
The syswow64 folder that opens by itself


camillo2001

Question

Recommended answers

Posted

The fix wasn't applied because you didn't copy the whole thing.

Instructions in the spoiler.

Uninstall:

Nero Toolbar Updater
Babylon toolbar on IE
Bing Bar
Ask Toolbar
Google Toolbar for Internet Explorer
MediaCaster by Ask

1. Paste into the custom scan options box:

:OTL
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE - HKLM\..\SearchScopes\{4845F837-FE34-9F73-D66C-4EA6AD052550}: "URL" = http://search.sweetim.com/search.asp?src=6&crg=3.1010000&q={searchTerms}&barid={307254D4-18A4-464F-BB8A-F4F815F2F55C}
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.wisesearch.info/?l=1&q={searchTerms}&pid=964&r=2013/10/17&hid=5935598636926409227&lg=EN&cc=PL&unqvl=39
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtgl&chnl=fmtgl&cd=2XzuyEtN2Y1L1Qzuzzzzzy0F0F0AtAtAyByCyByCyCyEzzzztN0D0Tzu0CtBtDtBtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1286387809
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://home.sweetim.com/?crg=3.1010000&barid={307254D4-18A4-464F-BB8A-F4F815F2F55C}
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.com/?type=hp&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.dosearches.com/web/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=ds&from=cor&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&ts=1384086294&type=default&q={searchTerms}
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.dosearches.com/web/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=ds&from=cor&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&ts=1384086294&type=default&q={searchTerms}
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.com/?type=hp&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.golsearch.com/?q={searchTerms}&babsrc=SP_ss_Btisdt6&mntrId=A436889FFA337676&affID=119357&tt=160913_nocpn&tsp=5010
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://www.qone8.com/web/?type=ds&ts=1399216012&from=ild&uid=HitachiXHTS545050B9A300_110124PBN403171P4JWEX&q={searchTerms}
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\..\SearchScopes\{AB887800-5EA0-446E-A083-FD4E614C03F8}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=402027&p={searchTerms}
IE - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.wisesearch.info/?l=1&q={searchTerms}&pid=964&r=2013/10/17&hid=5935598636926409227&lg=EN&cc=PL&unqvl=39
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (Funmoods Helper Object) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\PROGRA~2\Funmoods\1.5.23.22\bh\escort.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [T] \sa-.exe File not found
O4 - HKLM..\Run: [mobilegeni daemon] C:\Program Files (x86)\Mobogenie\DaemonProcess.exe File not found
O4 - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000..\Run: [T1TT4] \l.exe File not found
O4 - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000..\Run: [T1602065TT4] C:\Windows\SysWOW64\774053878306l.exe ()
O4 - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000..\Run: [se] C:\Users\user\AppData\Roaming\SkypEmoticons\SE.exe  /minimized  File not found
O4 - HKU\.DEFAULT..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 File not found
O4 - HKU\S-1-5-18..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8:64bit: - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Wyślij &do programu OneNote - res://C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Wyślij &do programu OneNote - res://C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105 File not found
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O18:64bit: - Protocol\Handler\base64 - No CLSID value found
O18:64bit: - Protocol\Handler\chrome - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\prox - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~3\SPEEDS~1\SPEEDS~2.DLL) -  File not found
O20 - AppInit_DLLs: (c:\progra~3\speeds~1\speeds~1.dll) -  File not found
O20 - HKLM Winlogon: UserInit - ("C:\Windows\M60262\Ja280254bLay.com") - C:\Windows\M60262\Ja280254bLay.com ()
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O27:64bit: - HKLM IFEO\msconfig.exe: Debugger - C:\Windows\notepad.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\regedit.exe: Debugger - C:\Windows\notepad.exe (Microsoft Corporation)
O27 - HKLM IFEO\msconfig.exe: Debugger - C:\Windows\notepad.exe (Microsoft Corporation)
O27 - HKLM IFEO\regedit.exe: Debugger - C:\Windows\notepad.exe (Microsoft Corporation)
O32 - AutoRun File - [2013/11/18 20:10:27 | 000,000,007 | -HS- | M] () - C:\autoexec.bat -- [ NTFS ]
@Alternate Data Stream - 160 bytes -> C:\ProgramData\MTA San Andreas All:NT2
@Alternate Data Stream - 160 bytes -> C:\ProgramData:NT2
@Alternate Data Stream - 150 bytes -> C:\ProgramData\Temp:5D7E5A8F
@Alternate Data Stream - 149 bytes -> C:\ProgramData\Temp:CDFF58FE
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:93EB7685
@Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:E36F5B57
@Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:4D066AD2
@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:E1F04E8D
@Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:1A60DE96
@Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:05E9FFE5
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:0B9176C0
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:E3C56885
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:798A3728
@Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:D1B5B4F1
@Alternate Data Stream - 111 bytes -> C:\ProgramData\Temp:DFC5A2B2


:Files
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-6.job
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-5.job
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-4.job
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-1.job
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-2.job
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-6.job
C:\Windows\tasks\e0e0a655-8982-4713-80fc-d3529a8a196a-7.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-7.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-6.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-4.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-4.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-2.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-5.job
C:\Windows\tasks\2e10d0f9-1239-4dc7-85f8-42db6a7eaea5-3.job

:Commands
[emptytemp]
 
 

Run the script, confirm the restart and make new logs without extras.txt (uncheck "registry - extra scan").

Make sure you copied the whole code (from :OTL right to the end).

OK, it worked on the 3rd try

 

http://www.mediafire.com/view/m72wj9pofne81cv/05102014_114720.log

Posted

It's normal in Windows 7 that some programs have to be run with administrator privileges.

 

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

 

This entry meant you didn't have to run things as administrator, but it's sloppy and shouldn't exist in the system in the form above. The computer is now free of infection. I have no idea what could be causing the problem. Scan with the program mentioned above and run a CCleaner scan. It has to help.

Posted

The fix looks done. Make new OTL logs to be sure everything was removed.

 

 

 

 

Total Files Cleaned = 4,476.00 mb

4.5 GB of junk :D

 

 

 

Posted

The log was done wrong.

Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

Do them again, making sure you ticked everything correctly. Don't click "Quick Scan", click "Scan".

Posted

That folder must be getting opened by some piece of crap. Either way, the system has been cleaned of a good deal of junk, including Brontok, a spamming worm. Unfortunately I can't help with the folder, though I know that kind of popping up can be annoying.

Posted

Still nothing.

After the fix runs, Notepad will open. Copy its contents and paste them on wklej.org (not as an attachment, not straight into the thread, only on the wklej.org site).

So what now?

Posted

In OTL, run (cosmetics):

:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0

@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
@Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:D1B5B4F1
@Alternate Data Stream - 111 bytes -> C:\ProgramData\Temp:DFC5A2B2

:Commands
[EMPTYTEMP]
[CLEARALLRESTOREPOINTS]
[CREATERESTOREPOINT]

 
 
 
The log is clean now. Run a full scan with Malwarebytes if the problem still occurs.


Posted

Run:

:OTL
PRC - [2012/06/28 14:53:52 | 000,695,448 | ---- | M] () -- C:\Users\Ana\AppData\Roaming\BrowserCompanion\tcbhn.exe
MOD - [2014/04/06 20:29:52 | 004,296,192 | ---- | M] () -- c:\progra~2\gssupp~1\assist~1.dll
MOD - [2012/06/28 14:53:52 | 000,695,448 | ---- | M] () -- C:\Users\Ana\AppData\Roaming\BrowserCompanion\tcbhn.exe
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
O1 - Hosts: 46.23.70.78 pagead2.googlesyndication.com
O1 - Hosts: 46.23.70.78 pagead2.googlesyndication.com
O2 - BHO: (Browser Companion Helper) - {00cbb66b-1d3b-46d3-9577-323a336acb50} - C:\Program Files (x86)\BrowserCompanion\jsloader.dll ( )
O2 - BHO: (Safeweb) - {896CB78A-53EA-A4DA-8A2F-2ACD2D89F29D} - C:\Program Files (x86)\Safeweb\qehi_72.dll ()
O2 - BHO: (Browser Companion Helper Verifier) - {963B125B-8B21-49A2-A3A8-E37092276531} - C:\Program Files (x86)\BrowserCompanion\updatebhoWin32.dll ( )
O2 - BHO: (GrreattSaave4U) - {A88D8F51-79DF-D0F1-F939-A60416902DF0} - C:\ProgramData\GrreattSaave4U\NB4Xx5N6.dll ()
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Funmoods Toolbar) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1320080679-4065846851-3746739224-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - Startup: C:\Users\Ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sql.cmd ()
O4 - Startup: C:\Users\Ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk = C:\Users\Ana\AppData\Roaming\BrowserCompanion\tcbhn.exe ()
O20 - AppInit_DLLs: (c:\progra~2\gssupp~1\assist~1.dll) - c:\progra~2\gssupp~1\assist~1.dll ()
O31 - SafeBoot: AlternateShell - 774053878306l.exe
[2014/04/25 19:40:45 | 000,000,000 | -HSD | C] -- C:\Users\Ana\AppData\Local\EmieUserList
[2014/04/25 19:40:45 | 000,000,000 | -HSD | C] -- C:\Users\Ana\AppData\Local\EmieSiteList
[2014/04/21 20:35:58 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{540DDB29-6A21-49AB-B251-B160E6CEEE6A}
[2014/04/21 20:31:45 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{86E125D2-3651-4660-8CAF-3C7740894916}
[2014/04/21 17:02:16 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{C57A27EE-F7F5-4D57-ACF0-DB28B2FD3A40}
[2014/04/21 15:56:56 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{89F4237F-A23A-41FB-A531-98DFBC864200}
[2014/04/19 19:13:20 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{3B4B4C49-1264-4D24-A62D-25B5FFC4E59D}
[2014/04/17 12:05:08 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{974AD7C0-BF9C-43C4-99C6-C80A58380468}
[2014/04/16 17:47:29 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{2B31FB38-A1DB-437B-A6E5-7E53F360B639}
[2014/04/16 17:44:51 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{DF384D49-E4A2-44D8-9AAC-CA37F7ECD351}
[2014/04/16 17:44:09 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{2FEE5F01-45B6-4670-A978-78C1EBCEC12C}
[2014/04/15 15:11:02 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Local\{E3932390-B07D-413D-AF62-8C3FCE5C1DC0}
[2014/04/13 16:56:54 | 000,000,000 | ---D | C] -- C:\ProgramData\GrreattSaave4U
[2014/05/10 16:32:02 | 000,000,196 | ---- | M] () -- C:\Windows\tasks\AutoKMS.job
[2014/05/10 16:31:48 | 000,000,202 | ---- | M] () -- C:\Windows\tasks\AutoKMSDaily.job
[2014/05/10 16:31:41 | 000,078,848 | ---- | M] () -- C:\Windows\KMSEmulator.exe
[2014/05/10 16:30:44 | 000,000,280 | ---- | M] () -- C:\Windows\tasks\Driver Booster Update.job
[2014/05/07 19:00:07 | 000,000,282 | ---- | M] () -- C:\Windows\tasks\RMSchedule.job
[2014/04/08 20:46:35 | 000,647,168 | ---- | C] () -- C:\Windows\AutoKMS.exe
[2014/04/08 20:46:35 | 000,000,184 | ---- | C] () -- C:\Windows\AutoKMS.ini
[2014/04/08 20:43:27 | 000,078,848 | ---- | C] () -- C:\Windows\KMSEmulator.exe
[2014/01/09 16:40:01 | 000,000,000 | -H-- | C] () -- C:\ProgramData\DP45977C.lfl
[2013/12/18 11:59:03 | 000,574,464 | ---- | C] () -- C:\Windows\uninstall.exe
[2013/11/18 20:08:18 | 000,000,000 | -HS- | C] () -- C:\Windows\Ti878306ta.exe
[2013/09/08 18:52:46 | 000,001,233 | ---- | C] () -- C:\Users\Ana\AppData\Local\JunkAtx.bin
[2013/09/08 18:52:37 | 000,012,393 | ---- | C] () -- C:\Users\Ana\AppData\Local\Update.17.Bron.Tok.bin
[2013/09/08 18:22:28 | 000,012,393 | ---- | C] () -- C:\Users\Ana\AppData\Local\Bron.tok.A17.em.bin
 
[2013/08/14 12:28:40 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\CmdLineExt03.dll
[2012/07/20 12:00:45 | 000,384,844 | ---- | C] () -- C:\Users\Ana\AppData\Local\funmoods-speeddial.crx
[2012/07/20 12:00:39 | 000,031,465 | ---- | C] () -- C:\Users\Ana\AppData\Local\funmoods.crx
[2006/03/16 21:17:36 | 000,000,000 | ---- | C] () -- C:\Users\Ana\AppData\Local\winlogon.exe
[2006/03/16 21:17:36 | 000,000,000 | ---- | C] () -- C:\Users\Ana\AppData\Local\smss.exe
[2006/03/16 21:17:36 | 000,000,000 | ---- | C] () -- C:\Users\Ana\AppData\Local\services.exe
[2006/03/16 21:17:36 | 000,000,000 | ---- | C] () -- C:\Users\Ana\AppData\Local\lsass.exe
[2006/03/16 21:17:36 | 000,000,000 | ---- | C] () -- C:\Users\Ana\AppData\Local\inetinfo.exe
 

:Files
C:\Users\Ana\AppData\Local\Bron*
C:\Users\Ana\AppData\Roaming\BrowserCompanion\tcbhn.exe

Post a new OTL log and say whether the error still occurs.

I restarted the computer and nothing, the folder still opens by itself.
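The fix scripts in this thread remove the same classes of persistence a log reviewer hunts for: hosts-file redirects (O1), autorun and Startup entries (O4), the UAC policy values discussed in the earlier post (O6), AppInit_DLLs and the Winlogon UserInit/Shell values (O20), IFEO Debugger redirections of msconfig.exe and regedit.exe (O27), the Safe Mode shell (O31) and alternate data streams. The Python script below is an added example, not part of this thread and not OTL's own code: it applies defender-side rules to OTL-format lines and rates each hit. The sample log, the severity levels and the random-name heuristic are constructed for illustration; the expected values it compares against (EnableLUA=1, ConsentPromptBehaviorAdmin=5, UserInit=c:\windows\system32\userinit.exe, AlternateShell=cmd.exe) are the Windows 7 defaults.

```python
"""Defender-side triage of OTL-format log lines (added example, not OTL code)."""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, explanation, offending line)

# Windows 7 defaults for the UAC policy values OTL reports as O6 lines.
UAC_EXPECTED = {"EnableLUA": "1", "ConsentPromptBehaviorAdmin": "5",
                "ConsentPromptBehaviorUser": "3", "PromptOnSecureDesktop": "1"}
# Raw Winlogon values; the resolved path next to them can show SysWOW64
# because OTL is a 32-bit process, so only the raw value is compared.
WINLOGON_EXPECTED = {"Shell": "explorer.exe", "UserInit": r"c:\windows\system32\userinit.exe"}
LOOPBACK = ("127.", "0.0.0.0", "::1")
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".ps1")
RANDOM_NAME = re.compile(r"^\d{6,}[a-z]{0,2}\.exe$", re.I)  # e.g. 774053878306l.exe (heuristic)


def _split_publisher(rest: str) -> Tuple[str, str]:
    """'C:\\x\\a.exe (Vendor)' -> ('C:\\x\\a.exe', 'Vendor'); '()' means no publisher."""
    m = re.match(r"(.*?)\s*\(([^()]*)\)\s*$", rest)
    return (m.group(1).strip(), m.group(2).strip()) if m else (rest.strip(), "")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules to one OTL line; None means nothing to report."""
    s = line.strip()
    if m := re.match(r"O1 - Hosts: (\S+) (\S+)", s):
        ip, host = m.groups()  # ad blocking uses loopback; a routable IP hijacks traffic
        return None if ip.startswith(LOOPBACK) else ("high", f"hosts redirects {host} to {ip}", s)
    if m := re.match(r"O4 - Startup: (.+)", s):
        path = _split_publisher(m.group(1))[0]  # scripts dropped into the Startup folder
        return ("medium", f"script in Startup folder: {path}", s) if path.lower().endswith(SCRIPT_EXT) else None
    if m := re.match(r"O4 - \S+?\.\.\\(?:Run|RunOnce): \[([^\]]*)\] (.+)", s):
        name, rest = m.groups()
        if "File not found" in rest:
            return ("low", f"dead autorun entry [{name}]", s)
        path, publisher = _split_publisher(rest)
        if RANDOM_NAME.match(path.rsplit("\\", 1)[-1]):
            return ("high", f"autorun [{name}] runs randomly named {path}", s)
        return None if publisher else ("medium", f"autorun [{name}] has no publisher: {path}", s)
    if m := re.match(r"O6 - HKLM\\.*\\policies\\System: (\w+) = (\S+)", s):
        name, value = m.groups()
        expected = UAC_EXPECTED.get(name)
        if expected is not None and value != expected:
            return ("medium", f"UAC weakened: {name}={value} (default {expected})", s)
        return None
    if m := re.match(r"O20(?::64bit:)? - AppInit_DLLs: \((.*?)\)", s):
        dll = m.group(1).strip()  # injected into every process that loads user32.dll
        return ("medium", f"AppInit_DLLs loads {dll}", s) if dll else None
    if m := re.match(r"O20 - HKLM Winlogon: (UserInit|Shell) - \((.*?)\) - ", s):
        kind, raw = m.groups()
        value = raw.strip().strip('"').rstrip(",").lower()
        return None if value == WINLOGON_EXPECTED[kind] else ("high", f"Winlogon {kind} replaced with {value}", s)
    if m := re.match(r"O27(?::64bit:)? - HKLM IFEO\\(\S+): Debugger - (.+)", s):
        target, debugger = m.groups()  # launching the target runs the "debugger" instead
        return ("high", f"IFEO Debugger hijacks {target} -> {_split_publisher(debugger)[0]}", s)
    if m := re.match(r"O31 - SafeBoot: AlternateShell - (\S+)", s):
        shell = m.group(1)  # Safe Mode with Command Prompt should start cmd.exe
        return None if shell.lower() == "cmd.exe" else ("high", f"Safe Mode shell replaced with {shell}", s)
    if m := re.match(r"@Alternate Data Stream - (\d+) bytes -> (.+)", s):
        return ("low", f"{m.group(1)}-byte alternate data stream on {m.group(2)}", s)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every rule over a whole log and return the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample in OTL's line format (the SID and the IP are placeholders).
SAMPLE_LOG = r"""
O1 - Hosts: 198.51.100.7 pagead2.googlesyndication.com
O4 - HKLM..\Run: [LegitApp] C:\Program Files\Vendor\app.exe (Vendor Inc.)
O4 - HKU\S-1-5-21-1111-2222-3333-1000..\Run: [T1602065TT4] C:\Windows\SysWOW64\774053878306l.exe ()
O4 - HKLM..\Run: [old] C:\Program Files (x86)\Gone\gone.exe File not found
O4 - Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sql.cmd ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O20 - AppInit_DLLs: (c:\progra~3\speeds~1\speeds~1.dll) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - ("C:\Windows\M60262\Ja280254bLay.com") - C:\Windows\M60262\Ja280254bLay.com ()
O27 - HKLM IFEO\regedit.exe: Debugger - C:\Windows\notepad.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - 774053878306l.exe
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
"""

if __name__ == "__main__":
    for severity, why, _ in triage(SAMPLE_LOG):
        print(f"[{severity}] {why}")
```

Run it directly to list the findings for the constructed sample (5 high, 3 medium, 2 low), or feed it the text of a real OTL.txt. The Winlogon rule deliberately compares the raw registry value rather than the resolved path, because OTL's resolved path for `userinit.exe` can read `C:\Windows\SysWOW64\userinit.exe` through WOW64 redirection even when the value itself is the default.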

Posted

With extras?



extras?

Posted


OTL.Txt

Posted

Did I tell you to delete them? I asked you to scan them on virustotal.com.

It says I already scanned those files. As for the scan, I took a screenshot, link:

https://fbcdn-sphotos-e-a.akamaihd.net/hphotos-ak-ash3/t1.0-9/10339633_1404331423184313_7268119884458475424_n.jpg

https://scontent-a-cdg.xx.fbcdn.net/hphotos-ash3/t1.0-9/10301971_1404341516516637_45829312999000740_n.jpg

Posted

These entries may be to blame:

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

and especially the 2nd one. I'd rather not touch them. Maybe @rafor4 will have an idea :x

Archived

This topic is now archived and is closed to further replies.
