VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

ESET hlasi Yebot.AB

https://forum.viry.cz:443/viewtopic.php?t=136817

Stránka 1 z 1

ESET hlasi Yebot.AB

Napsal: 13 bře 2014 09:20
od rezna
Dostal se mi do ruky pocitac s timhle trojanem s zadosti o odstraneni. Bohuzel uz to tam radi vice jak 5 tydnu (majitel proste odklepaval hlaseni ESETu porad dokola), takze s timhle uz si moc rady nevim.

Prikladam log z ComboFixu + DDS. RSIT a FRST udelam vecer, to uz jsem rano nez jsem sel z domu nestihl.

Mohli byste na to nekdo mrknout pls.

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 09:21
od rezna
Pridam info, ze Yebot.AB je hlasen v pameti a v podstate na vsech spoustenych *.exe souborech. To ale muze byt dano tim ze hookuje spoustu systemovych callu, dle http://www.virusradar.com/en/Win32_Yebot.AB/description

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 09:43
od rezna
aha tak logy se nemaji zipovat, v tom pripade prikladam naprimo

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16798
Run by pc2 at 7:57:51 on 2014-03-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.420.1029.18.3583.2579 [GMT 1:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\taskhost.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe
C:\Windows\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.seznam.cz/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
StartupFolder: c:\users\pc2\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{312AAFB0-4B6C-427A-AB98-F9550A943838} : DHCPNameServer = 10.0.0.138
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 CORLOG;CORLOG;c:\windows\system32\drivers\corlog.sys [2011-4-29 3104]
R0 CORPCI;CORPCI;c:\windows\system32\drivers\corpci.sys [2011-4-29 10112]
R1 CORSERIAL;CORSERIAL;c:\windows\system32\drivers\corserial.sys [2011-4-29 45880]
R1 mvcntp;mvcntp;c:\windows\system32\drivers\mvcntp.sys [2011-4-29 111872]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-26 176128]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-12-21 41336]
R2 MSSQL$DENTIST32;SQL Server (DENTIST32);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 RVGNetworkConfigurationService;RVG Network Configuration Service;c:\program files\common files\trophy\services\rvgnetworkconfiguration\RVGNetworkConfiguration.exe [2010-4-9 40960]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2011-2-8 5120]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-4-10 211984]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-12-9 1077760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 ifccsc21;ifccsc21;c:\windows\system32\ifccsc21.exe --> c:\windows\system32\ifccsc21.exe [?]
S3 RVG6Driver;Kodak Trophy RVG Driver;c:\windows\system32\drivers\RVG6USB.sys [2010-12-15 159808]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-9 52224]
S3 WatAdminSvc;Služba Technologie aktivace Windows;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-17 1343400]
.
=============== Created Last 30 ================
.
2014-03-13 06:21:02 -------- d-----w- C:\$RECYCLE.BIN
2014-03-13 06:17:48 -------- d-----w- c:\users\pc2\appdata\local\temp
2014-03-13 06:14:13 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9bdd512c-83af-44e9-84a7-46b8c7837c04}\offreg.dll
2014-03-13 06:05:01 98816 ----a-w- c:\windows\sed.exe
2014-03-13 06:05:01 256000 ----a-w- c:\windows\PEV.exe
2014-03-13 06:05:01 208896 ----a-w- c:\windows\MBR.exe
2014-03-13 05:55:43 -------- d-----w- C:\Veronika.KOS
2014-03-13 05:55:43 -------- d-----w- c:\users\pc2\appdata\local\GHISLER
2014-03-12 19:24:00 545 ----a-w- c:\windows\UC.PIF
2014-03-12 19:24:00 545 ----a-w- c:\windows\RAR.PIF
2014-03-12 19:24:00 545 ----a-w- c:\windows\LHA.PIF
2014-03-12 19:24:00 545 ----a-w- c:\windows\ARJ.PIF
2014-03-12 19:24:00 -------- d-----w- c:\users\pc2\appdata\roaming\GHISLER
2014-03-12 19:24:00 -------- d-----w- C:\totalcmd
2014-03-12 19:19:24 -------- d-----w- c:\users\pc2\appdata\roaming\TeraCopy
2014-03-12 19:19:20 -------- d-----w- c:\program files\TeraCopy
2014-03-12 13:39:32 83456 ----a-w- c:\windows\system32\WKLxIpU.exe
2014-03-12 13:22:42 -------- d-----w- c:\users\pc2\appdata\roaming\Malwarebytes
2014-03-12 13:22:30 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-12 13:22:30 -------- d-----w- c:\programdata\Malwarebytes
2014-03-12 13:22:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-03-12 13:22:16 -------- d-----w- c:\users\pc2\appdata\local\Programs
2014-03-07 13:11:37 7947048 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9bdd512c-83af-44e9-84a7-46b8c7837c04}\mpengine.dll
2014-02-27 13:24:59 -------- d-----w- c:\windows\Migration
2014-02-14 14:08:04 523776 ----a-w- c:\windows\system32\vbscript.dll
2014-02-14 05:57:28 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-02-14 05:57:28 1237504 ----a-w- c:\windows\system32\msxml3.dll
2014-02-14 05:57:19 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-02-14 05:57:19 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
2014-02-14 05:57:17 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-02-14 05:57:17 572416 ----a-w- c:\windows\system32\RMActivate.exe
2014-02-14 05:57:17 508928 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2014-02-14 05:57:16 87040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2014-02-14 05:57:16 87040 ----a-w- c:\windows\system32\secproc_ssp.dll
2014-02-14 05:57:16 510976 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2014-02-14 05:57:16 428032 ----a-w- c:\windows\system32\secproc.dll
2014-02-14 05:57:16 423936 ----a-w- c:\windows\system32\secproc_isv.dll
2014-02-14 05:57:16 390144 ----a-w- c:\windows\system32\msdrm.dll
.
==================== Find3M ====================
.
2014-03-12 13:19:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 13:19:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-01 07:58:31 1767936 ----a-w- c:\windows\system32\wininet.dll
2014-02-01 07:57:20 2877952 ----a-w- c:\windows\system32\jscript9.dll
2014-02-01 07:57:16 61440 ----a-w- c:\windows\system32\iesetup.dll
2014-02-01 07:57:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2014-02-01 07:34:53 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2014-02-01 06:38:03 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-12-18 05:13:56 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 7:58:28,77 ===============

