ordynat

Z logów wynika, że nie masz żadnej infekcji.

.

Error: (03/31/2019 10:49:48 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>,wystąpił błąd: Certyfikat jest nieprawidłowy przy żądanym sposobie użycia.

Zrób zwykłe Przywracanie Systemu do tego punktu przywracania:

01-09-2018 12:18:33 Punkt kontrolny systemu

 

O ile temat dalej aktualny, bo upłynęło ponad 3 tygodnie od czasu założenia tematu.

.

Tak, jest OK.

 

Tylko drobna kosmetyka:

Uruchom FRST. NA klawiaturze naciśnij jednocześnie CTRL+Y.Otworzy się Notatnik - wklej do niego:

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMSwissArmy; \SystemRoot\System32\Drivers\mbamswissarmy.sys [X]
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:

Na klawiaturze naciśnij jednocześnie CTRL+S. W FRST kliknij na Fix (NAPRAW).
 

Po tak długim czasie to pewnie temat już nieaktualny, ale na wszelki wypadek:

Uruchom FRST. NA klawiaturze naciśnij jednocześnie CTRL+Y.Otworzy się Notatnik - wklej do niego:

Task: {73DEAB31-B9A5-4B28-AE24-640B5446D3A9} - System32\Tasks\Estera => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Estera /t REG_SZ /d "explorer.exe hxxp://exinariuminix.info" <==== UWAGA
HKU\S-1-5-21-3573564862-256916160-1957804418-1002\...\Run: [Estera] => explorer.exe hxxp://exinariuminix.info <==== UWAGA
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== UWAGA
Task: {19356F25-BFE8-46FC-9FB6-08C78035B9BF} - \Microsoft\Windows\UNP\RunCampaignManager -> Brak pliku <==== UWAGA
Task: {19522ADC-971A-460F-9F95-7849CB642DB0} - System32\Tasks\{06CC0EE0-109E-4080-97FE-4A5FB0B2345F} => C:\WINDOWS\system32\pcalua.exe -a D:\Gry\Mafia\Game.exe -d D:\Gry\Mafia
Task: {31A5DA01-BC15-4686-A323-CAA95B37114B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku <==== UWAGA
Task: {4453EBF2-6001-4AA7-BFFE-3816BE9A0C7D} - \WPD\SqmUpload_S-1-5-21-3573564862-256916160-1957804418-1002 -> Brak pliku <==== UWAGA
Task: {60FEEBEC-C1D6-4384-A415-A8E7E99FA7C6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku <==== UWAGA
Task: {6432F441-16BA-436F-9A51-5B98671F91D2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku <==== UWAGA
Task: {73DEAB31-B9A5-4B28-AE24-640B5446D3A9} - System32\Tasks\Estera => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Estera /t REG_SZ /d "explorer.exe hxxp://exinariuminix.info" <==== UWAGA
Task: {8F029A66-34E1-4B24-B7EC-D022B3C6359A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku <==== UWAGA
Task: {9BBD1D56-B145-4425-9730-6B4C1059314B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku <==== UWAGA
Task: {B9F9A05C-005E-402D-BE1A-10CA001273FF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku <==== UWAGA
Task: {BADE904A-F37C-4E17-9F41-4820668B0F88} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> Brak pliku <==== UWAGA
Task: {C7EA016E-AF26-4E76-8737-C79E8FCA3A0C} - System32\Tasks\{1E6DA5EF-AEBB-4E2D-B2CB-2CFB7C39A230} => C:\WINDOWS\system32\pcalua.exe -a "C:\Users\Estera\Desktop\Skrzynki 3.0.exe" -d C:\Users\Estera\Desktop
Task: {D81F83B5-7100-459E-BE51-78CE867EFED5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku <==== UWAGA
Task: {DB1465E0-ECFF-4383-9EA6-80F47C453AC0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku <==== UWAGA
Task: {E07ABE06-EE52-4245-8892-797BC505A4A8} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku <==== UWAGA
Task: {F1E4D4EC-27F7-44BC-AD7A-008AA441A6A7} - \Microsoft\*xpsign9adf680a2bdc64b5
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:

Na klawiaturze naciśnij jednocześnie CTRL+S. W FRST kliknij na Fix (NAPRAW).

1) Otwórz Notatnik i wklej w nim:

AutoConfigURL: [S-1-5-21-2566449953-3803799725-1292095823-1000] => hxxp://access-web-quick.com/wpad.dat?6af117d3bc4b0e0864f0fc4ebf71b2b336703799
ManualProxies: 0hxxp://access-web-quick.com/wpad.dat?6af117d3bc4b0e0864f0fc4ebf71b2b336703799
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść w folderze C:\Users\Arturek\Downloads
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

2) Uruchom FRST.
W polu SEARCH (SZUKAJ) wklej:

6af117d3bc4b0e0864f0fc4ebf71b2b336703799

kliknij na przycisk "Search Registry" (Szukaj w Rejestrze).
Raport z tego będzie tam, gdzie jest FRST.

.

