VIRY.CZ

ahoj som tu nový a nevedel som kam dat tento problem. Začnem starky mali spomaleny pc a tak som ho reinstaloval lenze po reinstalovani siel pohode ale potom sa dali ovladace a uz mu trvalo dlho kým sa nainstaloval office vzdy to zamrzlo a dalo neodpovida a nic musel som rr pc a vitejte to bolo asi. 5 min a. Nic neslo instalnut a zamrzalo niako som nainstaloval office ale furt je to spomalene. Vyuzitie cpu je 2% a nizsie ked nabehne win vsetko ide v poho kliknem internet a po chvili sekne neviem co stym uz ma to stve . dakujem za rady ... Sorry ale pisal som to na mobile.

Zdravím!
Zkusíme tento postup: http://forum.viry.cz/viewtopic.php?f=13&t=133100

http://uloz.to/xiCxVtcE/frst-txt heslo : frst

Otevřte poznámkový blok a zkopírujte do něj:

Start
HKU\.DEFAULT\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32
HKU\S-1-5-19\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32
HKU\S-1-5-20\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32
C:\Documents and Settings\Lubo\Local Settings\Temp
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys
[2008-04-14 07:42] - [2008-04-14 07:42] - 0052480 ____A (Microsoft Corporation) 28a4b296b47782173c346e376cb374d1
End

Uložte na plochu jako fixlist.txt. Pak znovu spusťte FRST a klikněte na >Fix<. Zkopírujte sem pak log, který se na závěr vytvoří.

dneska tam pojdem ... takže mam vytvorit nový text . dokument z nazvom toho fix a potom mam dat v tom programe fix ? a nasledne preskenovať ?

Txt soubor uložíte do stejného adresáře, jako FRST. Spustíte FRST a kliknete na >Fix<. Proběhne sken, na jehož konci se zobrazí log. Ten se dejte.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-04-2014
Ran by Lubo at 2014-04-28 13:56:58 Run:1
Running from C:\Documents and Settings\Lubo\Plocha
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
HKU\.DEFAULT\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32
HKU\S-1-5-19\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32
HKU\S-1-5-20\...\RunOnce: [_nltide_2] - regsvr32 /s /n /i:U shell32
C:\Documents and Settings\Lubo\Local Settings\Temp
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys
[2008-04-14 07:42] - [2008-04-14 07:42] - 0052480 ____A (Microsoft Corporation) 28a4b296b47782173c346e376cb374d1
End



*****************

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\_nltide_2 => Value deleted successfully.
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\_nltide_2 => Value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\_nltide_2 => Value deleted successfully.
C:\Documents and Settings\Lubo\Local Settings\Temp => Moved successfully.
C:\WINDOWS\system32\Drivers\volsnap.sys => Moved successfully.

==== End of Fixlog ====

Smazáno. Nastala nějaká změna?

ak ti mam pravdu povedat internet je rychlejší no niekedy to zamrzne chcel som tam inštalnut acrobat reader a seklo to na 96% a nič .... plus keď spustím priečinok s mailami tak to zmrzne úplne a nič nejde robiť

Dejte log ComboFix:

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se

jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine

aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,

pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k

nezadoucim kolizim s rezidentem antispyware.

