VIRY.CZ

Zdravím,
moc prosím o pomoc s velkým problémem.
Včera se mi zaviroval PC a zřejmě to začalo aplikací Security Shield, která se mi nechtěným způsobem dostala do PC.
Pořád mi skákala okna se všema možnýma upozorněníma. Všechno jsem zavíral a ihned hledal možnost, jak se toho zbavit.
Antivir jsem neměl žádný.
Začal jsem tedy instalovat všechno možný na zbavení se viru.
Začal jsem Trojan Killer, pak a-squared guard a spyboot.
Už po instalaci Trojan Killer, Security Shield zmizel, ale největší problém stále zůstává.
Jde o to, že všechny soubory... videa, obrázky a pod. jsou zašifrované a nejdou otevřít.
Například u obrázků jpg na kartě vlastnosti je uveden jako typ souboruu: Soubor ENCIPHERED (.EnCiPhErEd).

Po celém PC je rozhozená tato zpráva v txt souboru:
The files on your machine to the disabled for viewing, copying and duplicating video elements of porn and gay porn. To unlock you need to pay a fine of 100 euros. For this purpose, any terminal pay or buy a Ukash voucher Paysafecard on that amount. More sites hxxp://ukash.com/uk/en/home.aspx http://www.paysafecard.com/choose-country/
Please send the voucher by e-mail giorgio4(zavinac)mail.com.
In the case of payment of an amount equal to the penalty in return you will receive an unlock code. It must be entered in the field. After unlocking you must remove all materials that contain elements of violence and porn. In the case of non-payment, all data on your personal computer will be permanently blocked.

Je nějaká možnost, jak soubory odšifrovat?
Díky moc za každou radu.

Dobrý den ,

dejte log z RSIT podle návodu zde.

Nahrajte jeden ze 'zašifrovaných' obrázků na http://www.leteckaposta.cz a pošlete sem odkaz na stažení.

Postupoval jsem dle rad, ale nastal problém.
Po spuštění RSIT.exe mi po chvíli vyskočí okno s touto zprávou:
Line 7153 (File"C:/Users/Admin/Desktop/RSIT.exe"):
Error: Subscript used with non-Array variable.
Když dám na tom oknu OK, program se ukončí.

Jinak zašifrovaný obrázek je zde: http://leteckaposta.cz/462206212

Zkusíme OTL :

Stáhněte OTL.

• Pokud pouzivate Win Vista ci W7, kliknete na OTL pravym a dejte Run As Administrator ci Spustit jako spravce
• Pokud pouzivate 64bitovy OS, zkontrolujte, zda-li je zaskrtnuty ctverecek u Pro 64 bitové OS, pokud ne, zaskrtnete jej
• Zaskrtnete okenko Pro vsechny uzivatele
• Zaskrtnete okenko Kontrola na havet "LOP"
• Zaskrtnete okenko Kontrola na havet "Purity"
• Kliknete na tlacitko Prohledat
• Po dokonceni skenu (cca 10 az 15 min) se objevi logy OTL.txt a Extras.txt, oba sem vlozte

Jinak tu budu až večer, takže prosím o strpení.

Tak OTL zatím běží bez problémů.
Až to vytvoří ten log, dám to sem.
Podařilo se mi najít něco víc o mém problému, ale moc tomu nerozumím.
http://www.im-infected.com/trojan/enciphered.html
Budu to ještě zkoušet, tak se pak ozvu.


Tady jsou ty logy: http://leteckaposta.cz/711790629

Neprovadejte prosim zadne pokusy na vlastni pest, muzete tim napachat vic skody, nez uzitku.

Poslal jsem ty logy.
Dobře, nebudu nic dělat sám bez vašich rad.

Tak jsem včera čekal na nějakou radu, ale zatím jsem se nedočkal.
Pokusil jsem se tedy o opravu sám.
Nainstaloval jsem program http://www.malwarecity.com/community/in ... howfile=57
ale ani tohle nepomohlo.
Soubory to sice dešifruje, ale tak, že vytvoří soubor nový a ten je poškozený, nebo nejde otevřít.
Program jsem tedy zastavil a hledám další řešení.
Takže zatím bezvýsledné

Zdravim

zaskocim za kolegu, nejak nam ochorel...

Jeste vam kolega pise at nedelate nejake hokusy-pokusy, Security Shield neni sranda lecit

Stahnete RogueKiller http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

• Ukoncete vsechny programy
• Pokud pouzivate Win Vista ci W7, kliknete na RogueKiller pravym a dejte Run As Administrator ci Spustit jako spravce
• Pockejte na dokonceni PreScanu
• Zvolte moznost Prohledat (scan)
• Po dokonceni skenu kliknete na Zpráva (Report)- otevre se log, ten sem vlozte

Děkuji, udělám to.
Teď ale musím pryč, tak hned jak se vrátím, pustím se do toho.
Ještě jsem našel zajímavé video, jak odstranit můj problém.
http://www.youtube.com/watch?v=rca0116LgSk
Jenže tohle je pro mne hodně složité

Ano je to slozite, uvidime jak se nam bude darit se nejdrive poprat se Shieldem

Tak posílám log z RogueKiller:

¤¤¤ Záznamy Registrů: 7 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Badoo Desktop (C:\ProgramData\Badoo\Badoo Desktop\1.6.48.1082\Badoo.Desktop.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-4037204527-4293416820-2358000098-1001[...]\Run : Badoo Desktop (C:\ProgramData\Badoo\Badoo Desktop\1.6.48.1082\Badoo.Desktop.exe) -> FOUND
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Zvláštní soubory / Složky: ¤¤¤

¤¤¤ Ovladač: [NAHRÁNO] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x836F39D5 -> HOOKED (Unknown @ 0x87F5F7C8)
SSDT[14] : NtAlertThread @ 0x836A17A8 -> HOOKED (Unknown @ 0x87F5F8A8)
SSDT[19] : NtAllocateVirtualMemory @ 0x83662E9B -> HOOKED (Unknown @ 0x87F51D50)
SSDT[22] : NtAlpcConnectPort @ 0x8366A8AD -> HOOKED (Unknown @ 0x8781A3C0)
SSDT[43] : NtAssignProcessToJobObject @ 0x8360E764 -> HOOKED (Unknown @ 0x87F60B88)
SSDT[74] : NtCreateMutant @ 0x83695CA5 -> HOOKED (Unknown @ 0x87F5F518)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x836260BF -> HOOKED (Unknown @ 0x87F608A8)
SSDT[87] : NtCreateThread @ 0x836F1C6A -> HOOKED (Unknown @ 0x87F50588)
SSDT[88] : NtCreateThreadEx @ 0x8364FDD1 -> HOOKED (Unknown @ 0x87F60998)
SSDT[96] : NtDebugActiveProcess @ 0x836C723C -> HOOKED (Unknown @ 0x87F60C68)
SSDT[111] : NtDuplicateObject @ 0x83693152 -> HOOKED (Unknown @ 0x87F5E5E0)
SSDT[131] : NtFreeVirtualMemory @ 0x834CA831 -> HOOKED (Unknown @ 0x87F51B90)
SSDT[145] : NtImpersonateAnonymousToken @ 0x83609F96 -> HOOKED (Unknown @ 0x87F5F608)
SSDT[147] : NtImpersonateThread @ 0x8366F6C9 -> HOOKED (Unknown @ 0x87F5F6E8)
SSDT[155] : NtLoadDriver @ 0x835B8291 -> HOOKED (Unknown @ 0x86DF2700)
SSDT[168] : NtMapViewOfSection @ 0x83695F67 -> HOOKED (Unknown @ 0x87F51A90)
SSDT[177] : NtOpenEvent @ 0x836985F7 -> HOOKED (Unknown @ 0x87F5F438)
SSDT[190] : unknown @ 0x836985C1 -> HOOKED (Unknown @ 0x87F5E780)
SSDT[191] : NtOpenProcessToken @ 0x83653971 -> HOOKED (Unknown @ 0x87F5E500)
SSDT[194] : NtOpenSection @ 0x8369624A -> HOOKED (Unknown @ 0x87F60E90)
SSDT[198] : NtOpenThread @ 0x83696F18 -> HOOKED (Unknown @ 0x87F5E6B0)
SSDT[215] : NtProtectVirtualMemory @ 0x83696CD1 -> HOOKED (Unknown @ 0x87F60A98)
SSDT[304] : NtResumeThread @ 0x8368905F -> HOOKED (Unknown @ 0x87F5F988)
SSDT[316] : NtSetContextThread @ 0x836F2D6F -> HOOKED (Unknown @ 0x87F517E0)
SSDT[333] : NtSetInformationProcess @ 0x83664495 -> HOOKED (Unknown @ 0x87F518C0)
SSDT[350] : NtSetSystemInformation @ 0x836A1E85 -> HOOKED (Unknown @ 0x87F60D48)
SSDT[366] : NtSuspendProcess @ 0x836F390F -> HOOKED (Unknown @ 0x87F60F70)
SSDT[367] : NtSuspendThread @ 0x836B06E6 -> HOOKED (Unknown @ 0x87F5FA68)
SSDT[370] : NtTerminateProcess @ 0x83678BCD -> HOOKED (Unknown @ 0x87F50668)
SSDT[371] : NtTerminateThread @ 0x8368B974 -> HOOKED (Unknown @ 0x87F5FB28)
SSDT[385] : NtUnmapViewOfSection @ 0x83692D6C -> HOOKED (Unknown @ 0x87F519B0)
SSDT[399] : NtWriteVirtualMemory @ 0x8369E645 -> HOOKED (Unknown @ 0x87F51C80)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x86A2B810)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x86A291A8)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x8810FEA8)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x87579690)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x8898E6F8)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x889B17B0)
S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x889ACEB8)
S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x889B3DC8)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x88986BB8)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x8898EDB8)

¤¤¤ Nákaza : ¤¤¤

¤¤¤ Soubor HOSTS: ¤¤¤


¤¤¤ Kontrola MBR: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] 7c6448db00aad048554506d54c3beae0
[BSP] 468274b22c910c15fa88edc1f06a615f : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 59475 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 121806720 | Size: 245766 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Dokončeno : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


Jinak k tomu Security Shield... já nevím, jestli ještě v PC je. Žádný okna ani jiné zprávy nevyskakují a v liště ikona taky není. V podstatě všechno funguje jako dřív, jen ty soubory jsou zašifrovaný.

On rozkryptovat je asi bude docela problem, zkusim pohledat jeste na zahranicnich forech

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Vypnete vsechny rezidentni bezpecnostní programy - firewally, antiviry, antispywary apod.
• Pokud mate Win XP spustte pod uctem Spravce\Administratora
• Pokud mate Win Vista ci Win 7, kliknete na Combofix pravym a dejte Run As Administrator ci Spustit jako spravce
• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte
• Detailni postup vc. obrazku mate zde http://www.bleepingcomputer.com/combofi ... t-combofix

Tak tady je ten log:

ComboFix 12-04-24.02 - Admin 24.04.2012 16:42:02.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.420.1029.18.3002.2324 [GMT 2:00]
Spuštěný z: c:\users\Admin\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\DS.exe
c:\users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\HOW TO DECRYPT FILES.txt
c:\users\Admin\AppData\Local\Temp\b01d42a6-0948-4bd0-8dea-54d68f50a791\CliSecureRT.dll
c:\users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt
c:\users\Admin\AppData\Roaming\HOW TO DECRYPT FILES.txt
c:\users\Admin\AppData\Roaming\chrtmp
c:\users\Admin\AppData\Roaming\inst.exe
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\(1993) VA - Born to Choose.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\(MS WORD 93-2003) Storno podminky 2010 - 2011 - portály.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\[rutracker.org].t2035399.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\[rutracker.org].t3524510.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\001.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\002.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\003.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\11-0212.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\1105 Removing content with the Clone Stamp tool.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\12.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\120___04.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\1201 Applying filters.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\1244.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\142.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\1824.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\36.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\40.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\6000 ëĺň ňŕňóčđîâęĺ.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\635d_2.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\663.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\8.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\adip_logo.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Anim.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\anim1.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ASSiGN.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AT7F2832_3_4_5_6_tonemapped.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Bastia.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Black.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Blue's.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Botan (Peonies).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Buď-v-klidu-CZ-2005-(DANiELS).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\buena-vista-tattoo-club-wuerzburg-bad-mergentheim (1).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\buena-vista-tattoo-club-wuerzburg-bad-mergentheim (2).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\buena-vista-tattoo-club-wuerzburg-bad-mergentheim.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\cbII.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CC.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Centrum síťových připojení a sdílení.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\dobirky-slovensko.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Documents (D).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Dole~ité informace MOBY.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Ethno.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\faktura.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Feliz_by_kissy_face.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\flexo.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Folder.auCDtect.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Hardware a zvuk.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Hide It Pro v2.7 (HideItPro) Android Apk App.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HOW TO DECRYPT FILES.txt
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Chinese_Phoenix.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\inked-2012-02-feb.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\inked.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Inked_2011-11.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Inked_2011-12.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Inked_2012-02.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Inked_2012-03.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Inked_2012-04.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Jerry.Lee.Lewis-Great.Balls.of.Fire.1989.DVDRip.XviD.CZ-SAGiTTARiO.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Kalkulace pruvodni informace.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Kiku (Chrysanthemums).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Koi.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\La-vie-de-boheme-Bohemsky-zivot-(Kaurismaki)-titulky-pribalen.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Led-Zeppelin---The-Song-Remains-the-Same-(1976).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\logo.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Londýnsky gangster.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Lotus.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Lux.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Magazines.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\mail.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\material-kabely.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\md55 room1.nepesufumu.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Michael Jackson's - This Is It.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Michael Jackson - This Is It.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Mlčení-Lorny-2008-titulky-Drama.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\multivan.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\My-Phoenix-tattoo-69488.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\N-50+OPERATING+INSTRUCTIONS.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Native.Instruments.Komplete.8.DVD9.D01-ASSiGN.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Native.Instruments.Traktor.Pro.2.v2.1.1-UNION.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Neuveritelny-zivot-rockera-Coxe-2007-cz.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\odstoupeni-od-smlouvy-nakup-pres-internet.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\odstoupeni-spotrebitele-od-kupni-smlouvy.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ONEDAY.2011-ETRG (2).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ONEDAY.2011-ETRG.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\phoenix layout1-11a.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\phoenix sleeve1-11a.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Phoenix.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\pi_944.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Restless 2011 BRRip XviD AC3-FTW (2).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Restless 2011 BRRip XviD AC3-FTW.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\sacd_log.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Sakura (Cherry Blossoms).lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Sakura.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Sasha Cane.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Sexy trany fuck very perfect.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Skin_Shots.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Skulls.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Síť a Internet.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\The Last Picture Show (TVrip) [CZsubs].lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Torrent downloaded from Demonoid.me.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\tumblr_lokwrk67vl1qh01oyo1_500.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\tumblr_lwjhnoSYaS1r3w34vo1_1280.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Uživatelské účty a zabezpečení rodiny.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\VW_-_Multivan_Back.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Woodstock-1969.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\www.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\www1.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\yellowblaze.net.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ZDCRT.part3.lnk.EnCiPhErEd