1) Otwórz Notatnik i wklej w nim:

Task: {018AF635-95A0-4C71-B5A7-1C580E423583} - System32\Tasks\Online Application Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== UWAGA
Task: {20A1CCAB-AA2E-47D8-B672-6F39DF13CBF9} - System32\Tasks\Online Application v2 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== UWAGA
Task: {4B456BA7-4D08-4665-999D-E46D37DBF52F} - System32\Tasks\Online Application v209 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== UWAGA
Task: {50ADFA4F-EC5C-482B-B85F-6CA7A6D4C29B} - System32\Tasks\Online Application Updater => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe [2017-02-15] (Microleaves) <==== UWAGA
Task: {54077AD7-1670-4677-9616-18459F5C8ED7} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] () <==== UWAGA
Task: {6029363B-B108-491E-8355-A4C2E4BC8927} - System32\Tasks\Online Application => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== UWAGA
Task: {A49AB3B5-2345-4D76-B171-56705AFEF521} - System32\Tasks\Traffic Exchange Guardian => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] () <==== UWAGA
Task: {AC33E932-90B8-4A0A-8E8B-FA6879B5DB80} - System32\Tasks\Gerlercultstiliied Server => C:\Program Files (x86)\Wabish\xandercult.exe [2017-04-03] (Glarysoft Ltd)
Task: {AFC434A6-C537-4369-9D87-1AC6D6115442} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] () <==== UWAGA
Task: {B25C8F83-B152-41FA-BECE-CD31A0AB07B9} - System32\Tasks\Online Application Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== UWAGA
Task: {B63305F8-03CD-4BA9-9AB2-656CB77FC628} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== UWAGA
Task: {B6EE3E6D-EDC1-4486-A9DD-12AB8D4777EA} - System32\Tasks\Traffic Exchange => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] () <==== UWAGA
Task: {C3929173-AF6A-4A99-9203-E0F462B7D7AF} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-04-10] ()
Task: {C9A937A8-9B23-4726-AFDB-B608C4311653} - System32\Tasks\Online Application v209 => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== UWAGA
Task: {CFB9A366-21E7-494E-A8FE-CF1B949603D2} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] () <==== UWAGA
Task: {D002DEDD-0C34-4E24-AFCE-2B47B227262B} - System32\Tasks\Shoketainckigaph => msiexec /i hxxp://D2bUH1bF1g584W.clOuDfroNt.net/mmtsk/occup.php?p=395049983_1052515_4C5E4F6A&amp;d=20170403 /q
Task: {D18AE9C4-FF6B-4201-A6A0-E5F466B7E11F} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] () <==== UWAGA
Task: {DEC28154-028C-45EE-9F0F-070D0C049608} - System32\Tasks\Online Application v2 => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== UWAGA
Task: {E42FB45D-888C-40D6-B487-AFAC57495BB5} - System32\Tasks\Traffic Exchange Updater => C:\Program Files (x86)\Microleaves\Traffic Exchange\Traffic Exchange Updater.exe [2017-02-15] () <==== UWAGA
Task: {F22EE372-7954-4728-A168-21E802A3ADB1} - System32\Tasks\Online Application v2 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== UWAGA
Task: {F2C9F7F5-7945-4E84-A532-DF4222EF57D9} - System32\Tasks\Traffic Exchange Guard => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian.exe [2016-08-17] () <==== UWAGA
Task: {F426DC1D-D65F-4702-8179-8C1A05A77723} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe [2016-11-22] () <==== UWAGA
Task: {FCC863FD-C1E0-4081-8717-96EE59003A33} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe [2017-02-07] () <==== UWAGA
Task: {FEB8D706-15BC-4917-9707-4165DB245592} - System32\Tasks\{E16C1C0B-C861-45EE-82FB-290649C1734F} => pcalua.exe -a C:\Users\New\Desktop\ASUSUpdate_V71513\Setup.exe -d C:\Users\New\Desktop\ASUSUpdate_V71513
Task: C:\Windows\Tasks\Online Application Updater.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Online Application v2 Guard.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Online Application v2 Guardian.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Online Application v2.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Online Application v209 Guard.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Online Application v209 Guardian.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Online Application v209.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange Updater.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v2 - 1.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v2 - 2.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v2 - 3.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v209 - 1.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v209 - 2.job =>  <==== UWAGA
Task: C:\Windows\Tasks\Traffic Exchange v209 - 3.job =>  <==== UWAGA
WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
ShortcutWithArgument: C:\Users\New\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\New\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\New\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://web-start.org//?ssid=1477497752&a=1024132&src=sh&uuid=566694f9-bd02-45e4-ac49-7e805efea5f4"
ShortcutWithArgument: C:\Users\New\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\New\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\New\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> D:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> D:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> D:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
HKU\S-1-5-18\...\Run: [] => [X]
HKLM\...\Providers\p6p8yonc: C:\Program Files (x86)\Gerlercultstiliied Server\local64spl.dll [306688 2017-04-03] ()
ShellExecuteHooks: Brak nazwy - {2C97AB4C-1471-11E7-BEC6-64006A5CFC23} - C:\Users\New\AppData\Roaming\Dikerseplenight\Rageried.dll -> Brak pliku
AutoConfigURL: [S-1-5-21-269348825-3932787420-3136110414-1000] => hxxp://nonestops.org/wpad.dat?831a280a1ed35d79e17ca6affb75842c18926201
ManualProxies: 0hxxp://nonestops.org/wpad.dat?831a280a1ed35d79e17ca6affb75842c18926201
SearchScopes: HKU\S-1-5-21-269348825-3932787420-3136110414-1000 -> {B763A38F-4685-435d-B575-D30EB61F9B7D} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=EGMB
R2 WinSAPSvc; C:\Users\New\AppData\Roaming\WinSAPSvc\WinSAP.dll [553984 2017-04-10] (Windows) [Brak podpisu cyfrowego]
R2 SNARER; C:\Users\New\AppData\Local\SNARER\Snarer.dll [792576 2017-04-10] (InterSect Alliance Pty Ltd) [Brak podpisu cyfrowego]
C:\Users\New\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WorldofTanks\WorldofTanks.lnk
RemoveDirectory: C:\Program Files (x86)\Microleaves
RemoveDirectory: C:\Program Files (x86)\MIO
RemoveDirectory: C:\Program Files (x86)\Gerlercultstiliied Server
RemoveDirectory: C:\Users\New\AppData\Roaming\Dikerseplenight
RemoveDirectory: C:\Users\New\AppData\Roaming\WinSAPSvc
RemoveDirectory: C:\Update
RemoveDirectory: C:\Users\New\AppData\Local\SNARER
RemoveDirectory: C:\Program Files\MK
RemoveDirectory: C:\Program Files\p6p8yonc
RemoveDirectory: C:\Windows\SysWOW64\%APPDATA%
RemoveDirectory: C:\Users\New\AppData\Roaming\Microleaves
RemoveDirectory: C:\Users\Default\AppData\Local\AdvinstAnalytics
RemoveDirectory: C:\Users\Default User\AppData\Local\AdvinstAnalytics
RemoveDirectory: C:\Program Files (x86)\Wabish
RemoveDirectory: C:\Users\New\AppData\Local\Gawersy
C:\Users\New\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WorldofTanks.lnk
C:\Windows\Reimage.ini
C:\Users\New\Downloads\ReimageRepair.exe
HOSTS:
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