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 10:11
od vyosek
Zdravim :)

:arrow: To delate nekomu servis, firemni PC??

:arrow:Co se tyce ComboFixu, ktery jste pouzil, tak na zaklade licence a pravidel fora ptam, umite s nim pracovat (spusteni, rozlusteni logu, napsani skriptu)?

:arrow: Licencni podminky ComboFixu hovori jasne "Nikdy by nemel byt pouzit v prostredi bez dozoru zkusene osoby"
Obrázek

:arrow: Nebezpeci CFka
  • Je urcen primarne pro radce - jeho svevolnym pouzitim ztracite narok na podporu
  • Maze stopy po haveti, takze v logu z RSIT neni nic videt
  • Jeho log je treba dolustit, jelikoz neumi smazat vse - to ovsem tezko zvladnete pokud k tomu nejste vyskolen
  • CF muze mit bug = sunda Vam system, pokud nevite kam co uklada, jak co obnovit, mate system v kytkam a ceka Vas reinstal
  • CF taky bohuzel prozatim nekontroluje nektere dulezite knihovny (napr. hal.dll) - ty treba mazou nektere typy haveti (napr. angela) - smaze Vam po restartu hal.dll = nenajede Vam system a jste o radek vyse = reinstal

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 10:31
od rezna
Ahoj, teda takove proskoleni bych necekal :) Tak odpovim postupne

1) jsem programator a obraci se na me kamaradi kdyz si rozbiji pocitac (tzn. je to ciste soukrome)
2) CF mi povetsinou pomuze a z logu se mi pak darilo na netu dohledavat skripty potrebne pro opravu, aktualne se mi to s Yebot.AB nedari - data stroje mam zazalohovana, takze to, ze pripadne odejde system neresim a proste prijde reinstall
3) za relativne zkusenou osobu se povazuji a proto jsem ho pustil ;)

neb na tento trojan jsem kratky, zejmena asi proto, ze combofix defaulne hleda jen mesic pozpatku a infekce dle logu ESETu koluje v pocitaci uz druhy mesic

pokud tedy plati bod 1) ze sekce nebezpeci CFka, pak to zamknete/smazte ...

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 10:38
od vyosek
:arrow: CF nehleda infekci jen mesic pozpatku, to dela jen vypis za poslednich 30 dni

:arrow: Zkusena osoba = osoba vyskolena s pristupem k navodum a vysvetlenim prikazu

:arrow: Tentokrat to poresime, ale priste muze byt pomoc odmitnuta

:arrow: Stahnete AdwCleaner http://general-changelog-team.fr/fr/dow ... adwcleaner
  • Ulozte nejlepe na plochu
  • Ukoncete vsechny programy
  • Kliknete na Scan a nasledne Clean
  • Probehne oprava, restart PC a pak se objevi log, pripadne bude ulozen ve slozce c:\AdwCleaner\AdwCleaner[S?].txt, ten sem vlozte
:arrow: Stahnete si TDSSKiller http://media.kaspersky.com/utilities/Vi ... killer.exe
  • Po spusteni odsouhlaste licencni podminky (klik na Accept)
  • Kliknete na volbu Change parametrs
  • V okne Additional Option zakliknete vsechny moznosti
  • Kliknete na OK
  • Utilite prikazte, at skenuje - klik na Start Scan
  • Po dokonceni skenu se objevi okno, zkontrolujte, zda-li je vsude moznost Skip
  • Pokud moznost Skip nebude primarne nastavena, prekliknete ji na Skip
  • Pokud mate vsude Skip, kliknete na Continue
  • Na disku, kde mate Windows (obvykle c:\) ve tvaru TDSSKiller.nejaka cisilka _log.txt bude log - jeho obsah sem vlozte

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 10:40
od rezna
Diky, za rady na softy. Udelam vecer, ted jsem v praci. Priste tedy s CF pockam.

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 10:49
od vyosek
OK, vecer tu budu tez nakukovat...

Re: ESET hlasi Yebot.AB

Napsal: 13 bře 2014 19:15
od rezna
tak, tady jsou logy

AdwCleaner primo, TDS v priloze v ZIPu.

# AdwCleaner v3.021 - Report created 13/03/2014 at 19:01:55
# Updated 10/03/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : pc2 - PC-2
# Running from : C:\Users\pc2\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Users\pc2\AppData\LocalLow\AskToolbar
File Deleted : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{790A2AD7-3D39-4C5C-B30C-5E6315929216}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{790A2AD7-3D39-4C5C-B30C-5E6315929216}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16798


-\\ Google Chrome v

[ File : C:\Users\pc2\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [5704 octets] - [13/03/2014 19:00:42]
AdwCleaner[S0].txt - [5747 octets] - [13/03/2014 19:01:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5807 octets] ##########

Re: ESET hlasi Yebot.AB

Napsal: 14 bře 2014 02:41
od vyosek
:arrow: Stahnete Zoek.exe http://hijackthis.nl/smeenk/ a ulozte jej na plochu
  • Pokud pouzivate Win Vista ci W7, kliknete na Zoek pravym a dejte Run As Administrator ci Spustit jako spravce
  • Do okna vlozte skript nize

  • Kód: Vybrat vše

    autoclean;
emptyclsid;
iedefaults;
FFdefaults;
CHRdefaults;
emptyalltemp;
resethosts;
  • Nasledne kliknete na Run Script
  • PC provede opravu, restartuje se a da Vam log, jeho obsah vlozte sem

Re: ESET hlasi Yebot.AB

Napsal: 14 bře 2014 08:52
od rezna
prikladam log ze zoeku s informaci ze ESET zda se prestal resit ze by nasel Yebot.AB pri startu


Zoek.exe v5.0.0.0 Updated 07-March-2014
Tool run by pc2 on p  14.03.2014 at 7:16:24,63.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x86
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\pc2\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

14.3.2014 7:17:09 Zoek.exe System Restore Point Created Succesfully.

==== Reset Hosts File ======================

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handle within DNS itself.
127.0.0.1 localhost
::1 localhost

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-849347240-1981523250-842127770-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A927AFE8-5FEE-4435-AD2B-23B077F3E892} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Chrome Look ======================


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.seznam.cz/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.seznam.cz/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTer ... ORM=IE10SR"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="http://www.google.com/search?q={searchT ... {startPage}"
{6B0C0198-AA24-4636-9AA2-9251FB0F5D42} Seznam Url="http://search.seznam.cz/?q={searchTerms ... chmodule_2"

==== Reset Google Chrome ======================

C:\Users\pc2\AppData\Local\Google\Chrome\User Data\Default\preferences was reset successfully
C:\Users\pc2\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

==== Empty IE Cache ======================

C:\Users\pc2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\pc2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\pc2\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=0 folders=0 0 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\pc2\AppData\Local\temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\pc2\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on p  14.03.2014 at 7:24:53,38 ======================

Re: ESET hlasi Yebot.AB

Napsal: 14 bře 2014 09:46
od vyosek
Poprosim o novy log z FRST

Re: ESET hlasi Yebot.AB

Napsal: 14 bře 2014 10:20
od rezna
tady to je

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014
Ran by pc2 (administrator) on PC-2 on 14-03-2014 10:12:43
Running from C:\Users\pc2\Desktop
Microsoft Windows 7 Home Premium Service Pack 1 (X86) OS Language: Czech
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/downloa ... ool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/downloa ... ool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Carestream Health inc) C:\Program Files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(VIA) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\system32\AUDIODG.EXE
(Microsoft Corporation) c:\program files\windows defender\MpCmdRun.exe
(forum.viry.cz) C:\Users\pc2\Desktop\FRSTLauncher.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [JMB36X IDE Setup] - C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-19] ()
HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe [1486848 2009-08-28] (VIA)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET Smart Security\egui.exe [2219184 2011-01-12] (ESET)
HKLM\...\Run: [StartCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-10-25] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
Startup: C:\Users\pc2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={searchT ... {startPage}
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={searchT ... {startPage}
SearchScopes: HKCU - {6B0C0198-AA24-4636-9AA2-9251FB0F5D42} URL = http://search.seznam.cz/?q={searchTerms ... chmodule_2
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/s ... wflash.cab
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138

========================== Services (Whitelisted) =================

S3 EhttpSrv; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [33584 2011-01-12] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [810144 2011-01-12] (ESET)
R2 MSSQL$DENTIST32; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
R2 RVGNetworkConfigurationService; C:\Program Files\Common Files\Trophy\Services\RVGNetworkConfiguration\RVGNetworkConfiguration.exe [40960 2010-04-09] (Carestream Health inc)
S3 ifccsc21; C:\Windows\system32\ifccsc21.exe [X]

==================== Drivers (Whitelisted) ====================

R0 CORLOG; C:\Windows\System32\drivers\corlog.sys [3104 2011-01-24] (Coreco Imaging)
R0 CORPCI; C:\Windows\System32\drivers\corpci.sys [10112 2011-01-24] (Coreco Imaging)
R1 CORSERIAL; C:\Windows\System32\drivers\corserial.sys [45880 2011-01-24] (Coreco Imaging)
S3 DCamUSBEMPIA; C:\Windows\System32\DRIVERS\emDevice.sys [171136 2007-06-21] (eMPIA Technology, Inc.)
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [137144 2010-12-21] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [115008 2010-12-21] (ESET)
S3 emAudio; C:\Windows\System32\drivers\emAudio.sys [25600 2010-05-07] (eMPIA Technology, Inc.)
R2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [134000 2010-12-21] (ESET)
R3 Epfwndis; C:\Windows\System32\DRIVERS\Epfwndis.sys [33120 2010-12-21] (ESET)
R2 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [41336 2010-12-21] (ESET)
S3 FiltUSBEMPIA; C:\Windows\System32\DRIVERS\emFilter.sys [5248 2007-06-21] (eMPIA Technology, Inc.)
R0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [104024 2010-08-10] (JMicron Technology Corp.)
R3 L1E; C:\Windows\System32\DRIVERS\L1E62x86.sys [48640 2009-08-23] (Atheros Communications, Inc.)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [13216 2009-07-16] ()
R1 mvcntp; C:\Windows\System32\drivers\mvcntp.sys [111872 2011-01-24] (Dalsa Coreco)
S3 RVG6Driver; C:\Windows\System32\Drivers\RVG6USB.sys [159808 2010-06-25] (Kodak Trophy)
S3 ScanUSBEMPIA; C:\Windows\System32\DRIVERS\emScan.sys [5120 2007-06-21] (eMPIA Technology, Inc.)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1077760 2009-08-17] (VIA Technologies, Inc.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\Users\pc2\AppData\Local\Temp\catchme.sys [X]
U5 PC2C; C:\Windows\System32\Drivers\PC2C.sys [75520 2011-01-24] (Coreco Imaging)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-14 10:12 - 2014-03-14 10:13 - 00008304 _____ () C:\Users\pc2\Desktop\FRST.txt
2014-03-14 10:12 - 2014-03-14 10:12 - 00000000 ____D () C:\FRST
2014-03-14 10:10 - 2014-03-13 07:44 - 01145856 _____ (Farbar) C:\Users\pc2\Desktop\FRST.exe
2014-03-14 10:10 - 2014-03-13 07:44 - 00112640 _____ (forum.viry.cz) C:\Users\pc2\Desktop\FRSTLauncher.exe
2014-03-14 07:22 - 2014-03-14 07:16 - 00024064 _____ () C:\Windows\zoek-delete.exe
2014-03-13 18:59 - 2014-03-13 18:59 - 00000000 ____D () C:\Users\pc2\AppData\Local\CrashDumps
2014-03-13 07:05 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-13 07:05 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-13 07:05 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-13 07:05 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-13 07:05 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-13 07:05 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-13 07:05 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-13 07:05 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-13 07:04 - 2014-03-14 09:14 - 00000000 ____D () C:\Qoobox
2014-03-13 07:04 - 2014-03-13 07:25 - 00000000 ____D () C:\Windows\erdnt
2014-03-13 06:55 - 2014-03-13 07:03 - 00000000 ____D () C:\Veronika.KOS
2014-03-13 06:55 - 2014-03-13 06:55 - 00000000 ____D () C:\Users\pc2\AppData\Local\GHISLER
2014-03-12 20:24 - 2014-03-12 20:24 - 00000632 _____ () C:\Users\pc2\Desktop\Total Commander.lnk
2014-03-12 20:24 - 2014-03-12 20:24 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander
2014-03-12 20:24 - 2014-03-12 20:24 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\GHISLER
2014-03-12 20:24 - 2014-03-12 20:24 - 00000000 ____D () C:\totalcmd
2014-03-12 20:24 - 2014-02-19 08:50 - 00000545 _____ () C:\Windows\UC.PIF
2014-03-12 20:24 - 2014-02-19 08:50 - 00000545 _____ () C:\Windows\RAR.PIF
2014-03-12 20:24 - 2014-02-19 08:50 - 00000545 _____ () C:\Windows\LHA.PIF
2014-03-12 20:24 - 2014-02-19 08:50 - 00000545 _____ () C:\Windows\ARJ.PIF
2014-03-12 20:19 - 2014-03-12 20:23 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\TeraCopy
2014-03-12 14:46 - 2014-03-12 14:47 - 00000000 ____D () C:\Users\pc2\Desktop\RK_Quarantine
2014-03-12 14:46 - 2014-03-12 14:45 - 03819008 _____ () C:\Users\pc2\Desktop\RogueKiller.exe
2014-03-12 14:45 - 2014-03-12 14:45 - 03819008 _____ () C:\Users\pc2\Downloads\RogueKiller.exe
2014-03-12 14:22 - 2014-03-12 14:22 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\Malwarebytes
2014-03-12 14:22 - 2014-03-12 14:22 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-12 14:21 - 2014-03-12 14:22 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\pc2\Downloads\mbam-setup.exe
2014-03-12 14:19 - 2014-03-12 14:19 - 05188693 _____ (Swearware) C:\Users\pc2\Downloads\cf.exe.exe
2014-02-14 15:08 - 2013-12-21 08:56 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-14 15:00 - 2014-02-01 08:58 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-14 15:00 - 2014-02-01 08:58 - 01140736 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-14 15:00 - 2014-02-01 08:58 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-14 15:00 - 2014-02-01 08:57 - 14359040 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 13760512 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 02877952 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 02049024 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-14 15:00 - 2014-02-01 08:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-14 15:00 - 2014-02-01 08:34 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-14 15:00 - 2014-02-01 07:38 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-02-14 06:57 - 2014-01-01 00:05 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-02-14 06:57 - 2013-12-25 00:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-14 06:57 - 2013-12-06 03:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-14 06:57 - 2013-12-06 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-14 06:57 - 2013-12-04 03:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-02-14 06:57 - 2013-12-04 03:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-02-14 06:57 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-02-14 06:57 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-02-14 06:57 - 2013-12-04 03:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-14 06:57 - 2013-12-04 02:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-02-14 06:57 - 2013-12-04 02:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-02-14 06:57 - 2013-12-04 02:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-02-14 06:57 - 2013-12-04 02:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-02-14 06:57 - 2013-11-26 09:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll

==================== One Month Modified Files and Folders =======

2014-03-14 10:13 - 2014-03-14 10:12 - 00008304 _____ () C:\Users\pc2\Desktop\FRST.txt
2014-03-14 10:12 - 2014-03-14 10:12 - 00000000 ____D () C:\FRST
2014-03-14 10:10 - 2009-07-14 05:39 - 03097233 _____ () C:\Windows\setupact.log
2014-03-14 09:55 - 2011-01-19 10:28 - 00000954 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849347240-1981523250-842127770-1000UA.job
2014-03-14 09:29 - 2009-07-14 05:34 - 00015024 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-14 09:29 - 2009-07-14 05:34 - 00015024 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-14 09:22 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-14 09:21 - 2010-12-09 17:49 - 01143456 _____ () C:\Windows\WindowsUpdate.log
2014-03-14 09:19 - 2012-03-30 16:17 - 00000914 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-14 09:14 - 2014-03-13 07:04 - 00000000 ____D () C:\Qoobox
2014-03-14 07:23 - 2010-12-21 08:43 - 00084518 _____ () C:\Windows\PFRO.log
2014-03-14 07:16 - 2014-03-14 07:22 - 00024064 _____ () C:\Windows\zoek-delete.exe
2014-03-13 18:59 - 2014-03-13 18:59 - 00000000 ____D () C:\Users\pc2\AppData\Local\CrashDumps
2014-03-13 07:44 - 2014-03-14 10:10 - 01145856 _____ (Farbar) C:\Users\pc2\Desktop\FRST.exe
2014-03-13 07:44 - 2014-03-14 10:10 - 00112640 _____ (forum.viry.cz) C:\Users\pc2\Desktop\FRSTLauncher.exe
2014-03-13 07:26 - 2009-07-14 03:37 - 00000000 ___RD () C:\Users\Public
2014-03-13 07:25 - 2014-03-13 07:04 - 00000000 ____D () C:\Windows\erdnt
2014-03-13 07:21 - 2009-07-14 03:04 - 00000215 _____ () C:\Windows\system.ini
2014-03-13 07:19 - 2009-07-14 03:03 - 42467328 _____ () C:\Windows\system32\config\SOFTWARE.bak
2014-03-13 07:19 - 2009-07-14 03:03 - 18612224 _____ () C:\Windows\system32\config\SYSTEM.bak
2014-03-13 07:19 - 2009-07-14 03:03 - 00524288 _____ () C:\Windows\system32\config\DEFAULT.bak
2014-03-13 07:19 - 2009-07-14 03:03 - 00262144 _____ () C:\Windows\system32\config\SECURITY.bak
2014-03-13 07:19 - 2009-07-14 03:03 - 00262144 _____ () C:\Windows\system32\config\SAM.bak
2014-03-13 07:17 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\Help
2014-03-13 07:03 - 2014-03-13 06:55 - 00000000 ____D () C:\Veronika.KOS
2014-03-13 06:55 - 2014-03-13 06:55 - 00000000 ____D () C:\Users\pc2\AppData\Local\GHISLER
2014-03-12 20:24 - 2014-03-12 20:24 - 00000632 _____ () C:\Users\pc2\Desktop\Total Commander.lnk
2014-03-12 20:24 - 2014-03-12 20:24 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander
2014-03-12 20:24 - 2014-03-12 20:24 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\GHISLER
2014-03-12 20:24 - 2014-03-12 20:24 - 00000000 ____D () C:\totalcmd
2014-03-12 20:23 - 2014-03-12 20:19 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\TeraCopy
2014-03-12 19:47 - 2010-12-09 17:52 - 01716100 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-12 14:47 - 2014-03-12 14:46 - 00000000 ____D () C:\Users\pc2\Desktop\RK_Quarantine
2014-03-12 14:45 - 2014-03-12 14:46 - 03819008 _____ () C:\Users\pc2\Desktop\RogueKiller.exe
2014-03-12 14:45 - 2014-03-12 14:45 - 03819008 _____ () C:\Users\pc2\Downloads\RogueKiller.exe
2014-03-12 14:22 - 2014-03-12 14:22 - 00000000 ____D () C:\Users\pc2\AppData\Roaming\Malwarebytes
2014-03-12 14:22 - 2014-03-12 14:22 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-12 14:22 - 2014-03-12 14:21 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\pc2\Downloads\mbam-setup.exe
2014-03-12 14:19 - 2014-03-12 14:19 - 05188693 _____ (Swearware) C:\Users\pc2\Downloads\cf.exe.exe
2014-03-12 14:19 - 2012-03-30 16:17 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-12 14:19 - 2012-03-30 16:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-07 14:11 - 2013-12-03 20:16 - 00411398 _____ () C:\Windows\IE11_main.log
2014-03-07 14:06 - 2011-01-06 17:23 - 00000000 ____D () C:\Users\pc2\Desktop\OPG
2014-03-07 13:45 - 2011-08-01 13:39 - 00000000 ____D () C:\MUDr. Tobolová
2014-03-04 11:57 - 2011-01-19 10:28 - 00002316 _____ () C:\Users\pc2\Desktop\Google Chrome.lnk
2014-03-03 17:55 - 2011-01-19 10:28 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849347240-1981523250-842127770-1000Core.job
2014-03-03 11:01 - 2009-07-14 05:53 - 00032610 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-01 09:49 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-21 14:14 - 2011-02-09 07:34 - 00000000 ____D () C:\Users\pc2\Desktop\ordinace
2014-02-20 15:13 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\rescache
2014-02-19 08:50 - 2014-03-12 20:24 - 00000545 _____ () C:\Windows\UC.PIF
2014-02-19 08:50 - 2014-03-12 20:24 - 00000545 _____ () C:\Windows\RAR.PIF
2014-02-19 08:50 - 2014-03-12 20:24 - 00000545 _____ () C:\Windows\LHA.PIF
2014-02-19 08:50 - 2014-03-12 20:24 - 00000545 _____ () C:\Windows\ARJ.PIF
2014-02-14 15:06 - 2013-08-15 13:28 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-14 15:04 - 2010-12-17 11:31 - 85946576 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-02-13 06:55 - 2009-07-14 05:33 - 00292912 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-02-12 19:02 - 2010-12-13 15:30 - 00064584 _____ () C:\Users\pc2\AppData\Local\GDIPFONTCACHEV1.DAT
2014-02-12 19:01 - 2010-12-22 15:31 - 00001005 _____ () C:\Users\Public\Desktop\Dentist+.lnk
2014-02-12 19:01 - 2010-12-20 08:58 - 00000777 _____ () C:\Windows\ODBCINST.INI
2014-02-12 19:01 - 2010-12-20 08:58 - 00000288 _____ () C:\Windows\ODBC.INI

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-13 19:36




===***===***===***=== Extract of Additional scan result of Farbar Recovery Scan Tool ===***===***===***===

==================== Drive and Memory info ===================

Drive c: () (Fixed) (Total:465.65 GB) (Free:414.9 GB) NTFS

Available physical RAM: 2570.83 MB
Total physical RAM: 3583.18 MB
Percentage of memory in use: 28%

==================== MBR and Partition Table ==================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 2E877757)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

==================== Scheduled Tasks (whitelisted) ==================

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849347240-1981523250-842127770-1000Core.job => C:\Users\pc2\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849347240-1981523250-842127770-1000UA.job => C:\Users\pc2\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Alternate Data Streams (whitelisted) ==================


==================== Security Center ==================

AV: ESET Smart Security 4.2 (Enabled - Up to date) {77DEAFED-8149-104B-25A1-21771CA47CD1}
AS: ESET Smart Security 4.2 (Enabled - Up to date) {CCBF4E09-A773-1FC5-1F11-1A056723366C}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET personal firewall (Enabled) {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}



===***===***===***=== Supplementary Scan createdy by FRSTLauncher ===***===***===***===
Posledni aktualizace FRSTLauncheru: 25_11_2013 (01)
Posledni aktualizace Modifikacniho skriptu: 30_09_2013 (01)


***** Velikost "Plochy" *****

Velikost slozky "C:\Users\pc2\Desktop" je 3819 MB.


***** Startup Programs *****


***** Firewall rules *****

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]


***** System Restore *****

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"Generalize_DisableSR"=dword:00000000


==================== End Of Log ==============================

Re: ESET hlasi Yebot.AB

Napsal: 15 bře 2014 03:28
od vyosek
:arrow: Tvorba fixlistu pro FRST
  • Spustte poznamkovy blok (Start-spustit-notepad)
  • Zkopirujte skript nize

  • Kód: Vybrat vše

    Start
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
SearchScopes: HKLM - DefaultScope value is missing.

S3 ifccsc21; C:\Windows\system32\ifccsc21.exe [X]

C:\Windows\system32\ifccsc21.exe
2014-03-14 10:10 - 2014-03-13 07:44 - 00112640 _____ (forum.viry.cz) C:\Users\pc2\Desktop\FRSTLauncher.exe
2014-03-14 07:22 - 2014-03-14 07:16 - 00024064 _____ () C:\Windows\zoek-delete.exe2014-03-12 14:46 - 2014-03-12 14:47 - 00000000 ____D () C:\Users\pc2\Desktop\RK_Quarantine
2014-03-12 14:46 - 2014-03-12 14:45 - 03819008 _____ () C:\Users\pc2\Desktop\RogueKiller.exe
2014-03-12 14:45 - 2014-03-12 14:45 - 03819008 _____ () C:\Users\pc2\Downloads\RogueKiller.exe

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849347240-1981523250-842127770-1000Core.job => C:\Users\pc2\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849347240-1981523250-842127770-1000UA.job => C:\Users\pc2\AppData\Local\Google\Update\GoogleUpdate.exe

Hosts:
CMD: shutdown /r /f /t 2

End
  • Ulozte vytvoreny TXT jako fixlist.txt
  • Presunte vytvoreny fixlist vedle FRST
:arrow: Spustte znovu FRST.exe
  • Kliknete na Fix
  • Probehne oprava a vytvori log Fixlog.txt
:arrow: Restart PC a dejte mi sem fixlog.txt
Všechny časy jsou v UTC+01:00
Stránka 1 z 1

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz