Virus ceska policie a nelze obnovit system

[Zlossynek]

Dobry den stal se mi virus ceska policie.... Drive mi sel odstranit obnovenim systemu ale ted se mi tam dal znova a uz to nejde, nevytvori se pristupovy bod a ani nejde vytvorit protoze ve vlastnostech systemu proste nemam"ochrana systemu" prosim poradte.

[cernohous13]

Vítám tě u nás

Zkusíme zatím úspěšný návod kolegy

Na zdravem PC stahnete Farbar Recovery Scan Tool http://www.bleepingcomputer.com/downloa ... scan-tool/

• Ulozte na nejaky flash disk, primo na jeho koren

Na poskozenem PC nabootujte Nouzovy rezim s prikazovym radkem MS-DOS

Nyni si zjisteme pismeno flash disku

• Zadejte prikaz notepad a odenterujte
• Otevre se poznamkovy blok (notepad)
• Dejte Soubor --> Otevrit --> najdete tento pocitac a otevrete USB klic kde je FRST ulozeny
• Podivejte se, jake pismeno ma USB klic (F:\, G:\ apod)
• Zavrete notepad krizkem

Ted si ziskame log

• Pokud mate stazeny FRST pro 64 bit OS, tak se jmenuje FRST64.exe a je nutne jej tak zadat
• Zadejte prikaz "pismeno disku":\FRST.exe a odenterujte (napr. F:\FRST.exe)
• Spusti se FRST
• Spuste prohledavani kliknutim na Scan
• Po chvili se vytvori na flash disku log FRST.exe
• Ten mi sem vlozte pres zdravy PC

[Zlossynek]

děkuju moc, už jsem to všechno provedl a mam ten soubor, co dál? komu kdyžtaak odeslat? nebo co s tím?

[vyosek]

Zdravim

Jednorazove zaskocim, log vlozte sem jako obcash prispevku (stejne jako pripadne dalsi logy ktere budete postupne ziskavat)

[Zlossynek]

tady je http://leteckaposta.cz/744125257 protože .txt sem nějak nejde :/

[vyosek]

Dejte jej sem JAKO OBSAH = kopirovat, vlozit...pokud je moc dlouhy, tak rozdelit do vice prispevku...

Pripona txt je z bezpecnostnich duvodu zablokovana...

[Zlossynek]

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2013 03
Ran by Tropic (administrator) on 12-06-2013 19:51:40
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: Czech
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\cmd.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-23] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6245408 2010-05-26] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files\Motorola\Bluetooth\btmshell.dll",TrayApp [24783624 2010-06-10] (Motorola, Inc.)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe [749576 2009-06-22] (Avid Technology, Inc.)
HKCU\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKCU\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-05-19] (Hewlett-Packard Company)
HKCU\...\Run: [Advanced SystemCare 4] "C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe" [412560 2011-05-28] (IObit)
HKCU\...\Run: [Gadwin PrintScreen] C:\Program Files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash [487424 2010-10-14] (Gadwin Systems, Inc)
HKCU\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-02] (DT Soft Ltd)
HKCU\...\Run: [WebcamMaxAutoRun] "C:\Program Files (x86)\WebcamMax\WebcamMax.exe" -a [6043888 2010-05-19] (CoolwareMax)
HKCU\...\Run: [Facebook Update] "C:\Users\Tropic\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2013-04-15] (Facebook Inc.)
HKCU\...\Run: [RegClean Expert Scheduler] "C:\Program Files (x86)\Registry Clean Expert\RCHelper.exe" /startup [605464 2012-11-01] (iExpert Software)
HKCU\...\Run: [ctfmon32.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\ioel.dat,XFG00 [135168 2013-06-11] (Microsoft Corporation) <===== ATTENTION
HKCU\...\Policies\system: [DisableLockWorkstation] 0
HKCU\...\Policies\system: [DisableTaskMgr] 0
HKCU\...\Policies\system: [DisableChangePassword] 0
MountPoints2: F - F:\AutoRun.exe
MountPoints2: {239ac0f2-c96f-11e0-a5be-3c4a924e9f8e} - F:\AutoRun.exe
MountPoints2: {2e5b2934-f8ca-11e0-a2ce-3c4a924e9f8e} - F:\autoplay.exe
MountPoints2: {2e5b294d-f8ca-11e0-a2ce-3c4a924e9f8e} - G:\autoplay.exe
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602680 2010-07-02] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe [2345592 2012-08-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1226928 2013-05-20] (AVG Secure Search)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Tropic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Tropic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\ioel.dat (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG10\avgchsva.exe /syncC:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forumswatcher.com/search.htm
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com
URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
URLSearchHook: (No Name) - {01dfd24d-73eb-497f-8dfd-7ea79365af4a} - No File
URLSearchHook: (No Name) - {cc376ed9-9e09-4b39-bad5-083d151eaa86} - No File
SearchScopes: HKLM - {9AD61490-3275-44CA-AA92-87C2C459C6D7} URL = http://cs.wikipedia.org/wiki/Special:Se ... earchTerms}
HKLM-x32 SearchScopes: DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.as ... =CT2239085
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {9AD61490-3275-44CA-AA92-87C2C459C6D7} URL = http://cs.wikipedia.org/wiki/Special:Se ... earchTerms}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.as ... =CT2239085
HKCU SearchScopes: DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={159F ... 2011-11-28 16:55:57&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {23DCDCC9-7A3B-4DE8-B39A-0A213E721AF8} URL = http://search.freecause.com/search?ourm ... earchTerms}
SearchScopes: HKCU - {8557A2BB-0CCA-4DA2-8BEE-E2A1975E3BBB} URL = http://www.webhledani.cz/results.aspx?i ... earchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={159F ... 2011-11-28 16:55:57&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {9AD61490-3275-44CA-AA92-87C2C459C6D7} URL = http://cs.wikipedia.org/wiki/Special:Se ... earchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.as ... =CT2239085
BHO: IMPI - {17E113E6-CD0E-4045-B154-65F0E57959EF} - C:\Program Files\IMPI\Extension64.dll ()
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll (AVG Technologies CZ, s.r.o.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: freevideomaster Toolbar - {01dfd24d-73eb-497f-8dfd-7ea79365af4a} - C:\Program Files (x86)\freevideomaster\tbfree.dll (Conduit Ltd.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: IMPI - {17E113E6-CD0E-4045-B154-65F0E57959EF} - C:\Program Files\IMPI\Extension32.dll ()
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Pazera Toolbar BHO - {1B169632-4FA6-4BE0-B980-460B5BF7FD08} - C:\Program Files (x86)\Pazera Toolbar\Toolbar.dll ()
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO-x32: Pomocná služba pro přihlášení ke službě Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
BHO-x32: GamePlayLabsBHO Class - {984A9162-8891-4D19-8CFE-17648BB4E1EC} - C:\Users\Tropic\AppData\Local\GamePlayLabs Plugin\BHO.dll No File
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: DCA BHO - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Common Files\FreeCause\DCA\dca-bho.dll (Compete, Inc.)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - freevideomaster Toolbar - {01dfd24d-73eb-497f-8dfd-7ea79365af4a} - C:\Program Files (x86)\freevideomaster\tbfree.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - Pazera Toolbar - {093B3D46-0F87-44CF-B44B-79537F1597E5} - C:\Program Files (x86)\Pazera Toolbar\Toolbar.dll ()
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKCU - No Name - {01DFD24D-73EB-497F-8DFD-7EA79365AF4A} - No File
Toolbar: HKCU - No Name - {093B3D46-0F87-44CF-B44B-79537F1597E5} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgppa.dll (AVG Technologies CZ, s.r.o.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

