VIRY.CZ

Otevřte poznámkový blok a zkopírujte do něj:

File::
c:\windows\system32\drivers\wStLibG.sys
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

Driver::
wStLibG

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-

RegLock::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

Reboot::

Uložte na plochu jako CFscript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte.CF se spustí a vykoná příkazy ze skriptu.

Další postup? Nebo je to vše?

Dejte log z posledního skenu. Najdete ho v C:\combofix.txt.

Posílám log z combofix.

ComboFix 14-05-16.01 - obchod 17.05.2014 23:14:45.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.420.1029.18.2037.830 [GMT 2:00]
Spuštěný z: c:\users\obchod\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\obchod\Desktop\CFscript.txt
AV: avast! Antivirus *Disabled/Outdated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Outdated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\wStLibG.sys"
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\wStLibG.sys
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WSTLIBG
-------\Service_wStLibG
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2014-04-17 do 2014-05-17 )))))))))))))))))))))))))))))))
.
.
2014-05-17 21:22 . 2014-05-17 21:27 -------- d-----w- c:\users\obchod\AppData\Local\temp
2014-05-17 19:22 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-17 19:11 . 2014-05-17 19:11 -------- d-----w- c:\program files\CCleaner
2014-05-17 11:46 . 2014-05-17 11:46 -------- d-----w- c:\users\obchod\AppData\Local\ElevatedDiagnostics
2014-05-17 08:45 . 2014-05-17 08:45 -------- d-----w- c:\program files\trend micro
2014-05-12 14:09 . 2014-05-12 14:09 -------- d-----w- C:\rsit
2014-05-12 13:56 . 2014-05-12 13:56 -------- d-----w- c:\users\obchod\AppData\Roaming\TeamViewer
2014-05-12 09:58 . 2014-05-12 09:58 -------- d-sh--w- c:\users\obchod\AppData\Local\EmieUserList
2014-05-12 09:58 . 2014-05-12 09:58 -------- d-sh--w- c:\users\obchod\AppData\Local\EmieSiteList
2014-05-10 08:18 . 2014-04-24 10:27 52920 ----a-w- c:\windows\system32\drivers\{b2db3058-74ee-4ace-bcd8-8cd0fbe3a4f6}w.sys
2014-05-07 14:15 . 2014-05-17 18:39 -------- d-----w- c:\programdata\AVG Secure Search
2014-04-23 07:59 . 2014-05-17 18:41 -------- d-----w- c:\program files\LogMeIn Hamachi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-07 14:14 . 2013-07-04 09:40 42784 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2014-04-28 18:21 . 2013-03-19 12:09 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-28 18:21 . 2011-06-07 07:02 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2014-05-07 14:14 3592728 ----a-w- c:\program files\AVG SafeGuard toolbar\18.1.5.512\AVG SafeGuard toolbar_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG SafeGuard toolbar\18.1.5.512\AVG SafeGuard toolbar_toolbar.dll" [2014-05-07 3592728]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-28 18:17 259464 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\CZ\Programs\registration.exe" [2004-06-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"KONICA MINOLTA PagePro 1300WStatusDisplay"="c:\windows\system32\MSTMON_N.EXE" [2004-04-13 151552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Print2PDF Print Monitor"="c:\program files\Software602\Print2PDF\Print2PDF.exe" [2011-10-04 220992]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2014-04-01 3774312]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2014-04-15 3814736]
.
c:\users\obchod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-6-7 1195520]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-3 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-3 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FTP Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\FTP Utility.lnk
backup=c:\windows\pss\FTP Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^obchod^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^13c8bc67f4675629f7e5fbf8c9435e6f.exe]
path=c:\users\obchod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13c8bc67f4675629f7e5fbf8c9435e6f.exe
backup=c:\windows\pss\13c8bc67f4675629f7e5fbf8c9435e6f.exe.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2014-01-28 18:18 100200 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
2014-05-07 14:14 2561560 ----a-w- c:\program files\AVG SafeGuard toolbar\vprot.exe
.
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-06 108032]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 {b2db3058-74ee-4ace-bcd8-8cd0fbe3a4f6}w;{b2db3058-74ee-4ace-bcd8-8cd0fbe3a4f6}w;c:\windows\system32\drivers\{b2db3058-74ee-4ace-bcd8-8cd0fbe3a4f6}w.sys [2014-04-24 52920]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-01-28 775952]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-01-28 410784]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2014-05-07 42784]
S2 602XML Updater;602Updater;c:\program files\Common Files\soft602\602updsvc\602updsvc.exe [2011-10-10 85344]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-01-28 67824]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2014-04-15 1682256]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn Hamachi\LMIGuardianSvc.exe [2014-04-08 375056]
S2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [2003-07-18 18848]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-10-03 63488]
S2 PasswordBox;PasswordBox;c:\program files\PasswordBox\pbbtnService.exe [2013-11-01 67584]
S2 vToolbarUpdater18.1.5;vToolbarUpdater18.1.5;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\ToolbarUpdater.exe [2014-05-07 1801752]
S3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-01-28 64168]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-13 50688]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-26 13:22 1078088 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Obsah adresáře 'Naplánované úlohy'
.
2014-05-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-19 18:21]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Show avast! EasyPass Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.5\ViProtocol.dll
FF - ProfilePath -
.
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.5\loggingserver.exe
c:\windows\system32\conhost.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Google\Update\GoogleUpdate.exe
c:\windows\system32\PrintIsolationHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WerFault.exe
c:\windows\system32\msiexec.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Celkový čas: 2014-05-17 23:32:48 - počítač byl restartován
ComboFix-quarantined-files.txt 2014-05-17 21:32
ComboFix2.txt 2014-05-17 20:51
.
Před spuštěním: Volných bajtů: 78 042 230 784
Po spuštění: Volných bajtů: 77 264 576 512
.
- - End Of File - - CA806B58459172553B0FE5ADC9BB06EB
A36C5E4F47E84449FF07ED3517B43A31

Vše smazáno. CF odinstalujte pomocí T-Cleaneru: http://vyosek.ic.cz/pro_usery/T-Cleaner.exe . Nastala nějaká změna?

vypadá to že je vše v pořádku. Zatím se žádný z dřívějších problému neobjevil.Co tam bylo za havěť.

P.S. díky moc za trpělivost.

Byl tam rootkit. Nemáte zač!