c:\users\Admin\AppData\Roaming\qtwm.exe
c:\users\Admin\AppData\Roaming\UnInstall RMV Data.exe
c:\users\Admin\AppData\Roaming\vso_ts_preview.xml
c:\users\Admin\x.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\muzapp.exe
c:\windows\system32\tmpFB9D.tmp
c:\windows\system32\tmpFBBE.tmp
D:\install.exe
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-03-24 do 2012-04-24 )))))))))))))))))))))))))))))))
.
.
2012-04-24 15:09 . 2012-04-24 18:51 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-04-24 15:09 . 2012-04-24 15:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-24 10:08 . 2012-04-24 10:08 13824 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-04-23 17:37 . 2012-04-23 17:37 -------- d-----w- c:\program files\JPEG Recovery Pro
2012-04-23 10:48 . 2012-04-23 10:48 -------- d-----w- c:\programdata\PCSettings
2012-04-23 10:16 . 2012-04-24 13:16 -------- d-----w- c:\programdata\Norton
2012-04-23 10:03 . 2012-04-23 10:10 -------- d-----w- c:\program files\trend micro
2012-04-23 10:03 . 2012-04-23 10:03 -------- d-----w- C:\rsit
2012-04-23 00:01 . 2012-04-23 00:06 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-04-23 00:01 . 2012-04-23 00:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-22 23:51 . 2012-04-24 15:11 -------- d-----w- c:\program files\a-squared Anti-Malware
2012-04-22 19:07 . 2012-04-22 19:07 -------- d-----w- c:\programdata\Alwil Software
2012-04-22 18:55 . 2012-04-23 14:39 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-04-21 19:18 . 2012-04-21 19:23 -------- d-----w- c:\users\Admin\AppData\Local\Canon Easy-PhotoPrint EX
2012-04-14 18:15 . 2012-04-14 18:53 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 18:53 . 2011-06-05 12:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-11-30 12:26 . 2009-11-30 12:26 292560 ----a-w- c:\program files\Iso-burner.exe
2003-05-01 12:59 . 2002-09-19 12:20 1413120 ----a-w- c:\program files\DS_PlugIn.8bf
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2011-06-24 941968]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2011-06-24 3373968]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2011-06-24 20880]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2012-04-22 3322256]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HOW TO DECRYPT FILES.txt [2009-10-31 705]
Yahoo! Widgets.lnk.EnCiPhErEd [2010-9-1 1067]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI10"=diomidi.dll
"wave10"=Digi32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fsproflt]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun
"ICQ"="c:\program files\ICQ7.1\ICQ.exe" silent loginmode=4
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"PLFSetI"=c:\windows\PLFSetI.exe
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"FontExpertType1Loader"=c:\program files\FontExpert\Type1Loader.exe
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"B2C_AGENT"=c:\programdata\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s
"Creative SB Monitoring Utility"=RunDll32 sbavmon.dll,SBAVMonitor
"SynTPEnh"=%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
"Module Loader"=c:\program files\Creative\Shared Files\Module Loader\DLLML.exe -StartUpRun
"RtHDVCpl"=c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"POPUPTV"=c:\program files\ASUS\PopupTV\ExpressTV.exe
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
.
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/02/21 01:18];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 EraserSvc11122;Symantec Eraser Service;c:\program files\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [x]
R2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-22 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 AF9035BDA;ASUS U3100 Mini Plus BDA Devices;c:\windows\system32\Drivers\AF9035BDA.sys [2009-07-16 462952]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-05-31 79360]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2011-06-16 76088]
R3 gupdatem;Služba Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-22 136176]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-12-15 899712]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys [x]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys [x]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys [x]
R3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-06-16 181432]
R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [2012-01-04 16128]
R3 WatAdminSvc;Služba Technologie aktivace Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-26 1343400]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\Winamp\WinRing0.sys [2008-07-26 14416]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-05 43792]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-01 691696]
S1 a2injectiondriver;a2injectiondriver;c:\program files\a-squared Anti-Malware\a2dix86.sys [2012-04-22 34768]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\a-squared Anti-Malware\a2util32.sys [2012-04-22 11776]
S1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys [2004-11-30 161792]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared Anti-Malware\a2service.exe [2012-04-22 3045688]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-05-19 57344]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-05-03 73392]
S2 OS Selector;Acronis OS Selector activator;c:\program files\Acronis\DiskDirector\OSS\reinstall_svc.exe [2010-09-29 2139400]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 a2acc;a2acc;c:\program files\A-SQUARED ANTI-MALWARE\a2accx86.sys [2012-04-22 51632]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-13 50688]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Obsah adresáře 'Naplánované úlohy'
.
2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 18:53]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-22 16:53]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-22 16:53]
.
2012-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4037204527-4293416820-2358000098-1001Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-13 02:02]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4037204527-4293416820-2358000098-1001UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-13 02:02]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = 127.0.0.1
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Enterprise\Add_AllO.htm
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send To &Bluetooth - c:\program files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
Trusted Zone: postsignum.cz\www
TCP: Interfaces\{9D62CBA2-BBB5-4C8E-952B-74E7461921F7}: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{9D62CBA2-BBB5-4C8E-952B-74E7461921F7}\777777E286F64756C656C6567616E647E236A7: DhcpNameServer = 10.3.0.1
TCP: Interfaces\{9D62CBA2-BBB5-4C8E-952B-74E7461921F7}\96E6564786F6D656234316: DhcpNameServer = 178.77.254.254 77.48.100.254
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
HKCU-Run-Badoo Desktop - c:\programdata\Badoo\Badoo Desktop\1.6.48.1082\Badoo.Desktop.exe
HKLM-Run-<NO NAME> - (no file)
HKLM-Run-Pocket Navigator Installer 6.0 - c:\program files\Navigator11\Setup Utility\clickertray.exe
HKLM-Run-avast5 - c:\program files\Alwil Software\Avast5\avastUI.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Celkový čas: 2012-04-24 20:55:45 - počítač byl restartován
ComboFix-quarantined-files.txt 2012-04-24 18:55
.
Před spuštěním: 1 819 934 720
Po spuštění: 3 568 492 544
.
- - End Of File - - 32236C61085222549AB38215DCC78DFA