ComboFix 14-04-30.01 - Lubo . 04. 2014 19:17:57.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.1015.661 [GMT 2:00]
Running from: c:\documents and settings\Lubo\Plocha\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\msmqinst.log
c:\windows\regopt.log
c:\windows\system32\TZLog.log
.
.
((((((((((((((((((((((((( Files Created from 2014-03-28 to 2014-04-30 )))))))))))))))))))))))))))))))
.
.
2014-04-28 13:54 . 2014-04-28 13:54 -------- d-----w- C:\8806156a4abdb7bbe0
2014-04-27 09:41 . 2014-04-28 11:57 -------- d-----w- C:\FRST
2014-04-22 16:38 . 2014-04-22 16:38 -------- d-----w- C:\337200e5d2a01d96c6005dea
2014-04-22 15:25 . 2014-04-22 15:36 -------- d-----w- C:\887b13ae62618d5e05
2014-04-22 14:29 . 2014-04-22 14:34 -------- d-----w- C:\13562a1541642659c008863b
2014-04-22 14:02 . 2014-04-22 14:07 -------- d-----w- C:\498ca6fc4e6f5fd6bffc
2014-04-20 15:01 . 2014-04-20 15:01 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-06 17:58 . 2012-05-22 15:17 920064 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 17:58 . 2012-05-22 15:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 17:58 . 2012-05-22 15:17 18944 ----a-w- c:\windows\system32\corpol.dll
2014-03-06 17:58 . 2012-05-22 15:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-06 00:46 . 2012-05-22 15:17 385024 ----a-w- c:\windows\system32\html.iec
2014-02-07 06:36 . 2014-02-07 06:36 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2008-04-14 06:51 563712 ----a-w- c:\windows\system32\qedit.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-05-22 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2013-10-04 20145368]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [5. 4. 2013 3:53 121600]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [23. 10. 2013 8:15 172192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20. 4. 2014 16:09 1691480]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2. 6. 2011 10:08 11336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.centrum.sk/
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 217.119.113.244 8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-30 19:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-04-30 19:34:55
ComboFix-quarantined-files.txt 2014-04-30 17:34
.
Pre-Run: Volných bajtů: 53 752 832 000
Post-Run: Volných bajtů: 53 978 099 712
.
- - End Of File - - 777A5AAA0B7B2DBAEC6FB62A64743764
413FC2A0C716421B3158746D63736515

Ještě dočistíme. Otevřte poznámkový blok a zkopírujte do něj:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

Reboot::

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

ComboFix 14-04-30.01 - Lubo . 05. 2014 12:33:53.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.1015.672 [GMT 2:00]
Running from: c:\documents and settings\Lubo\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Lubo\Plocha\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2014-04-01 to 2014-05-01 )))))))))))))))))))))))))))))))
.
.
2014-04-28 13:54 . 2014-04-28 13:54 -------- d-----w- C:\8806156a4abdb7bbe0
2014-04-27 09:41 . 2014-04-28 11:57 -------- d-----w- C:\FRST
2014-04-22 16:38 . 2014-04-22 16:38 -------- d-----w- C:\337200e5d2a01d96c6005dea
2014-04-22 15:25 . 2014-04-22 15:36 -------- d-----w- C:\887b13ae62618d5e05
2014-04-22 14:29 . 2014-04-22 14:34 -------- d-----w- C:\13562a1541642659c008863b
2014-04-22 14:02 . 2014-04-22 14:07 -------- d-----w- C:\498ca6fc4e6f5fd6bffc
2014-04-20 15:01 . 2014-04-20 15:01 -------- d-----r- C:\MSOCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-06 17:58 . 2012-05-22 15:17 920064 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 17:58 . 2012-05-22 15:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 17:58 . 2012-05-22 15:17 18944 ----a-w- c:\windows\system32\corpol.dll
2014-03-06 17:58 . 2012-05-22 15:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-06 00:46 . 2012-05-22 15:17 385024 ----a-w- c:\windows\system32\html.iec
2014-02-07 06:36 . 2014-02-07 06:36 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2008-04-14 06:51 563712 ----a-w- c:\windows\system32\qedit.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-05-22 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2013-10-04 20145368]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
.
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [5. 4. 2013 3:53 121600]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [30. 4. 2014 19:49 5024576]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [23. 10. 2013 8:15 172192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20. 4. 2014 16:09 1691480]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2. 6. 2011 10:08 11336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.centrum.sk/
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 217.119.113.244 8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-01 12:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3696)
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2014-05-01 13:01:05 - machine was rebooted
ComboFix-quarantined-files.txt 2014-05-01 11:01
ComboFix2.txt 2014-04-30 17:34
.
Pre-Run: Volných bajtů: 53 838 389 248
Post-Run: Volných bajtů: 53 949 698 048
.
- - End Of File - - E4AEA001A2616C9B90E2F702E65BA33A
413FC2A0C716421B3158746D63736515

Čisto. CF nyní odinstalujte pomocí T-Cleaneru: http://vyosek.ic.cz/pro_usery/T-Cleaner.exe . Nastala nějaká změna?

dobre už to ide rychlejšie ale ako som to odinštaloval CF a tak tak kym som otvoril zložku mu to trvalo dal som rr aj tak to dlho trvalo ale už to ide v pohode Ďakujem keby niečo pisnem .... Ďakujem neviem ako inak Vám poďakovať ja by som to nezvládol )