==================== Services (Whitelisted) =================

S2 AdvancedSystemCareService; C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [353168 2011-05-28] (IObit)
S3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
S2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-07-02] ()
S2 IMPI Updater; C:\Program Files\IMPI\ExtensionUpdaterService.exe [185856 2013-02-05] ()
S2 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-20] (AVG Secure Search)
S3 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [118864 2011-05-27] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [312160 2012-11-12] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [377936 2011-04-05] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-05-20] (AVG Technologies)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2011-11-02] (DT Soft Ltd)
S3 MAUSBMICRO; C:\Windows\System32\DRIVERS\MAudioMicro.sys [185864 2009-06-22] (Avid Technology, Inc.)
S3 MAUSBPRODUCER; C:\Windows\System32\DRIVERS\MAudioProducer.sys [185864 2009-06-22] (Avid Technology, Inc.)
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [18232 2011-02-23] ()
S2 Aspi32; System32\drivers\aspi32.sys [x]
S3 Huawei; system32\DRIVERS\ewdcsc.sys [x]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [x]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-12 19:51 - 2013-06-12 19:51 - 00000000 ____D C:\FRST
2013-06-12 09:11 - 2013-06-12 09:11 - 00000000 __SHD C:\found.000
2013-06-11 22:57 - 2013-06-11 23:21 - 95023320 ___AT C:\ProgramData\leoi.pad
2013-06-11 22:57 - 2013-06-11 22:57 - 95023320 ___AT C:\ProgramData\otof0r.pad
2013-06-11 22:57 - 2013-06-11 22:57 - 00135168 ____A (Microsoft Corporation) C:\ProgramData\r0foto.dat
2013-06-11 22:57 - 2013-06-11 22:57 - 00135168 ____A (Microsoft Corporation) C:\ProgramData\ioel.dat
2013-06-11 22:57 - 2013-06-11 22:57 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
2013-06-11 22:57 - 2013-06-11 22:57 - 00002621 ____A C:\ProgramData\leoi.js
2013-06-11 22:57 - 2013-06-11 22:57 - 00000150 ____A C:\ProgramData\leoi.reg
2013-06-11 22:57 - 2013-06-11 22:57 - 00000055 ____A C:\ProgramData\leoi.bat
2013-06-11 21:38 - 2013-06-11 21:38 - 00001570 ____A C:\Users\Tropic\Desktop\občanka.txt
2013-06-10 21:55 - 2013-06-10 21:56 - 00000000 ____D C:\Users\Tropic\Desktop\jij
2013-06-10 21:54 - 2013-06-10 21:55 - 16526432 ____A C:\Users\Tropic\Desktop\prilohy_543.zip
2013-06-09 08:47 - 2013-06-11 23:21 - 00000000 ____A C:\ProgramData\kjhy64.txt
2013-06-09 08:47 - 2013-06-09 09:00 - 95023320 ___AT C:\ProgramData\mj1z6of.pad
2013-06-09 08:47 - 2013-06-09 08:47 - 95023320 ___AT C:\ProgramData\ejolofd.pad
2013-06-09 08:47 - 2013-06-09 08:47 - 00137216 ____A (Microsoft Corporation) C:\ProgramData\fo6z1jm.dat
2013-06-09 08:47 - 2013-06-09 08:47 - 00137216 ____A (Microsoft Corporation) C:\ProgramData\dfoloje.dat
2013-06-05 15:15 - 2013-06-05 15:16 - 29639510 ____A C:\Users\Tropic\Desktop\khkhgjg-mix.wav
2013-06-04 22:20 - 2013-06-06 22:33 - 00000000 ____D C:\Users\Tropic\Desktop\makám kurva!
2013-06-04 22:15 - 2013-06-11 23:19 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-05-29 22:58 - 2013-05-29 23:05 - 25431308 ____A C:\Users\Tropic\Desktop\fakin.wav
2013-05-21 23:41 - 2013-05-21 23:42 - 00000000 ____D C:\Users\Tropic\AppData\Local\{53A36CC2-54D2-46D9-A9F3-A2BB36A53B63}
2013-05-21 20:26 - 2013-05-21 20:26 - 23933480 ____A C:\Users\Tropic\Desktop\untitled.wav

==================== One Month Modified Files and Folders =======

2013-06-12 19:51 - 2013-06-12 19:51 - 00000000 ____D C:\FRST
2013-06-12 19:47 - 2010-08-15 07:48 - 00640422 ____A C:\Windows\System32\perfh005.dat
2013-06-12 19:47 - 2010-08-15 07:48 - 00127076 ____A C:\Windows\System32\perfc005.dat
2013-06-12 19:47 - 2009-07-14 07:13 - 01499262 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-12 16:28 - 2010-08-17 04:51 - 01340636 ____A C:\Windows\WindowsUpdate.log
2013-06-12 09:11 - 2013-06-12 09:11 - 00000000 __SHD C:\found.000
2013-06-11 23:21 - 2013-06-11 22:57 - 95023320 ___AT C:\ProgramData\leoi.pad
2013-06-11 23:21 - 2013-06-09 08:47 - 00000000 ____A C:\ProgramData\kjhy64.txt
2013-06-11 23:20 - 2011-03-27 20:45 - 00000000 ____D C:\Users\Tropic\AppData\Local\GamePlayLabs Plugin
2013-06-11 23:19 - 2013-06-04 22:15 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-06-11 23:17 - 2009-07-14 07:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-11 23:17 - 2009-07-14 06:51 - 00181956 ____A C:\Windows\setupact.log
2013-06-11 22:57 - 2013-06-11 22:57 - 95023320 ___AT C:\ProgramData\otof0r.pad
2013-06-11 22:57 - 2013-06-11 22:57 - 00135168 ____A (Microsoft Corporation) C:\ProgramData\r0foto.dat
2013-06-11 22:57 - 2013-06-11 22:57 - 00135168 ____A (Microsoft Corporation) C:\ProgramData\ioel.dat
2013-06-11 22:57 - 2013-06-11 22:57 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
2013-06-11 22:57 - 2013-06-11 22:57 - 00002621 ____A C:\ProgramData\leoi.js
2013-06-11 22:57 - 2013-06-11 22:57 - 00000150 ____A C:\ProgramData\leoi.reg
2013-06-11 22:57 - 2013-06-11 22:57 - 00000055 ____A C:\ProgramData\leoi.bat
2013-06-11 21:38 - 2013-06-11 21:38 - 00001570 ____A C:\Users\Tropic\Desktop\občanka.txt
2013-06-11 20:46 - 2013-04-15 20:41 - 00000932 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3324916824-4260146805-1856180507-1000UA.job
2013-06-11 20:46 - 2013-04-15 20:41 - 00000910 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3324916824-4260146805-1856180507-1000Core.job
2013-06-11 20:17 - 2011-02-03 15:55 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-06-11 06:39 - 2009-07-14 06:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-11 06:39 - 2009-07-14 06:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-10 21:56 - 2013-06-10 21:55 - 00000000 ____D C:\Users\Tropic\Desktop\jij
2013-06-10 21:55 - 2013-06-10 21:54 - 16526432 ____A C:\Users\Tropic\Desktop\prilohy_543.zip
2013-06-09 19:05 - 2010-08-17 04:53 - 00000000 ____D C:\ProgramData\FLEXnet
2013-06-09 19:05 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2013-06-09 10:00 - 2013-04-20 12:39 - 00000000 ____D C:\Users\Tropic\Desktop\hhds
2013-06-09 09:59 - 2013-02-09 01:15 - 00000000 ____D C:\Users\Tropic\Desktop\brázky
2013-06-09 09:06 - 2011-01-11 20:45 - 00000000 ____D C:\users\Tropic
2013-06-09 09:00 - 2013-06-09 08:47 - 95023320 ___AT C:\ProgramData\mj1z6of.pad
2013-06-09 08:47 - 2013-06-09 08:47 - 95023320 ___AT C:\ProgramData\ejolofd.pad
2013-06-09 08:47 - 2013-06-09 08:47 - 00137216 ____A (Microsoft Corporation) C:\ProgramData\fo6z1jm.dat
2013-06-09 08:47 - 2013-06-09 08:47 - 00137216 ____A (Microsoft Corporation) C:\ProgramData\dfoloje.dat
2013-06-06 22:33 - 2013-06-04 22:20 - 00000000 ____D C:\Users\Tropic\Desktop\makám kurva!
2013-06-05 15:33 - 2013-04-18 21:29 - 00000000 ____D C:\Users\Tropic\Desktop\muscle
2013-06-05 15:16 - 2013-06-05 15:15 - 29639510 ____A C:\Users\Tropic\Desktop\khkhgjg-mix.wav
2013-06-04 22:15 - 2011-11-28 17:56 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-05-29 23:05 - 2013-05-29 22:58 - 25431308 ____A C:\Users\Tropic\Desktop\fakin.wav
2013-05-29 15:18 - 2011-08-12 22:30 - 00000000 ____D C:\Users\Tropic\Documents\PrintScreen Files
2013-05-27 22:20 - 2013-04-27 23:22 - 00000000 ____D C:\Users\Tropic\Desktop\fight
2013-05-26 19:13 - 2011-11-29 18:58 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForTropic.job
2013-05-21 23:42 - 2013-05-21 23:41 - 00000000 ____D C:\Users\Tropic\AppData\Local\{53A36CC2-54D2-46D9-A9F3-A2BB36A53B63}
2013-05-21 20:26 - 2013-05-21 20:26 - 23933480 ____A C:\Users\Tropic\Desktop\untitled.wav
2013-05-20 21:55 - 2012-09-04 06:25 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-05-19 23:40 - 2011-12-31 13:31 - 00000000 ____D C:\ProgramData\HP

Files to move or delete:
====================
C:\ProgramData\rundll32.exe
C:\Users\Public\gta_sa.exe
C:\ProgramData\dfoloje.dat
C:\ProgramData\ejolofd.pad
C:\ProgramData\fo6z1jm.dat
C:\ProgramData\ioel.dat
C:\ProgramData\leoi.bat
C:\ProgramData\leoi.pad
C:\ProgramData\leoi.reg
C:\ProgramData\mj1z6of.pad
C:\ProgramData\otof0r.pad
C:\ProgramData\r0foto.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-06-03 00:28

==================== End Of Log ============================

[Zlossynek]

co ted?

[vyosek]

Chtel jsem to nechat na kolegovi, temata si neprebirame, ale kdyz jste online, tak o kousicek popojedem

Dejte mi par minut nez napisi skript na vycisteni

[vyosek]

Tvorba fixlistu pro FRST

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  HKCU\...\Run: [ctfmon32.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\ioel.dat,XFG00 [135168 2013-06-11] (Microsoft Corporation) <===== ATTENTION
  HKCU\...\Policies\system: [DisableLockWorkstation] 0
  HKCU\...\Policies\system: [DisableTaskMgr] 0
  HKCU\...\Policies\system: [DisableChangePassword] 0
  HKLM-x32\...\Run: [] [x]
  HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
  HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1226928 2013-05-20] (AVG Secure Search)
  Startup: C:\Users\Tropic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
  ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\ioel.dat (Microsoft Corporation)
  HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forumswatcher.com/search.htm
  HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com
  HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
  HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com
  HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
  HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com
  URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
  URLSearchHook: (No Name) - {01dfd24d-73eb-497f-8dfd-7ea79365af4a} - No File
  URLSearchHook: (No Name) - {cc376ed9-9e09-4b39-bad5-083d151eaa86} - No File
  SearchScopes: HKLM - {9AD61490-3275-44CA-AA92-87C2C459C6D7} URL = http://cs.wikipedia.org/wiki/Special:Search?search={searchTerms}
  HKLM-x32 SearchScopes: DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2239085
  SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
  SearchScopes: HKLM-x32 - {9AD61490-3275-44CA-AA92-87C2C459C6D7} URL = http://cs.wikipedia.org/wiki/Special:Search?search={searchTerms}
  SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2239085
  HKCU SearchScopes: DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={159F3A7F-5AA4-4B2B-9C7A-4034EF54C54C}&mid=a0864d3361a447d69e8ded03d4aa767d-254dc9b8b8b3f1f72fd4cf971448c0dfa1911f22&lang=cz&ds=AVG&pr=pa&d=2011-11-28 16:55:57&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
  SearchScopes: HKCU - {23DCDCC9-7A3B-4DE8-B39A-0A213E721AF8} URL = http://search.freecause.com/search?ourm ... e=63263&p={searchTerms}
  SearchScopes: HKCU - {8557A2BB-0CCA-4DA2-8BEE-E2A1975E3BBB} URL = http://www.webhledani.cz/results.aspx?i=42&tp=ie&q={searchTerms}
  SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={159F3A7F-5AA4-4B2B-9C7A-4034EF54C54C}&mid=a0864d3361a447d69e8ded03d4aa767d-254dc9b8b8b3f1f72fd4cf971448c0dfa1911f22&lang=cz&ds=AVG&pr=pa&d=2011-11-28 16:55:57&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
  SearchScopes: HKCU - {9AD61490-3275-44CA-AA92-87C2C459C6D7} URL = http://cs.wikipedia.org/wiki/Special:Search?search={searchTerms}
  SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2239085
  BHO: IMPI - {17E113E6-CD0E-4045-B154-65F0E57959EF} - C:\Program Files\IMPI\Extension64.dll ()
  BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll (AVG Technologies CZ, s.r.o.)
  BHO-x32: freevideomaster Toolbar - {01dfd24d-73eb-497f-8dfd-7ea79365af4a} - C:\Program Files (x86)\freevideomaster\tbfree.dll (Conduit Ltd.)
  BHO-x32: Pazera Toolbar BHO - {1B169632-4FA6-4BE0-B980-460B5BF7FD08} - C:\Program Files (x86)\Pazera Toolbar\Toolbar.dll ()
  BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
  BHO-x32: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
  BHO-x32: GamePlayLabsBHO Class - {984A9162-8891-4D19-8CFE-17648BB4E1EC} - C:\Users\Tropic\AppData\Local\GamePlayLabs Plugin\BHO.dll No File
  BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
  Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
  Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
  Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
  Toolbar: HKLM-x32 - freevideomaster Toolbar - {01dfd24d-73eb-497f-8dfd-7ea79365af4a} - C:\Program Files (x86)\freevideomaster\tbfree.dll (Conduit Ltd.)
  Toolbar: HKLM-x32 - Pazera Toolbar - {093B3D46-0F87-44CF-B44B-79537F1597E5} - C:\Program Files (x86)\Pazera Toolbar\Toolbar.dll ()
  Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
  Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
  Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
  Toolbar: HKCU - No Name - {01DFD24D-73EB-497F-8DFD-7EA79365AF4A} - No File
  Toolbar: HKCU - No Name - {093B3D46-0F87-44CF-B44B-79537F1597E5} - No File
  S3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
  S2 vToolbarUpdater15.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [1015984 2013-05-20] (AVG Secure Search)
  2013-06-12 09:11 - 2013-06-12 09:11 - 00000000 __SHD C:\found.000
  C:\Program Files (x86)\Common Files\AVG Secure Search
  C:\Program Files (x86)\Pazera Toolbar
  C:\Program Files (x86)\AVG Secure Search
  C:\Program Files (x86)\Ask.com
  C:\ProgramData\rundll32.exe
  C:\Users\Public\gta_sa.exe
  C:\ProgramData\dfoloje.dat
  C:\ProgramData\ejolofd.pad
  C:\ProgramData\fo6z1jm.dat
  C:\ProgramData\ioel.dat
  C:\ProgramData\leoi.bat
  C:\ProgramData\leoi.pad
  C:\ProgramData\leoi.reg
  C:\ProgramData\mj1z6of.pad
  C:\ProgramData\otof0r.pad
  C:\ProgramData\r0foto.dat
  

• Ulozte vytvoreny TXT jako fixlist.txt
• Presunte vytvoreny log na flashku k FRST

Spustte znovu FRST.exe na tom poskozenem PC

• Kliknete na Fix
• Probehne oprava a na flash disku se vytvori log Fixlog.txt

Pokuste se nastartovat do bezneho rezimu

Dejte log z RSIT http://forum.viry.cz/viewtopic.php?f=24&t=130784

[Zlossynek]

Takže co mám kopírovat, uložím jako fixlist.txt a pak v poznámkovém bloku spustim?

[vyosek]

Omlouvam se, nedal jsem vse do code (zeleny text), nyni je to OK...

Usnadnim Vam to pac jsem tam udelal chybku - stahnete tento soubor http://leteckaposta.cz/296545447 ulozte primo na flash disk

Spustte znovu FRST.exe na tom poskozenem PC jako minule

• Kliknete na Fix
• Probehne oprava a na flash disku se vytvori log Fixlog.txt

Poznamkovy blok spoustet nemusite jen spustite FRST a kliknete na fix - on si sam naste ten fixlist a provede prikazy z nej

Po restartu nechte PC nabehnout do bezneho rezimu

[Zlossynek]

děkuju a tohle už odstraní virus takže nebude potřeba obnova systému?

[vyosek]

Ano, tohle odstrani to nejhorsi, ze se pak dostanete do normalniho rezimu, kde se to docisti...

Obnova nebude treba

[Zlossynek]

Super, běží děkuju! a co ten log z RSIT, mam také udělat? popř. jak?