Here is the ComboFix log; sorry it took a while.
ComboFix 12-11-04.01 - Gabo . 11. 2012 23:48:21.2.4 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.3327.2686 [GMT 1:00]
Running from: c:\documents and settings\Gabo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gabo\Desktop\CFScript.txt
AV: ESET Smart Security 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
FILE ::
"c:\windows\tasks\AppleSoftwareUpdate.job"
"c:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1788223648-682003330-1003Core.job"
"c:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1788223648-682003330-1003UA.job"
"c:\windows\tasks\Protected Search.job"
"c:\windows\tasks\RealUpgradeLogonTaskS-1-5-21-854245398-1788223648-682003330-1003.job"
"c:\windows\tasks\RealUpgradeScheduledTaskS-1-5-21-854245398-1788223648-682003330-1003.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\tasks\AppleSoftwareUpdate.job
c:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1788223648-682003330-1003Core.job
c:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1788223648-682003330-1003UA.job
c:\windows\tasks\RealUpgradeLogonTaskS-1-5-21-854245398-1788223648-682003330-1003.job
c:\windows\tasks\RealUpgradeScheduledTaskS-1-5-21-854245398-1788223648-682003330-1003.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABQ9D91
-------\Legacy_ERJCIGXN
-------\Legacy_HOIZNHPK
-------\Legacy_NTJBB8A
-------\Legacy_RDNB6A2
-------\Legacy_XZYEDELU
-------\Service_abq9d91
-------\Service_erjcigxn
-------\Service_hoiznhpk
-------\Service_ntjbb8a
-------\Service_rdnb6a2
-------\Service_xzyedelu
.
.
((((((((((((((((((((((((( Files Created from 2012-10-04 to 2012-11-04 )))))))))))))))))))))))))))))))
.
.
2012-11-04 20:36 . 2012-11-04 20:36 -------- d-----w- c:\program files\ESET
2012-11-04 20:36 . 2012-11-04 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-11-04 19:49 . 2012-11-04 21:04 -------- d-----w- c:\program files\trend micro
2012-11-04 19:49 . 2012-11-04 19:49 -------- d-----w- C:\rsit
2012-11-01 18:53 . 2012-11-01 18:53 -------- d-----w- c:\program files\Alcohol Soft
2012-11-01 18:50 . 2012-11-01 18:50 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-11-01 18:20 . 2012-11-01 18:22 -------- d-----w- c:\program files\Unlocker
2012-11-01 18:11 . 2012-11-01 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Martau
2012-11-01 18:11 . 2012-11-01 18:11 -------- d-----w- c:\program files\Total Uninstall 6
2012-11-01 18:04 . 2012-11-01 18:04 -------- d-----w- c:\program files\Total Uninstall
2012-10-31 17:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-10-31 17:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-10-31 17:00 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-10-31 17:00 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-10-22 23:45 . 2012-10-22 23:45 -------- d-----w- c:\documents and settings\Gabo\Local Settings\Application Data\SimplyTech
2012-10-22 23:44 . 2012-10-22 23:44 -------- d-----w- c:\program files\Protected Search
2012-10-22 23:44 . 2012-08-30 01:01 15432 ----a-w- c:\windows\Launcher.exe
2012-10-22 23:43 . 2012-10-22 23:44 -------- d-----w- c:\documents and settings\Gabo\Local Settings\Application Data\DownTango
2012-10-22 23:43 . 2012-10-22 23:43 -------- d-----w- c:\program files\Red Sky
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-27 19:12 . 2007-07-27 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-08-27 19:12 . 2007-07-27 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-08-27 19:12 . 2007-07-27 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-08-27 19:12 . 2007-07-27 12:00 17408 ------w- c:\windows\system32\corpol.dll
2012-08-24 13:53 . 2007-07-27 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2007-07-27 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-03 22:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-07-14 00:15 . 2012-08-16 00:22 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-01-03 274608]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-06-14 4431664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
mLAN Manager.lnk - c:\program files\mLAN Tools\YAMAHA\mLANmanager.exe [2007-3-12 77824]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Red Sky\\DownTango\\DownTango.exe"=
"c:\\Program Files\\Red Sky\\DownTango\\pyload-dist\\pyLoadCore.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1. 11. 2012 19:50 691696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14. 6. 2012 16:33 121216]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [14. 6. 2012 16:33 1288104]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13. 7. 2012 12:28 160944]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [29. 12. 2010 15:21 38656]
R3 mLanBus;Yamaha mLAN Bus Driver;c:\windows\system32\drivers\mLanBus.sys [25. 4. 2008 14:48 93568]
R3 mLanMIDI;Yamaha mLAN MIDI Driver;c:\windows\system32\drivers\mLanMIDI.sys [25. 4. 2008 14:48 12800]
R3 mLanStrm;Yamaha mLAN Audio Driver;c:\windows\system32\drivers\mLanStrm.sys [25. 4. 2008 14:48 25472]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6. 5. 2008 16:06 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
IE: {{45d8438c-b51d-47a8-aeea-9061535f25f1} - {b52d0735-ec19-448a-abde-e01b5bd275d2} -
TCP: DhcpNameServer = 193.110.186.240 217.75.71.141
FF - ProfilePath - c:\documents and settings\Gabo\Application Data\Mozilla\Firefox\Profiles\3nxjgx8n.default\
FF - ExtSQL: 2012-10-23 01:44; {890a3e16-521d-4d00-bdf9-e07218d09c8d}; c:\documents and settings\Gabo\Application Data\Mozilla\Firefox\Profiles\3nxjgx8n.default\extensions\{890a3e16-521d-4d00-bdf9-e07218d09c8d}
FF - ExtSQL: !HIDDEN! 2010-12-31 16:04; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-11-04 23:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD501LJ rev.CR100-11 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\RTHDCPL.EXE
c:\program files\mLAN Tools\mLANSoftPH.exe
c:\program files\mLAN Tools\mLANVDevice.exe
c:\program files\mLAN Tools\mLANTFamily.exe
c:\program files\mLAN Tools\YAMAHA\mLANConnectionManager.exe
.
**************************************************************************
.
Completion time: 2012-11-04 23:53:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-04 22:53
ComboFix2.txt 2012-11-04 22:11
.
Pre-Run: 13 259 116 544 bytes free
Post-Run: Volných bajtů: 13 160 693 760
.
- - End Of File - - 11B4E69B38067D753A6EBA3720D03F8E