Odinstalujte a-squared Anti-Malware, Spybot - Search & Destroy, GridinSoft Trojan Killer a JPEG Recovery Pro

Dale uz prosim nedeljte sam dalsi kroky ve snaze polecit si to sam - bud s nami nebo sam a tema uzavrem

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  KillAll::
  
  DirLook::
  c:\programdata\PCSettings
  
  Folder::
  c:\programdata\Spybot - Search & Destroy
  c:\program files\Spybot - Search & Destroy
  c:\program files\a-squared Anti-Malware
  c:\programdata\Alwil Software
  c:\program files\GridinSoft Trojan Killer
  
  Registry::
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "SpybotSD TeaTimer"=-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "SunJavaUpdateSched"=-
  "a-squared"=-
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
  
  Collect::
  c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
  
  Driver::
  gupdate
  gupdatem
  TrojanKillerDriver
  a2injectiondriver
  a2util
  a2AntiMalware
  
  DDS::
  Trusted Zone: postsignum.cz\www
  
  File::
  c:\windows\Tasks\Adobe Flash Player Updater.job
  c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
  c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
  c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4037204527-4293416820-2358000098-1001Core.job
  c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-13 02:02]
  c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4037204527-4293416820-2358000098-1001UA.job
  
  RegLock::
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
  
  ClearJavaCache::
  
  AtJob::
  
  Reboot::

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci