zodiac-game.info przy starcie

[patoch 0]

Był już taki temat kilka dni temu... Po starcie systemu samoczynnie odpala się domyślna przeglądarka (u mnie Firefox)

i ruska strona zodiac-game.info.

Nic nie instalowałem ostatnio, wiec syf zapewne z www się podczepił. Antywirus oczywiście nic nie wykrywa

 

Będę wdzięczny za sprawdzenie logów i pomoc.

FRST.txt

Addition.txt

[filutka78 11]

Nic nie instalowałem ostatnio

to nie zupełna prawda, bo używany był STEAM, a właśnie do niego jest przyklejony "zodiac-game".

 

Otwórz Notatnik i wklej w nim:

Task: {D8B7EF1A-7752-42F1-AACA-2550387A2FB2} - System32\Tasks\{5737B1EE-65A8-4A71-AC91-50B6AEBE9816} => pcalua.exe -a "E:\Program Files (x86)\Steam\steam.exe" -c steam://uninstall/43110

Task: {DF72C5CC-524E-4DAC-B1DE-492DFF678BD1} - System32\Tasks\pat7 => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v pat7 /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION

HKU\S-1-5-21-2812984995-1479176514-251614895-1000\...\Run: [pat7] => explorer.exe hxxp://sd-steam.info <===== ATTENTION

2016-08-16 19:06 - 2016-08-16 19:06 - 00003472 _____ E:\Windows\System32\Tasks\pat7

HKLM-x32\...\Run: [NPSStartup] => [X]

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.dosearches.com/web/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=ds&from=cor&uid=HitachiXHDS721616PLA380_PVE331Z9TLZ77UTLZ77UX&ts=1383933382&type=default&q={searchTerms}

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.dosearches.com/web/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=ds&from=cor&uid=HitachiXHDS721616PLA380_PVE331Z9TLZ77UTLZ77UX&ts=1383933382&type=default&q={searchTerms}

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.dosearches.com/web/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=ds&from=cor&uid=HitachiXHDS721616PLA380_PVE331Z9TLZ77UTLZ77UX&ts=1383933382&type=default&q={searchTerms}

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.dosearches.com/web/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=ds&from=cor&uid=HitachiXHDS721616PLA380_PVE331Z9TLZ77UTLZ77UX&ts=1383933382&type=default&q={searchTerms}

SearchScopes: HKU\S-1-5-21-2812984995-1479176514-251614895-1000 -> {0F531730-94BA-415F-875F-8ECF3980B03D} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2549263&CUI=UN35755511067402832&UM=1

SearchScopes: HKU\S-1-5-21-2812984995-1479176514-251614895-1000 -> {7352F334-46AB-4CD3-872B-751D5B546DBB} URL = hxxp://search.findwide.com/serp?guid={3FFE0635-1CA6-4945-8854-6BE5BAEC4406}&action=default_search&serpv=22&k={searchTerms}

SearchScopes: HKU\S-1-5-21-2812984995-1479176514-251614895-1000 -> {DFEFE03D-1CBB-45AA-BB55-2DBD0FF554C3} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=tightropetb&type=10809

BHO: FlexioblEShoopper -> {065e04ef-05de-4872-b2a8-4f577b104d68} -> E:\Program Files (x86)\FlexioblEShoopper\LON2fNu1liwtHm.x64.dll => No File

BHO: ApoptOU -> {2f4bfd73-4c25-42f1-93cf-6041ac26bb29} -> E:\Program Files (x86)\ApoptOU\ZIb41TFoM7Wi2C.x64.dll => No File

BHO: TicTaCouupoon -> {4a4d0341-ed15-4ea6-ba14-7fd347d41478} -> E:\Program Files (x86)\TicTaCouupoon\4jPtCDiFxhjPt5.x64.dll => No File

