VIRY.CZ

Při dnešním procházení webu mi vyskočilo okno s ransomware (kriminální policie...). Zavřel jsem ho přes správce (jinak to nešlo). Provedl restart a následně vrácení v čase přes obnovení + kompletní scan antivirem TrustPort a Eset online. Našlo to jen nějakou "běžnou" havěť.

Okno s virem se mi již neobjevuje a PC běží bez problémů.

Raději však provedena kontrola pomocí Roguekiller (nejspíše je to OK, ale prosím o kontrolu):

RogueKiller V10.9.1.0 [Jul 9 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Webová stránka : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Opera?ní systém : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Spu?t?no : Normální re?im
U?ivatel : HANES [Práva správce]
Started from : C:\Documents and Settings\HANES\Dokumenty\Downloads\RogueKiller.exe
Mód : Prohledat -- Datum : 07/12/2015 18:46:24

¤¤¤ Procesy : 11 ¤¤¤
[VT.Unknown] dplang-CSY.dll(1828) -- C:\Program Files\TrustPort\DiskProtection\bin\dplang-CSY.dll[7] -> Uvoln?no
[VT.Unknown] dpimages.dll(1828) -- C:\Program Files\TrustPort\DiskProtection\bin\dpimages.dll[7] -> Uvoln?no
[VT.Unknown] TDSRes.dll(1828) -- C:\Program Files\TrustPort\DiskProtection\bin\TDSRes.dll[7] -> Uvoln?no
[VT.Unknown] TDCore.dll(1828) -- C:\Program Files\TrustPort\DiskProtection\bin\TDCore.dll[7] -> Uvoln?no
[VT.Unknown] cryptlib.dll(1828) -- C:\Program Files\TrustPort\DiskProtection\bin\cryptlib.dll[7] -> Uvoln?no
[VT.Unknown] CARPC.dll(1828) -- C:\Program Files\TrustPort\ArchiveEnc\CARPC.dll[7] -> Uvoln?no
[VT.Unknown] aelang-CSY.dll(1828) -- C:\Program Files\TrustPort\ArchiveEnc\aelang-CSY.dll[7] -> Uvoln?no
[VT.Unknown] aeimages.dll(1828) -- C:\Program Files\TrustPort\ArchiveEnc\aeimages.dll[7] -> Uvoln?no
[VT.Unknown] carsres.dll(1828) -- C:\Program Files\TrustPort\ArchiveEnc\carsres.dll[7] -> Uvoln?no
[VT.Unknown] CARCore.dll(1828) -- C:\Program Files\TrustPort\ArchiveEnc\CARCore.dll[7] -> Uvoln?no
[VT.Unknown] tpadvapp.dll(1828) -- C:\Program Files\TrustPort\ArchiveEnc\tpadvapp.dll[7] -> Uvoln?no

¤¤¤ Registry : 23 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eapihdrv (\??\C:\DOCUME~1\HANES\LOCALS~1\Temp\ehdrv.sys) -> Nalezeno
[PUM.HomePage] HKEY_LOCAL_MACHINE\RK_Software_ON_D_36D1\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.HomePage] HKEY_USERS\RK_Ukrutor_ON_D_5012\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.HomePage] HKEY_USERS\S-1-5-21-2025429265-963894560-725345543-1003\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.SearchPage] HKEY_LOCAL_MACHINE\RK_Software_ON_D_36D1\Microsoft\Internet Explorer\Main | Search Page : http://search.seznam.cz/?sourceid=quick ... earchTerms} -> Nalezeno
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.seznam.cz/?sourceid=quick ... earchTerms} -> Nalezeno
[PUM.SearchPage] HKEY_USERS\RK_Ukrutor_ON_D_5012\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.seznam.cz/?sourceid=quick ... earchTerms} -> Nalezeno
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2025429265-963894560-725345543-1003\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.seznam.cz/?sourceid=quick ... earchTerms} -> Nalezeno
[PUM.SearchPage] HKEY_LOCAL_MACHINE\RK_Software_ON_D_36D1\Microsoft\Internet Explorer\Main | Search Bar : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Bar : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.SearchPage] HKEY_USERS\RK_Ukrutor_ON_D_5012\Software\Microsoft\Internet Explorer\Main | Search Bar : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2025429265-963894560-725345543-1003\Software\Microsoft\Internet Explorer\Main | Search Bar : https://www.seznam.cz/?clid=22668 -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_D_2AFB\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_D_2AFB\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{35007ED6-483B-4D3B-BFD1-3385E72D925E} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_D_2AFB\ControlSet001\Services\Tcpip\Parameters\Interfaces\{58BAE504-460E-4FF6-B83D-415EA37067C7} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{35007ED6-483B-4D3B-BFD1-3385E72D925E} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\RK_System_ON_D_2AFB\ControlSet002\Services\Tcpip\Parameters\Interfaces\{58BAE504-460E-4FF6-B83D-415EA37067C7} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{35007ED6-483B-4D3B-BFD1-3385E72D925E} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)]) -> Nalezeno

¤¤¤ Úlohy : 0 ¤¤¤

¤¤¤ Soubory : 0 ¤¤¤

¤¤¤ Soubor HOSTS : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: Nahrán) ¤¤¤

¤¤¤ Webové prohlí?e?e : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] u3pgjued.default : user_pref("browser.startup.homepage", "https://www.seznam.cz/"); -> Nalezeno

¤¤¤ Kontrola MBR : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS +++++
--- User ---
[MBR] c7424b4c276b06667e1bc63a3788abe4
[BSP] 917cbc917ca33f0debbbe47999f9fef4 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 45998 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 94205160 | Size: 430931 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SAMSUNG SP2504C +++++
--- User ---
[MBR] cdcf2c85562c812ffefd9fd86edc30fc
[BSP] 8a1da5904025ed056bc0d268908682f6 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 49999 MB [Windows XP Bootstrap | Windows XP Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 102398310 | Size: 188473 MB
User = LL1 ... OK
User = LL2 ... OK

Zdravím!
Dejte log ComboFix:

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se

jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine

aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,

pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k

nezadoucim kolizim s rezidentem antispyware.

ComboFix 15-07-12.01 - HANES 13.07.2015 9:56.1.3 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3326.2510 [GMT 2:00]
Spuštěný z: c:\documents and settings\HANES\Dokumenty\Sta×enÚ soubory\ComboFix.exe
AV: TrustPort Antivirus *Disabled/Updated* {3E803F6C-6C2F-4647-BCA9-1C7E98603DB4}
FW: TrustPort Firewall *Enabled* {3A5163D7-AF08-48AC-BE9F-10B653A9E9C9}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\HANES\WINDOWS
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2015-06-13 do 2015-07-13 )))))))))))))))))))))))))))))))
.
.
2015-07-13 06:17 . 2015-07-13 06:17 -------- d-----w- c:\windows\system32\wbem\Repository
2015-07-12 16:27 . 2015-07-12 16:49 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-07-12 16:27 . 2015-07-12 16:27 -------- d-----w- c:\documents and settings\All Users\Data aplikací\RogueKiller
2015-07-12 12:13 . 2015-07-12 12:15 -------- d-----w- c:\windows\system32\MRT
2015-07-12 11:50 . 2015-07-12 11:50 -------- d-----w- c:\program files\ESET
2015-07-02 14:45 . 2015-07-02 14:45 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-02 14:45 . 2015-04-23 17:19 146432 ----a-w- c:\windows\system32\javacpl.cpl
2015-07-02 14:45 . 2015-04-23 17:19 96352 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-06-18 15:55 . 2015-03-13 14:29 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2015-05-08 15:03 . 2015-03-28 15:46 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-05-08 15:03 . 2015-03-28 15:46 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-05 33628160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-03-15 15668512]
"NvMediaCenter"="NvMCTray.dll" [2013-03-15 223008]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-03-15 1982312]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"AntivirusCommunicatorAgent"="c:\program files\TrustPort\Antivirus\bin\avcom.exe" [2015-02-13 931880]
"TrustPortDiskProtectionWatchDog"="c:\program files\TrustPort\DiskProtection\bin\TDWatch.exe" [2015-02-13 235600]
"TrustPortTray"="c:\program files\Common Files\TrustPort\Bin\tptray.exe" [2015-02-13 1084320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-04-30 334896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avinspect.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0tpnative
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 tpdevflt;TrustPort Device Filter;c:\windows\system32\drivers\tpdevflt.sys [22.4.2015 18:38 33816]
R1 tdimapper;TrustPort TDI port to process mapper;c:\program files\TrustPort\PersonalFirewall\bin\tdimapper.sys [22.4.2015 18:40 19400]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [16.10.2009 11:42 319488]
R2 EncDisk;EncDisk;c:\program files\TrustPort\DiskProtection\bin\encdsk.sys [22.4.2015 18:39 56464]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [8.6.2015 12:38 9216]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11.2.2011 23:23 35088]
R2 tdifw;TrustPort PGTW driver;c:\windows\system32\drivers\tdifw.sys [22.4.2015 18:39 41520]
R2 tpmgma_service;TrustPort Core Service;c:\program files\Common Files\TrustPort\bin\tpmgma.exe [22.4.2015 18:38 503400]
R2 tpsec;TrustPort Security Filter;c:\windows\system32\drivers\tpsec.sys [22.4.2015 18:38 47200]
R2 wipesrv;TrustPort DataShredder Wipe Service;c:\program files\TrustPort\DataShredder\bin\wipesrv.exe [22.4.2015 18:39 289160]
R3 avss_service;TrustPort Antivirus Service Scanner Provider;c:\program files\TrustPort\Antivirus\bin\avss.exe [22.4.2015 18:38 379800]
R3 gozer;TrustPort Personal GTW;c:\program files\TrustPort\Antivirus\bin\gozer.exe [22.4.2015 18:39 515760]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [27.4.2010 10:27 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [27.4.2010 10:28 146568]
R3 TPPFHOOK;TPPFHOOK;c:\program files\TrustPort\PersonalFirewall\bin\tppfhook.sys [22.4.2015 18:39 26592]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [22.12.2014 10:23 1374464]
S3 avas_service;TrustPort Antivirus On-Access Scanner Agent;c:\program files\TrustPort\Antivirus\bin\avas.exe [22.4.2015 18:38 894800]
S3 avasdmft;TrustPort Antivirus On-Access Scanner (W2K/XP) MF;c:\windows\system32\drivers\avasdmft.sys [22.4.2015 18:38 38448]
S3 dsio;TrustPort Raw IO Driver;c:\program files\Common Files\TrustPort\bin\dsio.sys [22.4.2015 18:38 17328]
.
Obsah adresáře 'Naplánované úlohy'
.
2015-07-13 c:\windows\Tasks\TrustPort Updater.job
- c:\program files\Common Files\TrustPort\bin\tpupdate.exe [2015-04-22 07:47]
.
.
------- Doplňkový sken -------
.
uStart Page = https://www.seznam.cz/?clid=22668
mStart Page = https://www.seznam.cz/?clid=22668
mSearch Bar = https://www.seznam.cz/?clid=22668
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HANES\Data aplikací\Mozilla\Firefox\Profiles\u3pgjued.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.seznam.cz/
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKLM-Run-NWEReboot - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-07-13 10:01
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwOpenKey, ZwOpenFile
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(7492)
c:\windows\system32\webcheck.dll
.
Celkový čas: 2015-07-13 10:02:45
ComboFix-quarantined-files.txt 2015-07-13 08:02
.
Před spuštěním: Volných bajtů: 27 056 443 392
Po spuštění: Volných bajtů: 27 185 913 856
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT /NOEXECUTE=OPTIN
.
- - End Of File - - 7903D5790C3A882ED85799C7D7AF0B88
A36C5E4F47E84449FF07ED3517B43A31

Ještě dočistíme. Přesuňte ComboFix na plochu. Otevřte poznámkový blok a zkopírujte do něj:

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

Reboot::

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Obrázek

Hotovo:

