
Re: Request for a check

Posted: 18 Oct 2012 14:40
by vyosek
:arrow: If you don't have it yet, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    KillAll::
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"=-
    "SunJavaUpdateSched"=-
    "DivXUpdate"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"=-
    "Skype"=-
    "ctfmon.exe"=-
    
    Collect::
    C:\WINDOWS\system32\nero.bat
    
    File::
    C:\Documents and Settings\mato\Start Menu\Programs\Startup\nero.bat.lnk
    C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    
    ClearJavaCache::
    
    Reboot::
  • Save the created TXT file as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and run it (see the picture below)
    [image]
  • After the script is applied (and after a possible restart) a log will pop up; paste its contents here
:arrow: If the message "Attempt to use an invalid operation on a registry key that has been marked for deletion" pops up, just restart the PC - the registry will sort itself out - it is an internal error caused by CF, which the author unfortunately cannot fix yet

:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration
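The CFScript above is a plain section-based format: a line ending in `::` opens a section, `[KEY]` lines under `Registry::` select a key, and `"name"=-` removes that value. The parser below is an added example (not code from the post or from ComboFix) that reads such a script and lists the registry values it would delete; the sample text is a shortened copy of the script above, and the `=-` interpretation is taken from that post.

```python
# Added example (not from the post or ComboFix): parse a CFScript into
# sections and list the registry values that "=-" marks for deletion.
# Assumes: headers are lines ending in "::", [KEY] lines open a registry
# key, and "name"=- under a key deletes that value (as in the script above).
import re

# Constructed sample: a shortened copy of the script posted above.
SAMPLE = r"""KillAll::

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"=-
"SunJavaUpdateSched"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=-

File::
C:\WINDOWS\tasks\Adobe Flash Player Updater.job

Reboot::
"""

SECTION = re.compile(r"^([A-Za-z]+)::$")
VALUE_DEL = re.compile(r'^"([^"]*)"=-$')

def parse_cfscript(text):
    """Map each section name to the non-empty lines under it, in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("content before first section: %r" % line)
        else:
            sections[current].append(line)
    return sections

def registry_deletions(sections):
    """Return (key, value_name) pairs the Registry:: section deletes."""
    out, key = [], None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]      # a new key applies to the lines below it
            continue
        m = VALUE_DEL.match(line)
        if m and key:
            out.append((key, m.group(1)))
    return out
```

Reviewing the output of `registry_deletions` before running a script is a cheap way to confirm it only touches the autostart values you intended.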

Re: Request for a check

Posted: 22 Oct 2012 18:27
by marko70711
Log - ComboFix

ComboFix 12-10-22.01 - mato 22.10.2012 19:15:43.3.2 - x86
Systém Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.1023.630 [GMT 2:00]
Running from: c:\documents and settings\mato\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mato\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\mato\Start Menu\Programs\Startup\nero.bat.lnk"
"c:\windows\tasks\Adobe Flash Player Updater.job"
.
file zipped: c:\windows\system32\nero.bat
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mato\Start Menu\Programs\Startup\nero.bat.lnk
c:\windows\system32\nero.bat
c:\windows\tasks\Adobe Flash Player Updater.job
.
.
((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
.
.
2012-10-22 17:12 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1AD522E2-746D-4727-9258-2795C2B97F5C}\mpengine.dll
2012-10-22 16:25 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-18 06:51 . 2012-10-18 06:51 -------- d-----w- c:\program files\Common Files\Java
2012-10-18 06:50 . 2012-10-18 06:50 -------- d-----w- c:\documents and settings\mato\Application Data\Malwarebytes
2012-10-18 06:49 . 2012-10-18 06:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-18 06:49 . 2012-10-18 06:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-18 06:49 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-10 19:36 . 2012-10-10 19:36 -------- d-----w- C:\_OTL
2012-10-10 19:20 . 2012-10-10 19:20 512 ----a-w- C:\PhysicalMBR.bin
2012-10-10 19:06 . 2012-10-10 19:09 -------- d-----w- c:\documents and settings\mato\Local Settings\Application Data\Deployment
2012-10-10 19:04 . 2012-10-10 19:04 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-10 16:59 . 2012-10-10 19:03 -------- d-----w- c:\program files\Google
2012-10-10 15:22 . 2012-10-11 03:02 -------- d-----w- c:\program files\trend micro
2012-10-10 15:22 . 2012-10-10 15:23 -------- d-----w- C:\rsit
2012-10-10 07:51 . 2012-10-10 19:04 -------- d-----w- C:\7e50a67569ec7e5b66c069d75501e7
2012-10-08 18:58 . 2012-10-08 18:58 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 18:58 . 2012-05-09 04:16 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 18:58 . 2011-06-14 19:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 13:32 . 2012-06-18 04:48 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 13:32 . 2011-04-23 19:11 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 11:51 . 2012-06-18 04:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-30 20:03 . 2010-10-24 19:25 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 13:53 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust(2).dll
2012-08-21 13:33 . 2006-02-28 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-03 22:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KrosMeninyP"="True" [X]
"KrosMeniny"="c:\documents and settings\mato\Desktop\Meniny.exe" [2011-08-28 1323520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]
"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"nwiz"="nwiz.exe" [2006-02-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-13 86016]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"Atomic.exe"="c:\program files\Atomic Clock Sync\Atomic.exe" [2004-06-17 524288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [25.12.2011 12:44 239168]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [3.7.2012 13:19 160944]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [23.4.2011 16:02 36864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [18.10.2012 8:49 22856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [18.10.2012 8:49 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [9.5.2012 6:16 250808]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\mato\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\mato\LOCALS~1\Temp\CFcatchme.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.sk/
mStart Page =
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\mato\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\mato\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Stiahnuť s USDownloaderom - c:\documents and settings\mato\Desktop\USDownloader135\Ext\downloadie.html
TCP: DhcpNameServer = 188.120.1.2 188.120.0.122
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-22 19:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSSK.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-10-22 19:24:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-22 17:23
ComboFix2.txt 2012-10-22 16:59
ComboFix3.txt 2012-10-10 20:16
.
Pre-Run: 190 426 710 016 bytes free
Post-Run: 25 adresárov, 190 387 388 416 voľných bajtov
.
- - End Of File - - 4E3A605DC44ABC21A76BAB99A066F815
Upload was successful

Re: Request for a check

Posted: 22 Oct 2012 18:35
by vyosek
How is the PC behaving? :???:

Re: Request for a check

Posted: 22 Oct 2012 19:39
by marko70711
The PC behaves normally. The only thing is that when I switch the PC on, just before the Windows logo appears, it shows some three boot mode options for about a second, but I can't describe it exactly because it disappears right away; after that the PC boots normally. It has been starting like this for quite some time. Otherwise the PC works fast, without stuttering and without any signs of malware infestation. I have one more question. Wouldn't it be a good idea to turn off System Restore, which would delete the individual restore points from the various dates, and then turn System Restore back on? I once read an article saying that various malware can be hidden precisely in System Restore.

Re: Request for a check

Posted: 23 Oct 2012 08:15
by vyosek
:arrow: Please upload the file c:\boot.ini somewhere for me

Re: Request for a check

Posted: 25 Oct 2012 05:30
by marko70711
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

This is what Google Chrome showed me.
I found the boot.ini file through Explorer, but after downloading it to the desktop I can't find the file. It is as if the system were hiding it.

Re: Request for a check

Posted: 25 Oct 2012 09:38
by vyosek
:arrow: Here you can see which options it offers at startup - the Recovery Console was loaded there on purpose together with ComboFix - the system can occasionally be repaired through it...

:arrow: I think the two-second delay doesn't matter :)

:arrow: Uninstall ComboFix
  • Rename ComboFix to Uninstall
  • Run it
  • This deletes ComboFix and its folders
:arrow: T-Cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe
  • Download and run it
  • To confirm each choice press A, Enter
  • Delete the utility after use
  • Antivirus programs tend to wrongly flag this utility as a virus - it is a false positive - so go ahead and download it (or turn off the antivirus while downloading)
:arrow: OTC http://oldtimer.geekstogo.com/OTC.exe
  • Download and run it
  • Click CleanUp and confirm with YES
  • The program cleans up and restarts the PC

:arrow: TFC http://oldtimer.geekstogo.com/TFC.exe
  • Download and run it
  • Click Start and confirm with OK
  • The program cleans up and restarts the PC
  • Delete the utility after use
:arrow: Download CCleaner http://forum.viry.cz/viewtopic.php?t=7478
Cleaner panel
  • Leave everything as it is, just click Analyze and then Run CCleaner
Registry panel
  • click Scan for Issues
  • then Fix Issues - I recommend making the registry backup; fix all issues
  • repeat the procedure until no issues remain - usually about 3 times
Tools panel
  • Here you can uninstall programs you don't need
I recommend running CCleaner about once a week

:arrow: And if there are no problems or questions, that's all from my side :|

Re: Request for a check

Posted: 30 Oct 2012 08:33
by marko70711
OK, thanks, the PC runs like clockwork :thumbsup:

Re: Request for a check

Posted: 30 Oct 2012 08:39
by vyosek
You're welcome, glad I could help :worship: See you again sometime [image]

And in accordance with the rules on locking topics :lock: