VIRY.CZ

Ahoj všem,

dostal se mi pod ruky NB od kamaráda kde je problém s policejním virem.
Našel jsem návody na jeho odstranení, které vyžadují nouzový režim, jenže já se nemůžu vůbec dostat do nouzového režimu.
Po spuštění dám F8 dostanu se na nabídku kde si vyberu Nouzový režim ten se i začne spuštět (naskočí bílé řádky) pak se jako by sekne, dlouho nic a pak se restaruje. Ať vyzkouším jakoukoliv variantu to stejné.

Mohli by jste mi prosím poradit jak na odstranění toho viru.

Děkuji za pomoc.

Zdravím!
Postupujte takto:

Na zdravem PC stahnete Farbar Recovery Scan Tool http://www.bleepingcomputer.com/downloa ... scan-tool/

Ulozte na nejaky flash disk, primo na jeho koren


Na poskozenem PC nabootujte Nouzovy rezim s prikazovym radkem MS-DOS

Nyni si zjisteme pismeno flash disku

Zadejte prikaz notepad a odenterujte
Otebre se poznamkovy blok (notepad)
Dejte Soubor --> Otevrit --> najdete tento pocitac a otevrete USB klic je FRST ulozeny
Podivejte se, jake pismeno ma USB klic (F:\, G:\ apod)
Zavrete notepad krizkem


Ted si ziskame log

Pokud mate stazeny FRST pro 64 bit OS, tak se jmenuje FRST64.exe a je nutne jej tak zadat
Zadejte prikaz "pismeno disku":\FRST.exe a odenterujte (napr. F:\FRST.exe)
Spusti se FRST
Spuste prohledavani kliknutim na Scan
Po chvili se vytvori na flash disku log FRST.exe
Ten mi sem vlozte pres zdravy PC.

Děkuji za radu hned to vyzkouším.

O ou ... problém ...
Došel jsem až po krok:
"Na poskozenem PC nabootujte Nouzovy rezim s prikazovym radkem MS-DOS"
bohužel nejde pustit
Naskočí bílé řádky, pak černá obrazovka se šipkou (uprostřed) a pak příjde restart...

OS je Win vista.

Všechno beru z5
nakonec jsem se do nouzového režimu dostal. Sice sám nevím jak, ale podařilo se.
Tím pádem sem mužu vložit log.

--------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-09-2013 03
Ran by tina (administrator) on TINA-PC on 17-09-2013 14:29:07
Running from F:\
Windows Vista (TM) Ultimate Service Pack 1 (X86) OS Language: Czech
Internet Explorer Version 7
Boot Mode:

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [AVG9_TRAY] - C:\PROGRA~1\AVG\AVG9\avgtray.exe [2077536 2012-02-05] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [facemoods] - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodssrv.exe [323584 2010-10-26] (facemoods.com)
HKLM\...\Run: [TaskTray] - [x]
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1430824 2009-02-06] (Synaptics Incorporated)
HKLM\...\Run: [WinampAgent] - C:\Program Files\Winamp\winampa.exe [74752 2010-11-30] (Nullsoft, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4853760 2008-01-07] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] - C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [NokiaMServer] - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
HKCU\...\Run: [NokiaOviSuite2] - C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe [703360 2011-01-31] (Nokia)
HKCU\...\Run: [] - [x]
MountPoints2: {665ddaf9-fc89-11df-a088-000000000000} - F:\Axesstel_Setup.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\tina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrrj14fr.lnk
ShortcutTarget: qrrj14fr.lnk -> C:\PROGRA~2\rf41jrrq.plz ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=tweak
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
SearchScopes: HKCU - DefaultScope {0D7562AE-8EF6-416d-A838-AB665251703A} URL = http://start.facemoods.com/?a=tweak&s={searchTerms}&f=4
SearchScopes: HKCU - {0D7562AE-8EF6-416d-A838-AB665251703A} URL = http://start.facemoods.com/?a=tweak&s={searchTerms}&f=4
BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: CescrtHlpr Object - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\bh\facemoods.dll (facemoods.com BHO)
BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodsTlbr.dll (facemoods.com)
Toolbar: HKLM - uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
Toolbar: HKCU -uTorrentBar Toolbar - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Winsock: Catalog5 02 %SystemRoot%\system32\napinsp.dll [50176] (Společnost Microsoft)

FireFox:
========
FF ProfilePath: C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default
FF SelectedSearchEngine: Search
FF Homepage: hxxp://www.seznam.cz/
FF Keyword.URL: hxxp://start.facemoods.com/results.php?f=5&a=tweak&q=
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\fcmdSrchtweak.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\jyxo-cz.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\mall-cz.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\seznam-cz.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\slunecnice-cz.xml
FF Extension: Conduit Engine - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\engine@conduit.com
FF Extension: Facemoods - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\ffxtlbr@Facemoods.com
FF Extension: Microsoft .NET Framework Assistant - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: uTorrentBar Community Toolbar - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\
FF Extension: Firefox Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\
FF HKLM\...\Thunderbird\Extensions: [{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\
FF Extension: Thunderbird Address Book Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\

========================== Services (Whitelisted) =================

S2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-11-30] (AVG Technologies CZ, s.r.o.)
R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-11-30] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [5897808 2010-11-30] (AVG Technologies CZ, s.r.o.)
S2 Winmgmt; C:\PROGRA~2\rf41jrrq.plz [89600 2013-09-10] ()

==================== Drivers (Whitelisted) ====================

R3 AVGIDSDrivervtx; C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSDriver.sys [122448 2010-11-30] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSErHrvtx; C:\Windows\System32\Drivers\AVGIDSvx.sys [25168 2010-11-30] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFiltervtx; C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSFilter.sys [30288 2010-11-30] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShimvtx; C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys [27216 2010-11-30] (AVG Technologies CZ, s.r.o. )
R1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [226016 2013-01-16] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)
R0 AvgRkx86; C:\Windows\System32\Drivers\avgrkx86.sys [52872 2010-11-30] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [243152 2011-05-06] (AVG Technologies CZ, s.r.o.)
S3 Axtmvflt; C:\Windows\System32\DRIVERS\Axtmvflt.sys [3456 2007-03-22] (Axesstel)
S3 Axtmvmdm; C:\Windows\System32\DRIVERS\Axtmvmdm.sys [40064 2007-03-26] (Axesstel)
S3 Axtmvprt; C:\Windows\System32\Drivers\Axtmvprt.sys [38784 2007-03-26] (Axesstel)
R0 CLFS; C:\Windows\System32\CLFS.sys [247352 2008-01-19] (Microsoft Corporation)
R0 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [192056 2008-01-19] (Společnost Microsoft)
R3 Ntfs; C:\Windows\System32\Drivers\Ntfs.sys [1081912 2008-01-19] (Společnost Microsoft)
S3 se45bus; C:\Windows\System32\DRIVERS\se45bus.sys [61536 2006-11-30] (MCCI)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-17 14:29 - 2013-09-17 14:29 - 00000000 ____D C:\FRST
2013-09-10 17:52 - 2013-09-13 10:20 - 00000000 _____ C:\ProgramData\qrrj14fr.ctrl
2013-09-10 17:52 - 2013-09-10 17:56 - 95025368 ____T C:\ProgramData\qrrj14fr.pff
2013-09-10 17:52 - 2013-09-10 17:52 - 00089600 _____ C:\ProgramData\rf41jrrq.plz
2013-08-28 15:03 - 2013-08-28 15:15 - 00000000 ____D C:\Windows\system32\MRT
2013-08-26 14:08 - 2013-08-26 14:08 - 00005489 _____ C:\Users\tina\Downloads\smime(5).p7s
2013-08-26 14:06 - 2013-08-26 14:06 - 00005489 _____ C:\Users\tina\Downloads\smime(4).p7s
2013-08-26 14:04 - 2013-08-26 14:04 - 00005489 _____ C:\Users\tina\Downloads\smime(3).p7s
2013-08-26 14:03 - 2013-08-26 14:03 - 00005489 _____ C:\Users\tina\Downloads\smime(2).p7s
2013-08-26 14:02 - 2013-08-26 14:02 - 00005489 _____ C:\Users\tina\Downloads\smime.p7s

==================== One Month Modified Files and Folders =======

2013-09-17 14:30 - 2006-11-02 14:51 - 01434647 _____ C:\Windows\WindowsUpdate.log
2013-09-17 14:29 - 2013-09-17 14:29 - 00000000 ____D C:\FRST
2013-09-17 14:24 - 2006-11-02 15:00 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-17 09:39 - 2006-11-02 14:46 - 00033792 _____ C:\Windows\system32\umstartup.etl
2013-09-17 09:38 - 2010-11-26 18:28 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-09-17 09:38 - 2006-11-02 15:00 - 00032588 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-17 09:38 - 2006-11-02 14:51 - 00043847 _____ C:\Windows\setupact.log
2013-09-17 09:34 - 2006-11-02 14:46 - 00004512 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-17 09:34 - 2006-11-02 14:46 - 00004512 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-13 10:21 - 2010-11-26 18:00 - 00006648 _____ C:\Users\tina\AppData\Local\d3d9caps.dat
2013-09-13 10:20 - 2013-09-10 17:52 - 00000000 _____ C:\ProgramData\qrrj14fr.ctrl
2013-09-13 09:43 - 2010-11-30 16:31 - 00000000 ____D C:\ProgramData\PC Suite
2013-09-10 17:56 - 2013-09-10 17:52 - 95025368 ____T C:\ProgramData\qrrj14fr.pff
2013-09-10 17:52 - 2013-09-10 17:52 - 00089600 _____ C:\ProgramData\rf41jrrq.plz
2013-09-10 17:27 - 2006-11-02 12:33 - 01418258 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-28 15:15 - 2013-08-28 15:03 - 00000000 ____D C:\Windows\system32\MRT
2013-08-28 15:03 - 2006-11-02 12:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-08-26 14:08 - 2013-08-26 14:08 - 00005489 _____ C:\Users\tina\Downloads\smime(5).p7s
2013-08-26 14:06 - 2013-08-26 14:06 - 00005489 _____ C:\Users\tina\Downloads\smime(4).p7s
2013-08-26 14:04 - 2013-08-26 14:04 - 00005489 _____ C:\Users\tina\Downloads\smime(3).p7s
2013-08-26 14:03 - 2013-08-26 14:03 - 00005489 _____ C:\Users\tina\Downloads\smime(2).p7s
2013-08-26 14:02 - 2013-08-26 14:02 - 00005489 _____ C:\Users\tina\Downloads\smime.p7s

Files to move or delete:
====================
C:\ProgramData\qrrj14fr.ctrl
C:\ProgramData\qrrj14fr.pff
C:\ProgramData\rf41jrrq.plz


Some content of TEMP:
====================
C:\Users\tina\AppData\Local\Temp\AMPing.exe
C:\Users\tina\AppData\Local\Temp\bbidbiceimuifbpskqj.bfg
C:\Users\tina\AppData\Local\Temp\firefoxjre_exe-1.exe
C:\Users\tina\AppData\Local\Temp\firefoxjre_exe.exe
C:\Users\tina\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\tina\AppData\Local\Temp\GLFF0F8.tmp.ConduitEngineSetup.exe
C:\Users\tina\AppData\Local\Temp\ietE1F5.tmp.exe
C:\Users\tina\AppData\Local\Temp\installapi.exe
C:\Users\tina\AppData\Local\Temp\InstallManager_BAB_BAB.exe
C:\Users\tina\AppData\Local\Temp\NEventMessages.dll
C:\Users\tina\AppData\Local\Temp\NOSEventMessages.dll
C:\Users\tina\AppData\Local\Temp\RtkBtMnt.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-09-13 10:50

==================== End Of Log ============================

Otevřte poznámkový blok a zkopírujte do něj:

Start
HKLM\...\Run: [facemoods] - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodssrv.exe [323584 2010-10-26] (facemoods.com)
C:\Program Files\facemoods.com\facemoods
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
MountPoints2: {665ddaf9-fc89-11df-a088-000000000000} - F:\Axesstel_Setup.exe
Startup: C:\Users\tina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrrj14fr.lnk
ShortcutTarget: qrrj14fr.lnk -> C:\PROGRA~2\rf41jrrq.plz
URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
BHO: CescrtHlpr Object - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\bh\facemoods.dll (facemoods.com BHO)
HO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodsTlbr.dll (facemoods.com)
Toolbar: HKLM - facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodsTlbr.dll (facemoods.com)
Toolbar: HKLM - uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
Toolbar: HKCU -uTorrentBar Toolbar - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
FF Extension: Conduit Engine - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\engine@conduit.com
FF Extension: Facemoods - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\ffxtlbr@Facemoods.com
FF Extension: uTorrentBar Community Toolbar - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
C:\ProgramData\qrrj14fr.ctrl
C:\ProgramData\qrrj14fr.pff
C:\ProgramData\rf41jrrq.plz
C:\Users\tina\Downloads\smime(5).p7s
C:\Users\tina\Downloads\smime(4).p7s
C:\Users\tina\Downloads\smime(3).p7s
C:\Users\tina\Downloads\smime(2).p7s
C:\Users\tina\Downloads\smime.p7s
C:\Users\tina\AppData\Local\Temp\bbidbiceimuifbpskqj.bfg
C:\Users\tina\AppData\Local\Temp\InstallManager_BAB_BAB.exe
End

Uložte do stejného adresáře, jako FRST. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

Vložil jsem Scrip do poznámkového bloku a uložil na flešku (kde mám FRST) pod názvem Fixlist.txt
Flešku vložil do napadeného NB a pustil FRST dal >fix<
Pustil se scan jenže po chvilce vyskočila chybová hláška (viz příloha)

Nic méně nějaký log s názvem Fixlog.txt to vytvořilo (přikládám)

