Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 13 čer 2013 18:40
Pokud problé pominul a není další, je to vše.
VIRY.CZ
Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/
Prosim o kontrolu logu,asi mam virus.
Stránka 2 z 2
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 13 čer 2013 22:11
bohuzial stale problem pretrvava
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 16:34
Dejte log ComboFix:
Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
pote spustte aplikaci pod uctem s administratorskym opravnenim
hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.
v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se
jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine
aplikace ani nic jineho
behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)
upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,
pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k
nezadoucim kolizim s rezidentem antispyware.
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 18:04
uz to mam spravene
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 18:31
Dejte log ComboFix.
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 18:37
ComboFix 13-06-13.01 - pc . 06. 2013 18:43:43.1.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.6142.4535 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\052ffd5c.tmp
c:\programdata\mazuki.dll
c:\users\pc\AppData\Local\Temp\sfamcc00001.dll
c:\users\pc\AppData\Local\Temp\sfareca00001.dll
c:\users\pc\AppData\Roaming\FileDoumi
c:\users\pc\AppData\Roaming\OpenTab
c:\windows\Downloaded Program Files\120425049
c:\windows\Downloaded Program Files\120425049\BaiduSetupAx_1.dll
c:\windows\Downloaded Program Files\120425049\npxbdsetup.dll
c:\windows\Downloaded Program Files\668199
c:\windows\Downloaded Program Files\668199\BaiduSetupAx_1.dll
c:\windows\Downloaded Program Files\668199\npxbdsetup.dll
c:\windows\Downloaded Program Files\936489
c:\windows\Downloaded Program Files\936489\BaiduSetupAx_1.dll
c:\windows\Downloaded Program Files\936489\npxbdsetup.dll
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\SysWow64\frapsvid.dll
c:\windows\SysWow64\funshion.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-05-14 to 2013-06-14 )))))))))))))))))))))))))))))))
.
.
2013-06-14 16:50 . 2013-06-14 16:52 -------- d-----w- c:\users\pc\AppData\Local\temp
2013-06-13 16:33 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C50EA4D9-6C30-4004-A101-CC9697613999}\mpengine.dll
2013-06-12 19:19 . 2013-06-12 19:19 1200 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-12 17:14 . 2013-06-13 16:27 -------- d-----w- c:\program files\trend micro
2013-06-12 15:57 . 2013-05-08 04:14 1417576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 15:57 . 2013-05-08 02:27 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-06-12 15:55 . 2013-04-24 04:09 1269248 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 15:55 . 2013-04-24 04:00 985600 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-06-12 15:55 . 2013-04-24 02:10 1078272 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 15:55 . 2013-04-24 01:46 812544 ----a-w- c:\windows\SysWow64\certutil.exe
2013-06-12 15:55 . 2013-04-24 04:09 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:09 132096 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:09 50688 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 15:55 . 2013-04-24 04:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:00 41984 ----a-w- c:\windows\SysWow64\certenc.dll
2013-06-12 15:53 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 15:53 . 2013-04-17 12:30 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-06-12 15:53 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2013-06-12 14:05 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\FLT
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\CAPCOM
2013-05-22 05:20 . 2013-05-22 05:18 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6B78915A-6D56-4548-A029-084015BAE9FD}\gapaengine.dll
2013-05-19 02:20 . 2013-06-14 16:25 -------- d-----w- c:\program files (x86)\SpeedFan
2013-05-17 20:41 . 2013-05-17 20:41 -------- d-----w- c:\users\pc\AppData\Roaming\Arrowhead
2013-05-15 22:11 . 2013-04-15 14:17 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 22:11 . 2013-04-13 03:34 47104 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 22:11 . 2013-04-09 01:55 2774016 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:22 . 2006-11-02 12:35 75825640 ----a-w- c:\windows\system32\mrt.exe
2013-06-12 14:50 . 2012-05-23 21:05 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 14:50 . 2012-05-23 21:05 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-02 15:29 . 2009-10-02 15:55 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-30 20:19 . 2011-10-28 11:01 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2013-04-30 20:19 . 2011-10-28 11:01 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2013-04-24 13:16 . 2011-03-25 13:00 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-04-04 03:35 . 2013-04-25 16:57 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-04 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-06-06 1641896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Keyboard Inf."="c:\users\pc\AppData\Roaming\runic games\msdn.exe" [2013-06-08 5178368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2009-11-19 75048]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
FunshionServiceTools REG_MULTI_SZ FunshionSvr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 11:29 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 14:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-24 6452256]
"Skytel"="Skytel.exe" [2008-07-24 1833504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.hao123.com/?tn=29065018_246_hao_pg
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - ExtSQL: 2013-04-19 07:50; FirefoxAddon@similarWeb.com; c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\extensions\FirefoxAddon@similarWeb.com
FF - ExtSQL: !HIDDEN! 2009-10-20 19:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{31A0D938-3055-46BA-8919-59E44E0D7E51} - c:\program files (x86)\Keyword Search\torangcomz.dll
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-WinampAgent - c:\program files (x86)\Winamp\winampa.exe
Wow6432Node-HKLM-Run-NBKeyScan - c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-LogMeIn GUI - c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe
AddRemove-Totalcmd - c:\totalcmd\tcuninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files (x86)\DivX\DivXPlayerUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:b5,97,90,bd,81,4e,14,2a,ae,08,86,f5,cb,9d,d9,46,a2,02,2a,c7,e3,4b,e3,
ce,f9,62,ac,b2,b0,9e,aa,97,ad,f7,78,78,93,5c,ad,da,47,8c,5e,cd,1f,f5,2f,74,\
"??"=hex:dd,db,4f,1d,e3,ef,e8,14,f7,05,e5,98,3b,10,83,c3
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\SecuROM\License information*]
"datasecu"=hex:e7,b4,db,fa,6e,d6,93,2a,ac,79,3f,92,e4,88,94,c3,05,2d,b9,ac,43,
4f,d0,25,cc,4d,20,37,87,fb,c3,45,b5,95,25,3c,79,c1,71,73,c6,4f,72,02,11,66,\
"rkeysecu"=hex:0c,bc,06,08,8d,d0,41,32,be,6f,10,02,dc,b0,be,e5
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\users\pc\AppData\Local\temp\bojwobyjmuyatzd\tvuabwbysl.exe
.
**************************************************************************
.
Completion time: 2013-06-14 18:59:44 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-14 16:59
.
Pre-Run: 41 711 165 440 bytes free
Post-Run: 41 473 196 032 bytes free
.
- - End Of File - - C3A28F5D67D48EDF62BC924B546DE617
D41D8CD98F00B204E9800998ECF8427E
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.6142.4535 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\052ffd5c.tmp
c:\programdata\mazuki.dll
c:\users\pc\AppData\Local\Temp\sfamcc00001.dll
c:\users\pc\AppData\Local\Temp\sfareca00001.dll
c:\users\pc\AppData\Roaming\FileDoumi
c:\users\pc\AppData\Roaming\OpenTab
c:\windows\Downloaded Program Files\120425049
c:\windows\Downloaded Program Files\120425049\BaiduSetupAx_1.dll
c:\windows\Downloaded Program Files\120425049\npxbdsetup.dll
c:\windows\Downloaded Program Files\668199
c:\windows\Downloaded Program Files\668199\BaiduSetupAx_1.dll
c:\windows\Downloaded Program Files\668199\npxbdsetup.dll
c:\windows\Downloaded Program Files\936489
c:\windows\Downloaded Program Files\936489\BaiduSetupAx_1.dll
c:\windows\Downloaded Program Files\936489\npxbdsetup.dll
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\SysWow64\frapsvid.dll
c:\windows\SysWow64\funshion.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-05-14 to 2013-06-14 )))))))))))))))))))))))))))))))
.
.
