Virus nahrazujici google vyhledavani

[zralok]

Dobry den,
v ntb se mi misto klasickeho google.com nacita cse.google.com. Už jsem tento vir odstranil pomoci kasperky ale furt se vraci zpet.
Dale chrome porad hlasi problem s pameti, takže tam ten vir asi je. Posilam log. Děkuji za pomoc.

[Rudy]

Zdravím!
Spusťte tuto utilitu:

Stáhněte AdwCleaner https://toolslib.net/downloads/viewdown ... dwcleaner/
Uložte na plochu
Ukončete všechny programy
Klikněte nejprve na >Scan<(hledání) a pak na >Clean< (mazání).
Proběhne skenováni a pak se objeví log, který sem vložte.

[zralok]

# AdwCleaner v6.041 - Log vytvořen 31/12/2016 v 12:54:24
# Aktualizováno dne 16/12/2016 z Malwarebytes
# Databáze : 2016-12-30.1 [Server]
# Operační systém : Windows 10 Home (X64)
# Uživatelské jméno : Nikolka - LAPTOP-B7S5E0C5
# Spuštěno z : C:\Users\Nikolka\Downloads\adwcleaner_6.041 (1).exe
# Mod: Čištění
# Podpora : https://www.malwarebytes.com/support



***** [ Služby ] *****



***** [ Složky ] *****

[-] Složka smazána: C:\Users\defaultuser0\AppData\Local\Host App Service
[-] Složka smazána: C:\Users\Nikolka\AppData\Local\Host App Service
[-] Složka smazána: C:\ProgramData\Host App Service
[#] Složka smazána po restartu: C:\ProgramData\Application Data\Host App Service
[-] Složka smazána: C:\Users\Nikolka\AppData\Roaming\browsers
[#] Složka smazána po restartu: C:\Users\Nikolka\AppData\Local\Host App Service
[-] Složka smazána: C:\Users\Default\AppData\Local\Host App Service


***** [ Soubory ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Zástupci ] *****



***** [ Naplánované úlohy ] *****

[-] Úloha smazána: App Explorer


***** [ Registry ] *****

[-] Klíč smazán: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23
[#] Klíč smazán po restartu: HKCU\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23
[#] Klíč smazán po restartu: [x64] HKCU\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23
[-] Klíč smazán: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001\Software\Host App Service
[-] Klíč smazán: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Klíč smazán po restartu: HKCU\Software\Host App Service
[#] Klíč smazán po restartu: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Klíč smazán po restartu: [x64] HKCU\Software\Host App Service
[#] Klíč smazán po restartu: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[-] Data obnovena: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[-] Data obnovena: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data obnovena: HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[-] Data obnovena: HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data obnovena: [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[-] Data obnovena: [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Klíč smazán: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\akcniceny.cz
[-] Klíč smazán: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.akcniceny.cz
[-] Klíč smazán: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\akcniceny.cz
[-] Klíč smazán: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.akcniceny.cz
[#] Klíč smazán po restartu: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\akcniceny.cz
[#] Klíč smazán po restartu: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.akcniceny.cz
[#] Klíč smazán po restartu: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\akcniceny.cz
[#] Klíč smazán po restartu: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.akcniceny.cz
[-] Hodnota smazána: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Wd]


***** [ Prohlížeče ] *****



*************************

:: "Tracing" klíče smazány
:: Winsock nastavení vyčištěno

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4790 Bajty] - [31/12/2016 12:54:24]
C:\AdwCleaner\AdwCleaner[S0].txt - [5160 Bajty] - [31/12/2016 12:52:15]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4936 Bajty] ##########

[Rudy]

Dejte log FRST: http://forum.viry.cz/viewtopic.php?f=13&t=133100 .

