Neznámé soubory ve složce uživatele

[vyosek]

Stahnete RKill http://download.bleepingcomputer.com/grinler/rkill.com

• Pokud ho havet blokuje, pouzijte jeden z nasledujicich - i ty prejmenovane

  Rkill EXE:
  http://download.bleepingcomputer.com/grinler/rkill.exe
  
  Rkill iExplore.exe:
  http://download.bleepingcomputer.com/gr ... xplore.exe
  
  Rkill uSeRiNiT.exe:
  http://download.bleepingcomputer.com/gr ... eRiNiT.exe
  
  Rkill WiNlOgOn.exe:
  http://download.bleepingcomputer.com/gr ... NlOgOn.exe

• Ulozte nejlepena plochu a ukoncete vsechny aplikace (jinak to udela RKill za Vas)
• Spustte tradicne dvojklikem - program probehne do par sekund a ukonci i svou cinnost
• RKill ukonci vsechny ne-systemove procesy - tedy i procesy, pod kterymi bezi havet
• Na plose vznikne log Rkill.txt ten mi sem vlozte
• Ted nerestartujte PC - prisli byste o ucinek RKillu

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Vypnete vsechny rezidentni bezpecnostní programy - firewally, antiviry, antispywary apod.
• Pokud mate Win XP spustte pod uctem Spravce\Administratora
• Pokud mate Win Vista ci Win 7, kliknete na Combofix pravym a dejte Run As Administrator ci Spustit jako spravce
• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte
• Detailni postup vc. obrazku mate zde http://www.bleepingcomputer.com/combofi ... t-combofix

[mateuko]

Tady je ten Rkill :
Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/17/2014 02:38:19 PM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* MsKeyboardFilter [Missing Service]
* CSC [Missing Service]
* E1G60 [Missing Service]
* HdAudAddService [Missing Service]
* kbldfltr [Missing Service]
* storvsp [Missing Service]
* Vid [Missing Service]
* vmbusr [Missing Service]
* vpcivsp [Missing Service]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 04/17/2014 02:39:53 PM
Execution time: 0 hours(s), 1 minute(s), and 33 seconds(s)

[vyosek]

Pokracujte ComboFixem

[mateuko]

Když sputím ComboFix napíše mi to : Combo Fix is not meant to run in 'Compatibility Mode'.
The program shall now exit.
Co mám dělat?

[vyosek]

Stahnete Service Repair http://kb.eset.com/library/ESET/KB%20Te ... Repair.exe

• Ulozte nejlepe na Plochu
• Spustte a potvrdte Yes abyste potvrdil reinstalaci sluzeb
• Nasledne kliknutim na Yes potvrdte restart PC
• Na Plose vznikne slozka CC Support, najdete tam log SvcRepair.txt - mel by byt CC Support\Logs\SvcRepair.txt - vlozte mi jej sem

Stahnete Farbar Service Scanner http://download.bleepingcomputer.com/farbar/FSS.exe

• Ulozte nejlepe na Plochu
• U vsech polozek udelejte zatrzitko (tim je oznacite pro skenovani)
• Kliknete na Scan
• Po dokonceni skenu se objevi log FSS.txt ten sem vlozte

[mateuko]

Log Opened: 2014-04-19 @ 09:48:44
09:48:44 - -----------------
09:48:44 - | Begin Logging |
09:48:44 - -----------------
09:48:44 - Fix started on a WIN_8 X64 computer
09:48:44 - Prep in progress. Please Wait.
09:48:48 - Prep complete
09:48:48 - Repairing Services Now. Please wait...
09:48:49 - Services Repair Complete.
09:48:51 - Reboot Initiated

[mateuko]

FSS :
Farbar Service Scanner Version: 25-02-2014
Ran by Uzivatel (administrator) on 19-04-2014 at 09:57:15
Running from "C:\Users\Uzivatel\Desktop\Viry.Cz"
Microsoft Windows 8.1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2014-04-15 17:56] - [2014-04-15 17:56] - 2519384 ____A (Microsoft Corporation) FEEFE783D87C9063CDAC6DBDCF95F533

C:\Windows\System32\dnsrslvr.dll
[2014-04-15 17:56] - [2014-04-15 17:56] - 0254464 ____A (Microsoft Corporation) FE7656474448BE6A6C68E5C9BEB7CA94

C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll
[2014-04-15 17:56] - [2014-04-15 17:56] - 0827392 ____A (Microsoft Corporation) BBE15881FE11BE37112F8320C41DAFB9

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\wscsvc.dll
[2014-03-18 17:42] - [2014-03-18 17:42] - 0134144 ____A (Microsoft Corporation) 515583507D3828E827FF6352C9ACCEFA

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2014-04-18 11:31] - [2014-04-09 05:21] - 3408896 ____A (Microsoft Corporation) 779FB2F26E4339A4DD3EEF57E4E593FA

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2014-04-17 13:22] - [2013-10-25 08:48] - 1571328 ____A (Microsoft Corporation) 8077537B1600AF493E7EE1A7A5C90799

C:\Program Files\Windows Defender\MsMpEng.exe
[2014-04-17 13:22] - [2013-10-31 02:29] - 0023824 ____A (Microsoft Corporation) 7CE5405B192AC912B9405F72386C7D4B

C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2014-03-18 17:42] - [2014-03-18 17:42] - 0753664 ____A (Microsoft Corporation) 81979817943D830BF24571B7C1B28A1A



**** End of log ****

[vyosek]

Stahnete Malwarebytes Anti-Rootkit http://www.bleepingcomputer.com/downloa ... i-rootkit/

• Ulozte nejlepe na Plochu a rozbalte
• Spustte kliknutim na mbar
• Nyni postupne kliknete na Next a Update
• Po dokonceni update (aktualizace) databaze kliknete opet na Next
• Nechte zaskrtnute vsechny tri moznosti a klinete na Scan cimz spustite prohledavani PC
• Po dokonceni skenu (cca 5 minutek) zkontrolujte, zda-li je u vsech nalezu (samozrejme pokud budou) zatrzitko
• Tez zkontrolujte, jetsli je zatrzitko u Create Restore point
• Nyni kliknete na CleanUp cimz nalezenou infekci odstranime
• PC bude restartovan
• Slozka mbar by mela obsahovat log (a zrejme se i sam otevre) mbar-log-rok-mesic-den (hodina-minuta-sekunda).txt, ten mi sem dejte

[mateuko]

mbar :
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.04.20.03

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.17031
Uzivatel :: LENOVO [administrator]

20. 4. 2014 10:55:55
mbar-log-2014-04-20 (10-55-55).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 293413
Time elapsed: 42 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|MSStp (Trojan.Agent.SCR) -> Data: C:\WINDOWS\inf\msstp.vbe -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Windows\Inf\mncqrorc (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\bitstreams (Trojan.Agent.BCM) -> Delete on reboot.

Files Detected: 16
C:\Windows\SysWOW64\dcgmncfynrt.exe (Trojan.BitMiner) -> Delete on reboot.
C:\Windows\Inf\msstp.vbe (Trojan.Agent.SCR) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\diablo130302.cl (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\diakgcn121016.cl (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\libcurl-4.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\libeay32.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\libidn-11.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\librtmp.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\libssh2.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\mncqrorc.exe (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\phatk121016.cl (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\poclbm130302.cl (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\scrypt130511.cl (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\ssleay32.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\zlib1.dll (Trojan.Agent.BCM) -> Delete on reboot.
C:\Windows\Inf\mncqrorc\bitstreams\fpgaminer_top_fixed7_197MHz.ncd (Trojan.Agent.BCM) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

[mateuko]

Do složky uživatele přibili dva nové soubory : rgut, stut .

[vyosek]

Co je v tech slozkach??

[mateuko]

Nic jsou to nějaké neznámé soubory.

[vyosek]

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) http://forum.viry.cz/viewtopic.php?f=29&t=115222

• Provedte aktualizaci
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[mateuko]

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 22. 4. 2014
Scan Time: 17:30:55
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.22.04
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Uzivatel

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298504
Time Elapsed: 14 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
PUP.Optional.Qone8, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DefaultScope, {33BB0A4E-99AF-4226-BDF6-49120163DE86}, Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}), Bad: ({33BB0A4E-99AF-4226-BDF6-49120163DE86}),,[5ffdeb423447c96d0523cb606c9830d0]

Folders: 0
(No malicious items detected)

Files: 3
PUP.Optional.Bitcoin, C:\Windows\SysWOW64\acumncfynrt.exe, , [13492eff0c6f2b0bac7849276899936d],
PUP.BitCoinMiner, C:\Windows\SysWOW64\lcpmncfynrt.exe, , [441825082d4e77bf7fbdf5141fe23cc4],
PUP.Optional.Somoto.A, C:\Users\Uzivatel\AppData\Local\Application Data\Bundled software uninstaller\bi_client.exe, , [114bfc314833fc3a40d6a96a1ce5a957],

Physical Sectors: 0
(No malicious items detected)


(end)

[vyosek]

Poprosim novy FRST http://forum.viry.cz/viewtopic.php?f=13&t=133100