Trojan a youndoo

[Sweden]

Zdravim

mam v pc novy system cca tyden a po navsteve jineho uzivatele se mi zacala zobrazovat stranka yuondoo tu se mi podarilo nejaky zpusobem zabit (cleanery atd..) aspon v to doufam... nicmene pri pouziti onech malware programu prvni dva ukazuji infekci s nazvem trojan a yuondoo ale smazat to nechteji... tedy ne zadarmo pote jsem zkusil jiny program ktery sice odstranil youndoo z firefoxu ale take nalezl asi 1/3 toho hnusu co tam ma byt.
Prosim o kontrolu logu a pripadne zabiti trojanu... pripadne nejakou radu zda ma smysl instalovat cosi co tomu v budoucnu zabrani

dekuji

ps: FRST dodavam v raru proroze log ma 2x tolik znaku nez je povoleno.

[Rudy]

Zdravím!
Spusťte tuto utilitu:

Stáhněte AdwCleaner https://toolslib.net/downloads/viewdown ... dwcleaner/
Uložte na plochu
Ukončete všechny programy
Klikněte nejprve na >Scan< a pak na >Clean<.
Proběhne skenováni a pak se objeví log, který sem vložte.

[Sweden]

Provedeno

zde log

# AdwCleaner v6.030 - Log soubor vytvořen 08/11/2016 na 09:03:49
# Aktualizováno dne 19/10/2016 z Malwarebytes
# Databáze : 2016-11-08.1 [Server]
# Operační systém : Windows 7 Home Premium Service Pack 1 (X64)
# Uživatelské jméno : Userfirma - USERFIRMA-PC
# Beží od : C:\Users\Userfirma\Desktop\adwcleaner_6.030.exe
# Mod: Čištění
# Podpora : hxxps://www.malwarebytes.com/support



***** [ Služby ] *****



***** [ Adresáře ] *****



***** [ Soubory ] *****

[-] Soubor smazán:C:\local64spl.dll


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Zástupce ] *****



***** [ Plánovač úloh ] *****



***** [ Registry ] *****

[-] Klíč smazán:HKU\.DEFAULT\Software\ecb`nl
[#] Klíč smazán po restartování:HKU\S-1-5-18\Software\ecb`nl
[-] Klíč smazán:HKLM\SOFTWARE\ecb`nl
[-] Klíč smazán:[x64] HKLM\SOFTWARE\ecb`nl


***** [ Prohlížeče ] *****



*************************

:: "Tracing" klíč smazán
:: Winsock nastavení vyčištěno

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1065 Bajtů] - [08/11/2016 09:03:49]
C:\AdwCleaner\AdwCleaner[S0].txt - [1525 Bajtů] - [08/11/2016 09:03:36]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1213 Bajtů] ##########

[Rudy]

Dejte nový log FRST.

[Sweden]

zde opet v raru opet moc znaku

dekuji

[Rudy]

Otevřte poznámkový blok a zkopírujte do něj:

Start
C:\Program Files\KMSpico
HKLM\...\Providers\8sqp1emy: C:\Users\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\erf9t56s: C:\Brother_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\i2179eo3: C:\Brother\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\igla4rph: F:\dokumenty\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\k0lp7yne: F:\Foto_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\l09lrssv: F:\dokumenty_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\nkjb8ut0: F:\Foto\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\qmylhkgp: C:\_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\ruzjpnud: C:\Users_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\vidap5xl: C:\\local64spl.dll
ShellExecuteHooks: - {47BCB852-9E94-11E6-AEC8-64006A5CFC23} - C:\Users\Userfirma\AppData\Roaming\Hnentqerky\Domesanruent.dll No File [ ]
C:\ProgramData\DP45977C.lfl
C:\ProgramData\7z.exe
C:\Users\Userfirma\AppData\Local\Temp
End

Uložte do C:\Users\Userfirma\Downloads jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

[Sweden]

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by Userfirma (10-11-2016 09:48:59) Run:1
Running from C:\Users\Userfirma\Downloads
Loaded Profiles: Userfirma (Available Profiles: Userfirma)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
C:\Program Files\KMSpico
HKLM\...\Providers\8sqp1emy: C:\Users\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\erf9t56s: C:\Brother_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\i2179eo3: C:\Brother\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\igla4rph: F:\dokumenty\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\k0lp7yne: F:\Foto_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\l09lrssv: F:\dokumenty_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\nkjb8ut0: F:\Foto\\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\qmylhkgp: C:\_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\ruzjpnud: C:\Users_\local64spl.dll [143360 2016-11-04] ()
HKLM\...\Providers\vidap5xl: C:\\local64spl.dll
ShellExecuteHooks: - {47BCB852-9E94-11E6-AEC8-64006A5CFC23} - C:\Users\Userfirma\AppData\Roaming\Hnentqerky\Domesanruent.dll No File [ ]
C:\ProgramData\DP45977C.lfl
C:\ProgramData\7z.exe
C:\Users\Userfirma\AppData\Local\Temp
End
*****************

C:\Program Files\KMSpico => moved successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\8sqp1emy" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order 8sqp1emy => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\erf9t56s" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order erf9t56s => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\i2179eo3" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order i2179eo3 => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\igla4rph" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order igla4rph => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\k0lp7yne" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order k0lp7yne => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\l09lrssv" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order l09lrssv => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\nkjb8ut0" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order nkjb8ut0 => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\qmylhkgp" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order qmylhkgp => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\ruzjpnud" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order ruzjpnud => removed successfully
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\vidap5xl" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order vidap5xl => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{47BCB852-9E94-11E6-AEC8-64006A5CFC23} => value removed successfully
"HKCR\CLSID\{47BCB852-9E94-11E6-AEC8-64006A5CFC23}" => key removed successfully
C:\ProgramData\DP45977C.lfl => moved successfully
C:\ProgramData\7z.exe => moved successfully

"C:\Users\Userfirma\AppData\Local\Temp" folder move:

Could not move "C:\Users\Userfirma\AppData\Local\Temp" => Scheduled to move on reboot.


Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 10-11-2016 09:50:30)

C:\Users\Userfirma\AppData\Local\Temp => moved successfully

==== End of Fixlog 09:50:30 ====

[Rudy]

Smazáno. Nastala nějaká změna?

[Sweden]

vse vypada v poradku

mockrat dekuji

btw: nazev pc se zadava pri instalaci win a pak se s nim neda hybat ze? win se instaloval u firmy na oprave pc kdy umrel disk a opravoval se zdroj. ne ze by me to asi nejak vydilo vzhledem k tomu ze sem si toho vsiml az ted jen me zajimalo zda se to da zmenit

dekuji a urcite opet zaslu nejaky prispevek

[Rudy]

Název PC nezměníte. Lze pouze přejmenovat profil. Za příspěvek předem děkujeme a nemáte zač!