problém s USB - asi trojan

Zpráva

rjesa · #1 Příspěvek od **rjesa** » 10 říj 2014 11:35

Dobrý den,

obracím se na Vás s následujícím problémem:

1. na internetu jsem si stáhl zazipovaný software na úpravu audio souborů (na jednom pc, přes flash disk jsem si jej stáhl do druhého pc)
2. instalace se nezdařila a pc se začal chovat "podezřele", tak jsem instalaci násilím ukončil a pc restartoval
3. jakmile jsem na USB disk chtěl nahrát soubory, tak se uložily pouze jako zástupce, ale přitom velikost zabraného místa na disku odpovídala skutečné velikosti souborů.
4. v práci jsem si chtěl z USB soubory nahrát, nicméně firemní antivir je označil za trojana, vč. torbrowser a onoho zazipovaného programu a odstranil
5. od té doby flash ukazuje, že je kapacita obsazena tak jak bylo před tímto problémem, nicméně, když ji otevřu, tak se mi žádný soubor neukáže.

Předem děkuju mockrát za pomoc a zdravím,

Richard

#2 Příspěvek od **vyosek** » 10 říj 2014 16:15

Zdravim

Zacneme logem z FRST http://forum.viry.cz/viewtopic.php?f=13&t=133100

Pak pouzijte USBFix http://forum.viry.cz/viewtopic.php?f=24&t=140144

rjesa · #3 Příspěvek od **rjesa** » 11 říj 2014 10:44

Addition.rar: (2.55 KiB) Staženo 55 x

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-10-2014 01
Ran by rysak (administrator) on RYSAK-PC on 11-10-2014 11:31:16
Running from C:\Users\rysak\Desktop
Loaded Profile: rysak (Available profiles: rysak)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Team H2O) C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(forum.viry.cz) C:\Users\rysak\Desktop\FRSTLauncher.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [H2O] => C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [200069 2005-05-11] (Team H2O)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AutoKMS] => C:\Windows\AutoKMS.exe [615936 2013-10-31] ()
HKLM\...\Run: [mspkadvkSrv] => C:\Windows\system32\mspkadvk.vbe [583 2013-12-10] ()
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\...\Run: [process] => wscript.exe //B "C:\Users\rysak\AppData\Local\Temp\process.vbs" <===== ATTENTION
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\...\MountPoints2: {671eb776-b28a-11e3-976f-00269e59cfba} - "H:\WD Drive Unlock.exe" autoplay=true
Startup: C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: WinToFlash Suggestor -> {FC36B0BD-27F0-4cdd-8AB1-50651EFC3EFD} -> C:\Program Files\WinToFlash Suggestor\WinToFlashSuggestor.dll (Novicorp LLC)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.43.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> D:\Program Files\Acrobat\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default -> F9727453D9DEE32FE31F0A845AB62D141852DC201FC8FE329AEF28DD9542658E
CHR Profile: C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (WinToFlash Suggestor) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\acaoakiamfeidcmgooclgeleejkbaecf [2014-03-23]
CHR Extension: (Google Docs) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-23]
CHR Extension: (Google Drive) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-23]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-01]
CHR Extension: (YouTube) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-23]
CHR Extension: (Google Search) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-23]
CHR Extension: (Google Wallet) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-23]
CHR Extension: (Gmail) - C:\Users\rysak\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-23]
CHR HKLM\...\Chrome\Extension: [acaoakiamfeidcmgooclgeleejkbaecf] - C:\Program Files\WinToFlash Suggestor\WinToFlashSuggestor.crx [2012-04-09]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 CLEDX; C:\Windows\System32\DRIVERS\cledx.sys [33792 2005-05-09] (Team H2O) [File not signed]
R3 L1E; C:\Windows\System32\DRIVERS\L1E62x86.sys [47104 2009-07-14] (Atheros Communications, Inc.)
S2 Nsynas32; C:\Windows\system32\Drivers\Nsynas32.sys [17784 2001-04-09] (Syncrosoft Hard- und Software GmbH) [File not signed]
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2013-08-22] (The OpenVPN Project)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-11 11:31 - 2014-10-11 11:32 - 00007055 _____ () C:\Users\rysak\Desktop\FRST.txt
2014-10-11 11:30 - 2014-10-11 11:31 - 00000000 ___DC () C:\FRST
2014-10-11 11:27 - 2014-10-11 11:27 - 00112640 _____ (forum.viry.cz) C:\Users\rysak\Desktop\FRSTLauncher.exe
2014-10-11 11:25 - 2014-10-11 11:25 - 01101312 _____ (Farbar) C:\Users\rysak\Desktop\FRST.exe
2014-10-10 06:27 - 2014-10-10 06:27 - 00000000 ____D () C:\Users\rysak\AppData\Roaming\Publish Providers
2014-10-10 06:22 - 2014-10-10 06:22 - 00159271 _____ () C:\Windows\EXPStudio Audio Editor 3.8 Uninstaller.exe.bak
2014-10-10 06:22 - 2014-10-10 06:22 - 00000000 ___DC () C:\Program Files\Common Files\AVSMedia
2014-10-10 06:16 - 2014-10-10 06:21 - 00002432 _____ () C:\Users\rysak\Documents\Register Sound Forge Audio Studio.htm
2014-10-10 06:14 - 2014-10-10 06:15 - 00000000 ____D () C:\Users\rysak\AppData\Local\Sony
2014-10-10 06:14 - 2014-10-10 06:14 - 00000000 ___DC () C:\Program Files\Sony
2014-10-10 06:14 - 2014-10-10 06:14 - 00000000 ____D () C:\ProgramData\Sony
2014-10-10 06:14 - 2014-10-10 06:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sony
2014-10-10 06:10 - 2014-10-10 06:27 - 00000000 ____D () C:\Users\rysak\AppData\Roaming\Sony
2014-10-08 19:08 - 2014-10-08 19:28 - 00000000 ___DC () C:\Program Files\CyberGhost 5
2014-10-08 18:55 - 2014-10-08 18:55 - 00000000 ____D () C:\Users\rysak\AppData\Roaming\AutoHideIP
2014-10-08 18:55 - 2014-10-08 18:55 - 00000000 ____D () C:\ProgramData\AutoHideIP
2014-09-16 11:38 - 2014-08-18 23:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-16 11:37 - 2014-08-19 19:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-16 11:37 - 2014-08-19 00:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-16 11:37 - 2014-08-19 00:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-16 11:37 - 2014-08-18 23:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-16 11:37 - 2014-08-18 23:57 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-16 11:37 - 2014-08-18 23:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-16 11:37 - 2014-08-18 23:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-16 11:37 - 2014-08-18 23:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-16 11:37 - 2014-08-18 23:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-16 11:37 - 2014-08-18 23:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-16 11:37 - 2014-08-18 23:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-16 11:37 - 2014-08-18 23:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-16 11:37 - 2014-08-18 23:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-16 11:37 - 2014-08-18 23:36 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-16 11:37 - 2014-08-18 23:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-16 11:37 - 2014-08-18 23:30 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-16 11:37 - 2014-08-18 23:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-16 11:37 - 2014-08-18 23:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-16 11:37 - 2014-08-18 23:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-16 11:37 - 2014-08-18 23:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-16 11:37 - 2014-08-18 23:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-16 11:37 - 2014-08-18 23:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-16 11:37 - 2014-08-18 23:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-16 11:37 - 2014-08-18 23:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-16 11:37 - 2014-08-18 23:08 - 00673792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-16 11:37 - 2014-08-18 23:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-16 11:37 - 2014-08-18 22:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-16 11:37 - 2014-08-18 22:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-16 11:37 - 2014-08-18 22:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-12 18:53 - 2014-07-07 03:40 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-12 18:53 - 2014-07-07 03:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-11 11:27 - 2013-11-27 12:59 - 00000000 ____D () C:\Users\rysak\Documents\Soubory aplikace Outlook
2014-10-11 11:24 - 2010-11-20 23:01 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-11 10:57 - 2013-09-23 21:57 - 01772276 _____ () C:\Windows\WindowsUpdate.log
2014-10-11 10:52 - 2013-09-23 22:47 - 00000938 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-10 17:19 - 2009-07-14 06:34 - 00034128 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-10 17:19 - 2009-07-14 06:34 - 00034128 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-10 17:15 - 2014-04-14 17:22 - 00000000 ____D () C:\Users\rysak\Desktop\k prodeji
2014-10-10 17:12 - 2014-08-30 10:43 - 00002274 _____ () C:\Windows\setupact.log
2014-10-10 17:12 - 2013-09-23 22:47 - 00000934 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-10 17:12 - 2009-07-14 06:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-09 19:16 - 2010-11-20 23:48 - 00020764 _____ () C:\Windows\PFRO.log
2014-10-08 18:59 - 2013-09-23 22:26 - 00000000 ____D () C:\Users\rysak\AppData\Local\VirtualStore
2014-09-19 20:26 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-09-15 09:06 - 2013-09-23 22:43 - 00231568 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-09-12 19:20 - 2013-09-23 22:50 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

Some content of TEMP:
====================
C:\Users\rysak\AppData\Local\Temp\arctic-loop.exe
C:\Users\rysak\AppData\Local\Temp\setup.exe
C:\Users\rysak\AppData\Local\Temp\setupv.exe
C:\Users\rysak\AppData\Local\Temp\Sony Sound Forge Pro 10.0.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

===***===***===***=== Extract of Additional scan result of Farbar Recovery Scan Tool ===***===***===***===

==================== Drive and Memory info ===================

==================== MBR and Partition Table ==================

==================== Scheduled Tasks (whitelisted) ==================

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Alternate Data Streams (whitelisted) ==================

==================== Security Center ==================

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

===***===***===***=== Supplementary Scan createdy by FRSTLauncher ===***===***===***===
Posledni aktualizace FRSTLauncheru: 25_11_2013 (01)
Posledni aktualizace Modifikacniho skriptu: 30_09_2013 (01)

***** Velikost "Plochy" *****

Velikost slozky "C:\Users\rysak\Desktop" je 11 MB.

***** Startup Programs *****

***** Firewall rules *****

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

***** System Restore *****

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"Generalize_DisableSR"=dword:00000000

==================== End Of Log ==============================

rjesa · #4 Příspěvek od **rjesa** » 11 říj 2014 10:57

a tady posilam log z USBFix. Pro jistotu jsem nic krome logu dal nic nedelal (+ radeji zminuji predem, Win 7 prof mam koser - pc mam z byvale prace)

############################## | UsbFix V 7.183 | [Research]

User: rysak (Administrator) # RYSAK-PC
Updated 30/09/2014 by El Desaparecido - SosVirus
Started at 11:51:39 | 11/10/2014

Website : http://www.en.usbfix.net/
Changelog : http://www.en.usbfix.net/changelog/
Support : http://www.sosvirus.net/
Upload Malware : http://www.sosvirus.net/upload_malware.php
Live detection : http://how-to-remove.us/
Contact : http://www.en.usbfix.net/contact/

################## | System information |

MB: Acer ()
CPU: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
GC: Mobile Intel(R) 945 Express Chipset Family
RAM -> [Total : 1012 Mo | Free : 233 Mo]
Bios: Acer
Boot: Normal boot

OS: Microsoft™ Windows 7 Professional (6.1.7601 32-Bit) Service Pack 1
WB: Internet Explorer : 11.00.9600.16428
WB: Google Chrome : 37.0.2062.120

################## | Security Information |

AS: Windows Defender [Enabled |Updated]
FW: Windows Firewall [Enabled]
SC: Security Center [Enabled]
WU: Windows Update [Enabled]

################## | Disk Information |

C:\ (%SystemDrive%) -> Fixed disk # 15 Gb (204 Mb free - 1%) [] # NTFS
D:\ -> Fixed disk # 213 Gb (33 Gb free - 15%) [] # NTFS
E:\ -> Removable disk # 7 Gb (457 Mb free - 6%) [] # FAT32

################## | Regedit Run |

F2 - HKLM\..\Winlogon : [Shell] explorer.exe
F2 - HKLM\..\Winlogon : [Userinit] C:\Windows\system32\userinit.exe,
04 - HKCU\..\Run : [process] wscript.exe //B "C:\Users\rysak\AppData\Local\Temp\process.vbs"
04 - HKLM\..\Run : [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
04 - HKLM\..\Run : [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
04 - HKLM\..\Run : [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
04 - HKLM\..\Run : [AutoKMS] C:\Windows\AutoKMS.exe
04 - HKLM\..\Run : [mspkadvkSrv] "C:\Windows\system32\mspkadvk.vbe" msqhaq msunso
04 - HKLM\..\Run : [IgfxTray] C:\Windows\system32\igfxtray.exe
04 - HKLM\..\Run : [HotKeysCmds] C:\Windows\system32\hkcmd.exe
04 - HKLM\..\Run : [Persistence] C:\Windows\system32\igfxpers.exe
04 - HKU\S-1-5-19\..\Run : [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
04 - HKU\S-1-5-20\..\Run : [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
04 - HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\..\Run : [process] wscript.exe //B "C:\Users\rysak\AppData\Local\Temp\process.vbs"
04 - HKU\S-1-5-19\..\RunOnce : [mctadmin] C:\Windows\System32\mctadmin.exe
04 - HKU\S-1-5-20\..\RunOnce : [mctadmin] C:\Windows\System32\mctadmin.exe

################## | Generic Research |

Found! C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs
Found! E:\process.vbs
Found! C:\Users\rysak\AppData\Local\Temp\process.vbs
Found! C:\Windows\system32\mspkadvk.vbe
Found! E:\technician.lnk
Found! E:\cmfd.lnk
Found! E:\System Volume Information.lnk
Found! E:\Tor Browser.lnk
Found! C:\Users\rysak\AppData\Local\Temp\RarSFX0\process.vbs

################## | Registry |

Found! HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\Software\Microsoft\Windows\CurrentVersion\Run|process
Found! HKCU\Software\Microsoft\Windows\CurrentVersion\Run|process
Found! HKLM\Software\Microsoft\Windows\CurrentVersion\Run|mspkadvkSrv

################## | UsbFix - Information |

Info : How to remove shortcut virus on flash disk (Video)
Info : Shortcut virus on flash disk, What is it ?

################## | Hijack |

Hijacked! [SHD] E:\cmfd
Hijacked! [SH] E:\technician.xml
Hijacked! [SHD] E:\Tor Browser
Hijacked! [SH] E:\process.vbs

################## | E.O.F | http://www.sosvirus.net/ | [url=http://www.en.usbfix.net/

#5 Příspěvek od **vyosek** » 12 říj 2014 16:48

V USBFixu pouzijte funkci Clean, log pak sem

rjesa · #6 Příspěvek od **rjesa** » 14 říj 2014 07:01

vkladam log. Jen pro info log z FRST byl v poradku?

############################## | UsbFix V 7.183 | [Clean]

User: rysak (Administrator) # RYSAK-PC
Updated 30/09/2014 by El Desaparecido - SosVirus
Started at 07:55:33 | 14/10/2014

Website : http://www.en.usbfix.net/
Changelog : http://www.en.usbfix.net/changelog/
Support : http://www.sosvirus.net/
Upload Malware : http://www.sosvirus.net/upload_malware.php
Live detection : http://how-to-remove.us/
Contact : http://www.en.usbfix.net/contact/

################## | System information |

MB: Acer ()
CPU: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
GC: Mobile Intel(R) 945 Express Chipset Family
RAM -> [Total : 1012 Mo | Free : 314 Mo]
Bios: Acer
Boot: Normal boot

OS: Microsoft™ Windows 7 Professional (6.1.7601 32-Bit) Service Pack 1
WB: Internet Explorer : 11.00.9600.16428
WB: Google Chrome : 37.0.2062.120

################## | Security Information |

AS: Windows Defender [Enabled |Updated]
FW: Windows Firewall [Enabled]
SC: Security Center [Enabled]
WU: Windows Update [Enabled]

################## | Disk Information |

C:\ (%SystemDrive%) -> Fixed disk # 15 Gb (614 Mb free - 4%) [] # NTFS
D:\ -> Fixed disk # 213 Gb (33 Gb free - 16%) [] # NTFS
E:\ -> Removable disk # 7 Gb (458 Mb free - 6%) [] # FAT32

################## | Generic Research |

(!) Temporary files deleted. (0.125126838684082 MB)

################## | Registry |

################## | Regedit Run |

F2 - HKLM\..\Winlogon : [Shell] explorer.exe
F2 - HKLM\..\Winlogon : [Userinit] C:\Windows\system32\userinit.exe,
04 - HKLM\..\Run : [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
04 - HKLM\..\Run : [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
04 - HKLM\..\Run : [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
04 - HKLM\..\Run : [AutoKMS] C:\Windows\AutoKMS.exe
04 - HKLM\..\Run : [IgfxTray] C:\Windows\system32\igfxtray.exe
04 - HKLM\..\Run : [HotKeysCmds] C:\Windows\system32\hkcmd.exe
04 - HKLM\..\Run : [Persistence] C:\Windows\system32\igfxpers.exe
04 - HKU\S-1-5-19\..\Run : [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
04 - HKU\S-1-5-20\..\Run : [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
04 - HKU\S-1-5-19\..\RunOnce : [mctadmin] C:\Windows\System32\mctadmin.exe
04 - HKU\S-1-5-20\..\RunOnce : [mctadmin] C:\Windows\System32\mctadmin.exe

################## | UsbFix - Information |

Info : How to remove shortcut virus on flash disk (Video)
Info : Shortcut virus on flash disk, What is it ?

################## | Hijack |

################## | C:\ %SystemDrive% - Fixed drive (NTFS) |

[10/06/2009 - 23:42:20 | AC | 0 Ko] - C:\config.sys
[10/10/2014 - 17:12:14 | ASH | 777180 Ko] - C:\hiberfil.sys
[10/10/2014 - 17:12:17 | ASH | 811956 Ko] - C:\pagefile.sys
[23/09/2013 - 22:27:01 | SHDC] - C:\$Recycle.Bin
[10/06/2009 - 23:42:20 | AC | 0 Ko] - C:\autoexec.bat
[14/07/2009 - 04:37:05 | DC] - C:\PerfLogs
[14/07/2009 - 06:53:55 | SHD] - C:\Documents and Settings
[23/09/2013 - 22:26:33 | SHD] - C:\Recovery
[23/09/2013 - 22:26:48 | RD] - C:\Users
[23/09/2013 - 22:43:46 | DC] - C:\Intel
[25/09/2013 - 13:17:27 | RHDC] - C:\MSOCache
[30/07/2014 - 10:45:46 | DC] - C:\UpdateChromeLinksLogs
[11/10/2014 - 11:30:32 | D] - C:\Windows
[11/10/2014 - 11:31:21 | DC] - C:\FRST
[11/10/2014 - 15:35:20 | SHD] - C:\System Volume Information
[11/10/2014 - 15:35:56 | RDC] - C:\Program Files
[11/10/2014 - 15:35:56 | HD] - C:\ProgramData
[14/10/2014 - 07:52:52 | DC] - C:\UsbFix

################## | D:\ - Fixed drive (NTFS) |

[08/10/2014 - 18:47:24 | A | 0 Ko] - [VirusTotal - (0/51)] - D:\ioSpecial.ini
[23/09/2013 - 22:27:01 | SHD] - D:\$RECYCLE.BIN
[23/09/2013 - 19:48:55 | SHD] - D:\System Volume Information
[29/01/2014 - 15:43:25 | D] - D:\Skolni
[10/02/2014 - 23:18:29 | D] - D:\Bordel
[14/02/2014 - 14:15:40 | D] - D:\Tvorba
[22/03/2014 - 21:07:35 | D] - D:\RYsak mob
[23/03/2014 - 15:36:09 | D] - D:\Film
[23/03/2014 - 15:36:09 | D] - D:\Foto
[14/04/2014 - 23:08:45 | D] - D:\Dokumenty
[17/04/2014 - 23:42:53 | D] - D:\Pracovni
[25/04/2014 - 17:08:16 | D] - D:\Knihy
[10/10/2014 - 05:40:56 | D] - D:\Programy
[10/10/2014 - 07:13:00 | D] - D:\Hudba
[10/10/2014 - 17:14:05 | D] - D:\Program Files
[11/10/2014 - 11:50:58 | D] - D:\Download

################## | E:\ - Removable drive (FAT32) |

[28/04/2014 - 13:49:10 | N | 280 Ko] - E:\technician.xml
[22/08/2014 - 12:02:24 | D] - E:\cmfd
[19/09/2014 - 10:55:14 | SHD] - E:\System Volume Information
[25/09/2014 - 10:31:14 | D] - E:\Tor Browser

################## | Vaccin |

C:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
D:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
E:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)

################## | E.O.F | http://www.sosvirus.net/ | http://www.en.usbfix.net/ |

Dekuji moc a preji pekny den.

Richard

#7 Příspěvek od **vyosek** » 14 říj 2014 09:41

Tvorba fixlistu pro FRST

Spustte poznamkovy blok (Start-spustit-notepad)
Zkopirujte skript nize

Kód: Vybrat vše

Start
CloseProcesses:

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AutoKMS] => C:\Windows\AutoKMS.exe [615936 2013-10-31] ()
HKLM\...\Run: [mspkadvkSrv] => C:\Windows\system32\mspkadvk.vbe [583 2013-12-10] ()
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\...\Run: [process] => wscript.exe //B "C:\Users\rysak\AppData\Local\Temp\process.vbs" <===== ATTENTION
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\...\MountPoints2: {671eb776-b28a-11e3-976f-00269e59cfba} - "H:\WD Drive Unlock.exe" autoplay=true
Startup: C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs ()

