Page 1 of 11

FB virus

Posted: 18 Jul 2011 12:42
by toka11
Hi, I'm not very advanced in IT, so this may be pretty hard to follow, but hopefully it will work out somehow. On FB I got a message with a link to a video and, like a complete "idiot", I opened it and a file called flash player downloaded. It wouldn't run or anything, but since then FB doesn't work for me, and when I restart the PC it first starts in safe mode, restarts again after a while, and only then finally boots normally. I have no idea what to do with it.

Re: FB virus

Posted: 18 Jul 2011 14:27
by stell
Hi,
here in my blog
I have just written a complete guide.

So follow it up to step 8; AVPTOOL is not needed yet.
Paste all the logs the programs produce here, into the forum. If anything doesn't work, write right away, since this infection is going to spread like the plague.

Re: FB virus

Posted: 18 Jul 2011 14:35
by toka11
I have the first problem right away: when I go into safe mode, it restarts after a few seconds, and when I try safe mode again it does the same thing. Can it be done without safe mode?

Re: FB virus

Posted: 18 Jul 2011 14:38
by stell
Yes. Remove the LAN (local network) settings in normal mode and try downloading RogueKiller; if anything doesn't work, write immediately.

Re: FB virus

Posted: 18 Jul 2011 15:02
by toka11
This is from RogueKiller:

RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Jakub [Admin rights]
Mode: Scan -- Date : 07/18/2011 16:00:33

Bad processes: 9
[SVCHOST] svchost.exe -- c:\windows\update.5.0\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.2\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-12-0\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-7-0\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED
[SUSP PATH] sysdriver32_.exe -- c:\windows\sysdriver32_.exe -> KILLED
[SUSP PATH] systemup.exe -- c:\windows\systemup.exe -> KILLED
[SUSP PATH] l1rezerv.exe -- c:\windows\l1rezerv.exe -> KILLED

Registry Entries: 12
[SUSP PATH] HKCU\[...]\Winlogon : Shell (explorer.exe,C:\Users\Jakub\AppData\Roaming\dwm.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Jakub\AppData\Local\Temp\csrss.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-3164604649-2522290797-2587036930-1004[...]\Winlogon : Shell (explorer.exe,C:\Users\Jakub\AppData\Roaming\dwm.exe) -> FOUND
[SUSP PATH] HKUS\.DEFAULT[...]\Windows : Load (C:\Windows\TEMP\csrss.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-3164604649-2522290797-2587036930-1004[...]\Windows : Load (C:\Users\Jakub\AppData\Local\Temp\csrss.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-18[...]\Windows : Load (C:\Windows\TEMP\csrss.exe) -> FOUND
[SUSP PATH] HP SimpleSave Monitor.lnk : C:\Users\Jakub\AppData\Roaming\HP SimpleSave Application\StartHelper.exe -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:49859) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt
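As a defender's check added here (it is not part of the thread and not RogueKiller's code), the script below parses a HOSTS file in the format shown in the log and flags every entry that sends a name other than localhost to a loopback address, which is how this infection blocks Facebook and the other sites listed. The sample input is constructed from the log above and only covers a few of its lines.

```python
import ipaddress

# Constructed sample modelled on the HOSTS section of the RogueKiller log
# (the real log lists many more facebook.com locale subdomains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com cs-cz.facebook.com   # several names on one line
127.0.0.1 de-de.facebook.com
"""

# Names that legitimately resolve to loopback and must not be flagged.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                             "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield one (ip, hostname) pair per hostname, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()               # a line may carry several names
        for name in names:
            yield ip, name.lower()


def find_hosts_hijacks(text):
    """Return the (ip, hostname) entries that point a non-loopback name at a
    loopback address; in order of appearance, so the output mirrors the file."""
    hijacks = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed address, skip it
        if addr.is_loopback and name not in LEGITIMATE_LOOPBACK_NAMES:
            hijacks.append((ip, name))
    return hijacks


if __name__ == "__main__":
    for ip, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK {name} -> {ip}")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean Windows 7 file has no active entries at all, so any hit is worth a look.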

Re: FB virus

Posted: 18 Jul 2011 15:05
by stell
Good. Run RogueKiller and use options 3 and 5,
and then continue with Malwarebytes; paste the log here.

Re: FB virus

Posted: 18 Jul 2011 15:10
by stell
The proxy is still there too, so use option 4 as well.

One more thing: if you have Win 7, run everything as administrator (right-click, Run as administrator), ok.

Re: FB virus

Posted: 18 Jul 2011 15:15
by toka11
option 3:

RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Jakub [Admin rights]
Mode: HOSTSFix -- Date : 07/18/2011 16:09:33

Bad processes: 0

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Resetted HOSTS:
127.0.0.1 localhost

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


option 5:

RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Jakub [Admin rights]
Mode: DNSFix -- Date : 07/18/2011 16:10:21

Bad processes: 0

Registry Entries: 0

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Malwarebytes will probably take a while. Once it finishes, should I turn off System Restore and restart the PC, or, since I'm not doing this in safe mode, don't I need to restart?

Re: FB virus

Posted: 18 Jul 2011 15:18
by stell
Like this: once Malwarebytes finishes the FULL scan, have it delete everything and paste the log here.
Then turn off System Restore, restart the computer, and turn System Restore back on.
A second scan with Malwarebytes isn't needed, since you're scanning in normal mode.
Continue with TDSSKILLER << paste the log here, and clean TEMP using TFC and CCleaner. When you have all of that done, write, and we'll continue with ComboFix.

Re: FB virus

Posted: 18 Jul 2011 15:50
by toka11
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Verze databáze: 7190

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18.7.2011 16:48:23
mbam-log-2011-07-18 (16-48-23).txt

Typ: Úplná kontrola (A:\|C:\|D:\|E:\|F:\|)
Kontrolované objekty: 419418
Uplynulý čas: 44 minut, 2 sekund

Infikované procesy v paměti: 3
Infikované moduly v paměti: 0
Infikované klíče v registru: 7
Infikované hodnoty v registru: 13
Infikované datové položky v registru: 4
Infikované složky: 0
Infikované soubory: 41

Infikované procesy v paměti:
c:\Windows\update.2\svchost.exe (Trojan.Downloader.H) -> 1776 -> Unloaded process successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> 2108 -> Unloaded process successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) -> 1572 -> Unloaded process successfully.

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srviecheck (Trojan.Downloader.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\_w1uT-BZ (Adware.LoudMo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.

Infikované hodnoty v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv (Trojan.Dropper) -> Value: wxpdrv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 (Trojan.Dropper) -> Value: tray_ico0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico1 (Trojan.Dropper) -> Value: tray_ico1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6821156.exe (Trojan.Agent) -> Value: 6821156.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5560659.exe (Trojan.Agent) -> Value: 5560659.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5771193.exe (Trojan.Downloader.H) -> Value: 5771193.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent) -> Value: systemup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe (Backdoor.Delf) -> Value: l1rezerv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1693088.exe (Trojan.Agent) -> Value: 1693088.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.

Infikované datové položky v registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\Users\Jakub\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\Windows\update.2\svchost.exe (Trojan.Downloader.H) -> Quarantined and deleted successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Jakub\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\services32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\update.tray-12-0\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\6821156.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\sysdriver32_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\AppData\Local\Temp\5560659.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\5771193.exe (Trojan.Downloader.H) -> Quarantined and deleted successfully.
c:\Windows\systemup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\l1rezerv.exe (Backdoor.Delf) -> Quarantined and deleted successfully.
c:\Windows\Temp\1693088.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\Ubisoft\ubisoft game launcher\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
c:\program files (x86)\WinRAR\Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
c:\Users\Jakub\AppData\Local\Temp\flash32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\AppData\Roaming\dwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\Desktop\rk_quarantine\dwm.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\Desktop\rk_quarantine\l1rezerv.exe.vir (Backdoor.Delf) -> Quarantined and deleted successfully.
c:\Users\Jakub\Desktop\rk_quarantine\sysdriver32.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\Desktop\rk_quarantine\sysdriver32_.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jakub\Desktop\rk_quarantine\systemup.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Michael\Desktop\poweriso46\Keygen.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
c:\Users\Michael\documents\downloads\flvdirect (1).exe (Adware.FLV) -> Quarantined and deleted successfully.
c:\Users\Michael\documents\downloads\flvdirect.exe (Adware.FLV) -> Quarantined and deleted successfully.
c:\Windows\System32\_w1uT-BZ.exe (Adware.LoudMo) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Backdoor.Cycbot) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\_w1uT-BZ.exe (Adware.LoudMo) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\2956463.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\4395634.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\4736211.exe (Backdoor.Delf) -> Quarantined and deleted successfully.
c:\Windows\Temp\5631111.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\6271705.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.tray-12-0-lnk\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\update.tray-7-0-lnk\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Re: FB virus

Posted: 18 Jul 2011 15:52
by stell
OK, just run RogueKiller once more with option 2 and paste the log here.

Re: FB virus

Posted: 18 Jul 2011 15:54
by toka11
RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Jakub [Admin rights]
Mode: Remove -- Date : 07/18/2011 16:54:02

Bad processes: 1
[SUSP PATH] uUACTokenSvc.exe -- c:\users\jakub\appdata\roaming\hp simplesave application\uuactokensvc.exe -> KILLED

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

Re: FB virus

Posted: 18 Jul 2011 15:55
by stell
:D
OK, continue: turn off System Restore, restart, turn it back on, then TDSSKILLER and clean temp; paste the TDSS log here.

Re: FB virus

Posted: 18 Jul 2011 16:07
by toka11
TDSSKILLER didn't find anything at all; it just showed me a completely empty window. Is that good?

Re: FB virus

Posted: 18 Jul 2011 16:08
by stell
Well, you have to click on REPORT.