FacbookUpdate.exe

[DeadlyCZ]

Zdravim,

vcera jsem, jako kazdy vecer, koukal na stream na twitch.tv (nepodstatne), a protoze spousta lidi do chatu linkuje obrazky (nekdy docela vtipne), tak se na ne obcas kouknu. Kliknul jsem na nejaky na imageshacku, ale ukazalo se ze to nebyl obrazek ale nejaky java programek (?), vypadalo to ze se nic nedeje tak jsem to rychle ukoncil. Jenze od te dobe se zacaly dit divne veci, samy od sebe vyskakuji reklamy, PC je cely zpomaleny, ...

Snazil jsem se tomu prijit na kloub, a zjistil jsem nekolik veci:
1) Neustale mi bezi proces "vbc.exe" - visual basic script. Kdyz ho ukoncim, pusti se znovu
2) Mel by to byt trojan "facbookupdate.exe"
3) V Appdata\roaming je nekolik souboru - ..net ktery kdyz smazu tak se obnovi znovu; FacbookUpdate.exe ktery je soucasti toho viru; Rs - textovy soubor, ve kterem jsou ulozeny zaznamy z keyloggeru. Dale, v C:\Users\<User> jsou tyto soubory: .recently-used.xbel, lbymkqnm.exe, zwopyq.exe. Ten prvni netusim co dela, mozna je systemovy, ale ty druhe dva vytvori aplikaci FacbookUpdate.exe (ktera smazat jde) a novy proces ktery se jmenuje "login".

Bohuzel jsem do te doby nez jsem zjistil pritomnost keyloggeru zadal nekolik dulezitych hesel, takze bych potreboval abych se ho co nejdrive zbavil a hesla zmenil.

Zkousel jsem proskenovat system pres eset smart security, nenaslo to nic, ani kdyz jsem dal skenovat pouze tyto podezrele soubory.

Pridavam jeste log z HJT (s pustenymi procesy "login"): http://pastebin.com/swcX5hYN


Dekuji


EDIT: A ten soubor z tempu (service.exe) by k tomu mel patrit take

[Rudy]

Také zdravím!
Dejte log RSIT: http://forum.viry.cz/viewtopic.php?f=13&t=105895 .

[DeadlyCZ]

Hm, podle toho navodu jsem postupoval (resp. pustil jsem ten program v program files, coz je napsano na konci topicu), ale zkusim tedy znovu.

http://pastebin.com/QsRN3PVw

[Rudy]

Poprosím ještě o log ComboFix:

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se

jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine

aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,

pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k

nezadoucim kolizim s rezidentem antispyware

[DeadlyCZ]

Combofix - http://pastebin.com/mQTEgBF3
Znovuspusteny RSIT - http://pastebin.com/Vad5XLcK

Antivir mam vyply uplne, v procesech neni, a stejne to hlasilo varovani Kazdopadne podle vseho to smazalo nektere soubory (Facbookupdate.exe a dalsi)

[Rudy]

Přesuňte ComboFix na plochu. Otevřte poznámkový blok a zkopírujte do něj:

KillAll::

Folder::
c:\program files (x86)\puush

File::
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"puush"=-

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Regnull::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

Reboot::

Uložte na plochu jako CFScript.txt. pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.



Btw. nechápu, proč nedáváte logy přímo sem do fóra.

[DeadlyCZ]

Omlouvam se, jsem zvykly davat delsi texty na pastebin :/

Jinak jestli muzu mit dotaz, proc odstranit program "puush"? Docela dost ho pouzivam (http://puush.me/)

[Rudy]

Podle Google je to troják. Pokud jste si jist, že ne, bude skript vypadat takto:

KillAll::

File::
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Regnull::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

Reboot::

[DeadlyCZ]

Kód: Vybrat vše

ComboFix 12-12-29.02 - Lukas 30.12.2012  15:29:43.3.4 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1250.420.1029.18.4030.2161 [GMT 1:00]
Spuštěný z: c:\users\Lukas\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\Lukas\Desktop\CFScript.txt
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
.
(((((((((((((((((((((((((((((((((((((((   Ostatní výmazy   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
.
.
(((((((((((((((((((((((((   Soubory vytvořené od 2012-11-28 do 2012-12-30  )))))))))))))))))))))))))))))))
.
.
2012-12-30 14:35 . 2012-12-30 14:35	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-12-29 20:10 . 2012-12-29 20:10	--------	d-----w-	c:\users\Lukas\AppData\Local\ESET
2012-12-29 20:07 . 2012-12-29 22:22	--------	d-----w-	c:\program files\trend micro
2012-12-29 20:07 . 2012-12-29 20:08	--------	d-----w-	C:\rsit
2012-12-29 20:06 . 2012-12-29 20:06	--------	d-----w-	c:\program files\ESET
2012-12-29 19:46 . 2012-12-29 19:49	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-12-29 19:45 . 2012-12-29 20:12	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy 2
2012-12-29 19:45 . 2012-12-29 19:45	--------	d-----w-	c:\users\Lukas\AppData\Local\Programs
2012-12-29 02:02 . 2009-06-10 21:23	1169224	----a-w-	c:\users\Lukas\AppData\Roaming\..net.exe
2012-12-29 02:02 . 2012-12-29 02:02	--------	d-----w-	c:\windows\Sun
2012-12-28 21:54 . 2012-12-28 21:54	--------	d-----w-	c:\program files\Speccy
2012-12-28 21:32 . 2012-12-28 21:32	--------	d-----w-	c:\program files (x86)\GPU-Z
2012-12-28 21:28 . 2012-12-28 21:28	--------	d-----w-	c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2012-12-28 21:28 . 2012-12-28 21:28	--------	d-----w-	c:\program files\CPUID
2012-12-28 20:55 . 2012-12-28 20:55	--------	d-----w-	c:\users\Lukas\AppData\Local\SplitMediaLabs
2012-12-28 20:53 . 2012-12-28 20:53	--------	d-----w-	c:\programdata\SplitMediaLabs
2012-12-28 20:53 . 2012-12-28 20:53	--------	d-----w-	c:\program files (x86)\SplitMediaLabs
2012-12-28 20:51 . 2012-12-28 20:51	--------	d-----w-	c:\users\Lukas\AppData\Roaming\SplitMediaLabs
2012-12-26 11:17 . 2012-12-26 11:17	--------	d-----w-	c:\users\Lukas\AppData\Roaming\Microsoft Games
2012-12-26 11:15 . 2012-12-26 11:20	--------	d-----w-	c:\program files (x86)\GameSpy Arcade
2012-12-26 11:14 . 2012-12-26 11:14	--------	d-----w-	c:\program files (x86)\Microsoft Games
2012-12-26 00:56 . 2012-12-26 11:22	--------	d-----w-	c:\program files (x86)\ExtractNow
2012-12-26 00:56 . 2012-12-26 00:57	--------	d-----w-	c:\users\Lukas\AppData\Local\ExtractNow
2012-12-23 15:33 . 2012-12-23 15:35	--------	d-----w-	c:\users\Lukas\AppData\Roaming\BSplayer
2012-12-23 15:33 . 2012-12-23 15:33	--------	d-----w-	c:\users\Lukas\AppData\Roaming\BSplayer Pro
2012-12-23 15:33 . 2012-12-23 15:33	--------	d-----w-	c:\program files (x86)\Webteh
2012-12-23 15:30 . 2012-12-23 15:30	--------	d-----w-	c:\users\Lukas\AppData\Roaming\Notepad++
2012-12-23 15:30 . 2012-12-23 15:30	--------	d-----w-	c:\program files (x86)\Notepad++
2012-12-22 14:51 . 2012-12-22 14:51	--------	d-----w-	c:\program files (x86)\Common Files\BioWare
2012-12-22 14:50 . 2012-12-22 14:50	--------	d-----w-	c:\users\hedev
2012-12-22 14:12 . 2008-05-30 13:19	511496	----a-w-	c:\windows\system32\XAudio2_1.dll
2012-12-22 14:07 . 2012-12-28 20:52	70344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-22 14:07 . 2012-12-28 20:52	426184	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-22 14:07 . 2012-12-22 14:07	--------	d-----w-	c:\windows\SysWow64\Macromed
2012-12-22 14:07 . 2012-12-22 14:07	--------	d-----w-	c:\windows\system32\Macromed
2012-12-21 21:53 . 2012-12-21 21:53	--------	d-----w-	c:\program files (x86)\Common Files\Steam
2012-12-21 21:53 . 2012-12-30 14:38	--------	d-----w-	c:\program files (x86)\Steam
2012-12-21 21:46 . 2012-12-21 21:46	--------	d-----w-	c:\users\Lukas\AppData\Roaming\Thunderbird
2012-12-21 21:46 . 2012-12-21 21:46	--------	d-----w-	c:\users\Lukas\AppData\Local\Thunderbird
2012-12-21 21:46 . 2012-12-21 21:46	--------	d-----w-	c:\program files (x86)\Mozilla Maintenance Service
2012-12-21 21:45 . 2012-12-21 21:45	--------	d-----w-	c:\program files (x86)\Mozilla Thunderbird
2012-12-20 12:00 . 2012-12-26 00:53	--------	d-----w-	c:\users\Lukas\AppData\Roaming\vlc
2012-12-20 11:59 . 2012-12-20 11:59	--------	d-----w-	c:\program files (x86)\VideoLAN
2012-12-17 12:02 . 2012-12-17 12:02	--------	d-----w-	c:\users\Lukas\AppData\Local\Adobe
2012-12-17 11:51 . 2012-12-17 11:51	--------	d-----w-	c:\program files (x86)\Common Files\Adobe
2012-12-17 11:41 . 2012-12-17 11:41	--------	d-----w-	c:\users\Lukas\AppData\Roaming\inkscape
2012-12-13 13:50 . 2012-12-13 13:54	--------	d-----w-	c:\program files (x86)\Inkscape
2012-12-13 13:14 . 2012-12-29 20:21	--------	d-----w-	c:\users\Lukas\AppData\Roaming\Skype
2012-12-13 13:14 . 2012-12-13 13:14	--------	d-----w-	c:\program files (x86)\Common Files\Skype
2012-12-13 13:14 . 2012-12-13 13:14	--------	d-----r-	c:\program files (x86)\Skype
2012-12-13 13:14 . 2012-12-13 13:14	--------	d-----w-	c:\programdata\Skype
2012-12-11 16:31 . 2012-12-11 16:31	--------	d-----w-	c:\users\Lukas\AppData\Local\PunkBuster
2012-12-11 09:09 . 2012-12-12 10:54	--------	d-----w-	c:\users\Lukas\Notebooks
2012-12-11 09:09 . 2012-12-11 09:09	--------	d-----w-	c:\users\Lukas\.config
2012-12-11 09:07 . 2012-12-11 09:08	--------	d-----w-	c:\program files (x86)\Zim Desktop Wiki
2012-12-10 18:46 . 2012-12-10 18:46	--------	d-----w-	c:\program files (x86)\GamePark
2012-12-10 16:06 . 2006-03-31 11:41	3927248	----a-w-	c:\windows\system32\d3dx9_30.dll
2012-12-10 16:05 . 2012-12-11 16:31	66872	----a-w-	c:\windows\SysWow64\PnkBstrA.exe
2012-12-10 15:59 . 2012-12-10 15:59	--------	d-----w-	c:\program files (x86)\Activision
2012-12-06 18:09 . 2012-12-06 18:09	--------	d-----w-	c:\users\Lukas\AppData\Roaming\BANDISOFT
2012-12-06 18:08 . 2012-12-06 18:09	--------	d-----w-	c:\program files (x86)\Bandicam
2012-12-06 18:08 . 2012-12-06 18:08	--------	d-----w-	c:\program files (x86)\BandiMPEG1
2012-12-06 14:16 . 2012-12-06 14:15	916456	----a-w-	c:\windows\system32\deployJava1.dll
2012-12-06 14:16 . 2012-12-06 14:15	289768	----a-w-	c:\windows\system32\javaws.exe
2012-12-06 14:16 . 2012-12-06 14:15	1034216	----a-w-	c:\windows\system32\npDeployJava1.dll
2012-12-06 14:15 . 2012-12-06 14:15	189416	----a-w-	c:\windows\system32\javaw.exe
2012-12-06 14:15 . 2012-12-06 14:15	188904	----a-w-	c:\windows\system32\java.exe
2012-12-06 14:15 . 2012-12-06 14:15	108008	----a-w-	c:\windows\system32\WindowsAccessBridge-64.dll
2012-12-06 14:15 . 2012-12-06 14:15	--------	d-----w-	c:\program files\Java
2012-12-06 14:13 . 2012-12-06 14:13	--------	d-----w-	c:\users\Lukas\AppData\Roaming\OpenOffice.org
2012-12-06 13:57 . 2012-12-06 13:57	--------	d-----w-	c:\program files (x86)\OpenOffice.org 3
2012-12-06 13:53 . 2012-12-06 13:53	--------	d-----w-	C:\OOorginstall
2012-12-05 16:09 . 2012-12-05 16:09	--------	d-----w-	c:\users\Lukas\AppData\Roaming\MAXON
2012-12-05 08:02 . 2012-12-05 08:02	--------	d-----w-	c:\program files (x86)\Common Files\Java
2012-12-05 08:02 . 2012-12-05 08:02	821736	----a-w-	c:\windows\SysWow64\npDeployJava1.dll
2012-12-05 08:02 . 2012-12-05 08:02	746984	----a-w-	c:\windows\SysWow64\deployJava1.dll
2012-12-05 08:02 . 2012-12-05 08:02	95208	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-05 08:02 . 2012-12-05 08:02	--------	d-----w-	c:\program files (x86)\Java
2012-12-04 15:24 . 2012-12-04 15:24	--------	d-----w-	c:\program files (x86)\Microsoft Silverlight
2012-12-04 15:21 . 2012-12-04 15:21	--------	d-----w-	c:\program files\WinRAR
2012-12-04 13:28 . 2012-12-04 13:28	--------	d-----w-	c:\program files\Microsoft Synchronization Services
2012-12-04 13:28 . 2012-12-04 13:28	--------	d-----w-	c:\program files\Microsoft SQL Server Compact Edition
2012-12-04 13:27 . 2012-12-04 13:27	--------	d-----w-	c:\program files (x86)\Microsoft Synchronization Services
2012-12-04 13:27 . 2012-12-04 13:27	--------	d-----w-	c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-12-04 13:26 . 2012-12-04 13:26	112832	----a-w-	c:\programdata\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2012-12-04 13:25 . 2012-12-04 13:25	--------	d-----w-	c:\program files (x86)\Common Files\Merge Modules
2012-12-04 13:25 . 2012-12-04 13:25	--------	d-----w-	c:\program files (x86)\Microsoft Visual Studio 10.0
2012-12-04 13:24 . 2012-12-04 13:24	--------	d-----w-	c:\windows\symbols
2012-12-04 13:24 . 2012-12-04 13:24	--------	d-----w-	c:\program files\Microsoft Visual Studio 10.0
2012-12-04 13:24 . 2012-12-04 13:24	--------	d-----w-	c:\program files\Microsoft Help Viewer
2012-12-04 13:24 . 2012-12-04 13:24	--------	d-----w-	c:\program files (x86)\Microsoft SDKs
2012-12-04 13:15 . 2012-12-04 13:25	--------	d-----w-	c:\program files (x86)\Microsoft.NET
2012-12-04 13:14 . 2009-11-25 11:47	99176	----a-w-	c:\windows\SysWow64\PresentationHostProxy.dll
2012-12-04 13:14 . 2009-11-25 11:47	49472	----a-w-	c:\windows\SysWow64\netfxperf.dll
2012-12-04 13:14 . 2009-11-25 11:47	48960	----a-w-	c:\windows\system32\netfxperf.dll
2012-12-04 13:14 . 2009-11-25 11:47	297808	----a-w-	c:\windows\SysWow64\mscoree.dll
2012-12-04 13:14 . 2009-11-25 11:47	295264	----a-w-	c:\windows\SysWow64\PresentationHost.exe
2012-12-04 13:14 . 2009-11-25 11:47	1130824	----a-w-	c:\windows\SysWow64\dfshim.dll
2012-12-04 13:14 . 2009-11-25 11:47	109912	----a-w-	c:\windows\system32\PresentationHostProxy.dll
2012-12-04 13:14 . 2009-11-25 11:47	444752	----a-w-	c:\windows\system32\mscoree.dll
2012-12-04 13:14 . 2009-11-25 11:47	320352	----a-w-	c:\windows\system32\PresentationHost.exe
2012-12-04 13:14 . 2009-11-25 11:47	1942856	----a-w-	c:\windows\system32\dfshim.dll
2012-12-04 13:12 . 2012-12-04 13:12	--------	d-----w-	c:\windows\PCHEALTH
2012-12-04 12:46 . 2012-12-14 14:45	--------	d-----w-	c:\users\Lukas\AppData\Local\CrashDumps
2012-12-04 12:12 . 2012-12-04 12:18	--------	d-----w-	c:\users\Lukas\AppData\Roaming\Dev-Cpp
2012-12-04 12:09 . 2012-12-04 12:59	--------	d-----w-	C:\Dev-Cpp
2012-12-03 12:27 . 2012-12-03 12:27	--------	d-----w-	c:\users\Lukas\AppData\Local\Your Freedom
2012-12-03 12:26 . 2012-12-03 12:26	--------	d-----w-	c:\users\Lukas\AppData\Roaming\Proxifier
2012-12-03 12:26 . 2012-11-22 17:57	76392	----a-w-	c:\windows\system32\PrxerDrv.dll
2012-12-03 12:26 . 2012-11-22 17:57	57448	----a-w-	c:\windows\system32\PrxerNsp.dll
2012-12-03 12:26 . 2012-11-22 17:57	103016	----a-w-	c:\windows\system32\ProxifierShellExt.dll
2012-12-03 12:26 . 2012-11-22 17:57	91240	----a-w-	c:\windows\SysWow64\ProxifierShellExt.dll
2012-12-03 12:26 . 2012-11-22 17:57	70248	----a-w-	c:\windows\SysWow64\PrxerDrv.dll
2012-12-03 12:26 . 2012-11-22 17:57	56424	----a-w-	c:\windows\SysWow64\PrxerNsp.dll
2012-12-03 12:26 . 1997-06-06 14:52	11264	----a-w-	c:\windows\SysWow64\SPORDER.DLL
2012-12-03 12:26 . 2012-12-03 12:26	--------	d-----w-	c:\program files (x86)\Proxifier
2012-12-03 12:25 . 2012-12-03 12:26	--------	d-----w-	c:\program files (x86)\Your Freedom
2012-12-03 12:16 . 2012-12-03 12:16	--------	d-----w-	c:\programdata\Synaptics
2012-12-03 11:43 . 2012-12-03 11:43	--------	d-----w-	c:\users\Lukas\AppData\Local\BMExplorer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M výpis   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-24 15:16 . 2012-11-24 15:16	466520	----a-w-	c:\windows\system32\wrap_oal.dll
2012-11-24 15:16 . 2012-11-24 15:16	445016	----a-w-	c:\windows\SysWow64\wrap_oal.dll
2012-11-24 15:16 . 2012-11-24 15:16	123480	----a-w-	c:\windows\system32\OpenAL32.dll
2012-11-24 15:16 . 2012-11-24 15:16	109144	----a-w-	c:\windows\SysWow64\OpenAL32.dll
2012-11-19 00:01 . 2012-11-24 15:52	9125352	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{13EA206F-8AE2-4B92-8A19-AC660DF60401}\mpengine.dll
2012-10-15 16:44 . 2012-11-24 15:29	3584	----a-w-	c:\windows\SysWow64\sigfile.exe
2012-10-03 17:39 . 2012-11-24 15:29	311176	----a-w-	c:\windows\SysWow64\vsnp2uvc.dll
2012-10-03 17:39 . 2012-11-24 15:29	25992	----a-w-	c:\windows\snuvcdsm.exe
2012-10-03 17:39 . 2012-11-24 15:29	401800	----a-w-	c:\windows\SysWow64\rsnp2uvc.dll
2012-10-03 17:39 . 2012-11-24 15:29	400264	----a-w-	c:\windows\system32\rsnp2uvc.dll
2012-10-03 17:39 . 2012-11-24 15:29	377736	----a-w-	c:\windows\system32\vsnp2uvc.dll
2012-10-03 17:39 . 2012-11-24 15:29	1864328	----a-w-	c:\windows\system32\drivers\snp2uvc.sys
2012-10-03 17:39 . 2012-11-24 15:29	245640	----a-w-	c:\windows\system32\csnp2uvc.dll
.
.
((((((((((((((((((((((((((((((((((   Spouštěcí body v registru   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"puush"="c:\program files (x86)\puush\puush.exe" [2012-11-26 565480]
"Spotify Web Helper"="c:\users\Lukas\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-11-24 1199576]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-11-09 17888944]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-12-21 1354736]
"Spotify"="c:\users\Lukas\AppData\Roaming\Spotify\spotify.exe" [2012-11-24 7880664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-13 343168]
"QLBController"="c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe" [2012-06-20 333728]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-23 926896]
.
c:\users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 AthBTPort;Qualcomm Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [2012-08-19 88728]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2012-08-19 344216]
R3 btath_avdt;Qualcomm Atheros Bluetooth AVDT Service;c:\windows\system32\drivers\btath_avdt.sys [2012-08-19 114840]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [2012-08-19 178840]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [2012-08-19 77464]
R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [2012-08-19 135832]
R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2012-08-19 567808]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-11-24 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-11-24 79360]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2011-08-04 62496]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 146432]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2011-08-04 38288]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-13 204288]
S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe [2012-08-19 211584]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 202576]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2011-08-09 974944]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2012-05-16 197536]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [2012-06-20 523680]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2012-09-24 31040]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-08-08 2656536]
S2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [2012-08-19 323584]
S3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2012-08-19 33944]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2011-08-31 12306848]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2012-08-24 175928]
S3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2012-12-28 19952]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-04-11 708200]
S3 XENfiltv;XENfiltv;c:\windows\system32\drivers\XENfiltv.sys [2009-07-31 25600]
.
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-08-31 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-08-31 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-08-31 416024]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-09-20 1664000]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"BtTray"="c:\program files (x86)\Bluetooth Suite\BtTray.exe" [2012-08-19 764032]
"BtvStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2012-08-19 127616]
"RivaTunerStartupDaemon"="c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 24576]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-08-09 4030008]
.
------- Doplňkový sken -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 10.0.1.2:3128
uInternet Settings,ProxyOverride = localhost;<local>
LSP: %SystemRoot%\system32\PrxerDrv.dll
TCP: DhcpNameServer = 192.168.1.254
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Celkový čas: 2012-12-30  15:43:29 - počítač byl restartován
ComboFix-quarantined-files.txt  2012-12-30 14:43
ComboFix2.txt  2012-12-29 22:19
.
Před spuštěním: Volných bajtů: 39 251 869 696
Po spuštění: Volných bajtů: 39 232 311 296
.
- - End Of File - - 0B2AEFCC0D15CC92C67DD7AAB88F125F

[Rudy]

Log již vypadá čistý.

[DeadlyCZ]

Super, dekuji moc za pomoc

[Rudy]

Nemáte zač!