Task: {7A56A087-A866-4C8F-8C73-3C3AEE2DF8E6} - System32\Tasks\YoutubeDownloader => C:\Users\Piotr\AppData\Roaming\YoutubeDownloader\python\pythonw.exe [2018-08-01] (Python Software Foundation) <==== UWAGA
Task: {89260A95-56B6-4532-905A-222DA89923E4} - System32\Tasks\gkNqfjNoNlLfJVmHB2 => rundll32 "C:\Program Files (x86)\JQNLggXpPPpITxfrDoR\PQNBJkP.dll",#1
Task: {A4F26EFA-4EDB-4377-8964-6BB332D3EBC5} - System32\Tasks\OneSystemCare Task => C:\ProgramData\73FC82~1\SYSTEM~1.EXE <==== UWAGA
Task: {B637459B-6544-4CA4-B570-E57789DCE9DC} - System32\Tasks\YoutubeDownloader_upd => C:\Users\Piotr\AppData\Roaming\YoutubeDownloader_upd\python\pythonw.exe [2018-08-01] (Python Software Foundation) <==== UWAGA
Task: {C0C98D05-0007-485B-B715-935B55213613} - System32\Tasks\xdbGJPONaKkXIL => rundll32 "C:\Program Files (x86)\wunGYWhMeqNU2\XGCDDasyNlplP.dll",#1
Task: {D383EBE5-1B17-4DDB-B724-C08432DA9996} - System32\Tasks\Online Application V2G4 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: {EDB55001-8A5E-42C2-812A-F5EFF6ED868A} - System32\Tasks\yKMtMHoPoUUExsP2 => rundll32 "C:\Program Files (x86)\vEuomKaIU\GDayll.dll",#1
Task: {FBB3C761-72D5-46DC-9C7E-CB73DF37C294} - System32\Tasks\ApplicationUpdateCallback => C:\ProgramData\syscall.exe [2018-09-07] () <==== UWAGA
Task: C:\Windows\Tasks\aDPLUEMWQjEAXAG.job => C:\Users\Piotr\AppData\Local\Temp\nuFzXzUsNWQKDFDoH\xyWQAGOnGXsJGQJr\OmHmrJY.dll <==== UWAGA
Task: C:\Windows\Tasks\bkuRMSwHqIYuVsSRwHv.job =>
Task: C:\Windows\Tasks\dKzcOhNspxyWQAG.job => C:\Users\Piotr\AppData\Local\Temp\nuFzXzUsNWQKDFDoH\lmCXCfJoJCLmSPlD\OzfcsbU.dll <==== UWAGA
Task: C:\Windows\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application V2G4.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application V2G5.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\Windows\Tasks\Online Application V2G6.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== UWAGA
Task: C:\Windows\Tasks\Trujillo.job => C:\Program Files\Trujillo\Trujillo.exe
Task: C:\Windows\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== UWAGA
ShortcutWithArgument: C:\Users\Piotr\AppData\Local\Microsoft\Start Menu\Вoйти в Интeрнeт.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "hxxp://ownerga.ru/?utm_source=startlink03&utm_content=56d4932828e64bd8a225d89b67407067&utm_term=51D8F22E7176ED4AD329FC526DC88B06&utm_d=20170308"
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
Hosts:
HKLM-x32\...\Run: [] => [X]
HKLM\...\RunOnce: [4tx3mktpc11] => C:\Program Files (x86)\Dominate\8281573.exe [822784 2018-09-07] ()
HKLM\...\RunOnce: [54ah343vwwa] => C:\Program Files (x86)\Dominate\2883870.exe [822784 2018-09-07] ()
HKLM\...\RunOnce: [OMEWPRODUCT_] => C:\Program Files\fik Trujillo Updater\JJ2J821T3FEZ\tq4uj_Norj.exe [169984 2018-09-07] ()
HKLM\...\RunOnce: [hssfqrrquyg] => C:\Program Files (x86)\Dominate\9963857.exe [822784 2018-09-07] ()
HKU\S-1-5-21-1214104027-1760152306-2203761175-1000\...\Run: [YoutubeDownloader] => C:\Users\Piotr\AppData\Roaming\YoutubeDownloader\python\pythonw.exe [95904 2018-08-01] (Python Software Foundation) <==== UWAGA
HKU\S-1-5-21-1214104027-1760152306-2203761175-1000\...\MountPoints2: I - I:\setup.exe
HKU\S-1-5-21-1214104027-1760152306-2203761175-1000\...\MountPoints2: {665ef1a3-cd3d-11e6-8c45-002522bf88aa} - I:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-18\...\Run: [kHmoB-çyWy.exe] => C:\Program Files\Windows Photo Viewer\6D6JA4P3USTXK939ITM2WGQ96IJ3GRFCKI4RQSDW\kHmoB-çyWy.exe [329216 2018-09-07] ()
GroupPolicy: Ograniczenia - Windows Defender <==== UWAGA
GroupPolicy\User: Ograniczenia ? <==== UWAGA
HKU\S-1-5-21-1214104027-1760152306-2203761175-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ-i9-QbL5WSMboYldefqI9YOGqI3ixwWsCYzQtvFnItFKZ1_WgsY4KzWsQ3NeV9zs1INLS-Q6I-rh45eEAsrRgpzIdRXg--SkjjAja3weOOZwT67yRP4n7Wv9dk76Uibuai1XxD8U_tTzABdY561H-ciw5d9qI&q={searchTerms}
HKU\S-1-5-21-1214104027-1760152306-2203761175-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGk3GzeHhcr-ccZ-i9-QbL5WSMboYldefqI9YOGqI3ixwWsCYzQtvFnItFKZ1_WgsY4KzWsQ3NeV9zs5GLJcJ-eKP_6PqGnjR2dva_58AxAxSkYF1dn3XPKFThUF5KfjE1j35vrbNOF8s08JZY-V1UqQuNQ-1RqRdFRYuJzNseY_
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKU\S-1-5-21-1214104027-1760152306-2203761175-1000 -> DefaultScope {ielnksrch} URL =
"hiohgvqu" => serwis został odblokowany. <==== UWAGA
S2 EventSvc; C:\ProgramData\Microsoft\Windows\EventSvc\eventsvc.exe [360448 2018-07-24] (CloudBees, Inc.) [Brak podpisu cyfrowego] <==== UWAGA
S2 hiohgvqu; C:\Windows\SysWOW64\hiohgvqu\qkmjdzjo.exe [0 ] (Microsoft Corporation) <==== UWAGA (zerobajtowy plik/folder)
R2 MicroService; C:\Users\Piotr\AppData\Local\XService\XService.dll [585728 2018-09-07] () [Brak podpisu cyfrowego] <==== UWAGA
R2 PowerSvc; C:\ProgramData\Microsoft\Windows\Power\PowerSvc.exe [6406448 2018-06-25] () [Brak podpisu cyfrowego] <==== UWAGA
2018-09-07 20:19 - 2018-09-07 21:39 - 000177664 _____ () C:\ProgramData\Dagetur.exe
2018-09-07 19:53 - 2018-09-07 19:53 - 001114403 _____ () C:\ProgramData\fdfggf.exe
2018-09-07 19:57 - 2018-09-07 19:57 - 000177664 ___SH () C:\ProgramData\syscall.exe
2018-09-07 19:57 - 2018-09-07 19:57 - 000000116 _____ () C:\ProgramData\ythdg.exe
2018-09-07 19:51 - 2018-09-07 19:51 - 007781888 _____ () C:\Users\Piotr\AppData\Local\agent.dat
2018-09-07 19:51 - 2018-09-07 19:51 - 002297856 _____ (TODO: ) C:\Users\Piotr\AppData\Local\Airfresh.exe
2018-09-07 19:51 - 2018-09-07 19:51 - 002018693 _____ () C:\Users\Piotr\AppData\Local\Airfresh.tst
2018-09-07 19:51 - 2018-09-07 19:51 - 000070896 _____ () C:\Users\Piotr\AppData\Local\Config.xml
2018-09-07 19:51 - 2018-09-07 19:51 - 001895381 _____ () C:\Users\Piotr\AppData\Local\FaseFresh.bin
2018-09-07 19:51 - 2018-09-07 19:51 - 000016416 _____ () C:\Users\Piotr\AppData\Local\InstallationConfiguration.xml
2018-09-07 19:51 - 2018-09-07 19:51 - 000140800 _____ () C:\Users\Piotr\AppData\Local\installer.dat
2018-09-07 19:51 - 2018-09-07 19:51 - 000018432 _____ () C:\Users\Piotr\AppData\Local\Main.dat
2018-09-07 19:51 - 2018-09-07 19:51 - 000005568 _____ () C:\Users\Piotr\AppData\Local\md.xml
2018-09-07 19:51 - 2018-09-07 19:51 - 000126464 _____ () C:\Users\Piotr\AppData\Local\noah.dat
2018-09-07 19:51 - 2018-09-07 19:51 - 001413120 _____ () C:\Users\Piotr\AppData\Local\sham.db
2018-09-07 19:51 - 2018-09-07 19:51 - 000032038 _____ () C:\Users\Piotr\AppData\Local\uninstall_temp.ico
2018-09-07 19:51 - 2018-09-07 19:51 - 002297856 _____ (TODO: ) C:\Users\Piotr\AppData\Local\Ventotone.exe
2018-09-07 19:51 - 2018-09-07 19:51 - 000278511 _____ () C:\Users\Piotr\AppData\Local\Ventotone.tst
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder.

Run FRST as administrator and click Fix/Napraw.

Show the new FRST logs.