Win10 - v prohlížeči je vyhledavac SearchPile

[Dr.Miguelius]

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by zdravotnici on p  01.01.2016 at 17:55:32,66.
Microsoft Windows 10 Pro 10.0.10586 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\zdravotnici\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

1.1.2016 17:58:47 Zoek.exe System Restore Point Created Successfully.

==== Reset Hosts File ======================

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

==== Empty Folders Check ======================

C:\PROGRA~2\Atari deleted successfully
C:\PROGRA~2\Beamdog deleted successfully
C:\PROGRA~2\Blender Foundation deleted successfully
C:\PROGRA~2\Frozenbyte deleted successfully
C:\PROGRA~2\Kalypso deleted successfully
C:\PROGRA~2\Kalypso Media deleted successfully
C:\PROGRA~2\MeteorEntertainment deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\NCSoft deleted successfully
C:\PROGRA~2\Remedy Entertainment deleted successfully
C:\PROGRA~2\Sierra deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\Siber Systems deleted successfully
C:\PROGRA~3\Bluetooth deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\dbg deleted successfully
C:\PROGRA~3\KASTNER software deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\PROGRA~3\{93E26451-CD9A-43A5-A2FA-C42392EA4001} deleted successfully
C:\PROGRA~3\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F} deleted successfully
C:\Users\zdravotnici\AppData\Local\ActiveSync deleted successfully
C:\Users\zdravotnici\AppData\Local\CrashDumps deleted successfully
C:\Users\zdravotnici\AppData\Local\Downloaded Installations deleted successfully
C:\Users\zdravotnici\AppData\Local\GHISLER deleted successfully
C:\Users\zdravotnici\AppData\Local\PeerDistRepub deleted successfully
C:\Users\zdravotnici\AppData\Local\Skype deleted successfully
C:\Users\zdravotnici\AppData\Local\Solid State Networks deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3084071653-3103866287-4052346625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully
HKEY_USERS\S-1-5-21-3084071653-3103866287-4052346625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully
HKEY_USERS\S-1-5-21-3084071653-3103866287-4052346625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6} deleted successfully
HKEY_USERS\S-1-5-21-3084071653-3103866287-4052346625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9030D464-4C02-4ABF-8ECC-5164760863C6} deleted successfully
HKEY_USERS\S-1-5-21-3084071653-3103866287-4052346625-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{9030D464-4C02-4ABF-8ECC-5164760863C6} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{9030D464-4C02-4ABF-8ECC-5164760863C6} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Atari not found
C:\PROGRA~2\Beamdog not found
C:\PROGRA~2\Blender Foundation not found
C:\PROGRA~2\Frozenbyte not found
C:\PROGRA~2\Kalypso not found
C:\PROGRA~2\Kalypso Media not found
C:\PROGRA~2\MeteorEntertainment not found
C:\PROGRA~2\NCSoft not found
C:\PROGRA~2\Remedy Entertainment not found
C:\PROGRA~2\Sierra not found
C:\PROGRA~3\{93E26451-CD9A-43A5-A2FA-C42392EA4001} not found
C:\PROGRA~3\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F} not found
C:\Users\zdravotnici\AppData\Roaming\ProtectDISC deleted
C:\PROGRA~2\ProtectDisc Driver Installer deleted
C:\PROGRA~2\HitLeap deleted
C:\PROGRA~2\Wise\Wise Registry Cleaner deleted
C:\user.js deleted
C:\PROGRA~3\InstallMate deleted
C:\PROGRA~3\{01BD4FC9-2F86-4706-A62E-774BB7E9D308} deleted
C:\PROGRA~3\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-3084071653-3103866287-4052346625-1000 deleted
C:\windows\SysNative\GroupPolicy\machine deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [10.12.2015 19:53]

==== Chromium Look ======================

Google Chrome Version: 46.0.2490.86

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[27.04.2015 05:07]

Angry Birds - zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj
Photo Zoom for Facebook - zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Extensions\elioihkkcdgakfbahdoddophfngopipi
Hexxagon - zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkinhbdhadoapeilebnpcddplcbjnnod

==== Chromium Fix ======================

C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_outrageousdeal-a.akamaihd.net_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_outrageousdeal-a.akamaihd.net_0.localstorage-journal deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage-journal deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.softonic.com_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.softonic.com_0.localstorage-journal deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_folder-lock.en.softonic.com_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_folder-lock.en.softonic.com_0.localstorage-journal deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_n.softonic.com_0.localstorage deleted successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_n.softonic.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkID= ... 0000000000"
"Search Page"="http://www.google.com/search?q={searchT ... d=ie7&rlz="

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://go.microsoft.com/fwlink/?LinkID= ... 0000000000"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} - http://www.bing.com/search?q={searchTer ... DF&pc=MSE1
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTer ... ORM=IE11SR
HKCU\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} - http://www.google.com/search?q={searchT ... d=ie7&rlz=

==== Reset Google Chrome ======================

C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Profile 1\Preferences was reset successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Profile 1\Web Data was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_CURRENT_USER\Software\Policies\Google deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\zdravotnici\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\zdravotnici\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\zdravotnici\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Profile 1\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=284 folders=219 449357312 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\ZDRAVO~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on p  01.01.2016 at 18:18:03,68 ======================

[Dr.Miguelius]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 10 Pro x64
Ran by zdravotnici (Administrator) on p  01.01.2016 at 18:20:21,37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on p  01.01.2016 at 18:24:13,35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Rudy]

OK. Změnilo se něco nyní?

[Dr.Miguelius]

bohužel ne, stále stejné.
zajímavé je, že SearchPile se objevuje, jen jako startovní stránka v prohlížecí a při zadávání hledaného výrazu do řádku kam se píše adresa. Jako by byl napaden vyhledavač google.
Kdyz dam neco vyhledat napr. v seznamu, vše se vyhledá tak jak ma. Když zadám adresu napr. viry.cz, najede normalní stránka viry.cz

v příspěvku jiného uzivatel, kde taky pomáháte, si stěžuje na vyskakovací reklamy ve win10. Ja mam stejný problém, ale při inst. Win10 se tato funkce reklamy dala vypnout. Měl jsem za to že jsem funkci vypnul. pak jsem ji zkoušel vypnout i dle návodu na win10, ale reklamy stale vyskakují, hlavně při vyhledávání určitého zboží - reklamy na podobné zboží v jiných obchodech, jestli nejde o chybu v systému. To jen tak na okraj.

[Rudy]

Udělejte kompletní sken MBAM: http://www.malwarebytes.org/mbam.php a dejte log. Předem nic nemažte.

[Dr.Miguelius]

Malwarebytes Anti-Malware
www.malwarebytes.org

Datum skenování: 2.1.2016
Čas skenování: 8:09
Protokol:
Správce: Ano

Verze: 2.2.0.1024
Databáze malwaru: v2016.01.02.02
Databáze rootkitů: v2015.12.26.01
Licence: Zkušební verze
Ochrana proti malwaru: Zapnuto
Ochrana proti škodlivým webovým stránkám: Zapnuto
Ochrana programu: Vypnuto

OS: Windows 10
CPU: x64
Souborový systém: NTFS
Uživatel: zdravotnici

Typ skenu: Sken hrozeb
Výsledek: Dokončeno
Prohledaných objektů: 417805
Uplynulý čas: 23 min, 58 sek

Paměť: Zapnuto
Po spuštění: Zapnuto
Souborový systém: Zapnuto
Archivy: Zapnuto
Rootkity: Vypnuto
Heuristika: Zapnuto
PUP: Zapnuto
PUM: Zapnuto

Procesy: 0
(Nenalezeny žádné škodlivé položky)

Moduly: 0
(Nenalezeny žádné škodlivé položky)

