
Chinese malware, virus - behaves like an administrator, FRSTLauncher no

Have a problem with a virus? Post your FRST or RSIT log here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

Márty84
VIP
Posts: 21679
Registered: 05 Dec 2009 20:08
Location: Ostrava

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#31 Post by Márty84 »

F7R wrote: I think the problem is that I turned off the MS Essentials antivirus because of the log scans
That's not the problem, it was already spread all over before that. MSE is worth s....

:arrow: Open Notepad and copy the following script into it


KillAll::

File::
c:\windows\system32\drivers\TAOKernel.sys
c:\windows\system32\drivers\TS888.sys
c:\windows\system32\drivers\TAOAccelerator.sys
c:\windows\system32\drivers\TSDefenseBt.sys
c:\windows\system32\drivers\TFsFlt.sys
c:\windows\system32\drivers\TsFltMgr.sys

Folder::
c:\program files\Tencent

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQPCTray"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"=-

Reboot::
In the top left, click File
Click Save as...
Type the red name CFScript exactly and save it to the desktop.
Turn off the antivirus and any other security software you may have.
Drag the text file you just created onto the ComboFix icon with the mouse and release it.
ComboFix should start and carry out the commands.
When it finishes (the PC may restart), a new log should appear; copy it here for me again.

:!: If Windows does not boot after the restart, restart again, keep pressing the F8 key and choose - Last Known Good Configuration
:!: If Windows boots but an error is reported when starting various programs, just restart the PC and it will be fine

:arrow: Then post the FRST log, without using the Launcher (from safe mode is fine).
If you have a question that is not meant for the public, you can e-mail me at marty84(at)forum.viry.cz

You can support our forum at https://platba.viry.cz/payment/

For time reasons I will now be on the forum less often. If you have been waiting a long time for a reply, please contact one of my colleagues (most have an e-mail address in their signature).

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#32 Post by F7R »

No change, the same thing again...
The log is from safe mode again

ComboFix 16-03-19.01 - SYSTEM 20.03.2016 11:45:37.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.3070.2545 [GMT 1:00]
Spuštěný z: c:\windows\system32\config\systemprofile\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\windows\system32\config\systemprofile\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\TAOAccelerator.sys"
"c:\windows\system32\drivers\TAOKernel.sys"
"c:\windows\system32\drivers\TFsFlt.sys"
"c:\windows\system32\drivers\TS888.sys"
"c:\windows\system32\drivers\TSDefenseBt.sys"
"c:\windows\system32\drivers\TsFltMgr.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_QMIEProtect
-------\Legacy_QMUdisk
-------\Legacy_QQSysMon
-------\Legacy_softaal
-------\Legacy_SRepairDrv
-------\Legacy_TS888
-------\Legacy_TSKSP
-------\Legacy_TSSysKit
-------\Service_QMIEProtect
-------\Service_QMUdisk
-------\Service_QQPCRTP
-------\Service_QQRepair10f7
-------\Service_QQRepair3a0
-------\Service_QQRepairFixSVC
-------\Service_QQSysMon
-------\Service_softaal
-------\Service_SRepairDrv
-------\Service_TS888
-------\Service_TSKSP
-------\Service_TSSysKit
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2016-02-20 do 2016-03-20 )))))))))))))))))))))))))))))))
.
.
2016-03-20 10:52 . 2016-03-20 10:52 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2016-03-20 10:52 . 2016-03-20 10:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-03-20 10:52 . 2016-03-20 10:52 -------- d-----w- c:\users\cesko\AppData\Local\temp
2016-03-20 00:09 . 2016-03-20 00:09 -------- d-----w- c:\programdata\Skype
2016-03-19 10:21 . 2016-03-19 11:52 -------- d-----w- c:\users\Default\AppData\Local\Microsoft
2016-03-18 06:36 . 2016-03-17 10:07 100088 ----a-w- c:\windows\system32\drivers\TAOKernel.sys
2016-03-18 06:35 . 2016-03-19 09:07 39928 ----a-w- c:\windows\system32\drivers\TS888.sys
2016-03-17 17:12 . 2016-03-18 08:32 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-03-17 17:10 . 2015-10-05 08:50 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-03-17 17:10 . 2015-10-05 08:50 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-03-17 17:10 . 2015-10-05 08:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-03-17 15:00 . 2016-03-17 10:07 116408 ----a-w- c:\windows\system32\drivers\TAOAccelerator.sys
2016-03-17 13:59 . 2016-03-19 09:25 -------- d-----w- c:\program files\AdwCleaner
2016-03-17 10:09 . 2016-03-17 10:07 14008 ------w- c:\windows\system32\drivers\TSDefenseBt.sys
2016-03-17 10:08 . 2016-03-17 10:07 150008 ------w- c:\windows\system32\drivers\TFsFlt.sys
2016-03-17 10:08 . 2016-03-17 10:07 128216 ------w- c:\windows\system32\drivers\TsFltMgr.sys
2016-03-10 09:12 . 2016-02-06 02:11 802304 ----a-w- c:\windows\system32\advapi32.dll
2016-03-10 09:12 . 2016-02-06 02:12 783872 ----a-w- c:\windows\system32\rpcrt4.dll
2016-03-10 09:12 . 2016-02-06 02:11 49664 ----a-w- c:\windows\system32\csrsrv.dll
2016-03-10 09:12 . 2016-02-06 00:32 64000 ----a-w- c:\windows\system32\smss.exe
2016-03-10 09:12 . 2016-02-19 21:34 1208776 ----a-w- c:\windows\system32\ntdll.dll
2016-03-10 09:12 . 2016-02-06 02:17 3609024 ----a-w- c:\windows\system32\ntkrnlpa.exe
2016-03-10 09:12 . 2016-02-06 02:17 3556800 ----a-w- c:\windows\system32\ntoskrnl.exe
2016-03-10 09:08 . 2016-02-06 02:12 19968 ----a-w- c:\windows\system32\seclogon.dll
2016-03-10 09:07 . 2016-02-06 02:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2016-03-10 09:07 . 2016-02-06 00:33 297472 ----a-w- c:\windows\system32\atmfd.dll
2016-03-10 07:22 . 2016-02-03 17:06 89600 ----a-w- c:\windows\system32\olepro32.dll
2016-03-10 07:22 . 2016-02-03 17:06 564736 ----a-w- c:\windows\system32\oleaut32.dll
2016-03-10 07:22 . 2016-02-03 17:05 67072 ----a-w- c:\windows\system32\asycfilt.dll
2016-03-10 07:08 . 2016-02-04 15:25 2068992 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-03-10 20:17 . 2012-12-04 13:02 797376 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-03-10 20:17 . 2012-12-04 13:02 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-02-04 22:13 . 2016-02-04 22:13 875720 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2016-02-04 22:13 . 2016-02-04 22:13 536776 ----a-w- c:\windows\system32\msvcp120_clr0400.dll
2016-01-30 03:09 . 2016-02-11 02:34 324608 ----a-w- c:\windows\system32\sdohlp.dll
2016-01-30 03:09 . 2016-02-11 02:34 153088 ----a-w- c:\windows\system32\sbeio.dll
2016-01-30 03:09 . 2016-02-11 02:34 323072 ----a-w- c:\windows\system32\sbe.dll
2016-01-30 03:09 . 2016-02-11 02:34 293376 ----a-w- c:\windows\system32\psisdecd.dll
2016-01-30 03:09 . 2016-02-11 02:34 429056 ----a-w- c:\windows\system32\EncDec.dll
2016-01-30 03:09 . 2016-02-11 02:34 217600 ----a-w- c:\windows\system32\psisrndr.ax
2016-01-30 03:09 . 2016-02-11 02:32 1316864 ----a-w- c:\windows\system32\ole32.dll
2016-01-30 03:08 . 2016-02-11 02:34 107520 ----a-w- c:\windows\system32\mtxoci.dll
2016-01-30 03:08 . 2016-02-11 02:34 80896 ----a-w- c:\windows\system32\MSNP.ax
2016-01-30 03:08 . 2016-02-11 02:34 180224 ----a-w- c:\windows\system32\msorcl32.dll
2016-01-30 03:08 . 2016-02-11 02:34 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2016-01-30 03:08 . 2016-02-11 02:34 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2016-01-30 03:08 . 2016-02-11 02:34 48128 ----a-w- c:\windows\system32\iasdatastore.dll
2016-01-30 03:08 . 2016-02-11 02:34 57344 ----a-w- c:\windows\system32\iasads.dll
2016-01-30 03:08 . 2016-02-11 02:34 119296 ----a-w- c:\windows\system32\iasrecst.dll
2016-01-30 01:32 . 2016-02-11 02:34 17408 ----a-w- c:\windows\system32\iashost.exe
2016-01-09 17:06 . 2016-02-11 02:01 501760 ----a-w- c:\windows\system32\kerberos.dll
2016-01-07 15:18 . 2016-02-11 02:06 115200 ----a-w- c:\windows\system32\drivers\mrxdav.sys
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQPCTray"="c:\program files\Tencent\QQPCMgr\11.4.17339.217\QQPCTRAY.EXE" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3613717200-223133842-2651324926-1000]
"EnableNotificationsRef"=dword:00000001
.
R1 9704792drv;9704792drv;c:\windows\system32\DRIVERS\9704792drv.sys [2013-01-29 489048]
.
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Obsah adresáře 'Naplánované úlohy'
.
2016-03-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-04 20:18]
.
.
------- Doplňkový sken -------
.
mSearch Bar = https://www.google.com/?trackid=sp-006
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mojebanka.cz\*
TCP: DhcpNameServer = 10.0.0.138
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-03-20 12:24
Windows 6.0.6002 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\helppane.exe
.
**************************************************************************
.
Celkový čas: 2016-03-20 12:27:26 - počítač byl restartován
ComboFix-quarantined-files.txt 2016-03-20 11:27
ComboFix2.txt 2016-03-19 21:32
ComboFix3.txt 2016-03-19 20:08
ComboFix4.txt 2016-03-19 19:55
ComboFix5.txt 2016-03-20 10:43
.
Před spuštěním: Volných bajtů: 37 557 964 800
Po spuštění: Volných bajtů: 38 811 545 600
.
- - End Of File - - 0004C920070CDF61F05AD86796C35CE0
5C616939100B85E558DA92B899A0FC36
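
The reply above says "no change", and the log confirms it: every driver the CFScript listed under File:: is still in the "files created" section, and the QQPCTray Run value is still present. The check can be done mechanically. The Python below is an added example, not part of the thread and not ComboFix's own tooling: it parses the CFScript's `::` sections and the ComboFix log's file and registry entries, then reports which script targets survived the run. The sample script and log lines are constructed from the lines posted above; the directive names (File, Folder, Registry, KillAll, Reboot) and the log line layout are the ones visible in the posts.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log produced after
the run: which File:: paths and Registry:: deletions are still present?
Added example; not ComboFix code. Sample data constructed from the thread."""
import re
from collections import defaultdict

# Constructed sample: the CFScript posted in reply #31.
CFSCRIPT = r"""KillAll::

File::
c:\windows\system32\drivers\TAOKernel.sys
c:\windows\system32\drivers\TS888.sys
c:\windows\system32\drivers\TAOAccelerator.sys
c:\windows\system32\drivers\TSDefenseBt.sys
c:\windows\system32\drivers\TFsFlt.sys
c:\windows\system32\drivers\TsFltMgr.sys

Folder::
c:\program files\Tencent

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQPCTray"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"=-

Reboot::
"""

# Constructed sample: a few lines from the ComboFix log in reply #32.
COMBOFIX_LOG = r"""2016-03-18 06:36 . 2016-03-17 10:07 100088 ----a-w- c:\windows\system32\drivers\TAOKernel.sys
2016-03-18 06:35 . 2016-03-19 09:07 39928 ----a-w- c:\windows\system32\drivers\TS888.sys
2016-03-17 17:10 . 2015-10-05 08:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-03-17 15:00 . 2016-03-17 10:07 116408 ----a-w- c:\windows\system32\drivers\TAOAccelerator.sys
2016-03-17 13:59 . 2016-03-19 09:25 -------- d-----w- c:\program files\AdwCleaner
2016-03-17 10:09 . 2016-03-17 10:07 14008 ------w- c:\windows\system32\drivers\TSDefenseBt.sys
2016-03-17 10:08 . 2016-03-17 10:07 150008 ------w- c:\windows\system32\drivers\TFsFlt.sys
2016-03-17 10:08 . 2016-03-17 10:07 128216 ------w- c:\windows\system32\drivers\TsFltMgr.sys
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQPCTray"="c:\program files\Tencent\QQPCMgr\11.4.17339.217\QQPCTRAY.EXE" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe"
"""

# ComboFix file entry: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections; each maps to its non-empty lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header such as File:: or Reboot::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Collect file paths and, per registry key, the value names the log lists."""
    paths = set()
    values = defaultdict(set)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_LINE.match(line):
            paths.add(m["path"].lower())
        elif m := KEY_LINE.match(line):
            key = m["key"].lower()
        elif (m := VALUE_LINE.match(line)) and key:
            values[key].add(m["name"].lower())
    return paths, values


def unresolved_targets(script_text, log_text):
    """Return the File:: paths and Registry:: deletions that the post-run log still shows."""
    sections = parse_cfscript(script_text)
    paths, values = parse_combofix_log(log_text)
    report = {"files": [], "registry": []}
    for path in sections.get("File", []):
        if path.lower() in paths:            # paths compared case-insensitively, as on NTFS
            report["files"].append(path)
    key = None
    for line in sections.get("Registry", []):
        if m := KEY_LINE.match(line):
            key = m["key"].lower()
        elif (m := VALUE_LINE.match(line)) and key and m["data"].strip() == "-":
            if m["name"].lower() in values.get(key, set()):   # "=-" means delete this value
                report["registry"].append((key, m["name"]))
    return report


if __name__ == "__main__":
    for kind, items in unresolved_targets(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{kind}: {len(items)} target(s) still present")
        for item in items:
            print("   ", item)
```

On the sample data all six driver paths and the QQPCTray Run value come back as still present, which is exactly what the "no change" reply reports; the GrpConv deletion is not flagged because the log sample lists no RunOnce key. A log entry that merely names a path is evidence that the file exists, not that it is still loading, so the FRST driver list posted next is the place to confirm whether the services were actually stopped.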

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#33 Post by F7R »

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by cesko (administrator) on CESKO-PC (20-03-2016 12:45:06)
Running from C:\Windows\System32\config\systemprofile\Desktop
Loaded Profiles: False (Available Profiles: ) <==== ATTENTION (Temporary Profile?)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: Čeština (Česká republika)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Mozilla Corporation) D:\Tor Browser\Browser\firefox.exe
() D:\Tor Browser\Browser\TorBrowser\Tor\tor.exe
(forum.viry.cz) C:\Windows\System32\config\systemprofile\Desktop\FRSTLauncher.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ QQPCTray] => "C:\Program Files\Tencent\QQPCMgr\11.4.17339.217\QQPCTRAY.EXE" /regrun /qqrepair
HKLM\...\RunOnce: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 02 C:\Windows\system32\napinsp.dll [50176 2008-01-21] (Společnost Microsoft)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{93E4835A-8CC3-420B-91E5-48014E065A30}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BAE6D55F-F66B-4F39-A3DD-E2F6609718A1}: [DhcpNameServer] 10.0.0.138

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> OldSearch URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll => No File
BHO: IEExtension.VDownloaderBHO -> {7b523e7c-f096-4e36-a0cb-7efeb5c675c1} -> C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL No File
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL No File
Handler: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-10] ()
FF Plugin: @java.com/DTPlugin,version=10.11.2 -> C:\Windows\system32\npDeployJava1.dll [2013-01-12] (Oracle Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @qq.com/npAndroidAssistant -> C:\Program Files\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll [No File]
FF Plugin: @real.com/nprjplug;version=15.0.4.53 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [No File]
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [No File]
FF Extension: No Name - C:\Program Files\TrustMediaViewerV1\TrustMediaViewerV1alpha1447\ff [not found]
FF HKLM\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files\VDownloader\Addons\FireFox => not found
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-28] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx <not found>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2016-01-29] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [X]
S3 IDriverT; "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" [X]
S3 LightScribeService; "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" [X]
S2 MBAMService; "C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe" [X]
S3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [X]
S3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [X]
S3 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 9704792drv; C:\Windows\System32\DRIVERS\9704792drv.sys [489048 2013-01-29] () [File not signed]
R0 amdide; C:\Windows\System32\DRIVERS\amdide.sys [10632 2012-11-01] (Advanced Micro Devices)
S1 cpuidlep; C:\Windows\system32\Drivers\cpuidlep.sys [4484 2013-03-08] ()
R0 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [190424 2009-04-11] (Společnost Microsoft)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [253704 2015-11-13] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2007-07-31] (ATK0100) [File not signed]
R3 Ntfs; C:\Windows\system32\Drivers\Ntfs.sys [1082232 2013-03-03] (Společnost Microsoft)
R3 pmkbdfltr; C:\Windows\System32\DRIVERS\pmkbdfltr.sys [15248 2012-11-01] (PenMount)
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36560 2006-09-27] (Sonic Solutions) [File not signed]
S3 s0016bus; C:\Windows\System32\DRIVERS\s0016bus.sys [89256 2008-05-16] (MCCI Corporation)
S3 s0016mdfl; C:\Windows\System32\DRIVERS\s0016mdfl.sys [15016 2008-05-16] (MCCI Corporation)
S3 s0016mdm; C:\Windows\System32\DRIVERS\s0016mdm.sys [120744 2008-05-16] (MCCI Corporation)
S3 s0016mgmt; C:\Windows\System32\DRIVERS\s0016mgmt.sys [114216 2008-05-16] (MCCI Corporation)
S3 s0016nd5; C:\Windows\System32\DRIVERS\s0016nd5.sys [25512 2008-05-16] (MCCI Corporation)
S3 s0016obex; C:\Windows\System32\DRIVERS\s0016obex.sys [110632 2008-05-16] (MCCI Corporation)
S3 s0016unic; C:\Windows\System32\DRIVERS\s0016unic.sys [115752 2008-05-16] (MCCI Corporation)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [86824 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [15016 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [114600 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [108328 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [26024 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [104616 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [109736 2008-10-21] (MCCI Corporation)
S3 s1018obex; C:\Windows\System32\DRIVERS\s1018obex.sys [104744 2009-03-25] (MCCI Corporation)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1743232 2007-05-25] ()
S2 TAOAccelerator; C:\Windows\system32\Drivers\TAOAccelerator.sys [116408 2016-03-17] (Tencent)
S1 TAOKernelDriver; C:\Windows\system32\Drivers\TAOKernel.sys [100088 2016-03-17] (Tencent Technology(Shenzhen) Company Limited)
S1 TFsFlt; C:\Windows\System32\Drivers\TFsFlt.sys [150008 2016-03-17] (电脑管家)
S1 TSDefenseBt; C:\Windows\System32\DRIVERS\TSDefenseBt.sys [14008 2016-03-17] (Tencent)
R0 TsFltMgr; C:\Windows\System32\drivers\TsFltMgr.sys [128216 2016-03-17] (电脑管家)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-21] (Microsoft Corporation)
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
U3 mbr; \??\C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-20 12:37 - 2016-03-20 12:45 - 00000000 ____D C:\FRST
2016-03-20 12:27 - 2016-03-20 12:27 - 00013624 _____ C:\ComboFix.txt
2016-03-19 16:25 - 2016-03-20 12:27 - 00000000 ____D C:\Qoobox
2016-03-19 11:20 - 2016-03-20 12:27 - 00941294 _____ C:\Windows\ntbtlog.txt
2016-03-19 11:20 - 2016-03-20 12:27 - 00941294 _____ C:\Windows\ntbtlog.txt
2016-03-18 18:38 - 2016-03-18 18:38 - 00001613 _____ C:\scan3.txt
2016-03-18 17:55 - 2016-03-18 17:55 - 00001615 _____ C:\scan 2!.txt
2016-03-18 07:36 - 2016-03-17 11:07 - 00100088 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel.sys
2016-03-18 07:35 - 2016-03-19 10:07 - 00039928 _____ (Tencent) C:\Windows\system32\Drivers\TS888.sys
2016-03-17 18:12 - 2016-03-18 09:32 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-17 18:10 - 2015-10-05 09:50 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-17 18:10 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-17 18:10 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-17 16:00 - 2016-03-17 11:07 - 00116408 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator.sys
2016-03-17 14:59 - 2016-03-19 10:25 - 00000000 ____D C:\Program Files\AdwCleaner
2016-03-17 12:48 - 2016-03-17 12:48 - 00688992 ____R (Swearware) C:\Users\cesko\Desktop\dds.exe
2016-03-17 11:09 - 2016-03-17 11:07 - 00014008 _____ (Tencent) C:\Windows\system32\Drivers\TSDefenseBt.sys
2016-03-17 11:08 - 2016-03-17 11:07 - 00150008 _____ (电脑管家) C:\Windows\system32\Drivers\TFsFlt.sys
2016-03-17 11:08 - 2016-03-17 11:07 - 00128216 _____ (电脑管家) C:\Windows\system32\Drivers\TsFltMgr.sys
2016-03-10 10:12 - 2016-02-19 22:34 - 01208776 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-03-10 10:12 - 2016-02-06 03:17 - 03609024 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2016-03-10 10:12 - 2016-02-06 03:17 - 03556800 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-03-10 10:12 - 2016-02-06 03:12 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-03-10 10:12 - 2016-02-06 03:11 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-03-10 10:12 - 2016-02-06 03:11 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-03-10 10:12 - 2016-02-06 01:32 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-03-10 10:10 - 2015-11-20 15:15 - 00922432 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00066400 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00022368 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00015200 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011104 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011104 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-03-10 10:08 - 2016-02-06 03:12 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\seclogon.dll
2016-03-10 10:07 - 2016-02-06 03:11 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-03-10 10:07 - 2016-02-06 01:33 - 00297472 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-03-10 08:23 - 2016-02-02 16:30 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBSTOR.SYS
2016-03-10 08:22 - 2016-02-03 18:06 - 00564736 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2016-03-10 08:22 - 2016-02-03 18:06 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\olepro32.dll
2016-03-10 08:22 - 2016-02-03 18:05 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2016-03-10 08:08 - 2016-02-04 16:25 - 02068992 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-03-09 16:08 - 2016-02-09 01:17 - 01815552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-03-09 16:08 - 2016-02-09 01:15 - 12392960 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-03-09 16:08 - 2016-02-09 01:13 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-03-09 16:08 - 2016-02-09 01:12 - 09753600 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-03-09 16:08 - 2016-02-09 01:12 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-03-09 16:08 - 2016-02-09 01:11 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 01804800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-03-09 16:08 - 2016-02-09 01:10 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-03-09 16:08 - 2016-02-09 01:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-03-09 16:08 - 2016-02-09 01:09 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-03-09 16:08 - 2016-02-09 01:09 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-20 12:28 - 2012-06-09 12:09 - 46528000 _____ C:\Windows\system32\perfh005.dat
2016-03-20 12:28 - 2012-06-09 12:09 - 17033994 _____ C:\Windows\system32\perfc005.dat
2016-03-20 12:28 - 2006-11-02 11:33 - 00007044 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-20 12:22 - 2006-11-02 11:23 - 00000215 _____ C:\Windows\system.ini
2016-03-20 12:22 - 2006-11-02 11:23 - 00000215 _____ C:\Windows\system.ini
2016-03-20 11:52 - 2015-03-10 13:48 - 00000000 ____D C:\Windows\erdnt
2016-03-20 11:52 - 2015-03-10 13:48 - 00000000 ____D C:\Windows\erdnt
2016-03-19 10:42 - 2016-01-01 14:04 - 00000000 ___RD C:\Program Files\Skype
2016-03-19 10:42 - 2015-03-10 15:45 - 00000000 ____D C:\Program Files\Microsoft Security Client
2016-03-19 10:42 - 2011-12-19 01:36 - 00000000 ____D C:\Program Files\Dialogys
2016-03-19 10:42 - 2011-12-19 01:36 - 00000000 ____D C:\Program Files\_jvm
2016-03-19 10:42 - 2011-08-11 13:28 - 00000000 ____D C:\Program Files\Microsoft Office
2016-03-19 10:42 - 2011-08-10 16:06 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-03-19 10:42 - 2011-08-10 16:06 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-03-19 10:42 - 2006-11-02 14:01 - 00032618 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-19 10:42 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-19 10:42 - 2006-11-02 13:47 - 00003760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-19 10:42 - 2006-11-02 13:47 - 00003760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-19 10:42 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Microsoft Games
2016-03-19 10:26 - 2011-08-11 15:04 - 00000000 ____D C:\Program Files\Common Files\LightScribe
2016-03-19 10:26 - 2011-08-10 17:30 - 00000000 ____D C:\Program Files\ATI Technologies
2016-03-19 10:26 - 2006-11-02 12:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-03-19 10:25 - 2015-10-02 13:28 - 00000000 ____D C:\Users\cesko\Documents\ZPS12
2016-03-19 10:25 - 2015-10-02 13:28 - 00000000 ____D C:\Users\cesko\Documents\ZPS12
2016-03-19 10:25 - 2013-03-20 12:15 - 00000000 ____D C:\Users\cesko\Desktop\Sony
2016-03-19 10:25 - 2013-02-16 06:38 - 00000000 ____D C:\Users\cesko\Tracing
2016-03-19 10:25 - 2011-09-17 12:54 - 00000000 ____D C:\Program Files\7-Zip
2016-03-19 10:25 - 2006-11-02 13:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-03-19 10:22 - 2011-08-10 15:39 - 00000000 ____D C:\Users\cesko\AppData\Local\VirtualStore
2016-03-19 10:17 - 2012-12-04 14:02 - 00000914 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-19 10:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\Performance
2016-03-19 10:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\Performance
2016-03-18 08:51 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\inf
2016-03-18 08:51 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\inf
2016-03-17 12:10 - 2015-03-12 15:30 - 00383096 _____ C:\Windows\system32\FNTCACHE.DAT
2016-03-10 21:17 - 2012-12-04 14:02 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-03-10 21:17 - 2012-12-04 14:02 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-03-10 12:37 - 2013-08-21 17:54 - 00000000 ____D C:\Windows\system32\MRT
2016-03-10 12:27 - 2006-11-02 11:24 - 141270216 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-03-10 10:19 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2016-02-24 09:49 - 2012-05-01 16:17 - 00001945 _____ C:\Windows\epplauncher.mif
2016-02-24 09:49 - 2012-05-01 16:17 - 00001945 _____ C:\Windows\epplauncher.mif

==================== Files in the root of some directories =======

2006-11-02 14:02 - 2016-03-19 14:11 - 0002032 _____ () C:\Windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed



===***===***===***=== Extract of Additional scan result of Farbar Recovery Scan Tool ===***===***===***===

==================== Drive and Memory info ===================



==================== MBR and Partition Table ==================


==================== Scheduled Tasks (whitelisted) ==================

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Alternate Data Streams (whitelisted) ==================

AlternateDataStreams: C:\Users\cesko\Downloads:Shareaza.GUID [16]

==================== Security Center ==================

AV: 电脑管家系统防护 (Enabled - Up to date) {6F9C3F92-B625-0E47-F0B1-447602EC65F5}
AV: Microsoft Security Essentials (Disabled - Up to date) {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
AS: Microsoft Security Essentials (Disabled - Up to date) {CDE0C533-D3CD-62A1-E772-AFADDF863628}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: 电脑管家系统防护 (Enabled - Up to date) {D4FDDE76-901F-01C9-CA01-7F04796B2F48}



===***===***===***=== Supplementary Scan createdy by FRSTLauncher ===***===***===***===
Posledni aktualizace FRSTLauncheru: 25_11_2013 (01)
Posledni aktualizace Modifikacniho skriptu: 30_09_2013 (01)


***** Velikost "Plochy" *****

Velikost slozky "C:\Windows\system32\config\systemprofile\Desktop" je 7 MB.


***** Startup Programs *****

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe
C:\Windows\ehome\ehTray.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [x]


***** Firewall rules *****

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0
DoNotAllowExceptions REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0
DoNotAllowExceptions REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]


***** System Restore *****

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"Generalize_DisableSR"=dword:00000000


==================== End Of Log ==============================
Attachments
Addition.rar
(5.51 KiB) Downloaded 37 times

JaRon
Moderator
Posts: 15797
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: Chinese malware, virus - behaves like administrator, FRSTLaunche

#34 Post by JaRon »

I'll fill in for my colleague, let him enjoy his Sunday afternoon
use this CFScript:

Code:

KillAll::

Driver::
TAOKernel
TS888
TAOAccelerator
TSDefenseBt
TFsFlt
TsFltMgr

Folder::
c:\program files\Tencent



Reboot::
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like administrator, FRSTLaunche

#35 Post by F7R »

Thanks!
Still the same state, log from safe mode...

ComboFix 16-03-19.01 - SYSTEM 20.03.2016 15:02:41.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.3070.2255 [GMT 1:00]
Spuštěný z: c:\windows\system32\config\systemprofile\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\windows\system32\config\systemprofile\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TAOACCELERATOR
-------\Legacy_TFSFLT
-------\Legacy_TS888
-------\Legacy_TSDEFENSEBT
-------\Legacy_TSFLTMGR
-------\Service_TAOAccelerator
-------\Service_TFsFlt
-------\Service_TSDefenseBt
-------\Service_TsFltMgr
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2016-02-20 do 2016-03-20 )))))))))))))))))))))))))))))))
.
.
2016-03-20 14:08 . 2016-03-20 14:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2016-03-20 14:08 . 2016-03-20 14:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-03-20 14:08 . 2016-03-20 14:08 -------- d-----w- c:\users\cesko\AppData\Local\temp
2016-03-20 11:37 . 2016-03-20 11:45 -------- d-----w- C:\FRST
2016-03-20 00:09 . 2016-03-20 00:09 -------- d-----w- c:\programdata\Skype
2016-03-19 10:21 . 2016-03-19 11:52 -------- d-----w- c:\users\Default\AppData\Local\Microsoft
2016-03-18 06:36 . 2016-03-17 10:07 100088 ----a-w- c:\windows\system32\drivers\TAOKernel.sys
2016-03-18 06:35 . 2016-03-19 09:07 39928 ----a-w- c:\windows\system32\drivers\TS888.sys
2016-03-17 17:12 . 2016-03-18 08:32 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-03-17 17:10 . 2015-10-05 08:50 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-03-17 17:10 . 2015-10-05 08:50 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-03-17 17:10 . 2015-10-05 08:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-03-17 15:00 . 2016-03-17 10:07 116408 ----a-w- c:\windows\system32\drivers\TAOAccelerator.sys
2016-03-17 13:59 . 2016-03-19 09:25 -------- d-----w- c:\program files\AdwCleaner
2016-03-17 10:09 . 2016-03-17 10:07 14008 ------w- c:\windows\system32\drivers\TSDefenseBt.sys
2016-03-17 10:08 . 2016-03-17 10:07 150008 ------w- c:\windows\system32\drivers\TFsFlt.sys
2016-03-17 10:08 . 2016-03-17 10:07 128216 ------w- c:\windows\system32\drivers\TsFltMgr.sys
2016-03-10 09:12 . 2016-02-06 02:11 802304 ----a-w- c:\windows\system32\advapi32.dll
2016-03-10 09:12 . 2016-02-06 02:12 783872 ----a-w- c:\windows\system32\rpcrt4.dll
2016-03-10 09:12 . 2016-02-06 02:11 49664 ----a-w- c:\windows\system32\csrsrv.dll
2016-03-10 09:12 . 2016-02-06 00:32 64000 ----a-w- c:\windows\system32\smss.exe
2016-03-10 09:12 . 2016-02-19 21:34 1208776 ----a-w- c:\windows\system32\ntdll.dll
2016-03-10 09:12 . 2016-02-06 02:17 3609024 ----a-w- c:\windows\system32\ntkrnlpa.exe
2016-03-10 09:12 . 2016-02-06 02:17 3556800 ----a-w- c:\windows\system32\ntoskrnl.exe
2016-03-10 09:08 . 2016-02-06 02:12 19968 ----a-w- c:\windows\system32\seclogon.dll
2016-03-10 09:07 . 2016-02-06 02:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2016-03-10 09:07 . 2016-02-06 00:33 297472 ----a-w- c:\windows\system32\atmfd.dll
2016-03-10 07:22 . 2016-02-03 17:06 89600 ----a-w- c:\windows\system32\olepro32.dll
2016-03-10 07:22 . 2016-02-03 17:06 564736 ----a-w- c:\windows\system32\oleaut32.dll
2016-03-10 07:22 . 2016-02-03 17:05 67072 ----a-w- c:\windows\system32\asycfilt.dll
2016-03-10 07:08 . 2016-02-04 15:25 2068992 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-03-10 20:17 . 2012-12-04 13:02 797376 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-03-10 20:17 . 2012-12-04 13:02 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-02-04 22:13 . 2016-02-04 22:13 875720 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2016-02-04 22:13 . 2016-02-04 22:13 536776 ----a-w- c:\windows\system32\msvcp120_clr0400.dll
2016-01-30 03:09 . 2016-02-11 02:34 324608 ----a-w- c:\windows\system32\sdohlp.dll
2016-01-30 03:09 . 2016-02-11 02:34 153088 ----a-w- c:\windows\system32\sbeio.dll
2016-01-30 03:09 . 2016-02-11 02:34 323072 ----a-w- c:\windows\system32\sbe.dll
2016-01-30 03:09 . 2016-02-11 02:34 293376 ----a-w- c:\windows\system32\psisdecd.dll
2016-01-30 03:09 . 2016-02-11 02:34 429056 ----a-w- c:\windows\system32\EncDec.dll
2016-01-30 03:09 . 2016-02-11 02:34 217600 ----a-w- c:\windows\system32\psisrndr.ax
2016-01-30 03:09 . 2016-02-11 02:32 1316864 ----a-w- c:\windows\system32\ole32.dll
2016-01-30 03:08 . 2016-02-11 02:34 107520 ----a-w- c:\windows\system32\mtxoci.dll
2016-01-30 03:08 . 2016-02-11 02:34 80896 ----a-w- c:\windows\system32\MSNP.ax
2016-01-30 03:08 . 2016-02-11 02:34 180224 ----a-w- c:\windows\system32\msorcl32.dll
2016-01-30 03:08 . 2016-02-11 02:34 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2016-01-30 03:08 . 2016-02-11 02:34 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2016-01-30 03:08 . 2016-02-11 02:34 48128 ----a-w- c:\windows\system32\iasdatastore.dll
2016-01-30 03:08 . 2016-02-11 02:34 57344 ----a-w- c:\windows\system32\iasads.dll
2016-01-30 03:08 . 2016-02-11 02:34 119296 ----a-w- c:\windows\system32\iasrecst.dll
2016-01-30 01:32 . 2016-02-11 02:34 17408 ----a-w- c:\windows\system32\iashost.exe
2016-01-09 17:06 . 2016-02-11 02:01 501760 ----a-w- c:\windows\system32\kerberos.dll
2016-01-07 15:18 . 2016-02-11 02:06 115200 ----a-w- c:\windows\system32\drivers\mrxdav.sys
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQPCTray"="c:\program files\Tencent\QQPCMgr\11.4.17339.217\QQPCTRAY.EXE" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3613717200-223133842-2651324926-1000]
"EnableNotificationsRef"=dword:00000001
.
R1 9704792drv;9704792drv;c:\windows\system32\DRIVERS\9704792drv.sys [2013-01-29 489048]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Obsah adresáře 'Naplánované úlohy'
.
2016-03-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-04 20:18]
.
.
------- Doplňkový sken -------
.
mSearch Bar = https://www.google.com/?trackid=sp-006
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mojebanka.cz\*
TCP: DhcpNameServer = 10.0.0.138
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-03-20 15:24
Windows 6.0.6002 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Celkový čas: 2016-03-20 15:27:12 - počítač byl restartován
ComboFix-quarantined-files.txt 2016-03-20 14:27
ComboFix2.txt 2016-03-20 11:27
ComboFix3.txt 2016-03-19 21:32
ComboFix4.txt 2016-03-19 20:08
ComboFix5.txt 2016-03-20 14:01
.
Před spuštěním: Volných bajtů: 38 389 407 744
Po spuštění: Volných bajtů: 38 241 583 104
.
- - End Of File - - 0BC7E907980D903104CEAB5507BAFD6C
5C616939100B85E558DA92B899A0FC36

JaRon
Moderator
Posts: 15797
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: Chinese malware, virus - behaves like administrator, FRSTLaunche

#36 Post by JaRon »

You have MBAM there - clean the PC with it again
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like administrator, FRSTLaunche

#37 Post by F7R »

I have it on my account cesko, which I can't get into...
I have to install it again...

Márty84
VIP
Posts: 21679
Registered: 05 Dec 2009 20:08
Location: Ostrava

Re: Chinese malware, virus - behaves like administrator, FRSTLaunche

#38 Post by Márty84 »

Do this in safe mode
:arrow: Open Notepad and copy this script into it

Code:

Start
CloseProcesses:
CreateRestorePoint:

HKLM\...\Run: [ QQPCTray] => "C:\Program Files\Tencent\QQPCMgr\11.4.17339.217\QQPCTRAY.EXE" /regrun /qqrepair
HKLM\...\RunOnce: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dl ... ar=msnhome

FF Plugin: @qq.com/npAndroidAssistant -> C:\Program Files\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll [No File]
FF HKLM\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files\VDownloader\Addons\FireFox => not found

CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx <not found>

S1 9704792drv; C:\Windows\System32\DRIVERS\9704792drv.sys [489048 2013-01-29] () [File not signed]
S2 TAOAccelerator; C:\Windows\system32\Drivers\TAOAccelerator.sys [116408 2016-03-17] (Tencent)
S1 TAOKernelDriver; C:\Windows\system32\Drivers\TAOKernel.sys [100088 2016-03-17] (Tencent Technology(Shenzhen) Company Limited)
S1 TFsFlt; C:\Windows\System32\Drivers\TFsFlt.sys [150008 2016-03-17] (电脑管家)
S1 TSDefenseBt; C:\Windows\System32\DRIVERS\TSDefenseBt.sys [14008 2016-03-17] (Tencent)
R0 TsFltMgr; C:\Windows\System32\drivers\TsFltMgr.sys [128216 2016-03-17] (电脑管家)

2016-03-18 07:36 - 2016-03-17 11:07 - 00100088 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel.sys
2016-03-18 07:35 - 2016-03-19 10:07 - 00039928 _____ (Tencent) C:\Windows\system32\Drivers\TS888.sys
2016-03-17 16:00 - 2016-03-17 11:07 - 00116408 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator.sys
2016-03-17 11:09 - 2016-03-17 11:07 - 00014008 _____ (Tencent) C:\Windows\system32\Drivers\TSDefenseBt.sys
2016-03-17 11:08 - 2016-03-17 11:07 - 00150008 _____ (电脑管家) C:\Windows\system32\Drivers\TFsFlt.sys
2016-03-17 11:08 - 2016-03-17 11:07 - 00128216 _____ (电脑管家) C:\Windows\system32\Drivers\TsFltMgr.sys

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: {AB9FA6EF-F256-4DDE-94AE-218721DA82F2} - \SW-Booster-S-1095609242 -> No File <==== ATTENTION

AlternateDataStreams: C:\Users\cesko\Downloads:Shareaza.GUID [16]

FirewallRules: [{28B6D336-7AEF-404E-8C48-5E722F8E2BA7}] => (Allow) C:\program files\common files\tencent\qqdownload\130\bugreport_xf.exe
FirewallRules: [{2BD2E642-D46F-411F-8D7A-A0DA26CB6765}] => (Allow) C:\program files\common files\tencent\qqdownload\131\bugreport_xf.exe
FirewallRules: [{B56A2B23-692C-432A-BF58-E3CE20DE241D}] => (Allow) C:\program files\common files\tencent\qqdownload\131\tencentdl.exe

C:\program files\common files\tencent
C:\Program Files\Tencent

Hosts:
EmptyTemp:
Reboot:
End
In the top left, click on File
Click on Save as...
Type the red name fixlist exactly and save it to the desktop.
Turn off your antivirus and any other security software.
Run FRST as administrator, click on Fix and the program will carry out the commands.
After the PC restarts, a new log named fixlog should appear; copy it here for me again.
If you have a question that is not meant for the public, you can write to me at marty84zavináčforum.viry.cz

You can support our forum at https://platba.viry.cz/payment/

For time reasons I will now be on the forum less often. If you have to wait a long time for a reply, please contact one of my colleagues (most of them have an e-mail address in their signature).

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#39 Post by F7R »

MBAM log for C and D (I didn't delete or remove anything, because after the command I entered from Marty84 a restart happened and I no longer have the MBAM result anywhere, so I can't remove it now)

Malwarebytes Anti-Malware
www.malwarebytes.org

Datum skenování: 20.3.2016
Čas skenování: 23:29:25
Protokol: MBAm
Správce: Ano

Verze: 2.2.1.1043
Databáze malwaru: v2016.03.20.05
Databáze rootkitů: v2016.03.12.01
Licence: Zkušební verze
Ochrana proti malwaru: Vypnuto
Ochrana proti škodlivým webovým stránkám: Vypnuto
Ochrana programu: Vypnuto

OS: Windows Vista Service Pack 2
CPU: x86
Souborový systém: NTFS
Uživatel: cesko

Typ skenu: Vlastní sken
Výsledek: Dokončeno
Prohledaných objektů: 430915
Uplynulý čas: 2 hod, 12 min, 53 sek

Paměť: Zapnuto
Po spuštění: Zapnuto
Souborový systém: Zapnuto
Archivy: Zapnuto
Rootkity: Zapnuto
Heuristika: Zapnuto
PUP: Zapnuto
PUM: Zapnuto

Procesy: 0
(Nenalezeny žádné škodlivé položky)

Moduly: 0
(Nenalezeny žádné škodlivé položky)

Klíče registru: 0
(Nenalezeny žádné škodlivé položky)

Hodnoty registru: 0
(Nenalezeny žádné škodlivé položky)

Data registru: 0
(Nenalezeny žádné škodlivé položky)

Složky: 0
(Nenalezeny žádné škodlivé položky)

Soubory: 4
PUP.Optional.Amonetize, D:\XS 3.2 Full Version Free Download Cracked for Soney Ericson__15047_i1898263547_il182096.exe, , [e2237b0fe4b5ed495501020b9f632bd5],
Trojan.Dropper, D:\FAR with JDF plugin.zip, , [49bc36549504c96de0c5a6c6df21bd43],
PUP.Optional.Amonetize, D:\$RECYCLE.BIN\S-1-5-21-3613717200-223133842-2651324926-1000\$RPFTRRE.exe, , [24e17218940513233c1a0effbf43c838],
Trojan.Dropper, D:\JDF\Plugins\Just Da Flasher\2020_52\qamaker.exe, , [0afbb3d77c1d191d7c292f3ddb258977],

Fyzické sektory: 0
(Nenalezeny žádné škodlivé položky)


(end)
Last edited by F7R on 21 Mar 2016 03:29, edited 1 time in total.

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#40 Post by F7R »

When saving the Fixlog text file it gave me a message along the lines that saving would lose Unicode and that I should do it some other way... I clicked OK anyway and saved it)

restart again to a black screen, log from safe mode -

Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by cesko (2016-03-21 03:06:04) Run:1
Running from C:\Windows\System32\config\systemprofile\Desktop
Loaded Profiles: False (Available Profiles: )
Boot Mode: Safe Mode (with Networking)

==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:

HKLM\...\Run: [ QQPCTray] => "C:\Program Files\Tencent\QQPCMgr\11.4.17339.217\QQPCTRAY.EXE" /regrun /qqrepair
HKLM\...\RunOnce: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dl ... ar=msnhome

FF Plugin: @qq.com/npAndroidAssistant -> C:\Program Files\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll [No File]
FF HKLM\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files\VDownloader\Addons\FireFox => not found

CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx <not found>

S1 9704792drv; C:\Windows\System32\DRIVERS\9704792drv.sys [489048 2013-01-29] () [File not signed]
S2 TAOAccelerator; C:\Windows\system32\Drivers\TAOAccelerator.sys [116408 2016-03-17] (Tencent)
S1 TAOKernelDriver; C:\Windows\system32\Drivers\TAOKernel.sys [100088 2016-03-17] (Tencent Technology(Shenzhen) Company Limited)
S1 TFsFlt; C:\Windows\System32\Drivers\TFsFlt.sys [150008 2016-03-17] (????)
S1 TSDefenseBt; C:\Windows\System32\DRIVERS\TSDefenseBt.sys [14008 2016-03-17] (Tencent)
R0 TsFltMgr; C:\Windows\System32\drivers\TsFltMgr.sys [128216 2016-03-17] (????)

2016-03-18 07:36 - 2016-03-17 11:07 - 00100088 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel.sys
2016-03-18 07:35 - 2016-03-19 10:07 - 00039928 _____ (Tencent) C:\Windows\system32\Drivers\TS888.sys
2016-03-17 16:00 - 2016-03-17 11:07 - 00116408 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator.sys
2016-03-17 11:09 - 2016-03-17 11:07 - 00014008 _____ (Tencent) C:\Windows\system32\Drivers\TSDefenseBt.sys
2016-03-17 11:08 - 2016-03-17 11:07 - 00150008 _____ (????) C:\Windows\system32\Drivers\TFsFlt.sys
2016-03-17 11:08 - 2016-03-17 11:07 - 00128216 _____ (????) C:\Windows\system32\Drivers\TsFltMgr.sys

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: {AB9FA6EF-F256-4DDE-94AE-218721DA82F2} - \SW-Booster-S-1095609242 -> No File <==== ATTENTION

AlternateDataStreams: C:\Users\cesko\Downloads:Shareaza.GUID [16]

FirewallRules: [{28B6D336-7AEF-404E-8C48-5E722F8E2BA7}] => (Allow) C:\program files\common files\tencent\qqdownload\130\bugreport_xf.exe
FirewallRules: [{2BD2E642-D46F-411F-8D7A-A0DA26CB6765}] => (Allow) C:\program files\common files\tencent\qqdownload\131\bugreport_xf.exe
FirewallRules: [{B56A2B23-692C-432A-BF58-E3CE20DE241D}] => (Allow) C:\program files\common files\tencent\qqdownload\131\tencentdl.exe

C:\program files\common files\tencent
C:\Program Files\Tencent

Hosts:
EmptyTemp:
Reboot:
End
*****************

Processes closed successfully.
Error: Restore point can only be created in normal mode.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ QQPCTray => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => value removed successfully.

"C:\Windows\system32\GroupPolicy\Machine" folder move:

Could not move "C:\Windows\system32\GroupPolicy\Machine" => Scheduled to move on reboot.

C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully.
"HKLM\Software\MozillaPlugins\@qq.com/npAndroidAssistant" => key removed successfully.
HKLM\Software\Mozilla\Firefox\Extensions\\support@vdownloader.com => value removed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\eoccbpoodnckjdnackiffhjfkogfhnhh" => key removed successfully.
9704792drv => service removed successfully.
TAOAccelerator => service not found.
TAOKernelDriver => service removed successfully.
TFsFlt => service not found.
TSDefenseBt => service not found.
TsFltMgr => service not found.
C:\Windows\system32\Drivers\TAOKernel.sys => moved successfully
C:\Windows\system32\Drivers\TS888.sys => moved successfully
C:\Windows\system32\Drivers\TAOAccelerator.sys => moved successfully
C:\Windows\system32\Drivers\TSDefenseBt.sys => moved successfully
C:\Windows\system32\Drivers\TFsFlt.sys => moved successfully
C:\Windows\system32\Drivers\TsFltMgr.sys => moved successfully
C:\Windows\Tasks\Adobe Flash Player Updater.job => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AB9FA6EF-F256-4DDE-94AE-218721DA82F2}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB9FA6EF-F256-4DDE-94AE-218721DA82F2}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SW-Booster-S-1095609242 => key not found.
"C:\Users\cesko\Downloads" => ":Shareaza.GUID" ADS not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{28B6D336-7AEF-404E-8C48-5E722F8E2BA7} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2BD2E642-D46F-411F-8D7A-A0DA26CB6765} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B56A2B23-692C-432A-BF58-E3CE20DE241D} => value removed successfully.
"C:\program files\common files\tencent" => not found.
"C:\Program Files\Tencent" => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 52 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Safe Mode (with Networking)) (Date&Time: 2016-03-21 03:16:23)

C:\Windows\system32\GroupPolicy\Machine => is moved successfully

==== End of Fixlog 03:16:23 ====
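As an added example (not code from this thread, from FRST or from its author), here is a small Python triage helper for the service and driver lines that FRST prints and that the fixlist above was built from. It parses the start type, name, path, size/date, publisher and the `[File not signed]` / `[X]` markers, then flags what a helper checks first: early-start drivers, unsigned files, missing publisher information, a publisher outside a (constructed) allowlist, and the case visible in this Fixlog, where saving the fixlist without Unicode turned the publisher 电脑管家 into ????. FRST still moved those drivers because the file lines are matched by path, but a parser working from the saved copy can no longer identify the publisher. The sample lines and the TRUSTED_VENDORS set are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One FRST service/driver entry, as it appears in the Services/Drivers sections:
#   S1 name; C:\path\file.sys [489048 2013-01-29] (Vendor) [File not signed]
#   S3 name; "C:\path\file.exe" [X]        <- registry entry whose file is gone
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]"
    r"(?:\s*\((?P<vendor>.*)\))?(?P<flags>(?:\s*\[[^\]]*\])*)"
    r"|(?P<missing>\[X\]))$"
)

# Start types that load before any user-mode security product (boot/system start).
EARLY_START = {"R0", "S0", "R1", "S1"}

# Publishers this analyst chose to trust on this machine. Constructed for the
# example; a real allowlist would come from the machine's known-good baseline.
TRUSTED_VENDORS = {
    "Microsoft Corporation",
    "Společnost Microsoft",      # Czech-localised Microsoft publisher string
    "Malwarebytes",
    "Malwarebytes Corporation",
}


@dataclass
class Entry:
    state: str
    name: str
    path: str
    vendor: Optional[str]      # None when FRST printed no "(...)" group at all
    unsigned: bool
    missing_file: bool


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one service/driver line; return None for lines of another shape."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        state=m.group("state"),
        name=m.group("name").strip(),
        path=m.group("path").strip('"'),
        vendor=m.group("vendor"),
        unsigned="File not signed" in (m.group("flags") or ""),
        missing_file=m.group("missing") is not None,
    )


def triage(entry: Entry) -> List[str]:
    """Return the reasons a helper would look at this entry more closely."""
    findings: List[str] = []
    if entry.missing_file:
        # Orphaned entries are noise rather than risk, but they are what FRST
        # cleans up when listed in a fixlist, so report them too.
        return ["registry entry points to a file that no longer exists"]
    if entry.unsigned:
        findings.append("file is not signed")
    if not entry.vendor:
        findings.append("file carries no publisher/version information")
    elif set(entry.vendor) <= {"?"}:
        # A non-ASCII publisher saved as ANSI becomes "????": the name is gone,
        # so the entry can no longer be matched against an allowlist.
        findings.append("publisher string lost (non-ASCII name saved without Unicode)")
    elif entry.vendor not in TRUSTED_VENDORS:
        findings.append(f"publisher not on allowlist: {entry.vendor}")
    if findings and entry.state in EARLY_START:
        findings.insert(0, "loads at boot/system start, before user-mode security tools")
    return findings


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map service name -> findings for every entry that has at least one."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        findings = triage(entry)
        if findings:
            report[entry.name] = findings
    return report


# Sample entries constructed from the shapes seen in the thread's FRST logs.
SAMPLE_LINES = [
    r"S1 9704792drv; C:\Windows\System32\DRIVERS\9704792drv.sys [489048 2013-01-29] () [File not signed]",
    r"S1 TAOKernelDriver; C:\Windows\system32\Drivers\TAOKernel.sys [100088 2016-03-17] (Tencent Technology(Shenzhen) Company Limited)",
    r"S1 TFsFlt; C:\Windows\System32\Drivers\TFsFlt.sys [150008 2016-03-17] (????)",
    r"R0 TsFltMgr; C:\Windows\System32\drivers\TsFltMgr.sys [128216 2016-03-17] (电脑管家)",
    r"R0 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [190424 2009-04-11] (Společnost Microsoft)",
    r"S2 MBAMService; C:\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)",
    r'S3 IDriverT; "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" [X]',
    "==================== Drivers (Whitelisted) ==========================",
]

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LINES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The allowlist deliberately matches the whole publisher string rather than a substring, so a localised string such as "Společnost Microsoft" has to be added explicitly; that is the trade-off for not letting an arbitrary publisher that merely contains "Microsoft" pass.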

Márty84
VIP
Posts: 21679
Registered: 05 Dec 2009 20:08
Location: Ostrava

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#41 Post by Márty84 »

Delete the files MBAM found manually in safe mode.

Post a new FRST log.

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#42 Post by F7R »

Damn, unfortunately I misunderstood and deleted the files through MBAM... everything is as before, except that in safe mode FRST, CF and the other programs I recently installed, such as WinRAR, got deleted.
My keyboard has apparently changed from CZ to EN, because Z and Y are swapped and I can't type numbers with Shift as before; instead, with Shift it types letters with háčeks, long ý and so on.
Some infected files still remained there after the MBAM deletion, so I deleted them manually afterwards, but then they were not in the Recycle Bin... I don't understand

Log {it's interesting that it's no longer run from the system profile but from my account cesko... so maybe a slight step in the right direction... when safe mode loaded, the message that my profile wasn't loaded correctly no longer appeared.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by cesko (administrator) on CESKO-PC (21-03-2016 12:22:18)
Running from C:\Users\cesko\Desktop
Loaded Profiles: cesko (Available Profiles: cesko)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: Čeština (Česká republika)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Mozilla Corporation) D:\Tor Browser\Browser\firefox.exe
() D:\Tor Browser\Browser\TorBrowser\Tor\tor.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 02 C:\Windows\system32\napinsp.dll [50176 2008-01-21] (Společnost Microsoft)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{93E4835A-8CC3-420B-91E5-48014E065A30}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BAE6D55F-F66B-4F39-A3DD-E2F6609718A1}: [DhcpNameServer] 10.0.0.138

Internet Explorer:
==================
URLSearchHook: [S-1-5-21-3613717200-223133842-2651324926-1000] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> OldSearch URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll => No File
BHO: IEExtension.VDownloaderBHO -> {7b523e7c-f096-4e36-a0cb-7efeb5c675c1} -> C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL No File
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll No File []
Handler: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL No File
Handler: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-10] ()
FF Plugin: @java.com/DTPlugin,version=10.11.2 -> C:\Windows\system32\npDeployJava1.dll [2013-01-12] (Oracle Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nprjplug;version=15.0.4.53 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [No File]
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [No File]
FF Extension: No Name - C:\Program Files\TrustMediaViewerV1\TrustMediaViewerV1alpha1447\ff [not found]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-28] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx <not found>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MBAMScheduler; C:\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2016-01-29] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [X]
S3 IDriverT; "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" [X]
S3 LightScribeService; "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" [X]
S3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [X]
S3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [X]
S3 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdide; C:\Windows\System32\DRIVERS\amdide.sys [10632 2012-11-01] (Advanced Micro Devices)
S1 cpuidlep; C:\Windows\system32\Drivers\cpuidlep.sys [4484 2013-03-08] ()
R0 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [190424 2009-04-11] (Společnost Microsoft)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-03-21] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [253704 2015-11-13] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2007-07-31] (ATK0100) [File not signed]
R3 Ntfs; C:\Windows\system32\Drivers\Ntfs.sys [1082232 2013-03-03] (Společnost Microsoft)
R3 pmkbdfltr; C:\Windows\System32\DRIVERS\pmkbdfltr.sys [15248 2012-11-01] (PenMount)
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36560 2006-09-27] (Sonic Solutions) [File not signed]
S3 s0016bus; C:\Windows\System32\DRIVERS\s0016bus.sys [89256 2008-05-16] (MCCI Corporation)
S3 s0016mdfl; C:\Windows\System32\DRIVERS\s0016mdfl.sys [15016 2008-05-16] (MCCI Corporation)
S3 s0016mdm; C:\Windows\System32\DRIVERS\s0016mdm.sys [120744 2008-05-16] (MCCI Corporation)
S3 s0016mgmt; C:\Windows\System32\DRIVERS\s0016mgmt.sys [114216 2008-05-16] (MCCI Corporation)
S3 s0016nd5; C:\Windows\System32\DRIVERS\s0016nd5.sys [25512 2008-05-16] (MCCI Corporation)
S3 s0016obex; C:\Windows\System32\DRIVERS\s0016obex.sys [110632 2008-05-16] (MCCI Corporation)
S3 s0016unic; C:\Windows\System32\DRIVERS\s0016unic.sys [115752 2008-05-16] (MCCI Corporation)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [86824 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [15016 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [114600 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [108328 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [26024 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [104616 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [109736 2008-10-21] (MCCI Corporation)
S3 s1018obex; C:\Windows\System32\DRIVERS\s1018obex.sys [104744 2009-03-25] (MCCI Corporation)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1743232 2007-05-25] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-21] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-21 12:22 - 2016-03-21 12:22 - 01725440 _____ (Farbar) C:\Users\cesko\Desktop\FRST.exe
2016-03-21 12:22 - 2016-03-21 12:22 - 00010260 _____ C:\Users\cesko\Desktop\FRST.txt
2016-03-21 12:08 - 2016-03-21 12:08 - 00000020 ___SH C:\Users\cesko\ntuser.ini
2016-03-21 03:19 - 2016-03-21 03:19 - 00000000 __SHD C:\%APPDATA%
2016-03-21 02:55 - 2016-03-21 02:55 - 00001617 _____ C:\MBAm
2016-03-20 16:57 - 2016-03-20 16:57 - 00000653 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-20 16:56 - 2016-03-20 16:56 - 00000000 ____D C:\Malwarebytes Anti-Malware
2016-03-20 15:27 - 2016-03-20 15:27 - 00012872 _____ C:\ComboFix.txt
2016-03-20 13:00 - 2016-03-20 13:00 - 00000584 _____ C:\Users\Public\Desktop\WinRAR.lnk
2016-03-20 12:37 - 2016-03-21 12:22 - 00000000 ____D C:\FRST
2016-03-19 16:25 - 2016-03-20 15:27 - 00000000 ____D C:\Qoobox
2016-03-19 11:20 - 2016-03-21 12:09 - 01400210 _____ C:\Windows\ntbtlog.txt
2016-03-19 11:20 - 2016-03-21 12:09 - 01400210 _____ C:\Windows\ntbtlog.txt
2016-03-18 18:38 - 2016-03-18 18:38 - 00001613 _____ C:\scan3.txt
2016-03-18 17:55 - 2016-03-18 17:55 - 00001615 _____ C:\scan 2!.txt
2016-03-17 18:12 - 2016-03-21 09:28 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-17 18:10 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-17 18:10 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-17 18:10 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-17 14:59 - 2016-03-19 10:25 - 00000000 ____D C:\Program Files\AdwCleaner
2016-03-17 12:48 - 2016-03-17 12:48 - 00688992 ____R (Swearware) C:\Users\cesko\Desktop\dds.exe
2016-03-10 10:12 - 2016-02-19 22:34 - 01208776 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-03-10 10:12 - 2016-02-06 03:17 - 03609024 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2016-03-10 10:12 - 2016-02-06 03:17 - 03556800 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-03-10 10:12 - 2016-02-06 03:12 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-03-10 10:12 - 2016-02-06 03:11 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-03-10 10:12 - 2016-02-06 03:11 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-03-10 10:12 - 2016-02-06 01:32 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-03-10 10:10 - 2015-11-20 15:15 - 00922432 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00066400 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00022368 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00015200 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011104 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-03-10 10:10 - 2015-11-20 15:15 - 00011104 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-03-10 10:08 - 2016-02-06 03:12 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\seclogon.dll
2016-03-10 10:07 - 2016-02-06 03:11 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-03-10 10:07 - 2016-02-06 01:33 - 00297472 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-03-10 08:23 - 2016-02-02 16:30 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBSTOR.SYS
2016-03-10 08:22 - 2016-02-03 18:06 - 00564736 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2016-03-10 08:22 - 2016-02-03 18:06 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\olepro32.dll
2016-03-10 08:22 - 2016-02-03 18:05 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2016-03-10 08:08 - 2016-02-04 16:25 - 02068992 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-03-09 16:08 - 2016-02-09 01:17 - 01815552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-03-09 16:08 - 2016-02-09 01:15 - 12392960 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-03-09 16:08 - 2016-02-09 01:13 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-03-09 16:08 - 2016-02-09 01:12 - 09753600 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-03-09 16:08 - 2016-02-09 01:12 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-03-09 16:08 - 2016-02-09 01:11 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 01804800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-03-09 16:08 - 2016-02-09 01:10 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-03-09 16:08 - 2016-02-09 01:10 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-03-09 16:08 - 2016-02-09 01:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-03-09 16:08 - 2016-02-09 01:09 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-03-09 16:08 - 2016-02-09 01:09 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-03-09 16:08 - 2016-02-09 01:09 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-21 12:14 - 2012-06-09 12:09 - 46681744 _____ C:\Windows\system32\perfh005.dat
2016-03-21 12:14 - 2012-06-09 12:09 - 17089002 _____ C:\Windows\system32\perfc005.dat
2016-03-21 12:14 - 2006-11-02 11:33 - 00007044 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-21 12:01 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\schemas
2016-03-21 12:01 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\schemas
2016-03-21 03:09 - 2006-11-02 12:18 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-03-20 15:21 - 2006-11-02 11:23 - 00000215 _____ C:\Windows\system.ini
2016-03-20 15:21 - 2006-11-02 11:23 - 00000215 _____ C:\Windows\system.ini
2016-03-20 15:09 - 2015-03-10 13:48 - 00000000 ____D C:\Windows\erdnt
2016-03-20 15:09 - 2015-03-10 13:48 - 00000000 ____D C:\Windows\erdnt
2016-03-19 10:42 - 2016-01-01 14:04 - 00000000 ___RD C:\Program Files\Skype
2016-03-19 10:42 - 2015-03-10 15:45 - 00000000 ____D C:\Program Files\Microsoft Security Client
2016-03-19 10:42 - 2011-12-19 01:36 - 00000000 ____D C:\Program Files\Dialogys
2016-03-19 10:42 - 2011-12-19 01:36 - 00000000 ____D C:\Program Files\_jvm
2016-03-19 10:42 - 2011-08-11 13:28 - 00000000 ____D C:\Program Files\Microsoft Office
2016-03-19 10:42 - 2011-08-10 16:06 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-03-19 10:42 - 2011-08-10 16:06 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-03-19 10:42 - 2006-11-02 14:01 - 00032618 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-19 10:42 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-19 10:42 - 2006-11-02 13:47 - 00003760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-19 10:42 - 2006-11-02 13:47 - 00003760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-19 10:42 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Microsoft Games
2016-03-19 10:26 - 2011-08-11 15:04 - 00000000 ____D C:\Program Files\Common Files\LightScribe
2016-03-19 10:26 - 2011-08-10 17:30 - 00000000 ____D C:\Program Files\ATI Technologies
2016-03-19 10:26 - 2006-11-02 12:18 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-03-19 10:25 - 2013-03-20 12:15 - 00000000 ____D C:\Users\cesko\Desktop\Sony
2016-03-19 10:25 - 2013-02-16 06:38 - 00000000 ____D C:\Users\cesko\Tracing
2016-03-19 10:25 - 2011-09-17 12:54 - 00000000 ____D C:\Program Files\7-Zip
2016-03-19 10:25 - 2006-11-02 13:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-03-19 10:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\Performance
2016-03-19 10:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\Performance
2016-03-18 08:51 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\inf
2016-03-18 08:51 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\inf
2016-03-17 12:10 - 2015-03-12 15:30 - 00383096 _____ C:\Windows\system32\FNTCACHE.DAT
2016-03-10 21:17 - 2012-12-04 14:02 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-03-10 21:17 - 2012-12-04 14:02 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-03-10 12:37 - 2013-08-21 17:54 - 00000000 ____D C:\Windows\system32\MRT
2016-03-10 12:27 - 2006-11-02 11:24 - 141270216 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-03-10 10:19 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2016-02-24 09:49 - 2012-05-01 16:17 - 00001945 _____ C:\Windows\epplauncher.mif
2016-02-24 09:49 - 2012-05-01 16:17 - 00001945 _____ C:\Windows\epplauncher.mif

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-21 12:23

==================== End of FRST.txt ============================
Attachments
Addition.rar
(7.57 KiB) Downloaded 30 times

Márty84
VIP
Posts: 21679
Registered: 05 Dec 2009 20:08
Location: Ostrava

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#43 Post by Márty84 »

The log is already clean; there is not a trace left of that uninvited guest. But if it still isn't running as it should, the system will be damaged. Try Fix It http://www.stahuj.centrum.cz/utility_a_ ... it-center/ , otherwise it may be necessary to repair the system using the installation media.
If you have a question that is not intended for the public, you can write to me at marty84zavináčforum.viry.cz

Option to support our forum https://platba.viry.cz/payment/

For time reasons I will now be on the forum less often. If you are waiting a long time for a reply, please contact one of my colleagues (most of them have their e-mail address in their signature).

F7R
Visitor
Posts: 49
Registered: 17 Mar 2016 12:26

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#44 Post by F7R »

That program can't be started in safe mode. I no longer have the installation media to repair my Vista.
Never mind, I'll take it to a friend and he'll do a complete install of Win 7 for me.
That virus, or whatever it actually was, completely wiped my whole C drive. All I have left there are 2 photos and two music albums out of the countless ones I had there. And of the programs, probably only Dialogys remained, the Renault spare parts program.
So any disk backup solution or extracting files somehow loses its point :(

Nevertheless, many thanks to everyone involved who helped me here :thumbsup:
Take care. It's great that a forum like this exists :wink:

Márty84
VIP
Posts: 21679
Registered: 05 Dec 2009 20:08
Location: Ostrava

Re: Chinese malware, virus - behaves like an administrator, FRSTLaunche

#45 Post by Márty84 »

Well, that's strange. Tencent is actually an antivirus that sneaked in there somehow and didn't want to leave. It usually doesn't do that kind of damage, though; you noticed yourself that for other users it went without major complications.

But it has its advantages too. Windows 7 is better than Vista :) I just hope it will be a legal installation.

Well, unfortunately there's nothing to thank me for this time, since it ends in a fresh install anyway :-( Hopefully that was the last time :)

Let me know afterwards whether the new system runs as it should; take care for now :bye:

Locked