ComboFix 15-07-12.01 - HANES 13.07.2015 18:35:34.2.3 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3326.2418 [GMT 2:00]
Spuštěný z: c:\documents and settings\HANES\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\HANES\Plocha\CFScript.txt
AV: TrustPort Antivirus *Disabled/Updated* {3E803F6C-6C2F-4647-BCA9-1C7E98603DB4}
FW: TrustPort Firewall *Enabled* {3A5163D7-AF08-48AC-BE9F-10B653A9E9C9}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2015-06-13 do 2015-07-13 )))))))))))))))))))))))))))))))
.
.
2015-07-13 06:17 . 2015-07-13 06:17 -------- d-----w- c:\windows\system32\wbem\Repository
2015-07-12 16:27 . 2015-07-12 16:49 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-07-12 16:27 . 2015-07-12 16:27 -------- d-----w- c:\documents and settings\All Users\Data aplikací\RogueKiller
2015-07-12 12:13 . 2015-07-12 12:15 -------- d-----w- c:\windows\system32\MRT
2015-07-12 11:50 . 2015-07-12 11:50 -------- d-----w- c:\program files\ESET
2015-07-02 14:45 . 2015-07-02 14:45 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-02 14:45 . 2015-04-23 17:19 146432 ----a-w- c:\windows\system32\javacpl.cpl
2015-07-02 14:45 . 2015-04-23 17:19 96352 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-06-18 15:55 . 2015-03-13 14:29 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2015-05-08 15:03 . 2015-03-28 15:46 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-05-08 15:03 . 2015-03-28 15:46 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-06-05 33628160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-03-15 15668512]
"NvMediaCenter"="NvMCTray.dll" [2013-03-15 223008]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-03-15 1982312]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"AntivirusCommunicatorAgent"="c:\program files\TrustPort\Antivirus\bin\avcom.exe" [2015-02-13 931880]
"TrustPortDiskProtectionWatchDog"="c:\program files\TrustPort\DiskProtection\bin\TDWatch.exe" [2015-02-13 235600]
"TrustPortTray"="c:\program files\Common Files\TrustPort\Bin\tptray.exe" [2015-02-13 1084320]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0tpnative
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 tpdevflt;TrustPort Device Filter;c:\windows\system32\drivers\tpdevflt.sys [22.4.2015 18:38 33816]
R1 tdimapper;TrustPort TDI port to process mapper;c:\program files\TrustPort\PersonalFirewall\bin\tdimapper.sys [22.4.2015 18:40 19400]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [16.10.2009 11:42 319488]
R2 EncDisk;EncDisk;c:\program files\TrustPort\DiskProtection\bin\encdsk.sys [22.4.2015 18:39 56464]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [8.6.2015 12:38 9216]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11.2.2011 23:23 35088]
R2 tdifw;TrustPort PGTW driver;c:\windows\system32\drivers\tdifw.sys [22.4.2015 18:39 41520]
R2 tpmgma_service;TrustPort Core Service;c:\program files\Common Files\TrustPort\bin\tpmgma.exe [22.4.2015 18:38 503400]
R2 tpsec;TrustPort Security Filter;c:\windows\system32\drivers\tpsec.sys [22.4.2015 18:38 47200]
R2 wipesrv;TrustPort DataShredder Wipe Service;c:\program files\TrustPort\DataShredder\bin\wipesrv.exe [22.4.2015 18:39 289160]
R3 avss_service;TrustPort Antivirus Service Scanner Provider;c:\program files\TrustPort\Antivirus\bin\avss.exe [22.4.2015 18:38 379800]
R3 gozer;TrustPort Personal GTW;c:\program files\TrustPort\Antivirus\bin\gozer.exe [22.4.2015 18:39 515760]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [27.4.2010 10:27 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [27.4.2010 10:28 146568]
R3 TPPFHOOK;TPPFHOOK;c:\program files\TrustPort\PersonalFirewall\bin\tppfhook.sys [22.4.2015 18:39 26592]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [22.12.2014 10:23 1374464]
S3 avas_service;TrustPort Antivirus On-Access Scanner Agent;c:\program files\TrustPort\Antivirus\bin\avas.exe [22.4.2015 18:38 894800]
S3 avasdmft;TrustPort Antivirus On-Access Scanner (W2K/XP) MF;c:\windows\system32\drivers\avasdmft.sys [22.4.2015 18:38 38448]
S3 dsio;TrustPort Raw IO Driver;c:\program files\Common Files\TrustPort\bin\dsio.sys [22.4.2015 18:38 17328]
.
Obsah adresáře 'Naplánované úlohy'
.
2015-07-13 c:\windows\Tasks\TrustPort Updater.job
- c:\program files\Common Files\TrustPort\bin\tpupdate.exe [2015-04-22 07:47]
.
.
------- Doplňkový sken -------
.
uStart Page = https://www.seznam.cz/?clid=22668

Smazáno. PC by již měl být čistý.

Díky za pomoc

Rádo se stalo!

VIRY.CZ

Prosím o kontrolu

Prosím o kontrolu

Re: Prosím o kontrolu

Re: Prosím o kontrolu

Re: Prosím o kontrolu

Re: Prosím o kontrolu

Re: Prosím o kontrolu

Re: Prosím o kontrolu

Re: Prosím o kontrolu