[zralok]

Zde je log a v dalším postu pošlu soubor additional.txt

[zralok]

Zde je soubor Addition

[Rudy]

Otevřte poznámkový blok a zkopírujte do něj:

Start
HKLM-x32\...\Run: [] => [X]
Toolbar: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\System32\Tasks\220368695d8t5438340
C:\ProgramData\220368695d8t5438340
C:\Windows\system32\ApnDatabase.xml
C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
C:\ProgramData\DP45977C.lfl
C:\Users\defaultuser0\AppData\Local\Temp
C:\Users\Nikolka\AppData\Local\Temp
Task: {8CFA5C54-1D4B-4685-A268-08952CD5A1E1} - System32\Tasks\220368695d8t5438340 => Rundll32.exe "C:\ProgramData\220368695d8t5438340\220368695d8t5438340.dll",DMT <==== ATTENTION

EmptyTemp:
End

Uložte na plochu jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

Z logu:

Velikost slozky "C:\Users\Nikolka\Desktop" je 14911 MB.

To je příliš mnoho a může to způsobovat zpomalení startu systému. Vytvořte v C:\Users\Nikolka novou složku, do níž přesuňte všechna data z plochy (kromě zástupců). Na plochu si pak dejte zástupce té složky pro snazší přístup.

[zralok]

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Nikolka (31-12-2016 17:08:17) Run:1
Running from C:\Users\Nikolka\Desktop
Loaded Profiles: Nikolka (Available Profiles: defaultuser0 & Nikolka)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
HKLM-x32\...\Run: [] => [X]
Toolbar: HKU\S-1-5-21-3557882904-3288253174-1366108231-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\System32\Tasks\220368695d8t5438340
C:\ProgramData\220368695d8t5438340
C:\Windows\system32\ApnDatabase.xml
C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
C:\ProgramData\DP45977C.lfl
C:\Users\defaultuser0\AppData\Local\Temp
C:\Users\Nikolka\AppData\Local\Temp
Task: {8CFA5C54-1D4B-4685-A268-08952CD5A1E1} - System32\Tasks\220368695d8t5438340 => Rundll32.exe "C:\ProgramData\220368695d8t5438340\220368695d8t5438340.dll",DMT <==== ATTENTION

EmptyTemp:
End
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-3557882904-3288253174-1366108231-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4BAAC1B8-0800-42C9-8FA6-08B211F356B8} => value removed successfully
HKCR\CLSID\{4BAAC1B8-0800-42C9-8FA6-08B211F356B8} => key not found.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\Windows\System32\Tasks\220368695d8t5438340 => moved successfully
C:\ProgramData\220368695d8t5438340 => moved successfully
Could not move "C:\Windows\system32\ApnDatabase.xml" => Scheduled to move on reboot.
C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat => moved successfully
C:\ProgramData\DP45977C.lfl => moved successfully
C:\Users\defaultuser0\AppData\Local\Temp => moved successfully
C:\Users\Nikolka\AppData\Local\Temp => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8CFA5C54-1D4B-4685-A268-08952CD5A1E1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CFA5C54-1D4B-4685-A268-08952CD5A1E1}" => key removed successfully
C:\Windows\System32\Tasks\220368695d8t5438340 => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\220368695d8t5438340" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 103094604 B
Java, Flash, Steam htmlcache => 1298 B
Windows/system/drivers => 78560604 B
Edge => 139809461 B
Chrome => 8026517 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => -50655 B
systemprofile32 => 0 B
LocalService => 25562 B
NetworkService => 8562 B
defaultuser0 => 128 B
Nikolka => 8876852 B

RecycleBin => 0 B
EmptyTemp: => 322.7 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 31-12-2016 17:10:15)

C:\Windows\system32\ApnDatabase.xml => Is moved successfully

==== End of Fixlog 17:10:15 ====

[Rudy]

Smazáno. Nastala nějaká změna?

[zralok]

Ano, už to vypadá vše v pořádku. Děkuju moc, a přeji šťastný nový rok.

[Rudy]

Šťastný a veselý a nemáte zač!