C:\Windows\AutoKMS.exe
C:\Windows\system32\mspkadvk.vbe
C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs
2014-10-11 11:31 - 2014-10-11 11:32 - 00007055 _____ () C:\Users\rysak\Desktop\FRST.txt
2014-10-11 11:27 - 2014-10-11 11:27 - 00112640 _____ (forum.viry.cz) C:\Users\rysak\Desktop\FRSTLauncher.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

Hosts:
EmptyTemp:
Reboot:
End

Ulozte vytvoreny TXT jako fixlist.txt
Presunte vytvoreny fixlist vedle FRST

Spustte znovu FRST.exe

Kliknete na Fix
Probehne oprava a vytvori log Fixlog.txt

Restart PC a dejte mi sem fixlog.txt

rjesa · #8 Příspěvek od **rjesa** » 14 říj 2014 19:14

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-10-2014 01
Ran by rysak at 2014-10-14 20:03:34 Run:1
Running from C:\Users\rysak\Desktop
Loaded Profile: rysak (Available profiles: rysak)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
CloseProcesses:

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AutoKMS] => C:\Windows\AutoKMS.exe [615936 2013-10-31] ()
HKLM\...\Run: [mspkadvkSrv] => C:\Windows\system32\mspkadvk.vbe [583 2013-12-10] ()
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\...\Run: [process] => wscript.exe //B "C:\Users\rysak\AppData\Local\Temp\process.vbs" <===== ATTENTION
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\...\MountPoints2: {671eb776-b28a-11e3-976f-00269e59cfba} - "H:\WD Drive Unlock.exe" autoplay=true
Startup: C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs ()

C:\Windows\AutoKMS.exe
C:\Windows\system32\mspkadvk.vbe
C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs
2014-10-11 11:31 - 2014-10-11 11:32 - 00007055 _____ () C:\Users\rysak\Desktop\FRST.txt
2014-10-11 11:27 - 2014-10-11 11:27 - 00112640 _____ (forum.viry.cz) C:\Users\rysak\Desktop\FRSTLauncher.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

Hosts:
EmptyTemp:
Reboot:
End
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe ARM => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AutoKMS => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\mspkadvkSrv => Value not found.
HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\Software\Microsoft\Windows\CurrentVersion\Run\\process => Value not found.
"HKU\S-1-5-21-2745482378-3565376213-1766315377-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{671eb776-b28a-11e3-976f-00269e59cfba}" => Key deleted successfully.
"HKCR\CLSID\{671eb776-b28a-11e3-976f-00269e59cfba}" => Key not found.
C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs not found.
C:\Windows\AutoKMS.exe => Moved successfully.
"C:\Windows\system32\mspkadvk.vbe" => File/Directory not found.
"C:\Users\rysak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\process.vbs" => File/Directory not found.
"C:\Users\rysak\Desktop\FRST.txt" => File/Directory not found.
"C:\Users\rysak\Desktop\FRSTLauncher.exe" => File/Directory not found.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 384 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====

#9 Příspěvek od **vyosek** » 15 říj 2014 19:57

Tak jeste uklidime

T-Cleaner http://vyosek.tym.cz/pro_usery/T-Cleaner.exe

Stahnete a spustte
Pro potvrzeni volby mackejte A, Enter
Po pouziti utilitu smazte
Antiviry touhou utilitu chybne oznacit jako vir - jedna se o falesny poplach - takze v pohode stahnete (pripadne vypnete pri stahovani antivir)

OTC http://oldtimer.geekstogo.com/OTC.exe

Stahnete a spustte
Kliknete na CleanUp a potvrdte YES
Program uklidi a restartuje PC

TFC http://oldtimer.geekstogo.com/TFC.exe

Stahnete a spustte
Kliknete na Start a potvrdte OK
Program uklidi a restartuje pc
Po pouziti utilitu smazte

Stahnete Ccleaner http://forum.viry.cz/viewtopic.php?t=7478
Panel čistič

Vse nechte jak je, jen dejte Analyzovat a pote Spustit CCleaner

Panel registry

dejte Hledej problémy
nasledne Opravit problémy - zalohu registru doporucuji udelat, opravte vsechny problemy
postup opakujte dokud nebude bez problemu - vetsinou cca 3x

Panel nástroje

Zde muzete odinstalovat nepotrebne programy

CCleaner doporucuji pouzivat cca jednou za tyden

A pokud nejsou problemy ci dotazy, je to z me strany vse

VIRY.CZ

problém s USB - asi trojan

problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan

Re: problém s USB - asi trojan