2) Zrób nowe logi FRST.

.

1) Odinstaluj niepotrzebny do niczego Akamai NetSession Interface.

 

2) Otwórz Notatnik i wklej w nim:

Task: {8729059C-FB8A-4CB9-9BDB-EFA50B8F8098} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
C:\Program Files\Enigma Software Group
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-136798832-305523967-369107754-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe [4691384 2015-09-10] (Akamai Technologies, Inc.)
HKU\S-1-5-21-136798832-305523967-369107754-1000\...\Policies\Explorer: []
C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-136798832-305523967-369107754-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => Brak pliku
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\ProgramData\mntemp
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

Log FSS nie napawa optymizmem.

 

Platform: Microsoft Windows Embedded Standard  Service Pack 1 (X86) Język: Polski (Polska)

Nie wiem, czy taki System może się różni od zwykłych Systemów, używanych przez Użytkowników, a nie przez przemysł, jak "embedded".

 

Mam też jakąś dziwną, chińską przeglądarke

w logach nie widzę tej przeglądarki.

 

 

 

zaraz to wszystko przejrzę  ...

Sprawdź usługę "winmgmt" lub napraw WMI.

Z "fixlog" wynika, że usługa "winmgmt" jest OK.

Obawiam się, że uszkodzone jest WMI, a to już problem nie na moją głowę, naprawa przekracza moje umiejętności.

Daj jeszcze log z Farbar Service Scanner >http://download.bleepingcomputer.com/farbar/FSS.exe (do skanowania zaznacz wszystko).

 

Otwórz Notatnik i wklej w nim:

 

2017-01-17 09:52 - 2017-01-17 09:57 - 00000000 ____D c:\Program Files\żěŃą
2017-01-17 09:52 - 2017-01-17 09:52 - 00000000 ____D C:\Users\Ada\AppData\Roaming\Softlink
2017-01-17 09:51 - 2017-02-10 16:11 - 00000000 ____D C:\ProgramData\Microleaves
2017-01-17 09:48 - 2017-01-17 09:48 - 00000000 __SHD C:\Windows\system32\%APPDATA%
EmptyTemp:

>>Menu Notatnika >> Plik >>
>>Zapisz jako >>
Nazwa pliku: fixlist
Zapisz jako typ: Dokumenty tekstowe
Kodowanie: UTF-8
>>Zapisz
Plik umieść w folderze C:\Users\Ada\Desktop
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

Mam też jakąś dziwną, chińską przeglądarke, jej logo to wiewiórka na pomarańczowym tle, ale nie mam zainstalowanej takiej przegladarki, nie moge tego usunac

 

Zrób nowe logi FRST

Przed skanem zaznacz "Addition.txt" oraz "Shortcut.txt"

.

.

został jeszcze folder ''Żęną'' i te chińskie programy.

Ja tego w logach nie widzę.

 

1) Wejdź w Tryb Awaryjny (F8 przed startem Systemu)

 

2) Otwórz Notatnik i wklej w nim:

AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x86.sys [84370]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1213218]
Reg: reg query HKLM\SYSTEM\CurrentControlSet\services\Winmgmt /s
R1 ucdrv; C:\Windows\System32\drivers:ucdrv-x86.sys [84370 ] (UC Web Inc.) <==== UWAGA
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).
Powstanie plik fixlog.txt.
Daj ten log.

 

3) Zrób nowe logi FRST.

 

4) Napisz gdzie są (ścieżki) te "chińczyki".

.

Otwórz Notatnik i wklej w nim:

Task: {616E17BD-6F99-42AD-87A7-58197BB1E41D} - System32\Tasks\UCBrowserUpdater => c:\Program Files\UCBrowser\Application\update_task.exe [2017-01-16] (UCWeb Inc) <==== UWAGA
RemoveDirectory: c:\Program Files\UCBrowser
Task: {86903A27-B674-4706-B2C9-64F590D7C664} - System32\Tasks\UCBrowserSecureUpdater => c:\Program Files\UCBrowser\Security\uclauncher.exe [2017-02-10] (UC Web Inc.) <==== UWAGA
Task: {883436FE-B32B-4E5B-9FB2-015D295EE3A9} - System32\Tasks\{5A19993A-6CA1-4043-90E4-2AB9F4FBFF2D} => pcalua.exe -a C:\Users\Ada\AppData\Local\Temp\Temp1_Realtek_Ethernet_Win7_7092_05202015.zip\Install_Win7_7092_05202015\setup.exe <==== UWAGA
Task: {965924C4-7CF0-43C6-A388-5CC37595A5C3} - System32\Tasks\{EAD2E91C-54C0-4DF0-B514-7F0A1E4DF38C} => pcalua.exe -a "C:\Program Files\Lavalys\EVEREST Home Edition\everest.exe" -d C:\Users\Ada\Desktop
Task: {AFE4E1DD-7F83-4427-AE87-252AC6FE4E6C} - System32\Tasks\UCBrowserUpdaterCore => c:\Program Files\UCBrowser\Application\update_task.exe [2017-01-16] (UCWeb Inc) <==== UWAGA
Task: {D25F9842-1D13-4BA1-B09A-0BBAF0F06208} - \Traffic Exchange -> Brak pliku <==== UWAGA
Task: C:\Windows\Tasks\UCBrowserUpdater.job => c:\Program Files\UCBrowser\Application\update_task.exe <==== UWAGA
Task: C:\Windows\Tasks\UCBrowserUpdaterCore.job => c:\Program Files\UCBrowser\Application\update_task.exe <==== UWAGA
ShortcutWithArgument: C:\Users\Ada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Ada\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Ada\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Ada\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://qtipr.com/
ShortcutWithArgument: C:\Users\Ada\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Ada\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\Ada\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://qtipr.com/
WMI_ActiveScriptEventConsumer_ASEC: <===== UWAGA
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x86.sys [84370]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1213218]
MSCONFIG\Services: UCBrowserSvc => 2
FirewallRules: [{4F4373A9-0F9F-4DC2-AD7C-A6C877DD94C5}] => c:\Program Files\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{55E02CEE-E958-4949-B2E7-EFD53194494A}] => c:\Program Files\UCBrowser\Application\UCBrowser.exe
Reg: reg query HKLM\SYSTEM\CurrentControlSet\services\Winmgmt /s
HKLM\...\Policies\Explorer: []
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  -> Brak pliku
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  -> Brak pliku
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  -> Brak pliku
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} =>  -> Brak pliku
S4 UCBrowserSvc; c:\Program Files\UCBrowser\Application\UCService.exe [930704 2017-01-16] ()
R1 ucdrv; C:\Windows\System32\drivers:ucdrv-x86.sys [84370 ] (UC Web Inc.) <==== UWAGA
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\spyhunter.fix
c:\Program Files\Enigma Software Group
C:\Users\Ada\Downloads\SpyHunter-Installer.exe
CMD: attrib /d /s -r -s -h C:\FOUND.*
CMD: for /d %f in (C:\FOUND.*) do rd /s /q "%f"
C:\found.000
C:\Users\Ada\Desktop\Microleaves
C:\Users\Ada\AppData\Local\UCBrowser
C:\Users\Ada\AppData\Roaming\UCChannel
Task: {2B7F089C-822B-4D68-B459-08A807D53D9E} - \KuaiZip_Update -> Brak pliku <==== UWAGA
Task: {3C489DF7-DEA9-4BDF-BEFE-34B58F17B708} - \Traffic Exchange Guardian -> Brak pliku <==== UWAGA
Task: {424D015C-7759-4CF8-BDD3-E36B99623A05} - \Traffic Exchange Guard -> Brak pliku <==== UWAGA
C:\Users\Ada\AppData\Roaming\Microleaves
C:\Users\Ada\AppData\Roaming\Installer.dat
C:\Users\Ada\AppData\Roaming\InstallationConfiguration.xml
C:\Users\Ada\Desktop\Gry\APK\Spyware Terminator 2015.lnk
C:\Users\Ada\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UC浏览器.lnk
HOSTS:
EmptyTemp:

>>Menu Notatnika >> Plik >>
>>Zapisz jako >>
Nazwa pliku: fixlist
Zapisz jako typ: Dokumenty tekstowe
Kodowanie: UTF-8
>>Zapisz
Plik umieść w folderze C:\Users\Ada\Downloads
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

Zrób nowe logi FRST - już bez Shortcut.

.

Zrób logi z FRST /Zak%C5%82adanie-tematu-og%C3%B3lne-raporty-systemowe-t55253/

Przed skanem zaznacz "Addition.txt" oraz "Shortcut.txt"

 

.

Logi z FRST są nieaktualne, bo po ich zrobieniu użyłeś Adw-Cleaner - a kolejność miała być odwrotna.

 

Otwórz Notatnik i wklej w nim:

HKU\S-1-5-21-2127561691-812862515-3127793605-1000\...\ChromeHTML: -> "C:\Program Files (x86)\Fishhas\Application\chrome.exe" "%1" <==== UWAGA
RemoveDirectory: C:\Program Files (x86)\Fishhas
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ujjdmedia
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Udgtmedia
RemoveDirectory: C:\Users\Komp1\AppData\Local\Undbmedia
RemoveDirectory: C:\Users\Komp1\AppData\Local\Ujjdmedia
2017-01-22 16:15 - 2017-01-22 16:15 - 00000040 _____ C:\Program Files (x86)\settings.dat
2017-01-22 16:15 - 2017-01-22 16:15 - 00000000 ____D C:\Program Files (x86)\reports
2017-01-22 16:15 - 2017-01-22 16:15 - 00000000 _____ C:\Program Files (x86)\metadata
2017-01-22 16:12 - 2016-11-24 14:53 - 00000000 _____ C:\Users\Public\Documents\temp.dat
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

----------------------
Jeśli będzie OK, to będziemy kończyć:
Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST. Uruchom FRST i kliknij w Fix (NAPRAW).
przez SHIFT+DEL usuń pozostały folder C:\FRST.

W Adw-Cleaner kliknij u góry po lewej na PLIK, potem na ODINSTALUJ.

.

1) Spróbuj odinstalować ten program:

amuleC (HKLM-x32\...\{19539992-061C-4E8B-9053-07B175303AF4}) (Version: 1.0.1 - amuleC) <==== UWAGA

 

2) CHR Profile: C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-07] <==== UWAGA

Uruchom Google Chrome
> Naciśnij klawisze: lewy Alt+F i kliknij przycisk Ustawienia >
> Sekcja: OSOBY
>zaznacz (wybierz): user0
kliknij znaczek X znajdujący się po prawej stronie

 

3) Działają u Ciebie przeglądarki, które wyglądają jak Google Chrome oraz Mozilla Firefox, ale w rzeczywistości to Trojany.

Daję je do usuwania, i także skróty, które przekierowują na nie.

Potem zrobisz sobie nowe skróty Mozili i Chrome'a.

 

Otwórz Notatnik i wklej w nim:

DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{19539992-061C-4E8B-9053-07B175303AF4}
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{19539992-061C-4E8B-9053-07B175303AF4}
Task: {CA1007BE-8FB3-4A51-819B-3B74C2D14488} - System32\Tasks\WinTOOL => C:\ProgramData\wintools\WintoolUprI.exe [2017-01-18] ()
Task: {CEDBE78A-BC47-49BC-98B8-838604780613} - System32\Tasks\2c9d9e339999c7c157828a17266b5419 => Rundll32.exe "C:\Program Files (x86)\Java\owrkt0.dll",e62dc6c6547f46bda862da2d05af6862 <==== UWAGA
C:\Program Files (x86)\Common Files\Services\iThemes.dll
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [80850]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [360536]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1156450]
MSCONFIG\startupreg: app => C:\Program Files (x86)\wanttoxiamen\uc.exe
RemoveDirectory: c:\program files (x86)\gubed
RemoveDirectory: C:\Program Files (x86)\wanttoxiamen
RemoveDirectory: C:\Users\Komp1\AppData\Local\Undbmedia
RemoveDirectory: C:\Users\Komp1\AppData\Local\Ujjdmedia
RemoveDirectory: C:\Program Files (x86)\Fishhas
RemoveDirectory: C:\Program Files (x86)\Firefox
MSCONFIG\startupreg: svchost0 => C:\Program Files (x86)\wanttoxiamen\uc.exe
MSCONFIG\startupreg: Udgtmedia => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Komp1\AppData\Local\Undbmedia\symcrtServices.dll
MSCONFIG\startupreg: Ujjdmedia => regsvr32.exe C:\Users\Komp1\AppData\Local\Ujjdmedia\symcrtServices.dll
MSCONFIG\startupreg: Undbmedia => C:\Users\Komp1\AppData\Local\Undbmedia\4ee9eec868cba7357454a1538a2e0bd9.exe
FirewallRules: [{D3766CB3-95B5-4F90-9818-38658186162D}] => C:\Program Files (x86)\Fishhas\Application\chrome.exe
FirewallRules: [{78B26909-1D37-4E2A-B2F8-0FED11710180}] => C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{F96F5528-F091-4FBB-907E-685A7675B1BC}] => C:\Program Files (x86)\Firefox\Firefox.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2127561691-812862515-3127793605-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== UWAGA
HKU\S-1-5-18\...\Run: [] => 0
HKLM\...\Providers\1ufe4nuj: C:\1\local64spl.dll
HKLM\...\Providers\1ysm3bvu: P:\GIMP\\local64spl.dll
HKLM\...\Providers\38javz7u: P:\GIMP\\local64spl.dll
HKLM\...\Providers\6ma92wo7: C:\1\local64spl.dll
HKLM\...\Providers\8goldu3w: P:\NFSW\\local64spl.dll
HKLM\...\Providers\b5ykv2f2: P:\Program Files\UDPdp\UDPnp4\\local64spl.dll
HKLM\...\Providers\b69bu78m: C:\\local64spl.dll
HKLM\...\Providers\b6blfsst: C:\\local64spl.dll
HKLM\...\Providers\b6niomg7: P:\GIMP1\local64spl.dll
HKLM\...\Providers\bnaqpwpt: P:\Program Files\UDPdp\UDPnp4\\local64spl.dll
HKLM\...\Providers\ctn4sgwi: P:\NFSW\\local64spl.dll
HKLM\...\Providers\cxdsisto: P:\NFSW\\local64spl.dll
HKLM\...\Providers\doliyt2s: P:\Program Files\UDPdp\UDPnp41\local64spl.dll
HKLM\...\Providers\e12vvmqh: P:\aktu1\local64spl.dll
HKLM\...\Providers\etxqmgfo: P:\Gry - Steam\\local64spl.dll
HKLM\...\Providers\ge118pvl: P:\GIMP1\local64spl.dll
HKLM\...\Providers\hdqfi91o: P:\aktu1\local64spl.dll
HKLM\...\Providers\i5nubbpx: P:\Gry - Steam1\local64spl.dll
HKLM\...\Providers\j82tiyuo: P:\Program Files\UDPdp\UDPnp41\local64spl.dll
HKLM\...\Providers\jwunmjw4: P:\Program Files\UDPdp\UDPnp4\\local64spl.dll
HKLM\...\Providers\n0o4ciq4: P:\Program Files\UDPdp\UDPnp41\local64spl.dll
HKLM\...\Providers\p0kmtxo2: P:\NFSW1\local64spl.dll
HKLM\...\Providers\q1dh6x5l: P:\Gry - Steam\\local64spl.dll
HKLM\...\Providers\v3rlxe8x: P:\NFSW1\local64spl.dll
HKLM\...\Providers\wup9y1yd: P:\aktu\\local64spl.dll
HKLM\...\Providers\x2esm3pd: P:\Gry - Steam1\local64spl.dll
HKLM\...\Providers\y904s2xq: P:\aktu\\local64spl.dll
HKLM\...\Providers\yjz9ew9q: P:\NFSW1\local64spl.dll
IFEO\MRT.exe: [Debugger] C:\Windows\TEMP\wea1824.tmp\Gubed.exe -Yrrehs
ShellExecuteHooks: Brak nazwy - {D05DB088-9EBF-11E6-B6CD-64006A5CFC23} -  -> Brak pliku
C:\1\local64spl.dll
P:\GIMP\\local64spl.dll
P:\NFSW\\local64spl.dll
P:\Program Files\UDPdp\UDPnp4\\local64spl.dll
C:\\local64spl.dll
P:\GIMP1\local64spl.dll
P:\Gry - Steam\\local64spl.dll
P:\aktu1\local64spl.dll
P:\NFSW1\local64spl.dllP:\aktu\\local64spl.dll
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  -> Brak pliku
GroupPolicy: Ograniczenia - Chrome <======= UWAGA
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
Tcpip\..\Interfaces\{5A840FED-9075-49A4-B566-32A8B1FA277E}: [NameServer] 188.120.241.135,8.8.8.8
Tcpip\..\Interfaces\{AD912212-D013-4EAA-81B6-56D7B9B0C894}: [NameServer] 188.120.241.135,8.8.8.8
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.amisites.com/?type=hp&ts=1484063254&z=44cdac3f47131e1d1594899g1z7bdzaeaq3c3o0w7q&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.amisites.com/?type=hp&ts=1484063254&z=44cdac3f47131e1d1594899g1z7bdzaeaq3c3o0w7q&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.amisites.com/search/?type=ds&ts=1480503129&z=5bc3047abfa72c1d0deddecgczbb4e2wde5c5g7gbb&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.amisites.com/search/?type=ds&ts=1480503129&z=5bc3047abfa72c1d0deddecgczbb4e2wde5c5g7gbb&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.amisites.com/?type=hp&ts=1484063254&z=44cdac3f47131e1d1594899g1z7bdzaeaq3c3o0w7q&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.amisites.com/?type=hp&ts=1484063254&z=44cdac3f47131e1d1594899g1z7bdzaeaq3c3o0w7q&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.amisites.com/search/?type=ds&ts=1480503129&z=5bc3047abfa72c1d0deddecgczbb4e2wde5c5g7gbb&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.amisites.com/search/?type=ds&ts=1480503129&z=5bc3047abfa72c1d0deddecgczbb4e2wde5c5g7gbb&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX&q={searchTerms}
HKU\S-1-5-21-2127561691-812862515-3127793605-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.amisites.com/?type=hp&ts=1484063254&z=44cdac3f47131e1d1594899g1z7bdzaeaq3c3o0w7q&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
HKU\S-1-5-21-2127561691-812862515-3127793605-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.amisites.com/?type=hp&ts=1484063254&z=44cdac3f47131e1d1594899g1z7bdzaeaq3c3o0w7q&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
SearchScopes: HKU\S-1-5-21-2127561691-812862515-3127793605-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.amisites.com/search/?type=ds&ts=1480503129&z=5bc3047abfa72c1d0deddecgczbb4e2wde5c5g7gbb&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2127561691-812862515-3127793605-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.amisites.com/search/?type=ds&ts=1480503129&z=5bc3047abfa72c1d0deddecgczbb4e2wde5c5g7gbb&from=archer1028&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX&q={searchTerms}
FF Homepage: Firefox\Firefox\Profiles\dbg7p6fn.default -> hxxp://www.searchinme.com/?type=hp&ts=1484840704758&z=&from=official&uid=TOSHIBAXDT01ACA050_Z5GY4KXASXXZ5GY4KXASX
FF Extension: (FF Adr) - C:\Users\Komp1\AppData\Roaming\Firefox\Firefox\Profiles\dbg7p6fn.default\Extensions\@H99KV4DO-UCCF-9PFO-9ZLK-8RRP4FVOKD9O.xpi [2017-01-18] [Brak podpisu cyfrowego]
FF Extension: (English (US) Language Pack) - C:\Users\Komp1\AppData\Roaming\Firefox\Firefox\Profiles\dbg7p6fn.default\Extensions\langpack-en-US@firefox.mozilla.org.xpi [2017-01-19] [Brak podpisu cyfrowego]
FF SearchPlugin: C:\Users\Komp1\AppData\Roaming\Firefox\Firefox\Profiles\dbg7p6fn.default\searchplugins\searchinme.xml [2017-01-18]
CHR Profile: C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-07] <==== UWAGA
CHR Extension: (Prezentacje Google) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-11]
CHR Extension: (Dysk Google) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-24]
CHR Extension: (YouTube) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-24]
CHR Extension: (Adblock Plus) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-11-11]
CHR Extension: (Background Theme Changer (NO ADs)) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\cnoidmlhdpcdlmnkdecpdalonkmgcodd [2016-11-11]
CHR Extension: (Google Search) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-24]
CHR Extension: (Tampermonkey) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-11-11]
CHR Extension: (Slither.io) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\dmplapbomebhmdffmlhgbelgcnfajapj [2016-04-24]
CHR Extension: (Avast SafePrice) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-11-11]
CHR Extension: (Dokumenty Google offline) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Avast Online Security) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-11-11]
CHR Extension: (jquery-injector) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\indebdooekgjhkncmgbkeop[beeep]ofdoid [2016-04-03]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Enhanced Steam) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\okadibdjfemgnhjiembecghcbfknbfhg [2016-11-11]
CHR Extension: (Gmail) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-24]
CHR Extension: (Chrome Media Router) - C:\Users\Komp1\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-11]
R2 GubedZL; C:\Program Files (x86)\Gubed\GubedZL.dll [124416 2017-01-19] () [Brak podpisu cyfrowego]
R3 iThemes5; C:\Program Files (x86)\Common Files\Services\iThemes.dll [583680 2017-01-19] () [Brak podpisu cyfrowego] <==== UWAGA
Reg: reg delete HKLM\SYSTEM\CurrentControlSet\Services\Themes /v DependOnService /f
S4 ed2kidle; "C:\Program Files (x86)\amuleC1\ed2k.exe" -downloadwhenidle [X]
S2 FirefoxU; "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe" [X]
C:\Program Files (x86)\amuleC1
R1 ucdrv; C:\Windows\System32\drivers:ucdrv-x64.sys [80850 ] (UC Web Inc.) <==== UWAGA
S3 cpuz138; \??\C:\Users\Komp1\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
S1 p1481293715am; \??\C:\Users\Komp1\AppData\Local\Temp\bk976F.tmp\p1481293715am.sys [X]
S1 p1481740824am; \??\C:\Users\Komp1\AppData\Local\Temp\bkC764.tmp\p1481740824am.sys [X]
S1 p1481812824am; \??\C:\Users\Komp1\AppData\Local\Temp\bkE15A.tmp\p1481812824am.sys [X]
S1 p1482162155am; \??\C:\Users\Komp1\AppData\Local\Temp\bkEA6E.tmp\p1482162155am.sys [X]
S1 p1482162218am; \??\C:\Users\Komp1\AppData\Local\Temp\bkE1D7.tmp\p1482162218am.sys [X]
S1 p1482853697am; \??\C:\Users\Komp1\AppData\Local\Temp\bk23F5.tmp\p1482853697am.sys [X]
S1 p1483113289am; \??\C:\Users\Komp1\AppData\Local\Temp\bk2D38.tmp\p1483113289am.sys [X]
S1 p1483113374am; \??\C:\Users\Komp1\AppData\Local\Temp\bk7B96.tmp\p1483113374am.sys [X]
S1 p1483459680am; \??\C:\Users\Komp1\AppData\Local\Temp\bkA286.tmp\p1483459680am.sys [X]
S1 p1483975862am; \??\C:\Users\Komp1\AppData\Local\Temp\bk82C6.tmp\p1483975862am.sys [X]
S1 p1483976003am; \??\C:\Users\Komp1\AppData\Local\Temp\bkA90B.tmp\p1483976003am.sys [X]
S1 p1484062649am; \??\C:\Users\Komp1\AppData\Local\Temp\bk5FBC.tmp\p1484062649am.sys [X]
S1 p1484062773am; \??\C:\Users\Komp1\AppData\Local\Temp\bk4450.tmp\p1484062773am.sys [X]
S1 p1484062887am; \??\C:\Users\Komp1\AppData\Local\Temp\bk187.tmp\p1484062887am.sys [X]
S1 p1484753808am; \??\C:\Users\Komp1\AppData\Local\Temp\bk4E6E.tmp\p1484753808am.sys [X]
S1 p1484840338am; \??\C:\Users\Komp1\AppData\Local\Temp\bk4E01.tmp\p1484840338am.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S1 UCGuard; system32\DRIVERS\ucguard.sys [X] <==== UWAGA
2017-01-19 16:44 - 2017-01-19 16:44 - 00000000 ____D C:\Users\Komp1\AppData\Local\Fishhas
2017-01-18 16:43 - 2017-01-18 16:43 - 00000000 ____D C:\Users\Komp1\AppData\Local\Applefat
2017-01-18 16:43 - 2017-01-18 16:43 - 00000000 ____D C:\ProgramData\wintools
2017-01-09 16:37 - 2017-01-21 13:01 - 00000000 ____D C:\Program Files (x86)\WinArcher
2017-01-09 16:37 - 2017-01-09 16:37 - 00000000 ____D C:\Users\Komp1\AppData\Local\Bigflat
2017-01-08 19:47 - 2017-01-17 17:51 - 00000000 ____D C:\Program Files (x86)\reports
2017-01-03 17:52 - 2017-01-21 16:06 - 00000040 _____ C:\Program Files (x86)\settings.dat
2017-01-03 17:52 - 2017-01-17 17:52 - 00000114 _____ C:\Program Files (x86)\metadata
2017-01-03 17:12 - 2017-01-03 17:12 - 00000000 ____D C:\Users\Komp1\AppData\Local\Zooarm
2016-12-31 10:20 - 2016-12-31 10:20 - 00000037 ___SH C:\Users\Komp1\AppData\Local\20986331705021ca58edc424.96250074
2016-12-31 10:20 - 2016-12-31 10:20 - 00000000 __SHD C:\Users\Komp1\AppData\Local\icsxml
C:\ProgramData\Ament.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UC浏览器.lnk
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\bf3a7c50bf661075\Google Chrome.lnk
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk
C:\Users\Komp1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\744210bf2d2512fa\Google Chrome.lnk
HOSTS:
EmptyTemp:

>>Menu Notatnika >> Plik >>
>>Zapisz jako >>
Nazwa pliku: fixlist
Zapisz jako typ: Dokumenty tekstowe
Kodowanie: UTF -8
>>Zapisz
Plik umieść w folderze C:\Users\Komp1\Downloads
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

4) Użyj >Adw-cleaner
najpierw kliknij na SKANUJ (SCAN), a dopiero po zakończeniu skanowania, gdy uaktywni się przycisk OCZYŚĆ (CLEANING), to kliknij na niego.
Pokaż raport z niego "C"

 

5) Zrób nowe logi FRST.

przed skanem zaznacz: Additional.txt Shortcut.txt,

.

W logach nic nie wskazuje na istnienie jakiegokolwiek "reklamiarza".

 

Tylko kosmetyka:

Otwórz Notatnik i wklej w nim:

Task: {098C9EAB-F511-41C7-A48F-DDADFB61CD25} - System32\Tasks\{DBB97911-FA5B-4361-BDFD-E7C9D2BDC96A} => pcalua.exe -a "C:\Gry\Total War - SHOGUN 2\Shogun2.exe" -d "C:\Gry\Total War - SHOGUN 2"
Task: {515CB463-A194-49E0-B14A-5DED366EBBE7} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Brak pliku <==== UWAGA
Task: {5A66B35B-8780-450B-923D-47121C2998D8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> Brak pliku <==== UWAGA
Task: {6E0FF698-A404-40FC-98E7-6B5A7604F2CF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Brak pliku <==== UWAGA
Task: {8280AF9F-6A3A-407C-83DB-6AA058B7A940} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> Brak pliku <==== UWAGA
Task: {88EF4662-B063-4F2F-9354-385B649E0E78} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Brak pliku <==== UWAGA
Task: {966F1839-9709-435B-8236-D806DAA45A60} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Brak pliku <==== UWAGA
Task: {99B0E6C6-2534-47A3-ABC3-5EFE0A814EA8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Brak pliku <==== UWAGA
Task: {9EAFC258-2267-4639-B525-EEF79F39802D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Brak pliku <==== UWAGA
Task: {B03A6AA3-C086-44A6-8B51-85EF13154EC8} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> Brak pliku <==== UWAGA
Task: {B6260DB2-CB96-4D37-AFAB-9ED53D5DDA04} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> Brak pliku <==== UWAGA
Task: {BC43CF10-6437-4437-9B88-509AEB6E800D} - \CCleanerSkipUAC -> Brak pliku <==== UWAGA
Task: {E460454C-E776-4D14-89DA-11A58CE89EA0} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Brak pliku <==== UWAGA
Task: {F125959C-7425-4467-AFA7-857B57B30680} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Brak pliku <==== UWAGA
Task: {F8D3D23C-23D1-414C-9E15-AF80AD1042E4} - \LuckyTab -> Brak pliku <==== UWAGA
HOSTS:
EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe
Uruchom FRST i kliknij przycisk Fix (NAPRAW).

.

Tylko kosmetyka:

 

Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej to:

:OTL
[2012-03-19 15:14:13 | 000,000,000 | -HSD | M] -- C:\Users\euro\AppData\Roaming\.#
[2013-06-27 11:07:37 | 000,003,728 | ---- | C] () -- C:\Program Files (x86)\Mozilla Firefoxavg-secure-search.xml
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL File not found
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
[2013-08-27 11:10:46 | 000,000,000 | ---D | M] (Fast Discountz) -- C:\Users\euro\AppData\Roaming\mozilla\Firefox\Profiles\kaxqsqz6.default\extensions\{2a4808f0-e451-4d0b-982a-bb0f44d3354d}
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found

:Commands
[emptytemp]

Kliknij w Wykonaj Skrypt.