Re: Infected laptop

Posted: 05 Mar 2016 01:50
by altrok
I wish you a lovely day :bye:


:arrow: As part of the cleaning, your temporary directories (including the Recycle Bin) will be emptied.

:arrow: Save AdwCleaner to the desktop https://toolslib.net/downloads/viewdown ... dwcleaner/ (or http://www.bleepingcomputer.com/download/adwcleaner/ )
  • close all programs
  • right-click the AdwCleaner icon and choose Run as administrator (on Windows XP simply run it with a double-click)
  • click Scan, then Cleaning
  • after the restart a log will pop up (or you can find it at C:\AdwCleaner\AdwCleaner[Cx].txt); copy its contents into your next reply


:arrow: Save zoek.exe to the desktop http://hijackthis.nl/smeenk/zoek.htm
  • run it as administrator
  • copy the script given below into the large window
  • click Run script
  • after the restart a log will pop up (or you can find it at C:\zoek-results.log) - paste it into your next reply

    Code:

    autoclean;
    emptyclsid;
    iedefaults;
    FFdefaults;
    CHRdefaults;
    emptyalltemp;
    resethosts;

Re: Infected laptop

Posted: 05 Mar 2016 07:52
by altrok
:arrow: Post the FRST.txt and Addition.txt logs - http://forum.viry.cz/viewtopic.php?f=30&t=133101
Note: on the second and any later run of FRST, the Addition.txt option must be explicitly ticked before the scan starts for that log to be created.

Re: Infected laptop

Posted: 06 Mar 2016 14:30
by altrok
  • Copy the contents of the white box into Notepad (Start -> Run -> notepad)
  • save it to the desktop as fixlist (Save as type: Text Document)
  • run FRST again and click Fix
  • after the restart a fixlog will be saved on the desktop; paste its contents into your next reply

    Code:

    Start
    CreateRestorePoint:
    CloseProcesses:
    Folder: C:\ProgramData\Validity
    File: C:\Windows\system32\Mystify.scr
    File: C:\ProgramData\CloudPrinter\CloudPrinter.exe
    File: C:\Users\user\AppData\Roaming\Freshtom.tst
    File: C:\Users\user\AppData\Roaming\Zenex.tst
    Folder: C:\Users\user\AppData\Local\Tempfolder
    File: C:\Windows\system32\winupd.exe
    File: C:\Windows\system32\Wimboldon.exe
    File: C:\Windows\system32\win.exe
    File: C:\Windows\system32\Mint.exe
    File: C:\Users\user\AppData\Roaming\ReukmQichif\Jeastof.exe
    HKLM-x32\...\Run: [dply_en_015020253] => [X]
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\...\Run: [yllgpa] => rundll32.exe "C:\Users\user\AppData\Local\yllgpa.dll",yllgpa <===== ATTENTION
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\...\MountPoints2: {4f66dbac-a0ac-11e4-800e-10604bdc1d7e} - "F:\NokiaPCIA_Autorun.exe" 
    AppInit_DLLs: C:\ProgramData\Konksolex\Rundonbam.dll => No File
    AppInit_DLLs-x32: C:\ProgramData\Konksolex\Quadtech.dll => No File
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
    S2 Konksolex; C:\ProgramData\\Konksolex\\Konksolex.exe shuz -f "C:\ProgramData\\Konksolex\\Konksolex.dat" -l -a
    C:\ProgramData\Konksolex
    R2 Gudsanru; C:\Users\user\AppData\Roaming\ReukmQichif\Jeastof.exe [125776 2016-02-29] () [File not signed]
    C:\Users\user\AppData\Roaming\ReukmQichif
    S3 AtiDCM; \??\C:\Users\user\AppData\Local\Temp\atdcm64a.sys [X]
    S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
    S3 STHDA; \SystemRoot\system32\DRIVERS\stwrt64.sys [X]
    2016-02-29 17:08 - 2016-02-29 17:08 - 00000000 ____D C:\uninst
    2016-02-29 17:05 - 2016-03-04 19:38 - 00000000 ____D C:\Program Files\shopperz290220162341
    2016-02-29 17:05 - 2016-02-29 17:05 - 00000000 ____D C:\Users\user\AppData\Roaming\ReukmQichif
    2016-03-04 19:36 - 2014-09-01 07:10 - 00000000 ____D C:\AdwCleaner
    2016-03-04 18:08 - 2014-03-14 10:55 - 00000000 ____D C:\Program Files\trend micro
    CMD: ipconfig /flushdns
    Task: {04090299-7F50-4D3C-BF9C-2A6402F0E968} - System32\Tasks\GoogleUp => C:\Windows\system32\hsysinfo.exe <==== ATTENTION
    Task: {06CA4585-E982-4001-B2E9-E15D33F8BF6F} - \Balance Component -> No File <==== ATTENTION
    Task: {077924CB-C402-4235-A580-34D744AB7184} - System32\Tasks\Opewp => C:\PROGRA~1\SHOPPE~1\Cizdi.bat
    C:\PROGRA~1\SHOPPE~1
    Task: {0C755020-9C6E-44A9-8C01-3250F1DC98C8} - System32\Tasks\MyDailyBackup => C:\Windows\system32\winupd.exe <==== ATTENTION
    C:\Windows\system32\winupd.exe
    Task: {2439A55E-A7E5-40D6-90FA-41846A408F95} - System32\Tasks\Nedgie => C:\PROGRA~1\SHOPPE~1\Soyqbew.bat
    Task: {2F46F28D-3DCD-4593-840A-5E3B2750DF97} - System32\Tasks\Googleuptodate => C:\Windows\system32\Wimboldon.exe <==== ATTENTION
    C:\Windows\system32\Wimboldon.exe
    Task: {39582745-A349-4860-9CA0-8D0E1A611B7B} - System32\Tasks\{EFA80B71-E2C6-4D5A-A032-2896DC818B7E} => pcalua.exe -a C:\Users\user\Desktop\zoek\zoek.com -d C:\Users\user\Desktop\zoek
    Task: {54499370-72FC-4B77-BE4F-B2FD3B44E153} - \bvxvcxxvaf -> No File <==== ATTENTION
    Task: {9D2CA2AA-029C-49EA-9F51-68BE78FCB3CB} - System32\Tasks\{0226161A-52F5-4DA3-8A13-66689F298090} => pcalua.exe -a C:\Users\user\Desktop\zoek\zoek.scr -d C:\Users\user\Desktop\zoek -c /S
    Task: {D20E8A17-A250-47E6-B624-AD611FC3D71F} - \Tlaoudnoweet -> No File <==== ATTENTION
    Task: {D272D7FB-B501-418A-904D-E3636C2E5566} - \Punixnuifx -> No File <==== ATTENTION
    Task: {D989D97C-A7F6-47BB-9D64-D25C4705ADBE} - System32\Tasks\Emakoraw => C:\PROGRA~1\SHOPPE~1\Igohcu.bat
    Task: {F14DC18B-A123-4363-A1BD-E82D27066776} - \impo -> No File <==== ATTENTION
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    FirewallRules: [{7EA7F9A0-B377-4E78-83B1-5EBF32148F3A}] => (Allow) C:\WINDOWS\explorer.exe
    FirewallRules: [{B1FC92C4-3315-4D96-B634-FF1502768928}] => (Allow) C:\WINDOWS\system32\rundll32.exe
    FirewallRules: [{88A1CE66-6986-415E-8821-8721B993DA56}] => (Allow) C:\Program Files (x86)\GoforFiles\GoforFiles.exe
    FirewallRules: [{7FC6D382-1217-4A1C-A00D-FEE63AD027F4}] => (Allow) C:\Program Files (x86)\GoforFiles\GoforFiles.exe
    FirewallRules: [{3329D1FF-B99B-4A3A-8B77-DEE89D733869}] => (Allow) C:\Program Files (x86)\GoforFiles\goforfilesdl.exe
    FirewallRules: [{1F166FCA-DA68-410C-900B-B8E2C9767184}] => (Allow) C:\Program Files (x86)\GoforFiles\goforfilesdl.exe
    FirewallRules: [{1A78F0A5-B64B-4338-856C-2A350ED830F6}] => (Allow) C:\Program Files (x86)\GoforFiles\goforfilesdl.exe
    FirewallRules: [{ADDD6F92-DD8D-4C4D-8613-06D6BAFAE836}] => (Allow) C:\Program Files (x86)\GoforFiles\goforfilesdl.exe
    FirewallRules: [{0AF2DF27-125E-4238-BF29-7A2308183CC0}] => (Allow) C:\Program Files (x86)\GoforFiles\GoforFiles.exe
    FirewallRules: [{DD964D38-F054-480C-8BCB-693B5ECA56A3}] => (Allow) C:\Program Files (x86)\GoforFiles\GoforFiles.exe
    FirewallRules: [{D6488F88-7614-41EF-B8A3-30D3DA729E6C}] => (Allow) C:\WINDOWS\system32\rundll32.exe
    CMD: dir "C:\PROGRA~1"
    CMD: dir "C:\PROGRA~2"
    CMD: dir "C:\PROGRA~3"
    CMD: dir "%localappdata%"
    CMD: dir "%appdata%"
    Hosts:
    EmptyTemp:
    End

Re: Infected laptop

Posted: 06 Mar 2016 23:32
by altrok
:arrow: There is still a lot of malware on the PC, so I strongly recommend completing the treatment all the way to the end.


:arrow: Test C:\Users\user\AppData\Roaming\Freshtom.tst and C:\Users\user\AppData\Roaming\Zenex.tst on virustotal.com - if the file has already been tested, choose Reanalyse. Put the link to the analysis results in your next post.


:arrow: Save MBAR to the desktop - http://www.bleepingcomputer.com/downloa ... i-rootkit/
  • double-click to run it and extract it to the desktop
  • click Next
  • update the virus database by clicking Update and continue with Next
  • leave all 3 options ticked and choose Scan (it takes about 20 minutes)
  • tick all detections and also check that Create Restore Point is ticked
  • click Cleanup and agree to the restart - Yes
  • paste the contents of the log saved on the desktop in mbar\mbar-log-2015-mm-dd (hh-mm-ss).txt into your next reply

Re: Infected laptop

Posted: 10 Mar 2016 00:30
by altrok
Follow my colleague's instructions

vyosek wrote: :arrow: Download TDSSKiller http://media.kaspersky.com/utilities/Vi ... killer.exe
  • After launching it, accept the licence terms (click Accept)
  • Click the Change parameters option
  • In the Additional Options window tick all the options
  • Click OK
  • Tell the utility to scan - click Start Scan
  • When the scan finishes a window appears; check that the option is set to Skip everywhere
  • If Skip is not set by default, switch it to Skip
  • Once you have Skip everywhere, click Continue
  • On the drive where Windows is installed (usually c:\) there will be a log named TDSSKiller.<some numbers>_log.txt - paste its contents here

Re: Infected laptop

Posted: 11 Mar 2016 18:09
by altrok
:arrow: Post the FRST.txt and Addition.txt logs - http://forum.viry.cz/viewtopic.php?f=30&t=133101
Note: on the second and any later run of FRST, the Addition.txt option must be explicitly ticked before the scan starts for that log to be created.

Re: Infected laptop

Posted: 12 Mar 2016 12:25
by altrok
:arrow: You have no active antivirus - at least turn on Windows Defender.


:arrow: Uninstall the old, vulnerable version of Java. If you need Java, install a new one from java.com - beware of adware during its installation http://forum.viry.cz/viewtopic.php?p=1374438#p1374438 . From a security standpoint (exploits) it is better not to have it at all. The current version is 8U66. The Java versions installed on your PC:

  • Java 7 Update 21


  • Copy the contents of the white box into Notepad (Start -> Run -> notepad)
  • save it to the desktop as fixlist (Save as type: Text Document)
  • run FRST again and click Fix
  • after the restart a fixlog will be saved on the desktop; paste its contents into your next reply

    Code:

    Start
    CreateRestorePoint:
    CloseProcesses:
    Folder: C:\Users\user\AppData\Local\Shortcut Installer
    Folder: C:\WINDOWS\system32\aoky
    Folder: C:\ProgramData\AppxelosknoK
    Folder: C:\Users\user\AppData\Local\Setup944066328
    File: C:\ProgramData\AppxelosknoK\AppxelosknoK.exe
    File: C:\PROGRA~2\AOL\AOL_HE~1.EXE
    C:\ProgramData\AppxelosknoK
    C:\ProgramData\CloudPrinter
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\...\RunOnce: [Application Restart #0] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [746648 2016-02-17] (Google Inc.)
    AppInit_DLLs: C:\ProgramData\AppxelosknoK\Movetech.dll => C:\ProgramData\AppxelosknoK\Movetech.dll [363520 2016-03-08] ()
    AppInit_DLLs-x32: C:\ProgramData\AppxelosknoK\Quotetax.dll => C:\ProgramData\AppxelosknoK\Quotetax.dll [257536 2016-03-08] ()
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F. ... v44DG9Cxx0,
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... KyxUSI,&q={searchTerms}
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... KyxUSI,&q={searchTerms}
    HKU\S-1-5-21-2009210261-2343647282-559151360-1002\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... KyxUSI,&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... KyxUSI,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2009210261-2343647282-559151360-1002 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... KyxUSI,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2009210261-2343647282-559151360-1002 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... KyxUSI,&q={searchTerms}
    FF NewTab: C:\\ProgramData\\AppxelosknoKs\\ff.NT
    FF Homepage: C:\\ProgramData\\AppxelosknoKs\\ff.HP
    FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\djzt7o2x.default\searchplugins\findit.xml [2016-03-09]
    FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-03] [not signed]
    FF Extension: TrueSuite Website Logon - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\websitelogon@truesuite.com [2016-03-08] [not signed]
    CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F. ... IdcNsY5aws,
    CHR StartupUrls: Default -> "hxxps://mail.google.com/mail/u/0/?shva=1#inbox/13d3b377bda7cb17","hxxp://bakalari.gymmost.cz/bakaweb/prehled.aspx?s=2","hxxp://www.darwiniana.cz/masozravky/forum:start","hxxp://www.searchnu.com/406?appid=484","hxxp://www1.delta-search.com/?affID=119292&tt=220413_www1&babsrc=HP_ss&mntrId=421B16E543B70157","hxxp://istart.webssearches.com/?type=hp&ts=1424181399&from=kmp&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://istart.webssearches.com/?type=hppp&ts=1424181424&from=kmp&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://www.delta-homes.com/?type=hp&ts=1434476281&z=1b085f3e900abe6e4735582g5z2c5z4zem8qao3bdo&from=ient06162&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://www.istartsurf.com/?type=hppp&ts=1434476576&from=xtab&uid=4FE7469D149A49e4AE3EFE449E77E960"
    CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... rQAV-A,&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
    CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?ou ... s&command={searchTerms}
    R2 AppxelosknoK; C:\ProgramData\\AppxelosknoK\\AppxelosknoK.exe [529408 2016-03-06] () [File not signed]
    R2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [764416 2016-03-01] () [File not signed]
    S1 bsdriver; \??\C:\WINDOWS\system32\drivers\bsdriver.sys [X]
    2016-03-10 21:52 - 2016-03-10 21:56 - 00441600 _____ C:\TDSSKiller.3.1.0.9_10.03.2016_21.52.01_log.txt
    2016-03-10 21:51 - 2016-03-10 21:51 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\user\Desktop\tdsskiller.exe
    2016-03-08 16:38 - 2016-03-08 20:35 - 00000000 ____D C:\Users\user\Desktop\mbar
    2016-03-08 16:38 - 2016-03-08 20:32 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2016-03-08 16:38 - 2016-03-08 16:38 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2016-03-08 16:37 - 2016-03-08 16:37 - 16563352 _____ (Malwarebytes Corp.) C:\Users\user\Desktop\mbar-1.09.3.1001.exe
    2016-03-06 14:17 - 2016-03-09 15:19 - 00003626 _____ C:\WINDOWS\System32\Tasks\snp
    2016-03-06 14:17 - 2016-03-09 15:19 - 00002401 _____ C:\WINDOWS\SysWOW64\findit.xml
    2016-03-06 14:17 - 2016-03-06 14:17 - 00000000 ____D C:\ProgramData\AppxelosknoKs
    2016-03-04 20:28 - 2016-03-04 20:28 - 00000000 ____D C:\ProgramData\Validity
    2016-03-04 20:05 - 2015-12-06 07:36 - 00000000 ____D C:\ProgramData\Nico Mak Computing
    Task: {0762D7A8-844D-4142-941B-CFAFC1202770} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\SymErr.exe
    Task: {56CB206A-C116-451C-B84B-8C54239D9D6B} - System32\Tasks\win => C:\Windows\system32\win.exe
    C:\Windows\system32\win.exe
    Task: {A70FCF60-65CE-4A5F-9152-AC5A77D99A52} - System32\Tasks\SecurityApps2 => C:\Program Files (x86)\PC Optimizer\PC Optimizer\SecurityApps.exe
    Task: {AAD34274-23B2-4906-A612-D9C71FA8D54E} - System32\Tasks\snp => C:\ProgramData\AppxelosknoK\AppxelosknoK.exe [2016-03-06] () <==== ATTENTION
    Task: {BF63B5C2-E435-48B2-94FB-52C864BB9AB8} - System32\Tasks\psv_Vaialab => /c regedit.exe /s "C:\ProgramData\AppxelosknoK\Dingtone.reg" & del "C:\ProgramData\AppxelosknoK\Dingtone.reg" & SCHTASKS /Delete /TN "psv_Vaialab" /F <==== ATTENTION
    Task: {CC648FC0-3A50-49C9-A9AF-396198816C03} - System32\Tasks\import => C:\Windows\system32\Mint.exe
    C:\Windows\system32\Mint.exe
    CMD: dir "C:\PROGRA~1"
    CMD: dir "C:\PROGRA~2"
    CMD: dir "C:\PROGRA~3"
    CMD: dir "%localappdata%"
    CMD: dir "%appdata%"
    Hosts:
    EmptyTemp:
    End

Re: Infected laptop

Posted: 12 Mar 2016 16:30
by altrok
:arrow: Post the FRST.txt and Addition.txt logs - http://forum.viry.cz/viewtopic.php?f=30&t=133101
Note: on the second and any later run of FRST, the Addition.txt option must be explicitly ticked before the scan starts for that log to be created.

Re: Infected laptop

Posted: 12 Mar 2016 17:51
by altrok
:arrow: You can download all the ones I know of for free, but since you want to use it for free for an unlimited time, the choice narrows to Avast, Avira (the free version is in English), BitDefender, AVG, ... Have a look at the comparative tests that Tatry03 collects for you here and form your own opinion ;) http://forum.viry.cz/viewtopic.php?f=14 ... &start=165



:arrow: The PC now looks noticeably better than at the start, but some of the vermin is still regenerating.



:arrow: Save ESET Online Scanner to the desktop by clicking esetsmartinstaller_csy.exe
  • double-click the saved esetsmartinstaller_csy.exe to run it
  • tick Yes, I accept the Terms of Use and click Start
  • select the option Enable detection of potentially unwanted applications
  • expand Advanced settings and
    • untick the option Remove found threats
    • leave the option Use Anti-Stealth technology ticked
  • click Scan, which starts a scan that may take several hours
  • when the scan finishes, click List of found threats (if nothing is found you will not create a log)
  • click Export to text file, name the log ESETlog and save it to the desktop
  • paste the contents of the log into your next reply
  • click << Back and tick Uninstall
  • close ESET Online Scanner by clicking Finish.

Re: Infected laptop

Posted: 13 Mar 2016 00:50
by altrok
  • Copy the contents of the white box into Notepad (Start -> Run -> notepad)
  • save it to the desktop as fixlist (Save as type: Text Document)
  • run FRST again and click Fix
  • after the restart a fixlog will be saved on the desktop; paste its contents into your next reply

    Code:

    Start
    CreateRestorePoint:
    CloseProcesses:
    CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F. ... IdcNsY5aws,
    CHR StartupUrls: Default -> "hxxps://mail.google.com/mail/u/0/?shva=1#inbox/13d3b377bda7cb17","hxxp://bakalari.gymmost.cz/bakaweb/prehled.aspx?s=2","hxxp://www.darwiniana.cz/masozravky/forum:start","hxxp://www.searchnu.com/406?appid=484","hxxp://www1.delta-search.com/?affID=119292&tt=220413_www1&babsrc=HP_ss&mntrId=421B16E543B70157","hxxp://istart.webssearches.com/?type=hp&ts=1424181399&from=kmp&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://istart.webssearches.com/?type=hppp&ts=1424181424&from=kmp&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://www.delta-homes.com/?type=hp&ts=1434476281&z=1b085f3e900abe6e4735582g5z2c5z4zem8qao3bdo&from=ient06162&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://www.istartsurf.com/?type=hppp&ts=1434476576&from=xtab&uid=4FE7469D149A49e4AE3EFE449E77E960"
    CHR DefaultSearchKeyword: Default -> pa
    2016-03-12 09:01 - 2016-03-12 09:01 - 00003292 _____ C:\WINDOWS\System32\Tasks\psv_CofSaodom
    2016-03-01 16:27 - 2016-03-01 16:27 - 1895432 _____ () C:\Users\user\AppData\Roaming\Freshtom.tst
    2016-03-01 16:27 - 2016-03-01 16:27 - 0072857 _____ () C:\Users\user\AppData\Roaming\Zenex.tst
    2016-03-01 16:26 - 2016-03-01 16:26 - 0127488 _____ () C:\Users\user\AppData\Roaming\Installer.dat
    2016-03-01 16:27 - 2016-03-01 16:27 - 0126464 _____ () C:\Users\user\AppData\Roaming\lobby.dat
    2016-03-01 16:27 - 2016-03-01 16:27 - 0018432 _____ () C:\Users\user\AppData\Roaming\Main.dat
    Task: {C303846A-65A0-44E1-8988-76D160519B90} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\WSCStub.exe
    Task: {EAB19A2B-AD04-4860-8D60-C87059AC83D7} - System32\Tasks\psv_CofSaodom => /c regedit.exe /s "C:\ProgramData\AppxelosknoK\Dongtough.reg" & del "C:\ProgramData\AppxelosknoK\Dongtough.reg" & SCHTASKS /Delete /TN "psv_CofSaodom" /F <==== ATTENTION
    C:\ProgramData\AppxelosknoK
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
    ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> %SNF%
    End

Re: Infected laptop

Posted: 13 Mar 2016 22:34
by altrok
:arrow: What problems do you observe on the PC now?


:arrow: Post new logs from FRST - before starting the scan, additionally tick List BCD, Shortcut.txt and Addition.txt. Paste all three resulting logs into your next replies (FRST.txt, Addition.txt and Shortcut.txt).

Re: Infected laptop

Posted: 15 Mar 2016 09:26
by altrok
You're welcome :)


The only vermin that keeps regenerating is in the Google Chrome browser

Code:

CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F. ... IdcNsY5aws,
CHR StartupUrls: Default -> "hxxps://mail.google.com/mail/u/0/?shva=1#inbox/13d3b377bda7cb17","hxxp://bakalari.gymmost.cz/bakaweb/prehled.aspx?s=2","hxxp://www.darwiniana.cz/masozravky/forum:start","hxxp://www.searchnu.com/406?appid=484","hxxp://www1.delta-search.com/?affID=119292&tt=220413_www1&babsrc=HP_ss&mntrId=421B16E543B70157","hxxp://istart.webssearches.com/?type=hp&ts=1424181399&from=kmp&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://istart.webssearches.com/?type=hppp&ts=1424181424&from=kmp&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://www.delta-homes.com/?type=hp&ts=1434476281&z=1b085f3e900abe6e4735582g5z2c5z4zem8qao3bdo&from=ient06162&uid=HitachiXHTS547575A9E384_J2140059EWPG5AEWPG5AX","hxxp://www.istartsurf.com/?type=hppp&ts=1434476576&from=xtab&uid=4FE7469D149A49e4AE3EFE449E77E960"
CHR DefaultSearchKeyword: Default -> pa
and you also have a lot of extensions in Chrome, but I cannot work out which one might be responsible, so I recommend backing up your bookmarks and passwords, e.g. with http://www.stahuj.centrum.cz/internet_a ... me-backup/ , then uninstalling Chrome including the profile and reinstalling it afresh (restore only the bookmarks and passwords from the backup).


In the rest of the log I no longer see any malware, so I suggest the final cleanup of the utilities used ;)
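The Chrome and Internet Explorer entries quoted in the fixlists above and in this last post (hxxp://%66%65%65%64...) hide the hijacking host behind percent-encoding, which is why it is easy to skim past in a log. As an added example that is not part of this thread or of FRST, the Python helper below refangs the hxxp scheme and decodes the host of every URL on such a line; the sample lines are constructed in FRST's format, and feed.sonic-search.com is the keyword FRST reported as the hijacked default search engine in this thread.

```python
# Added example (not from the forum thread or from FRST): decode the
# percent-encoded, defanged browser-hijack URLs that FRST prints in
# lines such as
#   CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F...
# so that triage can see which hosts were obfuscated at all.
import re

# FRST defangs schemes as hxxp/hxxps; a URL runs until whitespace, a quote
# or a comma (StartupUrls lists several quoted URLs on one line).
URL_RE = re.compile(r'hxxps?://[^\s",]+')
HOST_RE = re.compile(r"^https?://([^/?#]+)")


def refang(url: str) -> str:
    """Turn the log's defanged hxxp/hxxps scheme back into http/https."""
    return re.sub(r"^hxxp", "http", url, count=1)


def decode_host(url: str) -> tuple:
    """Return (decoded host, was_percent_encoded) for a refanged URL."""
    m = HOST_RE.match(url)
    raw_host = m.group(1) if m else ""
    # Decode %XX escapes by hand so the result does not depend on how
    # urllib treats an unusual netloc.
    decoded = re.sub(r"%([0-9A-Fa-f]{2})",
                     lambda h: chr(int(h.group(1), 16)), raw_host)
    return decoded.lower(), "%" in raw_host


def triage(lines):
    """Extract every hxxp URL from FRST-style lines.

    Each finding records the log entry it came from, the decoded host,
    the refanged URL and whether the host was percent-encoded.
    """
    findings = []
    for line in lines:
        urls = list(URL_RE.finditer(line))
        if not urls:
            continue
        # The entry key is whatever precedes the first URL,
        # e.g. "CHR HomePage: Default".
        key = line[:urls[0].start()].rstrip(' ->="')
        for u in urls:
            url = refang(u.group(0))
            host, obfuscated = decode_host(url)
            findings.append({"entry": key, "host": host,
                             "url": url, "obfuscated": obfuscated})
    return findings


def obfuscated_hosts(lines):
    """Sorted list of distinct hosts that were hidden behind %XX encoding."""
    return sorted({f["host"] for f in triage(lines) if f["obfuscated"]})


# Constructed sample lines in FRST's format. The first encodes
# feed.sonic-search.com, the keyword FRST listed as the hijacked default
# search engine in this thread; the others are ordinary, readable URLs.
SAMPLE_LINES = [
    "CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-"
    "%73%65%61%72%63%68.%63%6F%6D/?q={searchTerms}",
    'CHR StartupUrls: Default -> "hxxps://mail.google.com/mail/u/0/",'
    '"hxxp://www.searchnu.com/406?appid=484"',
    "CHR DefaultSearchKeyword: Default -> feed.sonic-search.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        flag = "OBFUSCATED" if f["obfuscated"] else "plain"
        print(f"{flag:10} {f['host']:25} <- {f['entry']}")
```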