-----------------------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-09-2013 03
Ran by tina at 2013-09-18 07:40:10 Run:1
Running from F:\
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
HKLM\...\Run: [facemoods] - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodssrv.exe [323584 2010-10-26] (facemoods.com)
C:\Program Files\facemoods.com\facemoods
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
MountPoints2: {665ddaf9-fc89-11df-a088-000000000000} - F:\Axesstel_Setup.exe
Startup: C:\Users\tina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrrj14fr.lnk
ShortcutTarget: qrrj14fr.lnk -> C:\PROGRA~2\rf41jrrq.plz
URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
BHO: CescrtHlpr Object - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\bh\facemoods.dll (facemoods.com BHO)
HO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodsTlbr.dll (facemoods.com)
Toolbar: HKLM - facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.1\facemoodsTlbr.dll (facemoods.com)
Toolbar: HKLM - uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
Toolbar: HKCU -uTorrentBar Toolbar - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
FF Extension: Conduit Engine - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\engine@conduit.com
FF Extension: Facemoods - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\ffxtlbr@Facemoods.com
FF Extension: uTorrentBar Community Toolbar - C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
C:\ProgramData\qrrj14fr.ctrl
C:\ProgramData\qrrj14fr.pff
C:\ProgramData\rf41jrrq.plz
C:\Users\tina\Downloads\smime(5).p7s
C:\Users\tina\Downloads\smime(4).p7s
C:\Users\tina\Downloads\smime(3).p7s
C:\Users\tina\Downloads\smime(2).p7s
C:\Users\tina\Downloads\smime.p7s
C:\Users\tina\AppData\Local\Temp\bbidbiceimuifbpskqj.bfg
C:\Users\tina\AppData\Local\Temp\InstallManager_BAB_BAB.exe
End
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\facemoods => Value not found.
C:\Program Files\facemoods.com\facemoods => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{665ddaf9-fc89-11df-a088-000000000000} => Key deleted successfully.
HKCR\CLSID\{665ddaf9-fc89-11df-a088-000000000000} => Key not found.
C:\Users\tina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrrj14fr.lnk not found.
ShortcutTarget: qrrj14fr.lnk -> C:\PROGRA~2\rf41jrrq.plz not found.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => Value deleted successfully.
HKCR\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486b-A045-B233BD0DA8FC} => Key deleted successfully.
HKCR\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} => Value deleted successfully.
HKCR\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} => Value not found.
HKCR\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => Value deleted successfully.
HKCR\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{30F9B915-B755-4826-820B-08FBA6BD249D} => Value deleted successfully.
HKCR\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} => Value deleted successfully.
HKCR\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} => Key not found.
C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\engine@conduit.com => Moved successfully.
C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\ffxtlbr@Facemoods.com => Moved successfully.
C:\Users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\Extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => Moved successfully.
C:\ProgramData\qrrj14fr.ctrl => Moved successfully.
C:\ProgramData\qrrj14fr.pff => Moved successfully.
C:\ProgramData\rf41jrrq.plz => Moved successfully.
C:\Users\tina\Downloads\smime(5).p7s => Moved successfully.
C:\Users\tina\Downloads\smime(4).p7s => Moved successfully.
C:\Users\tina\Downloads\smime(3).p7s => Moved successfully.
C:\Users\tina\Downloads\smime(2).p7s => Moved successfully.
C:\Users\tina\Downloads\smime.p7s => Moved successfully.
C:\Users\tina\AppData\Local\Temp\bbidbiceimuifbpskqj.bfg => Moved successfully.
C:\Users\tina\AppData\Local\Temp\InstallManager_BAB_BAB.exe => Moved successfully.

OK. Z nouz. režimu dejte log ComboFix:

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se

jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine

aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,

pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k

nezadoucim kolizim s rezidentem antispyware.

Omlouvám se za odmlku. (byl jsem mimo)
Hned to stáhnu a provedu.

OK.

Tak (nebylo to až tak hned jak jsem si myslel ale ...) je to tu.
Nemohl jsem se poprat s AVG nedokázal jsem ho vypnout. Ani přes rady na AVG foru ani přes Správce uloh.
Po spuštění ComboFixu to psalo, že je puštěná AVG ochrana (anit-vir a anti-spyware) nic méně přes všechny varování jsem to pustil a nějaký výsledek z toho je ...

--------------------------------------------------------

ComboFix 13-10-01.03 - tina 02.10.2013 13:38:40.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1250.420.1029.18.2038.1235 [GMT 2:00]
Spuštěný z: c:\users\tina\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2013-09-02 do 2013-10-02 )))))))))))))))))))))))))))))))
.
.
2013-10-02 11:45 . 2013-10-02 11:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-02 11:09 . 2013-10-02 11:45 -------- d-----w- c:\users\tina\AppData\Local\temp
2013-10-02 10:49 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2013-10-02 10:49 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2013-10-02 10:49 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2013-10-02 10:49 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-10-02 10:49 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2013-10-02 10:49 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2013-10-02 10:49 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2013-10-02 10:49 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-10-02 10:49 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-10-02 08:32 . 2013-10-02 08:32 -------- d-----w- c:\windows\system32\ca-ES
2013-10-02 08:32 . 2013-10-02 08:32 -------- d-----w- c:\windows\system32\eu-ES
2013-10-02 08:32 . 2013-10-02 08:32 -------- d-----w- c:\windows\system32\vi-VN
2013-10-02 07:00 . 2013-10-02 07:00 -------- d-----w- c:\windows\system32\EventProviders
2013-10-02 05:06 . 2013-10-02 05:06 -------- d-----w- C:\$AVG
2013-09-17 12:29 . 2013-09-17 12:29 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-02-05 2077536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-07 4853760]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^tina^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^qrrj14fr.lnk]
path=c:\users\tina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrrj14fr.lnk
backup=c:\windows\pss\qrrj14fr.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-01-31 10:16 703360 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-07 15:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 17:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-02-06 16:32 1430824 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-11-30 13:19 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.facemoods.com/?a=tweak
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.253
FF - ProfilePath - c:\users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=tweak&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-02 13:45
Windows 6.0.6002 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:0000002e
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Celkový čas: 2013-10-02 13:47:42
ComboFix-quarantined-files.txt 2013-10-02 11:47
ComboFix2.txt 2013-10-02 11:09
.
Před spuštěním: Volných bajtů: 112 552 013 824
Po spuštění: Volných bajtů: 112 525 922 304
.
- - End Of File - - 19AEA9B41F2F1E03902E1CB6CC5508D6
5C616939100B85E558DA92B899A0FC36

Otevřte poznámkový blok a zkopírujte do něj:

KillAll::

Firefox::
FF - ProfilePath - c:\users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=tweak&q=
FF - prefs.js: network.proxy.type - 0

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]

Reboot::

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Tak je to tady ...

---------------------------------------------

ComboFix 13-10-01.03 - tina 03.10.2013 7:09.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1250.420.1029.18.2038.1076 [GMT 2:00]
Spuštěný z: c:\users\tina\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\tina\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2013-09-03 do 2013-10-03 )))))))))))))))))))))))))))))))
.
.
2013-10-03 05:15 . 2013-10-03 05:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-02 11:09 . 2013-10-03 05:19 -------- d-----w- c:\users\tina\AppData\Local\temp
2013-10-02 10:49 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2013-10-02 10:49 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2013-10-02 10:49 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2013-10-02 10:49 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-10-02 10:49 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2013-10-02 10:49 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2013-10-02 10:49 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2013-10-02 10:49 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-10-02 10:49 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-10-02 08:32 . 2013-10-02 08:32 -------- d-----w- c:\windows\system32\ca-ES
2013-10-02 08:32 . 2013-10-02 08:32 -------- d-----w- c:\windows\system32\eu-ES
2013-10-02 08:32 . 2013-10-02 08:32 -------- d-----w- c:\windows\system32\vi-VN
2013-10-02 07:00 . 2013-10-02 07:00 -------- d-----w- c:\windows\system32\EventProviders
2013-10-02 05:06 . 2013-10-02 05:06 -------- d-----w- C:\$AVG
2013-09-17 12:29 . 2013-09-17 12:29 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-02-05 2077536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-07 4853760]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^tina^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^qrrj14fr.lnk]
path=c:\users\tina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrrj14fr.lnk
backup=c:\windows\pss\qrrj14fr.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-01-31 10:16 703360 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-07 15:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 17:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-02-06 16:32 1430824 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-11-30 13:19 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.facemoods.com/?a=tweak
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.253
FF - ProfilePath - c:\users\tina\AppData\Roaming\Mozilla\Firefox\Profiles\z0kwav2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-03 07:18
Windows 6.0.6002 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgemc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\conime.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\users\tina\AppData\Local\Temp\RtkBtMnt.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Celkový čas: 2013-10-03 07:22:05 - počítač byl restartován
ComboFix-quarantined-files.txt 2013-10-03 05:22
ComboFix2.txt 2013-10-02 11:47
ComboFix3.txt 2013-10-02 11:09
.
Před spuštěním: Volných bajtů: 112 378 712 064
Po spuštění: Volných bajtů: 112 140 648 448
.
- - End Of File - - 3E443D74D7D5DC902A26A01F4545C2AF
5C616939100B85E558DA92B899A0FC36

Log je již OK. Nastala nějaká změna?

Zdá se že je všechno v pořádku NB běží vpohodě.