TorLocker 2.0

Zpráva

Aljushka · #31 Příspěvek od **Aljushka** » 29 říj 2014 20:30

Výpis z fixlistu:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-10-2014
Ran by ALA at 2014-10-29 20:26:18 Run:2
Running from C:\Users\ALA\Desktop
Loaded Profile: ALA (Available profiles: ALA)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\MountPoints2: {143d5d34-0bdd-11df-9f69-806e6f6e6963} - E:\AUTORUN.exe
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\MountPoints2: {262ea2c0-02cc-11e1-bbdd-806e6f6e6963} - F:\Setup.exe
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\MountPoints2: {343fd7f6-d04b-11df-94af-c7b98ae35ca0} - F:\autorun.exe
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\MountPoints2: {53cbc8b1-485b-11df-a14c-002622fcf678} - F:\USBAutoRun.exe
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\...\MountPoints2: {a40e874d-75ae-11e1-ac4c-002622fcf678} - I:\LGAutoRun.exe
DPF: HKLM {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
DPF: HKLM {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-be ... canner.cab
DPF: HKLM-x32 {3860DD98-0549-4D50-AA72-5D17D200EE10}
DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} http://trial.trymicrosoftoffice.com/tri ... /wrc32.ocx
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR Extension: (SocialPlus!) - C:\Users\ALA\AppData\Local\Google\Chrome\User Data\Default\Extensions\eidogommnbbcgnhfjkcgjnlonijjhmjl [2010-06-30]
CHR Extension: (Peněženka Google) - C:\Users\ALA\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-21]
C:\Users\ALA\Downloads\X-Ray-Scanner.apk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cube World + Crack [CZ]
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value deleted successfully.
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
"HKU\S-1-5-21-3143607116-3805704415-591616805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{143d5d34-0bdd-11df-9f69-806e6f6e6963}" => Key deleted successfully.
"HKCR\CLSID\{143d5d34-0bdd-11df-9f69-806e6f6e6963}" => Key not found.
"HKU\S-1-5-21-3143607116-3805704415-591616805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{262ea2c0-02cc-11e1-bbdd-806e6f6e6963}" => Key deleted successfully.
"HKCR\CLSID\{262ea2c0-02cc-11e1-bbdd-806e6f6e6963}" => Key not found.
"HKU\S-1-5-21-3143607116-3805704415-591616805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{343fd7f6-d04b-11df-94af-c7b98ae35ca0}" => Key deleted successfully.
"HKCR\CLSID\{343fd7f6-d04b-11df-94af-c7b98ae35ca0}" => Key not found.
"HKU\S-1-5-21-3143607116-3805704415-591616805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{53cbc8b1-485b-11df-a14c-002622fcf678}" => Key deleted successfully.
"HKCR\CLSID\{53cbc8b1-485b-11df-a14c-002622fcf678}" => Key not found.
"HKU\S-1-5-21-3143607116-3805704415-591616805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a40e874d-75ae-11e1-ac4c-002622fcf678}" => Key deleted successfully.
"HKCR\CLSID\{a40e874d-75ae-11e1-ac4c-002622fcf678}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3860DD98-0549-4D50-AA72-5D17D200EE10}" => Key deleted successfully.
"HKCR\CLSID\{3860DD98-0549-4D50-AA72-5D17D200EE10}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}" => Key deleted successfully.
"HKCR\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{3860DD98-0549-4D50-AA72-5D17D200EE10}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{3860DD98-0549-4D50-AA72-5D17D200EE10}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{C345E174-3E87-4F41-A01C-B066A90A49B4}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{C345E174-3E87-4F41-A01C-B066A90A49B4}" => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Users\ALA\AppData\Local\Google\Chrome\User Data\Default\Extensions\eidogommnbbcgnhfjkcgjnlonijjhmjl => Moved successfully.
C:\Users\ALA\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
C:\Users\ALA\Downloads\X-Ray-Scanner.apk => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cube World + Crack [CZ] => Moved successfully.

==== End of Fixlog ====

#32 Příspěvek od **motji** » 30 říj 2014 07:15

Co počítač?

Aljushka · #33 Příspěvek od **Aljushka** » 30 říj 2014 09:58

motji píše:Co počítač?

žel vir je tam pořád

na ploše stále svítí ten rudej obrázek s hláškou.

spustila jsem opětovně Malwarebytes a dala Threat scan a našlo jen tohle a konečně mi šel udělat log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 30. 10. 2014
Scan Time: 9:28:03
Logfile: log.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.29.07
Rootkit Database: v2014.10.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: ALA

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337364
Time Elapsed: 25 min, 40 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.FrostwireTB.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [46353ae00d6fcf678453559048baac54],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

#34 Příspěvek od **motji** » 30 říj 2014 10:02

Smažte a restart. pak napište. Zkuste ještě v nouzovém režimu ten Zoek.

Aljushka · #35 Příspěvek od **Aljushka** » 30 říj 2014 10:45

motji píše:Smažte a restart. pak napište. Zkuste ještě v nouzovém režimu ten Zoek.

odmazáno, restartováno - beze změny.
zoek nejde ani v nouzovém režimu - vypíná mi Windows a ntb. nevím proč.

#36 Příspěvek od **motji** » 30 říj 2014 11:24

Tak jinak

Spusťte combofix podle tohoto návodu
http://www.bleepingcomputer.com/combofi ... t-combofix

Aljushka · #37 Příspěvek od **Aljushka** » 30 říj 2014 12:51

motji píše:Tak jinak

Spusťte combofix podle tohoto návodu
http://www.bleepingcomputer.com/combofi ... t-combofix

výsledek Combofixu:

ComboFix 14-10-29.01 - ALA . 10. 2014 12:20:35.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.420.1029.18.3958.2486 [GMT 1:00]
Spuštěný z: c:\users\ALA\Desktop\ComboFix.exe
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\ESET\MiNODLogin
c:\program files (x86)\ESET\MiNODLogin\core.jar
c:\program files (x86)\ESET\MiNODLogin\MiNODLogin.jar
c:\program files (x86)\ESET\MiNODLogin\native-lib.dll
c:\program files (x86)\ESET\MiNODLogin\servidores.xml
c:\users\ALA\AppData\Roaming\inst.exe
c:\users\ALA\AppData\Roaming\vso_ts_preview.xml
c:\windows\IsUn0405.exe
c:\windows\IsUn0407.exe
c:\windows\iun6002.exe
c:\windows\msdownld.tmp
c:\windows\WindowsUpdate.log
D:\install.exe
.
c:\windows\ehome\ehrec.exe . . . je infikován!!
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2014-09-28 do 2014-10-30 )))))))))))))))))))))))))))))))
.
.
2014-10-30 11:35 . 2014-10-30 11:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-29 11:09 . 2014-10-30 11:17 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-29 11:08 . 2014-10-01 10:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-29 11:08 . 2014-10-01 10:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-29 11:08 . 2014-10-01 10:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-29 11:08 . 2014-10-29 11:09 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-10-29 10:33 . 2014-10-29 10:33 -------- d-----w- C:\zoek_backup
2014-10-29 08:16 . 2014-10-29 08:20 -------- d-----w- C:\AdwCleaner
2014-10-29 08:10 . 2014-10-29 08:10 -------- d-----w- c:\windows\ERUNT
2014-10-28 21:53 . 2014-10-28 21:53 -------- d-----w- c:\program files\CCleaner
2014-10-28 19:43 . 2014-10-28 19:43 110080 ----a-r- c:\users\ALA\AppData\Roaming\Microsoft\Installer\{ACF5FE1B-3772-4068-8B87-2D2A6EFD0A05}\Icon1226A4C5.exe
2014-10-28 19:43 . 2014-10-28 19:43 -------- d-----w- c:\program files\Enigma Software Group
2014-10-28 19:42 . 2014-10-29 11:55 -------- d-----w- c:\windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
2014-10-28 19:41 . 2014-10-28 19:41 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2014-10-28 18:17 . 2014-10-29 19:27 -------- d-----w- C:\FRST
2014-10-26 17:27 . 2014-10-27 07:55 -------- d-----w- c:\windows\SysWow64\bitstreams
2014-10-26 17:27 . 2013-10-26 20:30 364544 --s-a-w- c:\windows\SysWow64\ssleay32.dll
2014-10-26 17:27 . 2013-06-12 15:15 100864 --s-a-w- c:\windows\SysWow64\zlib1.dll
2014-10-26 17:27 . 2013-10-26 20:30 538126 --s-a-w- c:\windows\SysWow64\libcurl-4.dll
2014-10-26 17:27 . 2013-10-26 20:30 192512 --s-a-w- c:\windows\SysWow64\libidn-11.dll
2014-10-26 17:27 . 2013-10-26 20:30 171008 --s-a-w- c:\windows\SysWow64\libssh2.dll
2014-10-26 17:27 . 2013-10-26 20:30 1704448 --s-a-w- c:\windows\SysWow64\libeay32.dll
2014-10-26 17:27 . 2013-10-26 20:30 133632 --s-a-w- c:\windows\SysWow64\librtmp.dll
2014-10-26 17:27 . 2013-06-12 15:15 119888 --s-a-w- c:\windows\SysWow64\pthreadGC2.dll
2014-10-26 17:27 . 2012-09-25 23:46 472424 --s-a-w- c:\windows\SysWow64\cudart32_50_35.dll
2014-10-26 17:27 . 2012-05-27 01:36 55808 --s-a-w- c:\windows\SysWow64\pthreadVC2.dll
2014-10-13 18:37 . 2014-10-13 18:38 -------- d-----w- c:\program files (x86)\RustCZ
2014-10-11 18:27 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-10-11 18:27 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2014-10-11 18:24 . 2014-07-07 02:06 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-10-11 18:24 . 2014-07-07 02:06 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-11 18:24 . 2014-07-07 01:40 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-10-11 18:24 . 2014-07-07 01:40 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-10-11 18:24 . 2014-07-07 01:39 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-10-11 18:24 . 2014-09-05 02:10 578048 ----a-w- c:\windows\system32\aepdu.dll
2014-10-11 18:24 . 2014-09-05 02:05 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-10-11 18:24 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
2014-10-11 18:24 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-10-11 18:22 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-10-11 18:22 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-10-11 18:22 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
2014-10-11 18:22 . 2014-08-01 11:53 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-10-11 18:22 . 2014-08-01 11:35 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-10-11 18:22 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-10-11 18:22 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-10-11 18:22 . 2014-06-24 03:29 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2014-10-11 18:22 . 2014-06-24 02:59 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2014-10-06 18:14 . 2014-10-06 18:15 -------- d-----w- c:\programdata\Blizzard Entertainment
2014-10-06 18:14 . 2014-10-06 18:14 -------- d-----w- c:\program files (x86)\Phenomedia AG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-11 18:28 . 2010-02-26 17:48 101694776 ----a-w- c:\windows\system32\MRT.exe
2014-10-02 13:53 . 2010-02-23 16:58 278152 ------w- c:\windows\system32\MpSigStub.exe
2014-09-28 16:37 . 2012-06-02 15:54 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-28 16:37 . 2011-08-12 21:50 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-22 12:30 . 2014-09-22 12:31 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-09-09 02:05 . 2014-10-30 11:17 11578928 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C117A6CB-A816-47C7-A31F-786D50913361}\mpengine.dll