Klíče registru: 1
PUP.Optional.Yontoo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Util SourceApp, , [b62474c04e4bdd59dd1a36de64a050b0],

Hodnoty registru: 0
(Nenalezeny žádné škodlivé položky)

Data registru: 0
(Nenalezeny žádné škodlivé položky)

Složky: 2
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Extensions\ndafbepnifhdehefbpadphhmkdmlghnb\1.0.5825.31813_0, , [a733a78dd4c5d95d2d144f7938cc8c74],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Extensions\ndafbepnifhdehefbpadphhmkdmlghnb, , [a733a78dd4c5d95d2d144f7938cc8c74],

Soubory: 14
PUP.Optional.Yontoo, C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage, , [b8220133dfba3303b69de4d8dc2602fe],
PUP.Optional.Yontoo, C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage-journal, , [b9211d173366e94d3f1489330bf7b848],
PUP.Optional.KingTopDeals, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage, , [0cced1634f4a70c6feb1be22857efc04],
PUP.Optional.KingTopDeals, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage-journal, , [ffdb8da732677eb8feb11dc316ed1fe1],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Local Storage\https_outrageousdeal-a.akamaihd.net_0.localstorage, , [6c6e2a0aeaaf77bfd8d8dc3131d39a66],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Local Storage\https_outrageousdeal-a.akamaihd.net_0.localstorage-journal, , [627864d01683f4420da3ae5f53b1946c],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_outrageousdeal-a.akamaihd.net_0.localstorage, , [21b9f73d1d7c5fd77d355db01de7bf41],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_outrageousdeal-a.akamaihd.net_0.localstorage-journal, , [14c686ae0a8fb68051615fae24e0fc04],
PUP.Optional.PriceMoon, C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.pricemoon.co_0.localstorage, , [dcfed65e950458dee4e4ce4cac58a15f],
PUP.Optional.PriceMoon, C:\Users\zdravotnici\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.pricemoon.co_0.localstorage-journal, , [e1f94ce84356ea4c5177fd1d0301d729],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Extensions\ndafbepnifhdehefbpadphhmkdmlghnb\1.0.5825.31813_0\manifest.json, , [a733a78dd4c5d95d2d144f7938cc8c74],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Extensions\ndafbepnifhdehefbpadphhmkdmlghnb\1.0.5825.31813_0\background.js, , [a733a78dd4c5d95d2d144f7938cc8c74],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Extensions\ndafbepnifhdehefbpadphhmkdmlghnb\1.0.5825.31813_0\content.js, , [a733a78dd4c5d95d2d144f7938cc8c74],
PUP.Optional.Yontoo.ChrPRST, C:\Users\zdravotnici\AppData\Roaming\Opera Software\Opera Stable\Extensions\ndafbepnifhdehefbpadphhmkdmlghnb\1.0.5825.31813_0\icon.png, , [a733a78dd4c5d95d2d144f7938cc8c74],

Fyzické sektory: 0
(Nenalezeny žádné škodlivé položky)


(end)

[Rudy]

Smažte všechny nálezy.

[Dr.Miguelius]

smazano, SearchPile již nevyskakuje, ale MAB blokuje škodlivé stránky, zřejmě tu ještě neco bude

[Rudy]

V desítkách už spustíme jen AVPTool: http://www.viry.cz/forum/viewtopic.php?f=29&t=58179 . Osvědčený ComboFix tu nefunguje. Stáhněte, spusťte a co najde, smažte. Bude to trvat delší dobu.

[Dr.Miguelius]

tak bohužel ani Kaspersky nepomohl, stav je stale stejný jako po použitu MAB
co zkusit tohle?
http://trojan-killer.net/cs/get-rid-of- ... ull-guide/

[Rudy]

Můžete to zkusit, pokud půjde spustit.

[Dr.Miguelius]

Na jiných strankach zase doporučovali SpyHunter4, tak ted zkousim jeho, budu zkoušet a dam vedet. Zatím děkuji;)

[Rudy]

OK, zatím není zač!