Infected with malware, it comes back after scanning with popular apps


  • This topic is locked
12 replies to this topic

#1 xor2

xor2

  • Members
  • 12 posts

Posted 11 November 2015 - 06:03 AM

Hello,

I have been doing everything. Scanning with Malwarebytes, Spybot etc. I was resetting Chrome settings.

It is ok for some time but in a few days they come back again! I just cannot get rid of them. I need your help.

I cannot find suspicious apps in my applications window. There are no schedules to remove...

Here are the FRST file and Addition file included.

Thanks for your help in advance!

FRST file:

Rezultaty skanowania Farbar Recovery Scan Tool (FRST) (x64) Wersja:07-11-2015
Uruchomiony przez Jan (administrator)  PC_JAN (11-11-2015 11:52:41)
Uruchomiony z C:\Users\Jan\Downloads
Załadowane profile: Jan (Dostępne profile: Jan)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Język: Polski (Polska)
Internet Explorer Wersja 8 (Domyślna przeglądarka: Chrome)
Tryb startu: Normal
 
==================== Procesy (filtrowane) =================
 
(Załączenie wejścia w fixlist spowoduje zamknięcie procesu. Powiązany plik nie zostanie przeniesiony.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
(Dassault Systèmes SolidWorks Corp.) C:\Program Files\SolidWorks Corp\SolidWorks\sldworks_fs.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
(Dropbox, Inc.) C:\Users\Jan\AppData\Roaming\Dropbox\bin\Dropbox.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Rejestr (filtrowane) ===========================
 
(Załączenie wejścia w fixlist spowoduje usunięcie obiektu z rejestru lub przywrócenie jego domyślnej postaci. Powiązany plik nie zostanie przeniesiony.)
 
HKLM\...\Run: [Fences] => C:\Program Files (x86)\Stardock\Fences\Fences.exe [4017368 2012-10-29] (Stardock Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1093104993-2891267949-3853390956-1000\...\Run: [HydraVisionDesktopManager] => C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [389120 2013-09-29] (AMD)
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt64.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Jan\AppData\Roaming\Dropbox\bin\DropboxExt.26.dll [2015-06-26] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [Uchwyt nakładania ikony podpisu cyfrowego] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\SysWOW64\AcSignIcon.dll [2004-02-25] (Autodesk)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks 2014 Fast Start.lnk [2015-08-05]
ShortcutTarget: SolidWorks 2014 Fast Start.lnk -> C:\Windows\Installer\{4FFA60C4-9A8B-4C9E-8265-2241B266304C}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software LLC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks Pobieracz w tle.lnk [2015-08-05]
ShortcutTarget: SolidWorks Pobieracz w tle.lnk -> C:\Program Files (x86)\Common Files\Menedżer instalacji SolidWorks\BackgroundDownloading\sldBgDwld.exe (Dassault Systèmes SolidWorks Corp.)
Startup: C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-10-22]
ShortcutTarget: Dropbox.lnk -> C:\Users\Jan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
GroupPolicy: Ograniczenia - Chrome <======= UWAGA
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
 
==================== Internet (filtrowane) ====================
 
(Załączenie wejścia w fixlist, w przypadku gdy jest to obiekt rejestru, spowoduje usunięcie go z rejestru lub przywrócenie jego domyślnej postaci.)
 
Hosts: W pliku Hosts jest więcej niż jedno wejście. Sprawdź sekcję Hosts w Addition.txt
Tcpip\Parameters: [DhcpNameServer] 37.8.214.2 31.11.202.254
Tcpip\..\Interfaces\{6C03B6FC-EDAC-49B1-9B57-14E00B9B06BB}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{BC8B5BEF-40AC-43CB-8FFE-2297F1E94EC3}: [DhcpNameServer] 37.8.214.2 31.11.202.254
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-1093104993-2891267949-3853390956-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1093104993-2891267949-3853390956-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-19] (Google Inc.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-19] (Google Inc.)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
BHO-x32: Brak nazwy -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> Brak pliku
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-19] (Google Inc.)
Toolbar: HKLM-x32 - Элементы Яндекса - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files (x86)\Yandex\Elements\bartabhost.dll Brak pliku
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-19] (Google Inc.)
Toolbar: HKU\S-1-5-21-1093104993-2891267949-3853390956-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-19] (Google Inc.)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_190.dll [2015-06-29] ()
FF Plugin: @caminova.com/DjVuPlugin -> C:\Program Files\Caminova\Document Express DjVu Plug-in\npdjvu.dll [2013-06-03] (Caminova, Inc.)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_190.dll [2015-06-29] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @caminova.com/DjVuPlugin -> C:\Program Files (x86)\Caminova\Document Express DjVu Plug-in\npdjvu.dll [2013-06-03] (Caminova, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2015-01-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2015-01-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-09-05] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\searchplugins\yandex.com-231615.xml [2015-02-07]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14] [Brak podpisu cyfrowego]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\4zffxtbr@VideoDownloadConverter_4z.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\8hffxtbr@Allin1Convert_8h.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\vb@yandex.ru.xpi [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\{518c59b7-17dc-4872-ae04-24f1719066a1}.xpi [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\d4db60df25f14dae9dd18@185c395f9e794c9ab86be3eb.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\389579c4-efa9-4d96-a1dd-3c86f7bd1a51@gmail.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\iobitascsurfingprotection@iobit.com [nie znaleziono]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.yandex.com/?__PARAM__from=chromehp
CHR StartupUrls: Default -> "hxxp://google.pl/"
CHR DefaultSearchURL: Default -> hxxp://go.mail.ru/search?q={searchTerms}&fr=xtn9
CHR DefaultSearchKeyword: Default -> mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
CHR Profile: C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (AdBlock) - C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-10-14]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-28]
CHR HKLM-x32\...\Chrome\Extension: [ilamgbdaebkbpkkmfmmfbnaamkhijdek] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-10-12]
CHR HKLM-x32\...\Chrome\Extension: [mdeldjolamfbcgnndjmjjiinnhbnbnla] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ofdgafmdegfkhfdfkmllfefmcmcjllec] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pchfckkccldkbclgdepkaonamkignanh] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pnooffjhclkocplopffdbcdghmiffhji] - hxxps://clients2.google.com/service/update2/crx
 
Opera: 
=======
OPR Extension: (dgmpjohfgidbnmmihaholohmeccijgog) - C:\Users\Jan\AppData\Roaming\Opera Software\Opera Stable\Extensions\dgmpjohfgidbnmmihaholohmeccijgog [2015-06-29]
OPR Extension: (gcknhkkoolaabfmlnjonogaaifnjlfnp) - C:\Users\Jan\AppData\Roaming\Opera Software\Opera Stable\Extensions\gcknhkkoolaabfmlnjonogaaifnjlfnp [2015-05-13]
 
==================== Usługi (filtrowane) ========================
 
(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)
 
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2014-09-30] (Adobe Systems) [Brak podpisu cyfrowego]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S3 Autodesk Licensing Service; C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe [74360 2014-01-25] (Autodesk, Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2015-10-12] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2015-10-12] (Microsoft Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-07-05] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [174368 2014-02-28] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-08-21] (Intel Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2014-01-27] (SolidWorks) [Brak podpisu cyfrowego]
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [22008 2015-09-10] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 Strong Laugh; "C:\Program Files (x86)\Strong Laugh\Strong Laugh.exe" [X]
 
===================== Sterowniki (filtrowane) ==========================
 
(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-01-25] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-07-13] ()
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-06-28] (REALiX™)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28216 2012-09-01] (Intel Corporation)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2015-11-11] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\Jan\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [X]
 
==================== NetSvcs (filtrowane) ===================
 
(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)
 
 
==================== Jeden miesiąc - utworzone pliki i foldery ========
 
(Załączenie wejścia w fixlist spowoduje przeniesienie pliku/folderu.)
 
2015-11-11 11:52 - 2015-11-11 11:52 - 02198528 _____ (Farbar) C:\Users\Jan\Downloads\FRST64.exe
2015-11-11 11:52 - 2015-11-11 11:52 - 00023236 _____ C:\Users\Jan\Downloads\FRST.txt
2015-11-11 11:52 - 2015-11-11 11:52 - 00000000 ____D C:\FRST
2015-11-10 21:34 - 2015-11-11 08:54 - 00008543 _____ C:\Users\Jan\Desktop\Pomysły styczeń  2016.odt
2015-11-10 20:50 - 2015-11-10 20:50 - 01283072 _____ C:\Users\Jan\Downloads\Kudrjavcev_Podgotovka_specialistov_k_sozdaniju_innovacij_na_reguljarnoj_osnove.pps
2015-11-10 12:52 - 2015-08-03 18:42 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts.20151110-125250.backup
2015-11-09 18:45 - 2015-11-09 18:45 - 00000000 ____D C:\Users\Jan\Desktop\Materiały dla Wrocławia
2015-11-06 08:02 - 2015-11-09 18:40 - 00000000 ____D C:\Users\Jan\Desktop\Wrocław
2015-11-06 07:58 - 2015-11-11 08:34 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2015-11-05 18:04 - 2015-11-05 18:04 - 00000000 ____D C:\Users\Jan\Documents\Nowy folder
2015-11-04 20:17 - 2015-11-04 20:17 - 00006156 _____ C:\Users\Jan\Desktop\Zadania Denisa.odt
2015-11-04 20:01 - 2015-11-11 11:51 - 09224704 _____ C:\Users\Jan\Desktop\Szkolenie na I stopień - Użytkownik TRIZ cz.1 nova.ppt
2015-11-04 19:51 - 2015-11-04 22:04 - 00007489 _____ C:\Users\Jan\Desktop\Teksty do uzupełniania.odt
2015-11-04 19:19 - 2015-11-04 19:26 - 00008671 _____ C:\Users\Jan\Desktop\Zadania dla Ostrowca.odt
2015-11-04 18:54 - 2015-11-04 18:55 - 09703424 _____ C:\Users\Jan\Desktop\Szkolenie TRIZ Polit. Wrocław.ppt
2015-11-03 17:10 - 2015-11-04 10:44 - 00000000 ____D C:\Users\Jan\Desktop\Plik do prób
2015-11-03 07:26 - 2015-11-03 07:27 - 00000000 ____D C:\Users\Jan\AppData\OICE_15_974FA576_32C1D314_3FFC
2015-10-29 07:34 - 2015-11-11 11:06 - 00005072 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for PC_JAN-Jan PC_JAN
2015-10-28 09:39 - 2015-10-28 09:44 - 05692416 _____ C:\Users\Jan\Desktop\TRIZ-w Polsce.ppt
2015-10-27 12:59 - 2015-11-04 19:59 - 00295424 _____ C:\Users\Jan\Desktop\Patrzeć- widzieć- wiedzieć, wyciągać wnioski.ppt
2015-10-27 12:52 - 2015-11-04 19:58 - 00737280 _____ C:\Users\Jan\Desktop\Patrzeć- widzieć- wiedzieć.ppt
2015-10-27 09:53 - 2015-10-27 09:53 - 01067490 _____ C:\Users\Jan\Desktop\Laser FA i T.odt
2015-10-26 16:18 - 2015-10-26 16:18 - 00929872 _____ (Google Inc.) C:\Users\Jan\Downloads\ChromeSetup (2).exe
2015-10-21 19:45 - 2015-10-21 19:46 - 04320072 _____ (Google) C:\Users\Jan\Downloads\chrome_cleanup_tool.exe
2015-10-20 20:15 - 2015-10-21 11:56 - 00000266 __RSH C:\ProgramData\ntuser.pol
2015-10-20 20:14 - 2015-10-20 20:14 - 00000000 ____D C:\Windows\Tasks\360Disabled
2015-10-20 20:13 - 2015-10-20 20:14 - 00000000 ___HD C:\Users\Jan\AppData\Roaming\GoldenGate
2015-10-20 20:11 - 2015-10-26 16:13 - 00000000 ____D C:\Windows\System32\Tasks\Lenovo
2015-10-20 20:11 - 2015-10-20 20:13 - 00000000 __SHD C:\ProgramData\360Quarant
2015-10-20 20:11 - 2015-10-20 20:13 - 00000000 __SHD C:\$360Section
2015-10-20 20:11 - 2015-10-20 20:11 - 00000000 ____D C:\Users\Jan\REACHit
2015-10-20 20:11 - 2015-10-20 20:11 - 00000000 ____D C:\Users\Jan\AppData\Local\Lenovo
2015-10-20 20:11 - 2015-10-20 20:11 - 00000000 ____D C:\Users\Jan\AppData\Local\Downloaded Installations
2015-10-20 20:10 - 2015-10-22 08:38 - 00000000 ____D C:\Program Files (x86)\360
2015-10-20 20:10 - 2015-10-20 20:10 - 00110301 _____ C:\Users\Jan\Downloads\MIO SPIRIT 490 LM user guide [1].exe
2015-10-19 07:01 - 2015-10-22 19:28 - 00000148 _____ C:\Windows\Reimage.ini
2015-10-19 06:50 - 2015-10-19 06:50 - 20033086 _____ C:\Users\Jan\Downloads\TL-WN751ND_V2.0_Easy_Setup_Ass.rar
2015-10-15 18:47 - 2015-10-15 18:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-10-12 08:59 - 2015-10-12 08:59 - 00000000 ___HD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo ThinkVantage Tools
 
==================== Jeden miesiąc - zmodyfikowane pliki i foldery ========
 
(Załączenie wejścia w fixlist spowoduje przeniesienie pliku/folderu.)
 
2015-11-11 11:42 - 2014-02-04 17:20 - 00000000 ____D C:\Users\Jan\Documents\Pliki programu Outlook
2015-11-11 10:56 - 2014-02-02 11:29 - 00000000 ____D C:\Users\Jan\Documents\Outlook Files
2015-11-11 08:43 - 2009-07-14 05:45 - 00028320 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-11 08:43 - 2009-07-14 05:45 - 00028320 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-11 08:41 - 2011-04-12 14:21 - 00743636 _____ C:\Windows\system32\perfh015.dat
2015-11-11 08:41 - 2011-04-12 14:21 - 00156648 _____ C:\Windows\system32\perfc015.dat
2015-11-11 08:41 - 2009-07-14 06:13 - 01679476 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-11 08:38 - 2014-01-25 13:42 - 01582197 _____ C:\Windows\WindowsUpdate.log
2015-11-11 08:35 - 2014-04-08 07:48 - 00000000 ___RD C:\Users\Jan\Dropbox
2015-11-11 08:35 - 2014-04-08 07:46 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Dropbox
2015-11-11 08:34 - 2015-09-19 11:41 - 00000196 _____ C:\Windows\Tasks\AutoKMS.job
2015-11-11 08:34 - 2014-01-25 15:30 - 00034752 _____ C:\Windows\system32\Drivers\WPRO_41_2001.sys
2015-11-11 08:34 - 2010-11-21 04:47 - 00533094 _____ C:\Windows\PFRO.log
2015-11-11 08:34 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-11 08:34 - 2009-07-14 05:51 - 00136399 _____ C:\Windows\setupact.log
2015-11-10 16:39 - 2014-01-25 15:58 - 00000000 ____D C:\Users\Jan\AppData\Local\CrashDumps
2015-11-10 11:40 - 2015-07-13 22:19 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-10 08:55 - 2015-07-14 10:21 - 00000024 _____ C:\Users\Jan\AppData\Roaming\appdataFr25.bin
2015-11-10 08:25 - 2015-09-19 11:41 - 00000202 _____ C:\Windows\Tasks\AutoKMSDaily.job
2015-11-09 09:46 - 2014-03-03 10:45 - 00003578 _____ C:\Users\Jan\Documents\plot.log
2015-11-06 15:31 - 2015-09-26 16:53 - 00464864 _____ C:\Users\Jan\Desktop\TRIZ - Pedgaogika -  artykuł do UPRP.odt
2015-10-30 20:03 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-29 08:07 - 2014-01-25 16:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-10-29 07:29 - 2015-07-13 22:19 - 00001112 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-29 07:29 - 2015-07-13 22:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-29 07:29 - 2015-07-13 22:19 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-28 20:22 - 2015-02-15 12:34 - 00000000 ____D C:\Users\Jan\Desktop\Progres - oferta
2015-10-27 20:27 - 2015-07-27 09:06 - 00035278 _____ C:\Windows\system32\ScanResults.xml
2015-10-27 20:24 - 2015-07-27 08:59 - 00000464 _____ C:\Windows\system32\ScannerSettings
2015-10-27 06:50 - 2009-07-14 06:08 - 00032604 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-26 16:18 - 2015-01-09 09:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-10-26 16:13 - 2014-11-05 10:28 - 00000000 ____D C:\Program Files (x86)\Lenovo
2015-10-20 20:11 - 2015-05-12 08:58 - 00000000 ____D C:\Windows\Downloaded Installations
2015-10-20 20:11 - 2014-01-25 15:19 - 00000000 ____D C:\ProgramData\Package Cache
2015-10-20 20:11 - 2014-01-25 13:41 - 00000000 ____D C:\Users\Jan
2015-10-20 16:51 - 2014-01-29 22:10 - 00000000 ____D C:\Users\Jan\AppData\Local\TempSW Katalog dla kopii zapasowych
2015-10-19 14:01 - 2015-09-06 14:18 - 00000000 ____D C:\Users\Jan\Desktop\TRIZ dla przedszkolanek
2015-10-17 19:37 - 2015-06-28 12:53 - 00000000 ____D C:\Users\Jan\Desktop\Książki Świetłany Gin
2015-10-17 16:42 - 2014-12-30 16:58 - 00000000 ____D C:\Users\Public\Downloads\Maps
2015-10-15 20:28 - 2014-02-23 12:41 - 00000000 ____D C:\Users\Jan\AppData\Roaming\Skype
2015-10-15 18:47 - 2014-11-03 18:15 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-10-15 18:47 - 2014-02-23 12:40 - 00000000 ____D C:\ProgramData\Skype
2015-10-12 08:59 - 2014-11-05 10:29 - 00000000 ____D C:\ProgramData\Lenovo
2015-10-12 08:59 - 2014-11-05 10:28 - 00000000 ____D C:\Windows\System32\Tasks\TVT
 
==================== Pliki w katalogu głównym wybranych folderów =======
 
2014-02-02 11:08 - 2014-02-02 11:08 - 0003711 _____ () C:\Program Files (x86)\Mozilla Firefoxavg-secure-search.xml
2015-06-14 11:32 - 2014-08-15 11:34 - 1745904 _____ () C:\Program Files (x86)\wrar511b1.exe
2015-07-14 10:21 - 2015-11-10 08:55 - 0000024 _____ () C:\Users\Jan\AppData\Roaming\appdataFr25.bin
2014-02-23 16:31 - 2014-02-26 20:35 - 0037075 _____ () C:\Users\Jan\AppData\Roaming\Wartości oddzielone przecinkami.ADR
2015-04-14 17:28 - 2015-04-14 17:28 - 0004387 _____ () C:\Users\Jan\AppData\Roaming\xxvtzXhcKLZqsOU09XChh
2014-01-25 15:55 - 2014-01-25 15:55 - 0007597 _____ () C:\Users\Jan\AppData\Local\Resmon.ResmonCfg
2015-05-21 15:05 - 2015-05-21 15:05 - 0000000 _____ () C:\Users\Jan\AppData\Local\Temp.dat
2015-01-11 10:06 - 2015-01-11 10:06 - 0000000 _____ () C:\Users\Jan\AppData\Local\{C9341451-B62D-4F2F-A122-E67EA2E25139}
 
Niektóre pliki w TEMP:
====================
C:\Users\Jan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpytv7el.dll
 
 
==================== Bamital & volsnap =================
 
(Brak automatycznej naprawy dla plików które nie przeszły weryfikacji.)
 
C:\Windows\system32\winlogon.exe => Plik podpisany cyfrowo
C:\Windows\system32\wininit.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\wininit.exe => Plik podpisany cyfrowo
C:\Windows\explorer.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\explorer.exe => Plik podpisany cyfrowo
C:\Windows\system32\svchost.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\svchost.exe => Plik podpisany cyfrowo
C:\Windows\system32\services.exe => Plik podpisany cyfrowo
C:\Windows\system32\User32.dll => Plik podpisany cyfrowo
C:\Windows\SysWOW64\User32.dll => Plik podpisany cyfrowo
C:\Windows\system32\userinit.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\userinit.exe => Plik podpisany cyfrowo
C:\Windows\system32\rpcss.dll => Plik podpisany cyfrowo
C:\Windows\system32\dnsapi.dll => Plik podpisany cyfrowo
C:\Windows\SysWOW64\dnsapi.dll => Plik podpisany cyfrowo
C:\Windows\system32\Drivers\volsnap.sys => Plik podpisany cyfrowo
 
 
LastRegBack: 2015-11-10 07:14
 
==================== Koniec  FRST.txt ============================

Edited by xor2, 11 November 2015 - 06:07 AM.



#2 xor2


Posted 11 November 2015 - 06:07 AM

I forgot about the Addition file. Here it is, included.



#3 xor2


Posted 13 November 2015 - 04:55 AM

Anyone? Please, could someone take a look at these files?



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:05 PM

Posted 15 November 2015 - 09:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

UWAGA: Przywracanie systemu jest wylaczone

How to: Turn System Restore ON - Windows
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7

===

Remove this program in gold using the Control Panel > Programs and Features applet if present.
globalupdate Helper (x32 Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== UWAGA
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Ograniczenia - Chrome <======= UWAGA
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-1093104993-2891267949-3853390956-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Brak nazwy -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> Brak pliku
Toolbar: HKLM-x32 - ???????? ??????? - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files (x86)\Yandex\Elements\bartabhost.dll Brak pliku
FF SearchPlugin: C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\searchplugins\yandex.com-231615.xml [2015-02-07]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\4zffxtbr@VideoDownloadConverter_4z.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\8hffxtbr@Allin1Convert_8h.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\vb@yandex.ru.xpi [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\{518c59b7-17dc-4872-ae04-24f1719066a1}.xpi [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\d4db60df25f14dae9dd18@185c395f9e794c9ab86be3eb.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\389579c4-efa9-4d96-a1dd-3c86f7bd1a51@gmail.com [nie znaleziono]
FF Extension: Brak nazwy - C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\4ljtzmi2.default\extensions\iobitascsurfingprotection@iobit.com [nie znaleziono]
CHR HomePage: Default -> hxxp://www.yandex.com/?__PARAM__from=chromehp
CHR HKLM-x32\...\Chrome\Extension: [mdeldjolamfbcgnndjmjjiinnhbnbnla] - hxxp://clients2.google.com/service/update2/crx
S2 Strong Laugh; "C:\Program Files (x86)\Strong Laugh\Strong Laugh.exe" [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\Jan\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [X]
FirewallRules: [{53C96534-9189-44B5-BC78-06C198F5BA9B}] => (Allow) C:\Users\Default\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Jan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpytv7el.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.
===

How is the computer running now?

#5 xor2


Posted 15 November 2015 - 03:16 PM

Thank You. 

 

I have included the files you requested. At the moment it is okay. I will let you know if anything bad is happening.

 

Can you confirm, based on these two files, that all relevant entries have been fixed?

 

Thank you for your help again!

 

P.S. I don't know if that is important but somehow I noticed different pages shown in chrome and in one of them there was an address:

http://--silent-debugger-extension-api/

 

What is that?

 

P.S.2 To uninstall: globalupdate Helper first I had to remove SystemComponent flag by using FRST. Otherwise I couldn't find that program on the list.

Edited by xor2, 15 November 2015 - 03:40 PM.
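Why the entry could not be found, as an added example that is not the thread's or FRST's own code: Programs and Features does not list uninstall entries whose SystemComponent registry value is 1, which is what nasdaq's "Hidden" marker in post #4 and xor2's P.S.2 about clearing the SystemComponent flag refer to. The PowerShell below (assumes PowerShell 3.0 or later; the three registry key paths are the standard Windows uninstall locations, not values from the thread) lists such hidden entries for review, and includes a helper that makes a single entry visible again.

```powershell
# Added example, not from the thread or from FRST. Lists uninstall entries
# that Programs and Features hides because SystemComponent = 1. Many
# legitimate components (MSI child packages, runtimes) set this flag too,
# so the output is a review list, not a removal list.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-HiddenUninstallEntry {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # Entries without the value, or with 0, are already visible.
            if ($p.SystemComponent -ne 1) { continue }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                Publisher       = $p.Publisher
                DisplayVersion  = $p.DisplayVersion
                UninstallString = $p.UninstallString
                KeyPath         = $sub.PSPath
            }
        }
    }
}

# Manual counterpart of what xor2 did with FRST: clear the flag so the entry
# shows up in Programs and Features. Only use it on an entry you have
# identified as unwanted; pass the KeyPath printed by the function above.
function Show-UninstallEntry {
    param([Parameter(Mandatory)][string]$KeyPath)
    Set-ItemProperty -Path $KeyPath -Name SystemComponent -Value 0 -Type DWord
}

Get-HiddenUninstallEntry |
    Sort-Object Publisher, DisplayName |
    Format-Table DisplayName, Publisher, DisplayVersion, UninstallString -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are writable when Show-UninstallEntry is used; a publisher name you do not recognise next to a hidden entry is the signal to investigate, not to delete blindly.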


#6 nasdaq


Posted 16 November 2015 - 08:28 AM

Looking good.

globalupdate Helper first I had to remove SystemComponent flag by using FRST. Otherwise I couldn't find that program on the list.

It's probably not there any more. If all is well forget about it.

===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

How is Chrome acting now?

#7 nasdaq


Posted 22 November 2015 - 08:06 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 nasdaq


Posted 22 November 2015 - 08:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#9 xor2


Posted 03 January 2016 - 04:30 PM

Hello again,

 

After the last clearing everything seemed to be perfect, except for the fact that Ads by Dealsy appeared and there was nothing I could do to get rid of them.

 

I am using chrome web browser. So ads appear when I am surfing using this application.

 

What I have also noticed so far, redirecting to:

 

Reimage Repair
fullresultfun.net
 
I included two files again.
Thanks for help in advance!
 

#10 nasdaq


Posted 04 January 2016 - 08:40 AM



Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {B9A1562B-B5C0-478E-9E9F-C541A6BD4DB5} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
Task: {E6252F78-81D2-445F-A34C-A30F202C15F1} - System32\Tasks\AutoKMSDaily => C:\Windows\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMSDaily.job => C:\Windows\AutoKMS.exe
AlternateDataStreams: C:\Users\Jan\Desktop\??? ????????:com.dropbox.attributes
C:\Windows\AutoKMS.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)

How is the computer running now?
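The AutoKMS lines in the fixlist above are scheduled tasks whose action runs an executable dropped directly into C:\Windows, plus the matching legacy .job files in C:\Windows\Tasks. As an added example (not the thread's or FRST's own code), the PowerShell below walks every Task Scheduler folder through the Schedule.Service COM interface, which exists on Windows 7, and flags tasks whose executable sits in the Windows root or under a user profile. The two heuristics are mine, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the thread or from FRST. Enumerates scheduled tasks
# (hidden ones included) and flags executables in locations that legitimate
# system tasks rarely use. Assumes PowerShell 3.0 or later.
function Test-SuspectTaskPath {
    param([string]$Exe)
    if (-not $Exe) { return $false }
    $parent = Split-Path -Path $Exe -Parent
    # Heuristic 1: binary sits directly in %WINDIR% (as C:\Windows\AutoKMS.exe
    # does above) rather than in System32, SysWOW64 or another subfolder.
    if ($parent -and ($parent.TrimEnd('\') -ieq $env:WINDIR.TrimEnd('\'))) { return $true }
    # Heuristic 2: binary lives under a user profile (AppData, Temp, Downloads).
    if ($Exe -like "$env:SystemDrive\Users\*") { return $true }
    return $false
}

function Get-TaskExecAction {
    param([string]$FolderPath = '\')
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $folder = $svc.GetFolder($FolderPath)
    # GetTasks(1) = TASK_ENUM_HIDDEN, so tasks marked hidden are included.
    foreach ($task in $folder.GetTasks(1)) {
        foreach ($action in $task.Definition.Actions) {
            if ($action.Type -ne 0) { continue }   # 0 = TASK_ACTION_EXEC
            $raw = [string]$action.Path
            if (-not $raw) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            [pscustomobject]@{
                Task      = $task.Path
                Exe       = $exe
                Arguments = $action.Arguments
                Suspect   = Test-SuspectTaskPath -Exe $exe
            }
        }
    }
    # Recurse into subfolders (\Microsoft\Windows\..., vendor folders, etc.).
    foreach ($sub in $folder.GetFolders(0)) {
        Get-TaskExecAction -FolderPath $sub.Path
    }
}

Get-TaskExecAction |
    Where-Object { $_.Suspect } |
    Format-Table Task, Exe, Arguments -AutoSize
```

Drop the Where-Object filter to see every task with its resolved executable; a flagged task is a lead for checking the file's signature and origin, in the same spirit as the FRST entries nasdaq picked out.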

#11 xor2


Posted 04 January 2016 - 01:44 PM

Thank You for the answer.

Here are the files included. I will shortly let you know if that solves the problem.

 

Thank You Again! :)

#12 nasdaq


Posted 11 January 2016 - 09:23 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#13 nasdaq


Posted 17 January 2016 - 09:47 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



