
yoursites123 infection .. please help.

novy07

As I wrote in the subject, I am asking for help removing yoursites123 from my computer. I am attaching the FRST files.

Twój_Anioł_Stróż
comment (edited)

1) Uninstall these programs:

Browsers Protector (HKLM\...\Browsers Protector) (Version: 1.0.0.0 - Publisher Name) <==== UWAGA

StartSearch Toolbar 1.3 (HKLM\...\StartSearch Toolbar) (Version: 1.3 - startsear.ch) <==== UWAGA

 

2) Open Notepad and paste into it:

DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
ShortcutWithArgument: C:\Users\PROBOOK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\Users\PROBOOK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk -> C:\Users\PROBOOK\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\Users\PROBOOK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\Users\PROBOOK\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\Users\PROBOOK\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Users\PROBOOK\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\Users\PROBOOK\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
ShortcutWithArgument: C:\Users\Public\Desktop\Opera.lnk -> C:\Program Files\Opera\launcher.exe (Opera Software) -> hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT <==== UWAGA
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.istartpageing.com/web/?type=ds&ts=1448220806&z=255acabdcf07488a02e7ef6g0z1z6b5o3o8eab8e1q&from=cornl&uid=fujitsuxmhz2250bhxg2_k617t953u3kt&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.istartpageing.com/web/?type=ds&ts=1448220806&z=255acabdcf07488a02e7ef6g0z1z6b5o3o8eab8e1q&from=cornl&uid=fujitsuxmhz2250bhxg2_k617t953u3kt&q={searchTerms}
HKU\S-1-5-21-2147684360-3398328516-471063904-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT&q={searchTerms}
HKU\S-1-5-21-2147684360-3398328516-471063904-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.istartpageing.com/?type=hp&ts=1448220806&z=255acabdcf07488a02e7ef6g0z1z6b5o3o8eab8e1q&from=cornl&uid=fujitsuxmhz2250bhxg2_k617t953u3kt
www.google.com
HKU\S-1-5-21-2147684360-3398328516-471063904-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
HKU\S-1-5-21-2147684360-3398328516-471063904-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
HKU\S-1-5-21-2147684360-3398328516-471063904-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT&q={searchTerms}
SearchScopes: HKLM -> DefaultScope - brak wartości
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://startsear.ch/?aff=2&src=sp&cf=0f03bd2c-67c2-11e1-8f50-00247e7ec486&q={searchTerms}
SearchScopes: HKLM -> {9D0421B0-2C59-4228-91A3-36D1B1E2DDFB} URL = hxxp://startsear.ch/?aff=2&src=sp&cf=0f03bd2c-67c2-11e1-8f50-00247e7ec486&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2147684360-3398328516-471063904-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://startsear.ch/?aff=2&src=sp&cf=0f03bd2c-67c2-11e1-8f50-00247e7ec486&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2147684360-3398328516-471063904-1000 -> {0D7562AE-8EF6-416d-A838-AB665251703A} URL = hxxp://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
SearchScopes: HKU\S-1-5-21-2147684360-3398328516-471063904-1000 -> {61A62570-ED5D-4DD7-81B8-ADBBC162A186} URL = hxxp://startsear.ch/?aff=1&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2147684360-3398328516-471063904-1000 -> {9673D2BB-92AC-418C-842E-158ECBC74716} URL = hxxp://startsear.ch/?aff=1&src=sp&cf=0f03bd2c-67c2-11e1-8f50-00247e7ec486&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1447840541&z=f86529f4e9287a33995331dg8z6z2m0b5zae3oac9b&from=cor&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
CHR StartupUrls: Default -> "hxxp://www.yoursites123.com/?type=hp&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT"
StartMenuInternet: Google Chrome - C:\Users\PROBOOK\AppData\Local\Google\Chrome\Application\chrome.exe hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
StartMenuInternet: (HKLM) OperaStable - C:\Program Files\Opera\Launcher.exe hxxp://www.yoursites123.com/?type=sc&ts=1450087671&z=e9d66a51298cb558f0f8943g0z2w0e3e5bem9q4m0c&from=wpm07173&uid=FUJITSUXMHZ2250BHXG2_K617T953U3KT
R2 ihpmServer; C:\Program Files\RayDld\ihpmServer.exe [271592 2015-11-19] (Ray you)
R2 IhPul; C:\Users\PROBOOK\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files\SFK\SSFK.exe [170144 2015-11-27] (TODO: <公司名>)
R2 WdMan; C:\ProgramData\WWdMW\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [Brak podpisu cyfrowego]
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.25.5\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.27.5\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.23.9\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.28.1\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.28.13\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.24.15\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.22.3\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.21.165\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.26.9\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.25.11\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.28.15\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.22.5\psuser.dll => Brak pliku
CustomCLSID: HKU\S-1-5-21-2147684360-3398328516-471063904-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\PROBOOK\AppData\Local\Google\Update\1.3.24.7\psuser.dll => Brak pliku
Task: {24AEE5C5-0212-4E89-96FE-82CBCD2A9C4A} - System32\Tasks\{F29E5627-7227-41A1-B8AB-D66BC19B38F0} => pcalua.exe -a "C:\Program Files\NCH Swift Sound\Switch\uninst.exe"
Task: {87E165C6-E421-488B-8D77-8CEDCBA2D5FD} - System32\Tasks\{FB8B60C2-C5F0-429A-9F87-A87EB5CE46E8} => pcalua.exe -a C:\Users\PROBOOK\Desktop\switchsetup.exe -d C:\Users\PROBOOK\Desktop
Task: {F2DB0A35-BEA9-4D77-AC9A-FC9F3544903C} - System32\Tasks\FoxTab => C:\Users\PROBOOK\AppData\Roaming\FoxTab\UPDATE~1\UPDATE~1.EXE <==== UWAGA
C:\Users\PROBOOK\AppData\Roaming\FoxTab
AlternateDataStreams: C:\ProgramData:3f80b7866a646e
AlternateDataStreams: C:\ProgramData:fe93a19e34e9a
AlternateDataStreams: C:\Users\All Users:3f80b7866a646e
AlternateDataStreams: C:\Users\All Users:fe93a19e34e9a
AlternateDataStreams: C:\Users\PROBOOK:fbd10aca14da3f
AlternateDataStreams: C:\ProgramData\Application Data:3f80b7866a646e
AlternateDataStreams: C:\ProgramData\Application Data:fe93a19e34e9a
AlternateDataStreams: C:\ProgramData\Dane aplikacji:3f80b7866a646e
AlternateDataStreams: C:\ProgramData\Dane aplikacji:fe93a19e34e9a
AlternateDataStreams: C:\Users\PROBOOK\Dane aplikacji:03118b400fe1
AlternateDataStreams: C:\Users\PROBOOK\Ustawienia lokalne:0f26ec73976c36e
AlternateDataStreams: C:\Users\PROBOOK\AppData\Local:0f26ec73976c36e
AlternateDataStreams: C:\Users\PROBOOK\AppData\Roaming:03118b400fe1
AlternateDataStreams: C:\Users\PROBOOK\AppData\Local\Dane aplikacji:0f26ec73976c36e
AlternateDataStreams: C:\Users\PROBOOK\AppData\Local\Historia:d9bdc038250d
AlternateDataStreams: C:\Users\PROBOOK\AppData\Local\Temp:9c1b8aa784a8
C:\Program Files\RayDld
C:\Users\PROBOOK\AppData\Roaming\TSv
C:\ProgramData\WWdMW
C:\Program Files\SFK
HKU\S-1-5-21-2147684360-3398328516-471063904-1000\...\Run: [BingSvc] => C:\Users\PROBOOK\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-16] (© 2015 Microsoft Corporation)
CHR HKU\S-1-5-21-2147684360-3398328516-471063904-1000\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
Toolbar: HKU\S-1-5-21-2147684360-3398328516-471063904-1000 -> Brak nazwy - {32099AAC-C132-4136-9E9A-4E364A424E17} -  Brak pliku
Toolbar: HKU\S-1-5-21-2147684360-3398328516-471063904-1000 -> Brak nazwy - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} -  Brak pliku
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\fcmdSrch.xml [2011-05-01]
cHR Extension: (vshare plugin) - C:\Users\PROBOOK\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpionmjnkbpcdpcflammlgllecmejgjj [2015-11-23]
S3 CpqDfw; system32\drivers\CpqDfw.sys [X]
S1 wfdrvr_vt_1_10_0_28; system32\drivers\wfdrvr_vt_1_10_0_28.sys [X]
2015-12-14 11:08 - 2015-12-14 11:08 - 00000001 _____ C:\Windows\system32\pl.html
2015-12-14 11:08 - 2015-12-14 11:08 - 00000000 ____D C:\Users\PROBOOK\AppData\Roaming\WinZipper
2015-12-14 11:08 - 2015-12-14 11:08 - 00000000 ____D C:\Users\PROBOOK\AppData\Roaming\TSv
2015-12-14 11:07 - 2015-12-14 11:07 - 00000000 ____D C:\ProgramData\3WdM3
2015-11-22 20:34 - 2015-11-22 20:34 - 00000000 ____D C:\Program Files\RayDld
2015-11-18 10:55 - 2015-12-14 11:08 - 00000074 _____ C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2015-11-18 10:55 - 2015-12-14 11:07 - 00000000 ____D C:\ProgramData\pWMiniProp
2015-11-18 10:55 - 2015-11-18 11:23 - 00000000 ____D C:\Users\PROBOOK\AppData\Roaming\istartsurf
EmptyTemp:

Save the file as [b]fixlist.txt[/b] and put it next to FRST.exe.
Run [b]FRST[/b] and click the [b]Fix[/b] (NAPRAW) button.


----------------------
If everything is OK, we will finish up:
Open Notepad and paste into it:

DeleteQuarantine:

Save the file as fixlist.txt and put it next to FRST. Run FRST and click Fix (NAPRAW).
Using SHIFT+DEL, delete the remaining C:\FRST folder.


If, however, the problem does not go away, you will reinstall the browser on which it still appears.
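
As an added example for the defender's side of the procedure above (not code from the thread, from FRST, or from the helper), a PowerShell audit that reproduces two of the checks the fixlist acts on: browser shortcuts whose Arguments field carries a URL (FRST's ShortcutWithArgument lines) and the Start Page / Search Page values under Internet Explorer\Main. The shortcut folders are assumptions taken from the paths in the log; the -Fix switch clears the URL argument, which is what the corresponding fixlist entries do.

```powershell
# Added example, not part of the thread: audit the persistence spots the fixlist above targets.
# Shortcut roots are assumed from the paths in the FRST log; adjust for the machine being checked.
$Shell = New-Object -ComObject WScript.Shell

$ShortcutRoots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:PUBLIC\Desktop"
)

function Get-HijackedShortcut {
    # Lists .lnk files whose Arguments field contains a URL; browser shortcuts normally have none.
    # With -Fix the argument is cleared and the shortcut saved, the same effect as FRST's fix.
    param([string[]]$Roots, [switch]$Fix)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $Shell.CreateShortcut($_.FullName)
                $argument = $lnk.Arguments          # captured before any cleanup
                if ($argument -match '(?i)https?://') {
                    if ($Fix) { $lnk.Arguments = ''; $lnk.Save() }
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $argument
                        Fixed     = [bool]$Fix
                    }
                }
            }
    }
}

function Get-IeMainUrl {
    # Reads the Start Page / Search Page / Default_* values FRST lists under Internet Explorer\Main.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
            if ($props.$name) {
                [pscustomobject]@{ Hive = $hive; Value = $name; Url = ($props.$name -join ' | ') }
            }
        }
    }
}

Get-HijackedShortcut -Roots $ShortcutRoots | Format-Table -AutoSize   # add -Fix to clear them
Get-IeMainUrl | Format-Table -AutoSize
```

Run it before and after the FRST fix: a clean machine reports no shortcuts and only the expected home page, and any URL that still appears points at the browser the helper says to reinstall.
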
 
novy07
comment

Infection removed. Many thanks for the help.
