Policejni virus - mara.t

[mara.t]

Doufám, že nevadí když se přidák k tématu. Před chvílí u mne nastal obdobný problém.
Zde je log z FRST64:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-08-2013
Ran by daichi (administrator) on 11-08-2013 09:56:08
Running from D:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: Czech
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\cmd.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13370472 2011-11-18] (Realtek Semiconductor)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKCU\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3674320 2013-01-08] (DT Soft Ltd)
HKCU\...\Run: [SDP] - C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe [201808 2013-01-31] (Somoto)
HKCU\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2013-03-10] ()
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\daichi\AppData\Roaming\AltShell.dat [34816 2011-11-17] () <==== ATTENTION
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\261519~1.190\{c16c1~1\browse~1.dll [2691536 2013-07-26] ()
Startup: C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bitcoin.lnk
ShortcutTarget: Bitcoin.lnk -> C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe ()
Startup: C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-search.com/?affID=1198 ... e549ca665b
HKCU\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www.delta-search.com/?affID=1198 ... e549ca665b
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchT ... e549ca665b
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 213.46.172.36 213.46.172.37

Chrome:
=======
CHR Extension: (Google Docs) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (AdBlock) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.6.2_0
CHR Extension: (Gmail) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR Extension: (Steins; Gate Theme2) - C:\Users\daichi\AppData\Local\Google\Chrome\User Data\Default\Extensions\plddppaedppoghagchoehpmpojfmjlnf\2_0
CHR StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

S2 BrowserProtect; C:\ProgramData\BrowserProtect\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [2847696 2013-07-26] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 OMSI download service; C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [90112 2009-04-30] ()

==================== Drivers (Whitelisted) ====================

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2013-03-09] (DT Soft Ltd)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [113704 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [19496 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [152616 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [133160 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [34856 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [128552 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [145960 2008-10-21] (MCCI Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-11 09:21 - 2013-08-11 09:36 - 00000004 _____ C:\Users\daichi\AppData\Roaming\AltShell.ini
2013-08-08 18:24 - 2013-08-08 18:24 - 00422340 _____ C:\Users\daichi\Desktop\cestovni pojisteni.xps
2013-08-08 07:39 - 2013-08-11 09:36 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect
2013-08-07 17:39 - 2013-08-08 16:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-08-03 10:10 - 2013-08-03 10:10 - 00000000 ____D C:\Users\daichi\Desktop\Obchod
2013-08-02 16:36 - 2013-08-02 16:36 - 00000000 ____D C:\Users\daichi\Desktop\vzdelani
2013-07-13 14:38 - 2013-07-13 14:40 - 126907692 _____ C:\Users\daichi\Desktop\Toradora! - とらンス！.zip

==================== One Month Modified Files and Folders =======

2013-08-11 09:55 - 2013-08-11 09:55 - 00000000 ____D C:\FRST
2013-08-11 09:36 - 2013-08-11 09:21 - 00000004 _____ C:\Users\daichi\AppData\Roaming\AltShell.ini
2013-08-11 09:36 - 2013-08-08 07:39 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect
2013-08-11 09:36 - 2013-04-08 23:14 - 00000000 ____D C:\Users\daichi\AppData\Roaming\Bitcoin
2013-08-11 09:36 - 2013-03-02 14:23 - 02090158 _____ C:\Windows\WindowsUpdate.log
2013-08-11 09:35 - 2013-03-10 15:48 - 00000000 ____D C:\Users\daichi\AppData\Local\PMB Files
2013-08-11 09:33 - 2009-07-14 06:45 - 00015152 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-11 09:33 - 2009-07-14 06:45 - 00015152 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-11 09:28 - 2013-04-08 23:15 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-08-11 09:24 - 2013-03-02 14:50 - 00000948 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-11 09:24 - 2013-03-02 14:27 - 00000000 ___RD C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-11 09:23 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-11 09:23 - 2009-07-14 06:51 - 00033016 _____ C:\Windows\setupact.log
2013-08-11 09:21 - 2013-03-02 14:50 - 00000952 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-11 01:06 - 2013-03-10 15:48 - 00000000 ____D C:\ProgramData\PMB Files
2013-08-09 16:02 - 2013-03-02 21:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-08 18:24 - 2013-08-08 18:24 - 00422340 _____ C:\Users\daichi\Desktop\cestovni pojisteni.xps
2013-08-08 16:41 - 2013-08-07 17:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-08-08 07:39 - 2013-03-03 10:03 - 00000000 ____D C:\Users\daichi\AppData\Roaming\uTorrent
2013-08-07 23:47 - 2013-04-13 15:48 - 00000000 ____D C:\Users\daichi\AppData\Roaming\Mumble
2013-08-03 20:59 - 2013-05-12 18:57 - 00000000 ___HD C:\Users\daichi\Desktop\Game of Thrones S03E05 HDTV x264-2HD[ettv]
2013-08-03 10:10 - 2013-08-03 10:10 - 00000000 ____D C:\Users\daichi\Desktop\Obchod
2013-08-02 16:40 - 2009-07-14 17:18 - 00666298 _____ C:\Windows\system32\perfh005.dat
2013-08-02 16:40 - 2009-07-14 17:18 - 00139994 _____ C:\Windows\system32\perfc005.dat
2013-08-02 16:40 - 2009-07-14 07:13 - 01576946 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-02 16:36 - 2013-08-02 16:36 - 00000000 ____D C:\Users\daichi\Desktop\vzdelani
2013-08-02 16:35 - 2013-03-09 23:23 - 00000000 ____D C:\ProgramData\BrowserProtect
2013-08-02 16:35 - 2013-03-02 15:10 - 00023510 _____ C:\Windows\PFRO.log
2013-07-29 23:31 - 2013-06-02 09:53 - 00000000 ____D C:\Users\daichi\Desktop\Game.of.Thrones.Season.3.Episode.10.Mhysa.XviD-MGD[ettv]
2013-07-13 14:40 - 2013-07-13 14:38 - 126907692 _____ C:\Users\daichi\Desktop\Toradora! - とらンス！.zip
2013-07-13 02:16 - 2013-03-02 14:50 - 00003948 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-13 02:16 - 2013-03-02 14:50 - 00003696 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Files to move or delete:
====================
C:\Users\daichi\AppData\Roaming\AltShell.dat
C:\Users\daichi\AppData\Roaming\AltShell.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-02 17:44

Předem děkuju

[vyosek]

Zdravim

Vadi, ze se pripojujete do ciziho tematu. Kdo se v tom ma pak vyznat

Pravidla fora

4. Na svůj problém si založte jen jedno téma - založením témat do více sekcí řešení neuspíší, ba naopak problém znepřehledníte a jen přidáte práci rádcům a moderátorům. Taktéž nevkládejte žádost o pomoc do cizího tématu, jen tím uděláte rádci v tématu guláš.

Dejte mi chvili, mrknu na log

[vyosek]

Tvorba fixlistu pro FRST

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  HKCU\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3674320 2013-01-08] (DT Soft Ltd)
  HKCU\...\Run: [SDP] - C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe [201808 2013-01-31] (Somoto)
  HKCU\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2013-03-10] ()
  HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\daichi\AppData\Roaming\AltShell.dat [34816 2011-11-17] () <==== ATTENTION
  KLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
  HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
  AppInit_DLLs-x32: c:\progra~3\browse~1\261519~1.190\{c16c1~1\browse~1.dll [2691536 2013-07-26] ()
  Startup: C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bitcoin.lnk
  ShortcutTarget: Bitcoin.lnk -> C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe ()
  Startup: C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
  ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
  Startup: C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
  ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe ()
  HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-search.com/?affID=1198 ... e549ca665b
  HKCU\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www.delta-search.com/?affID=1198 ... e549ca665b
  StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
  SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
  SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchTerms}&affID=119816&babsrc=SP_ss&mntrId=760114d800000000000050e549ca665b
  2013-08-11 09:24 - 2013-03-02 14:50 - 00000948 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.jo
  2013-08-08 07:39 - 2013-08-11 09:36 - 00003432 _____ C:\Windows\System32\Tasks\BrowserProtect
  C:\Users\daichi\AppData\Roaming\AltShell.dat
  C:\Users\daichi\AppData\Roaming\AltShell.ini
  Hosts:
  CMD: shutdown /r /f /t 2
  

• Ulozte vytvoreny TXT jako fixlist.txt
• Presunte vytvoreny fixlist vedle FRST

Spustte znovu FRST.exe

• Kliknete na Fix
• Probehne oprava a vytvori log Fixlog.txt

Restart PC a dejte mi sem fixlog.txt

[mara.t]

Za to se omlouvám. viděl jsem, že se řeší stejná věc.
Jinak budu vděčný za pomoc

.
.
.
.Ok, děkuju..hned to bude

[mara.t]

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-08-2013
Ran by daichi at 2013-08-11 10:35:32 Run:1
Running from D:\
Boot Mode: Safe Mode (minimal)
==============================================

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\DAEMON Tools Lite => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\SDP => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Pando Media Booster => Value deleted successfully.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Adobe ARM => Value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bitcoin.lnk => Moved successfully.
C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe => Moved successfully.
C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk => Moved successfully.
C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe => Moved successfully.
C:\Users\daichi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk => Moved successfully.
C:\Program Files\Rainmeter\Rainmeter.exe => Moved successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\bProtector Start Page => Value deleted successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\bProtectorDefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key deleted successfully.
HKCR\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key not found.
"C:\Windows\Tasks\GoogleUpdateTaskMachineCore.jo" => File/Directory not found.
C:\Windows\System32\Tasks\BrowserProtect => Moved successfully.
C:\Users\daichi\AppData\Roaming\AltShell.dat => Moved successfully.
C:\Users\daichi\AppData\Roaming\AltShell.ini => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.

========= shutdown /r /f /t 2 =========


========= End of CMD: =========


==== End of Fixlog ====

[mara.t]

Jenom se zeptam, ten bitcoin a hlavně Rainmeter byly "napadene"? Nevadí když rainmeter nainstaluju znovu? Měl jsem ho místo gadgetů ve win.

A když teď spustím Operu..browser kde jsem právě chytl tento virus..nachytnu ho znovu? Pravděpodobně s emi teď automaticky otevřou všechna okna co jsem otevíral..

[vyosek]

Na bitcoin bacha http://www.viry.cz/tezba-bitcoinu-bez-v ... le-i-v-cr/

Rainmeter muzete preinstalovat, pripadne jej muzeme obnovit ze zalohy

Stahnete Junkware Removal Tool http://thisisudax.org/downloads/JRT.exe

• Ulozte nejlepe na plochu
• Po spusteni se zobrazi licencni podminky, stisknete libovolnou klavesu
• Probehne vytvoreni zalohy a nasledne prohledavani
• Probehne skenovani a pak se objevi log, pripadne bude ulozen v c:\JRT jako JRT.txt, ten sem vlozte

Stahnete AdwCleaner http://general-changelog-team.fr/fr/dow ... adwcleaner

• Ulozte nejlepe na plochu
• Ukoncete vsechny programy
• Kliknete na Prohledat
• Probehne skenovani a pak se objevi log, pripadne bude ulozen na systemovem disku jako AdwCleaner[R?].txt, ten sem vlozte