2014-08-03 14:23 . 2014-08-03 14:48 107552 ----a-w- c:\windows\SysWow64\EasyAntiCheat.exe
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-11-12 1647448]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-09-26 6482200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Monitor.lnk - c:\program files (x86)\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-9-20 91464]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2010-12-21 291896]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 EasyAntiCheat;EasyAntiCheat;c:\windows\system32\EasyAntiCheat.exe;c:\windows\SYSNATIVE\EasyAntiCheat.exe [x]
R3 esihdrv;esihdrv; [x]
R3 FlashUSB;FlashUSB;c:\windows\system32\DRIVERS\FlashUSB_x64.sys;c:\windows\SYSNATIVE\DRIVERS\FlashUSB_x64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys;c:\windows\SYSNATIVE\drivers\massfilter.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\SYSTEM32\SUPDSVC.EXE;c:\windows\SYSNATIVE\SUPDSVC.EXE [x]
R3 sp_prot;System Protect Filter Driver;c:\windows\SysWOW64\drivers\sp_prot.sys;c:\windows\SysWOW64\drivers\sp_prot.sys [x]
R3 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD ALERT\TOSSMARTSRV.EXE;c:\program files\TOSHIBA\TOSHIBA HDD SSD ALERT\TOSSMARTSRV.EXE [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Služba Technologie aktivace Windows;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [x]
R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfp.sys [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys;c:\windows\SYSNATIVE\Drivers\SmartDefragDriver.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys;c:\windows\SYSNATIVE\DRIVERS\EpfwLWF.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz134_x64.sys [x]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [x]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe;c:\program files (x86)\Secunia\PSI\PSIA.exe [x]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe;c:\program files (x86)\Secunia\PSI\sua.exe [x]
S2 SP_Service;System Protect Deletion Prevention Service;c:\program files (x86)\System Protect\SysProtect_srv.exe;c:\program files (x86)\System Protect\SysProtect_srv.exe [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys;c:\windows\SYSNATIVE\Drivers\pcouffin.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
.
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - MBAMSWISSARMY
.
Obsah adresáře 'Naplánované úlohy'
.
2014-10-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-02 16:37]
.
2014-10-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3143607116-3805704415-591616805-1000Core.job
- c:\users\ALA\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-04-25 16:30]
.
2014-10-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3143607116-3805704415-591616805-1000UA.job
- c:\users\ALA\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-04-25 16:30]
.
2014-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 19:45]
.
2014-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 19:45]
.
2014-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3143607116-3805704415-591616805-1000Core.job
- c:\users\ALA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-02 11:41]
.
2014-10-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3143607116-3805704415-591616805-1000UA.job
- c:\users\ALA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-02 11:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 4035152]
.
------- Doplňkový sken -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearchAssistant =
IE: E&xportovať do programu Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-Hejbejte se kosti moje - c:\windows\IsUn0405.exe
AddRemove-Moorhuhn Winter-Edition - c:\windows\IsUn0407.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{55E19115-8EF8-465C-90AC-DEACC491B0CC}"=hex:51,66,7a,6c,4c,1d,38,12,7b,92,f2,
51,ca,c0,32,03,ef,ba,9d,ec,c1,cf,f4,d8
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}"=hex:51,66,7a,6c,4c,1d,38,12,07,04,c9,
0f,40,b3,9a,0c,ed,70,a2,bb,05,11,09,9b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=hex:51,66,7a,6c,4c,1d,38,12,7b,ba,ea,
34,67,f9,48,0d,fd,1d,4b,bb,a3,e3,60,89
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:77,bf,48,a2,f3,fb,cb,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,44,b0,00,2b,35,60,4d,48,ac,fd,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,44,b0,00,2b,35,60,4d,48,ac,fd,0b,\
.
[HKEY_USERS\S-1-5-21-3143607116-3805704415-591616805-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0a,08,29,d0,37,5b,44,dc,ab,62,7d,04,65,23,35,de,92,92,f7,5a,fc,b1,bb,
17,8c,09,ea,c9,1d,4d,50,21,4b,37,8c,51,1a,14,1e,ea,9c,2d,4c,e2,46,a8,91,23,\
"??"=hex:c6,6f,c6,bb,22,8b,28,b4,13,5f,f6,ab,49,ad,79,15
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
c:\program files (x86)\Malwarebytes Anti-Malware\mbam.exe
c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
.
**************************************************************************
.
Celkový čas: 2014-10-30 12:47:12 - počítač byl restartován
ComboFix-quarantined-files.txt 2014-10-30 11:47
.
Před spuštěním: Volných bajtů: 54 557 134 848
Po spuštění: Volných bajtů: 54 154 850 304
.
- - End Of File - - 62F1F10E5E58A1B3995633C1D9053EB5

#38 Příspěvek od **motji** » 30 říj 2014 13:17

Odinstalujte nelegální eset a nahradte nějakým free antivirem

Otestujte na http://www.virustotal.com
c:\windows\ehome\ehrec.exe

Nahlašte stav pc, vše funguje, nikde nic nevyskakuje? (samozřejmě kromě těch zašifrovaných souborů)

Aljushka · #39 Příspěvek od **Aljushka** » 30 říj 2014 14:19

motji píše: Odinstalujte nelegální eset a nahradte nějakým free antivirem

Otestujte na http://www.virustotal.com
c:\windows\ehome\ehrec.exe

Nahlašte stav pc, vše funguje, nikde nic nevyskakuje? (samozřejmě kromě těch zašifrovaných souborů)

no jo, jenomže jakým? Mikrosofťáckej je k ničemu. Špatná zkušenost.

Aplikace otestována - nenalezena žádná hrozba.

NTB vypadá, že funguje jak má, okno zmizelo, žádné další nevyskakuje.
Na při přehlídce na disku D: jsem našla taky napadené složky s obrázkami a videi. Tudíž virus zasáhnul i tam.

A ještě se chci zeptat: ty prográmky, co jsem instalovala mám nechat nebo je můžu odinstalovat?

#40 Příspěvek od **motji** » 30 říj 2014 14:26

Avast je taky dobrý, nebo si Eset zaplaťte

.

Odinstalujte combofix přes Start - Spustit
- zkopírujte do okénka:

ComboFix /Uninstall

-stiskněte Enter
-To odinstaluje ComboFix a smaže s ním související soubory a složky.

***********

Stáhněte T-Cleaner
http://tharifas.sweb.cz/T-Cleaner.exe

-Spusťte,pro potvrzení volby mačkejte klávesu A, Enter
-po použití prográmek vymažte.Pozor,antiviry ho mohou falešně označit za vir

-Můžete pc ještě zkontrolovat tímto http://forum.viry.cz/viewtopic.php?f=29&t=132523

napadené soubory zatím nemažte, uvidíme, zda to pujde dešifrovat.

pročištěte registry ccleanerem

Aljushka · #41 Příspěvek od **Aljushka** » 31 říj 2014 00:53

* Combofix odinstalovanej, T - Cleaner po použití smazanej.

* Pak nainstalovanej HitmanPro - puštěný normálně a pak i přes Boot USB disk (ten už nenašel žádné hrozby - jen asi 7 položek označil za podozrivé ale ponechal je jako ignorovat.)

Výpis z toho normálního scanu:

HitmanPro 3.7.9.232
www.hitmanpro.com

Computer name . . . . : ALA-TOSH
Windows . . . . . . . : 6.1.1.7601.X64/4
User name . . . . . . : ALA-TOSH\ALA
UAC . . . . . . . . . : Disabled
License . . . . . . . : Free

Scan date . . . . . . : 2014-10-30 23:41:33
Scan mode . . . . . . : Normal
Scan duration . . . . : 8m 16s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 31

Objects scanned . . . : 2 223 689
Files scanned . . . . : 85 715
Remnants scanned . . : 502 698 files / 1 635 276 keys

Suspicious files ____________________________________________________________

C:\Users\ALA\AppData\Local\PunkBuster\GRO\pb\pbcl.dll
Size . . . . . . . : 957 254 bytes
Age . . . . . . . : 649.2 days (2013-01-19 19:59:59)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 119B810057B5BEB396E0788D092661B805D7E9AF1AD066BA3BD952DBA6064C82
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.

C:\Users\ALA\AppData\Local\PunkBuster\GRO\pb\PnkBstrK.sys
Size . . . . . . . : 141 072 bytes
Age . . . . . . . : 649.2 days (2013-01-19 20:00:34)
Entropy . . . . . : 7.8
SHA-256 . . . . . : C3A38891678AC34784E90D385B3DDEAC690E11E05A7657F9D287E7DC373D2592
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.

C:\Users\ALA\AppData\Local\PunkBuster\WAW\pb\pbcl.dll
Size . . . . . . . : 733 004 bytes
Age . . . . . . . : 283.4 days (2014-01-20 14:35:55)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 8715126E77E8E6F98B4487C11B4656ADAC59145A86D56A0370F2FAE86E40FDC7
Fuzzy . . . . . . : 25.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.

C:\Users\ALA\Desktop\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2 113 024 bytes
Age . . . . . . . : 2.2 days (2014-10-28 19:11:36)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 9414025AB0585D2AEF7C95651E20EE27AC2C02D8A57B0E42C3F50D35E02D6850
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
Forensic Cluster
0.0s C:\Users\ALA\Desktop\FRST-OlderVersion\FRST64.exe
0.0s C:\Users\ALA\Desktop\FRST-OlderVersion\FRST64.exe
0.0s C:\Users\ALA\Desktop\FRST-OlderVersion\FRST64.exe

C:\Users\ALA\GSplay\csko\cstrike\dlls\mp.dll
Size . . . . . . . : 1 316 152 bytes
Age . . . . . . . : 106.2 days (2014-07-16 18:44:25)
Entropy . . . . . : 6.7
SHA-256 . . . . . : B995320A5053343062590F3F144C64FA1E0A73608EA6EA41888E20E4E58750B6
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 26.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\ALA\GSplay\csko\hw.dll
Size . . . . . . . : 1 840 440 bytes
Age . . . . . . . : 106.2 days (2014-07-16 18:45:01)
Entropy . . . . . : 6.8
SHA-256 . . . . . : 7802A1FCC2AB1749399E455FAAE907C0DF3194386160DC4FA0164C427662FDC2
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 26.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\ALA\GSplay\csko\swds.dll
Size . . . . . . . : 1 668 968 bytes
Age . . . . . . . : 106.2 days (2014-07-16 18:45:27)
Entropy . . . . . : 6.9
SHA-256 . . . . . : B4F7C407482FC016E7D77CB0D1AEDAA99E11154B836D6FE3EDA282212504BCEF
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 26.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

Potential Unwanted Programs _________________________________________________

C:\ProgramData\BitGuard\ (SpeedUpMyPC)
C:\ProgramData\BrowserProtect\ (Claro)
facemoods.com
C:\Users\ALA\AppData\Local\Google\Chrome\User Data\Default\Web Data

C:\Users\ALA\AppData\Roaming\Uniblue\SpeedUpMyPC\ (SpeedUpMyPC)
C:\Users\ALA\AppData\Roaming\Uniblue\SpeedUpMyPC\error.log (SpeedUpMyPC)
C:\Users\ALA\AppData\Roaming\Uniblue\SpeedUpMyPC\settings.dat (SpeedUpMyPC)
C:\Users\ALA\AppData\Roaming\Uniblue\SpeedUpMyPC\state.sqlite (SpeedUpMyPC)
C:\Users\ALA\AppData\Roaming\Uniblue\SpeedUpMyPC\track_installs.txt (SpeedUpMyPC)
HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\iMesh.exe\ (iMesh)
HKLM\SOFTWARE\Classes\AppID\{C41C967C-1BD4-404c-8393-A34F94156193}\ (iMesh)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\iMesh.exe\ (iMesh)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{C41C967C-1BD4-404c-8393-A34F94156193}\ (iMesh)
HKLM\SOFTWARE\Wow6432Node\iMesh\ (iMesh)
HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC\ (SpeedUpMyPC)
HKU\.DEFAULT\Software\AppDataLow\Software\AskToolbar\ (AskBar)
HKU\.DEFAULT\Software\AppDataLow\Software\Conduit\ (Conduit)
HKU\.DEFAULT\Software\AskToolbar\ (AskBar)
HKU\S-1-5-18\Software\AppDataLow\Software\AskToolbar\ (AskBar)
HKU\S-1-5-18\Software\AppDataLow\Software\Conduit\ (Conduit)
HKU\S-1-5-18\Software\AskToolbar\ (AskBar)
HKU\S-1-5-21-3143607116-3805704415-591616805-1000\Software\MozillaPlugins\iMeshPlugin\ (iMesh)

Cookies _____________________________________________________________________

C:\Users\ALA\AppData\Roaming\Microsoft\Windows\Cookies\YRP5Z09U.txt

______________________

* Soubory nechávám nadále na disku - jelikož je to vlastně většina - tudíž to už bych pak mohla rovnou dát čistej reinstal, ale mě jde o ty data.

#42 Příspěvek od **motji** » 31 říj 2014 09:35

Tak pc je od virů čistý, reinstal vůbec dělat nemusíte.
Píšete, že většina dat je zašifrovaná?
Pc už můžete normálně používat, ty zašifrovaná data si dejte třeba na jeden disk a vyčkejte. Zatím nemám žádné info.

Aljushka · #43 Příspěvek od **Aljushka** » 31 říj 2014 11:50

ano, většina dat prostě se buď dá otevřít, ale jsou nečitelná (třeba .txt soubory) nebo mi Windows napíše při otvírání hlášky typu:
* nemohl otevřít obrázek/ soubor, protože tenhle typ / formát souboru není podporován
* když chci rozbalit soubory zabalené v .rar archivu, tak mi Winrar vyhodí hlášku, že je v neznámém formátu nebo že je archiv poškozen
* když pustím video soubor v přehrávači vypíše, že soubor se nepodařilo přehrát

No a data žel nemám kam přesunout - nedostatek místa na obou jednotkách disku.

tudíž to nechávám tak - s tím, že soubory nelze používat.

Jinak se dá ntb používat normálně. Nechápu proč, ale co jsme se synem zkoušeli spustit ty hry, tak ty jako jediné vypadají, že nebyly napadené a zašifrované nebo jinak upravené na nečitelnou podobu - tudíž se může opět hrát s kamarády. No dostal zákaz cokoliv bez mého vědomí stahovat a instalovat.

Takže problém s odstráněním viru je tímto asi vyřešen.
Už jen zůstává čekat jestli se povede rozšifrovat ty soubory.

#44 Příspěvek od **motji** » 31 říj 2014 18:09

Zašifrovává jen určité typy souborů, hlavně doc, txt a pod. Tady to můžeme ukončit, pokud by se soubory podařilo rozšifrovat, ozvu se Vám

Aljushka · #45 Příspěvek od **Aljushka** » 01 lis 2014 10:05

motji píše:Zašifrovává jen určité typy souborů, hlavně doc, txt a pod. Tady to můžeme ukončit, pokud by se soubory podařilo rozšifrovat, ozvu se Vám

jenomže proč pak nejdou normálně otevřít i ty fotky, obrázky, videa atd. ? přijde mi to divné.

Myslíte, že pokud bude objeven klíč k dešifrování, tak to pak pomůže a zabere na všechny soubory?

A máte pravdu, že se to tu už může lock, jelikož virus jako takovej je z ntb odstraněn a tým pádem problém je vyřešen.

Moc děkuji za Vaši pomoc.

VIRY.CZ

TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0

Re: TorLocker 2.0