RemoveDirectory: E:\Program Files (x86)\ApoptOU

RemoveDirectory: E:\Program Files (x86)\TicTaCouupoon

RemoveDirectory: E:\Program Files (x86)\FlexioblEShoopper

RemoveDirectory: E:\Program Files (x86)\downloaiditkkeieP

RemoveDirectory: E:\Program Files (x86)\deaalpeak

BHO: downloaiditkkeieP -> {937d2791-3670-47ab-bbb4-1c296200ce55} -> E:\Program Files (x86)\downloaiditkkeieP\qgb2YbtMSFd511.x64.dll => No File

BHO: deaalpeak -> {dd59485b-617d-427a-a8a9-7a66e733ca1f} -> E:\Program Files (x86)\deaalpeak\bR0fpgYoEDgkXs.x64.dll => No File

BHO-x32: FlexioblEShoopper -> {065e04ef-05de-4872-b2a8-4f577b104d68} -> E:\Program Files (x86)\FlexioblEShoopper\LON2fNu1liwtHm.dll => No File

BHO-x32: ApoptOU -> {2f4bfd73-4c25-42f1-93cf-6041ac26bb29} -> E:\Program Files (x86)\ApoptOU\ZIb41TFoM7Wi2C.dll => No File

BHO-x32: TicTaCouupoon -> {4a4d0341-ed15-4ea6-ba14-7fd347d41478} -> E:\Program Files (x86)\TicTaCouupoon\4jPtCDiFxhjPt5.dll => No File

BHO-x32: downloaiditkkeieP -> {937d2791-3670-47ab-bbb4-1c296200ce55} -> E:\Program Files (x86)\downloaiditkkeieP\qgb2YbtMSFd511.dll => No File

BHO-x32: deaalpeak -> {dd59485b-617d-427a-a8a9-7a66e733ca1f} -> E:\Program Files (x86)\deaalpeak\bR0fpgYoEDgkXs.dll => No File

Toolbar: HKU\S-1-5-21-2812984995-1479176514-251614895-1000 -> No Name - {EEA08745-2531-4A5A-A4AC-579ED16BA7DB} - No File

StartMenuInternet: IEXPLORE.EXE - E:\Program Files\Internet Explorer\iexplore.exe hxxp://www.dosearches.com/?utm_source=b&utm_medium=cor&utm_campaign=rg&utm_content=sc&from=cor&uid=HitachiXHDS721616PLA380_PVE331Z9TLZ77UTLZ77UX&ts=1383933382

FF Plugin-x32: Adobe Reader -> E:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [No File]

FF Plugin HKU\S-1-5-21-2812984995-1479176514-251614895-1000: ubisoft.com/uplaypc -> E:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [No File]

FF user.js: detected! => E:\Users\pat7\AppData\Roaming\Mozilla\Firefox\Profiles\98ne0yuq.default-1426264099539\user.js [2015-03-14]

FF SearchPlugin: E:\Users\pat7\AppData\Roaming\Mozilla\Firefox\Profiles\98ne0yuq.default-1426264099539\searchplugins\katcr.xml [2015-09-04]

S3 EagleX64; \??\E:\Windows\system32\drivers\EagleX64.sys [X]

S3 EverestDriver; \??\D:\Programy_D\EVEREST Ultimate Edition\kerneld.amd64 [X]

S3 Nbdrv; system32\DRIVERS\nbdrv.sys [X]

S3 VGPU; System32\drivers\rdvgkmd.sys [X]

S3 XFDriver64; \??\E:\Program Files (x86)\Xfire2\XFDriver64.sys [X]

E:\ProgramData\Ament.ini

EmptyTemp:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST.exe

Uruchom FRST i kliknij przycisk Fix (NAPRAW).

 

Jeśli będzie OK, to będziemy kończyć:

Otwórz Notatnik i wklej w nim:

DeleteQuarantine:

Plik zapisz pod nazwą fixlist.txt i umieść obok FRST. Uruchom FRST i kliknij w Fix (NAPRAW).

przez SHIFT+DEL usuń pozostały folder C:\FRST.

 

F.

[patoch 0]

Problem zniknął.

Dziękuję za pomoc.