2013-06-14 16:50 . 2013-06-14 16:52 -------- d-----w- c:\users\pc\AppData\Local\temp
2013-06-13 16:33 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C50EA4D9-6C30-4004-A101-CC9697613999}\mpengine.dll
2013-06-12 19:19 . 2013-06-12 19:19 1200 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-12 17:14 . 2013-06-13 16:27 -------- d-----w- c:\program files\trend micro
2013-06-12 15:57 . 2013-05-08 04:14 1417576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 15:57 . 2013-05-08 02:27 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-06-12 15:55 . 2013-04-24 04:09 1269248 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 15:55 . 2013-04-24 04:00 985600 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-06-12 15:55 . 2013-04-24 02:10 1078272 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 15:55 . 2013-04-24 01:46 812544 ----a-w- c:\windows\SysWow64\certutil.exe
2013-06-12 15:55 . 2013-04-24 04:09 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:09 132096 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:09 50688 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 15:55 . 2013-04-24 04:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:00 41984 ----a-w- c:\windows\SysWow64\certenc.dll
2013-06-12 15:53 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 15:53 . 2013-04-17 12:30 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-06-12 15:53 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2013-06-12 14:05 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\FLT
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\CAPCOM
2013-05-22 05:20 . 2013-05-22 05:18 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6B78915A-6D56-4548-A029-084015BAE9FD}\gapaengine.dll
2013-05-19 02:20 . 2013-06-14 16:25 -------- d-----w- c:\program files (x86)\SpeedFan
2013-05-17 20:41 . 2013-05-17 20:41 -------- d-----w- c:\users\pc\AppData\Roaming\Arrowhead
2013-05-15 22:11 . 2013-04-15 14:17 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 22:11 . 2013-04-13 03:34 47104 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 22:11 . 2013-04-09 01:55 2774016 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:22 . 2006-11-02 12:35 75825640 ----a-w- c:\windows\system32\mrt.exe
2013-06-12 14:50 . 2012-05-23 21:05 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 14:50 . 2012-05-23 21:05 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-02 15:29 . 2009-10-02 15:55 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-30 20:19 . 2011-10-28 11:01 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2013-04-30 20:19 . 2011-10-28 11:01 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2013-04-24 13:16 . 2011-03-25 13:00 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-04-04 03:35 . 2013-04-25 16:57 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-04 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-06-06 1641896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Keyboard Inf."="c:\users\pc\AppData\Roaming\runic games\msdn.exe" [2013-06-08 5178368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2009-11-19 75048]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
FunshionServiceTools REG_MULTI_SZ FunshionSvr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 11:29 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 14:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-24 6452256]
"Skytel"="Skytel.exe" [2008-07-24 1833504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.hao123.com/?tn=29065018_246_hao_pg
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - ExtSQL: 2013-04-19 07:50; FirefoxAddon@similarWeb.com; c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\extensions\FirefoxAddon@similarWeb.com
FF - ExtSQL: !HIDDEN! 2009-10-20 19:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{31A0D938-3055-46BA-8919-59E44E0D7E51} - c:\program files (x86)\Keyword Search\torangcomz.dll
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-WinampAgent - c:\program files (x86)\Winamp\winampa.exe
Wow6432Node-HKLM-Run-NBKeyScan - c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-LogMeIn GUI - c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe
AddRemove-Totalcmd - c:\totalcmd\tcuninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files (x86)\DivX\DivXPlayerUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:b5,97,90,bd,81,4e,14,2a,ae,08,86,f5,cb,9d,d9,46,a2,02,2a,c7,e3,4b,e3,
ce,f9,62,ac,b2,b0,9e,aa,97,ad,f7,78,78,93,5c,ad,da,47,8c,5e,cd,1f,f5,2f,74,\
"??"=hex:dd,db,4f,1d,e3,ef,e8,14,f7,05,e5,98,3b,10,83,c3
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\SecuROM\License information*]
"datasecu"=hex:e7,b4,db,fa,6e,d6,93,2a,ac,79,3f,92,e4,88,94,c3,05,2d,b9,ac,43,
4f,d0,25,cc,4d,20,37,87,fb,c3,45,b5,95,25,3c,79,c1,71,73,c6,4f,72,02,11,66,\
"rkeysecu"=hex:0c,bc,06,08,8d,d0,41,32,be,6f,10,02,dc,b0,be,e5
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\users\pc\AppData\Local\temp\bojwobyjmuyatzd\tvuabwbysl.exe
.
**************************************************************************
.
Completion time: 2013-06-14 18:59:44 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-14 16:59
.
Pre-Run: 41 711 165 440 bytes free
Post-Run: 41 473 196 032 bytes free
.
- - End Of File - - C3A28F5D67D48EDF62BC924B546DE617
D41D8CD98F00B204E9800998ECF8427E
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 18:45
Ještě dočistíme. Přesuňte ComboFix na plochu. Otevřte poznámkový blok a zkopírujte do něj:
Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.RegLock::
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^]
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
Regnull::
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\SecuROM\License information*]
Reboot::
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 19:28
prikladam vypis z comba ComboFix 13-06-13.01 - pc . 06. 2013 20:08:28.2.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.6142.4333 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
Command switches used :: c:\users\pc\Desktop\CFScript.txt..txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-05-14 to 2013-06-14 )))))))))))))))))))))))))))))))
.
.
2013-06-14 18:14 . 2013-06-14 18:15 -------- d-----w- c:\users\pc\AppData\Local\temp
2013-06-14 18:14 . 2013-06-14 18:14 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-14 18:14 . 2013-06-14 18:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-14 17:04 . 2013-05-22 05:18 964552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01B12F35-D92E-4DD8-BA66-A50B919A75CB}\gapaengine.dll
2013-06-14 17:03 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2A658ABB-DC4A-49B2-BC12-F7A664BE6680}\mpengine.dll
2013-06-14 17:01 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-12 19:19 . 2013-06-12 19:19 1200 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-12 17:14 . 2013-06-13 16:27 -------- d-----w- c:\program files\trend micro
2013-06-12 15:57 . 2013-05-08 04:14 1417576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 15:57 . 2013-05-08 02:27 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-06-12 15:55 . 2013-04-24 04:09 1269248 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 15:55 . 2013-04-24 04:00 985600 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-06-12 15:55 . 2013-04-24 02:10 1078272 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 15:55 . 2013-04-24 01:46 812544 ----a-w- c:\windows\SysWow64\certutil.exe
2013-06-12 15:55 . 2013-04-24 04:09 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:09 132096 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:09 50688 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 15:55 . 2013-04-24 04:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:00 41984 ----a-w- c:\windows\SysWow64\certenc.dll
2013-06-12 15:53 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 15:53 . 2013-04-17 12:30 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-06-12 15:53 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\FLT
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\CAPCOM
2013-05-19 02:20 . 2013-06-14 16:25 -------- d-----w- c:\program files (x86)\SpeedFan
2013-05-17 20:41 . 2013-05-17 20:41 -------- d-----w- c:\users\pc\AppData\Roaming\Arrowhead
2013-05-15 22:11 . 2013-04-15 14:17 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 22:11 . 2013-04-13 03:34 47104 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 22:11 . 2013-04-09 01:55 2774016 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:22 . 2006-11-02 12:35 75825640 ----a-w- c:\windows\system32\mrt.exe
2013-06-12 14:50 . 2012-05-23 21:05 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 14:50 . 2012-05-23 21:05 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-22 05:18 . 2011-03-25 13:00 964552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-05-02 15:29 . 2009-10-02 15:55 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-30 20:19 . 2011-10-28 11:01 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2013-04-30 20:19 . 2011-10-28 11:01 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2013-04-04 03:35 . 2013-04-25 16:57 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-04 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{31A0D938-3055-46BA-8919-59E44E0D7E51}]
c:\program files (x86)\Keyword Search\torangcomz.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-06-06 1641896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Keyboard Inf."="c:\users\pc\AppData\Roaming\runic games\msdn.exe" [2013-06-08 5178368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2009-11-19 75048]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
FunshionServiceTools REG_MULTI_SZ FunshionSvr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 11:29 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 14:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-24 6452256]
"Skytel"="Skytel.exe" [2008-07-24 1833504]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.hao123.com/?tn=29065018_246_hao_pg
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - ExtSQL: 2013-04-19 07:50; FirefoxAddon@similarWeb.com; c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\extensions\FirefoxAddon@similarWeb.com
FF - ExtSQL: !HIDDEN! 2009-10-20 19:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Totalcmd - c:\totalcmd\tcuninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files (x86)\DivX\DivXPlayerUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-06-14 20:22:48 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-14 18:22
ComboFix2.txt 2013-06-14 16:59
.
Pre-Run: 40 970 579 968 bytes free
Post-Run: 40 932 847 616 bytes free
.
- - End Of File - - F3685F6316BF24E8B9BA45D794F30A3F
D41D8CD98F00B204E9800998ECF8427E
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.6142.4333 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
Command switches used :: c:\users\pc\Desktop\CFScript.txt..txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-05-14 to 2013-06-14 )))))))))))))))))))))))))))))))
.
.
2013-06-14 18:14 . 2013-06-14 18:15 -------- d-----w- c:\users\pc\AppData\Local\temp
2013-06-14 18:14 . 2013-06-14 18:14 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-14 18:14 . 2013-06-14 18:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-14 17:04 . 2013-05-22 05:18 964552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01B12F35-D92E-4DD8-BA66-A50B919A75CB}\gapaengine.dll
2013-06-14 17:03 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2A658ABB-DC4A-49B2-BC12-F7A664BE6680}\mpengine.dll
2013-06-14 17:01 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-12 19:19 . 2013-06-12 19:19 1200 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-12 17:14 . 2013-06-13 16:27 -------- d-----w- c:\program files\trend micro
2013-06-12 15:57 . 2013-05-08 04:14 1417576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 15:57 . 2013-05-08 02:27 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-06-12 15:55 . 2013-04-24 04:09 1269248 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 15:55 . 2013-04-24 04:00 985600 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-06-12 15:55 . 2013-04-24 02:10 1078272 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 15:55 . 2013-04-24 01:46 812544 ----a-w- c:\windows\SysWow64\certutil.exe
2013-06-12 15:55 . 2013-04-24 04:09 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:09 132096 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:09 50688 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 15:55 . 2013-04-24 04:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-06-12 15:55 . 2013-04-24 04:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-06-12 15:55 . 2013-04-24 04:00 41984 ----a-w- c:\windows\SysWow64\certenc.dll
2013-06-12 15:53 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 15:53 . 2013-04-17 12:30 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-06-12 15:53 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-06-12 15:53 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\FLT
2013-05-22 22:50 . 2013-05-22 22:50 -------- d-----w- c:\users\pc\AppData\Local\CAPCOM
2013-05-19 02:20 . 2013-06-14 16:25 -------- d-----w- c:\program files (x86)\SpeedFan
2013-05-17 20:41 . 2013-05-17 20:41 -------- d-----w- c:\users\pc\AppData\Roaming\Arrowhead
2013-05-15 22:11 . 2013-04-15 14:17 901496 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 22:11 . 2013-04-13 03:34 47104 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 22:11 . 2013-04-09 01:55 2774016 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:22 . 2006-11-02 12:35 75825640 ----a-w- c:\windows\system32\mrt.exe
2013-06-12 14:50 . 2012-05-23 21:05 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 14:50 . 2012-05-23 21:05 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-22 05:18 . 2011-03-25 13:00 964552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-05-02 15:29 . 2009-10-02 15:55 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-30 20:19 . 2011-10-28 11:01 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2013-04-30 20:19 . 2011-10-28 11:01 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2013-04-30 20:19 . 2011-10-28 11:01 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2013-04-04 03:35 . 2013-04-25 16:57 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-04 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{31A0D938-3055-46BA-8919-59E44E0D7E51}]
c:\program files (x86)\Keyword Search\torangcomz.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-06-06 1641896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Keyboard Inf."="c:\users\pc\AppData\Roaming\runic games\msdn.exe" [2013-06-08 5178368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2009-11-19 75048]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
FunshionServiceTools REG_MULTI_SZ FunshionSvr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 11:29 1165776 ----a-w- c:\program files (x86)\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 14:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-24 6452256]
"Skytel"="Skytel.exe" [2008-07-24 1833504]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.hao123.com/?tn=29065018_246_hao_pg
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - ExtSQL: 2013-04-19 07:50; FirefoxAddon@similarWeb.com; c:\users\pc\AppData\Roaming\Mozilla\Firefox\Profiles\0t6j0k41.default\extensions\FirefoxAddon@similarWeb.com
FF - ExtSQL: !HIDDEN! 2009-10-20 19:33; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Totalcmd - c:\totalcmd\tcuninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files (x86)\DivX\DivXPlayerUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3719279243-3044573747-122376168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*-N‡eW[U^\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-06-14 20:22:48 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-14 18:22
ComboFix2.txt 2013-06-14 16:59
.
Pre-Run: 40 970 579 968 bytes free
Post-Run: 40 932 847 616 bytes free
.
- - End Of File - - F3685F6316BF24E8B9BA45D794F30A3F
D41D8CD98F00B204E9800998ECF8427E
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 19:57
Log je OK. Nastala nějaká změna?
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 20:17
bohuzial stale to pretrvava
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 21:01
Chladiče máte čisté? Větráky fungují?
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 14 čer 2013 21:31
pc som cca pred mesiacom komplet vycistil a vetraky sa tocia.
Re: Prosim o kontrolu logu,asi mam virus.
Napsal: 15 čer 2013 10:21
Ještě spusťte toto:
Stahněte Malwarebytes Anti-Rootkit http://www.bleepingcomputer.com/downloa ... i-rootkit/
Uložte nejlépe na Plochu a rozbalte
Spusťte kliknutím na mbar
Nyní postupně klikněte na Next a Update
Po dokončení update (aktualizace) databáze klikněte opět na Next
Nechte zaškrtnute všechny tři možnosti a kliněte na Scan čímž spustíte prohledáváni PC
Po dokončení skenu (cca 5 minutek) zkontrolujte, zda-li je u všech nálezů (samozřejme pokud budou) zatržítko
Též zkontrolujte, jestli je zatržítko u Create Restore point
Nyní klikněte na CleanUp, čímž nalezenou infekci odstraníme
PC bude restartován
Složka mbar by měla obsahovat log (a zřejme se i sam otevre) mbar-log-rok-mesic-den (hodina-minuta-sekunda).txt, ten mi sem dejte.