Problém s .EXE

[Tommy_]

Provedeno. Tady je 2

RogueKiller V5.3.0 [08/01/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: s.langerova.kvsu [Admin rights]
Mode: Remove -- Date : 08/02/2011 18:10:51

Bad processes: 3
[HJ NAME] DWM.EXE -- c:\documents and settings\s.langerova.kvsu\data aplikací\dwm.exe -> KILLED [TermProc]
[HJ NAME] CONHOST.EXE -- c:\documents and settings\s.langerova.kvsu\data aplikací\microsoft\conhost.exe -> KILLED [TermProc]
[HJ NAME] CSRSS.EXE -- c:\docume~1\slange~1.kvs\locals~1\temp\csrss.exe -> KILLED [TermProc]

Registry Entries: 8
[SUSP PATH] HKLM\[...]\Run : conhost (C:\Documents and Settings\s.langerova.kvsu\Data aplikací\Microsoft\conhost.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Winlogon : Shell (explorer.exe,C:\Documents and Settings\s.langerova.kvsu\Data aplikací\dwm.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Windows : Load (C:\DOCUME~1\SLANGE~1.KVS\LOCALS~1\Temp\csrss.exe) -> DELETED
[SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1214440339-220523388-839522115-11885Core1cc25404255ffee.job : c:\documents and settings\s.langerova.kvsu\local -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> NOT REMOVED, USE PROXYFIX
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:49758) -> NOT REMOVED, USE PROXYFIX
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

[Tommy_]

Tady 3

RogueKiller V5.3.0 [08/01/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: s.langerova.kvsu [Admin rights]
Mode: HOSTSFix -- Date : 08/02/2011 18:11:31

Bad processes: 0

HOSTS File:
127.0.0.1 localhost


Resetted HOSTS:
127.0.0.1 localhost

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

[Tommy_]

Tady 4

RogueKiller V5.3.0 [08/01/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: s.langerova.kvsu [Admin rights]
Mode: ProxyFix -- Date : 08/02/2011 18:11:43

Bad processes: 0

Registry Entries: 2
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> REPLACED (0)
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:49758) -> DELETED

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

[vyosek]

Fajn, jdeme dale

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Vypnete vsechny rezidentni bezpecnostní programy - firewally, antiviry, antispywary apod.
• Pokud mate Win XP spustte pod uctem Spravce\Administratora
• Pokud mate Win Vista ci Win 7, kliknete na Combofix pravym a dejte Run As Administrator ci Spustit jako spravce
• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte
• Detailni postup vc. obrazku mate zde http://www.bleepingcomputer.com/combofi ... t-combofix

[Tommy_]

Zkusil jsem to a udělal jsem to do podrobna podle návodu, ale zaseklo se to na vyhledávání nakažených souborů a nechal jsem to tak 45 minut a nic se nedělalo, tak jsem to tvrdě vypnul. A obnovil systém.

[vyosek]

Aplikujte tedy znovu ComboFix ale tentokrat v nouzovem rezimu (restart PC, mackat F8, zvolit Stav nouze s praci v siti)

[Tommy_]

Dobře pokusím se.

[vyosek]

Kdyby neco, tak napiste

[Tommy_]

Tak jsem to zkusil i v nouzovým režimu a taky nic a nechal jsem to něco přes hodinu. Takže jsem zase tvrdě vypnul a obnovil systém.

[vyosek]

Tak tam pustime neco jinyho

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) (viz muj podpis)

• Provedte aktualizaci - treti zalozka
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[Tommy_]

Provedeno podle návodu. Tady to je

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\documents and settings\s.langerova.kvsu\local settings\Temp\setup.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\instmsiw.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\instmsia.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\hpsetup.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\hpinst.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\hpbvspst.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\hpbtpg.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\autorun.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\apps\Adobe\acrobat 5.0\Reader\AcroRd32.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\autorun\launch.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\autorun\hpcdb.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\hewlett-packard\Scrubber\Scrubber.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\hewlett-packard\Scrubber\MsiZap.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\HW\HPZipm12.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\HW\HPZinw12.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\HW\HPZid412.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\Temp\cfgtoipx.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\Temp\cfgtoip.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\webreg\webreg.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\ar\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\cs\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\da\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\de\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\el\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\en\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\es\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\fi\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\fr\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\he\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\hu\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\it\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\ja\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\ko\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\nl\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\no\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\pl\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\pt\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\ru\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\sk\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\sv\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\th\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\tr\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\zhcn\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\lj1010seriesprintsys\wu_wizard\zhtw\hpbsuwiz.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\s.langerova.kvsu\data aplikací\microsoft\conhost.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\s.langerova.kvsu\local settings\Temp\csrss.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\SVCHOST.COM (Virus.Neshta) -> No action taken.

[vyosek]

vse co je ve slozce c:\lj1010seriesprintsys nemazte, ostatni smazat - vznikne log - ten bych rad videl

[Tommy_]

Tady je ten log.



Malwarebytes' Anti-Malware
www.malwarebytes.org

Verze databáze:

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3.8.2011 13:05:54
mbam-log-2011-08-03 (13-05-54).txt

Typ: Úplná kontrola (C:\|)
Kontrolované objekty: 230163
Uplynulý čas: 49 minut, 26 sekund

Infikované procesy v paměti: 1
Infikované moduly v paměti: 0
Infikované klíče v registru: 2
Infikované hodnoty v registru: 4
Infikované datové položky v registru: 1
Infikované složky: 0
Infikované soubory: 47

Infikované procesy v paměti:
c:\documents and settings\s.langerova.kvsu\data aplikací\microsoft\conhost.exe (Trojan.Agent) -> 1564 -> Unloaded process successfully.

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACRORD32.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

Infikované hodnoty v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Infikované datové položky v registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\SLANGE~1.KVS\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\documents and settings\s.langerova.kvsu\local settings\Temp\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\lj1010seriesprintsys\instmsiw.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\instmsia.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\hpsetup.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\hpinst.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\hpbvspst.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\hpbtpg.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\autorun.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\apps\Adobe\acrobat 5.0\Reader\AcroRd32.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\autorun\launch.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\autorun\hpcdb.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\hewlett-packard\Scrubber\Scrubber.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\hewlett-packard\Scrubber\MsiZap.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\HW\HPZipm12.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\HW\HPZinw12.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\HW\HPZid412.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\Temp\cfgtoipx.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\Temp\cfgtoip.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\webreg\webreg.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\ar\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\cs\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\da\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\de\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\el\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\en\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\es\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\fi\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\fr\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\he\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\hu\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\it\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\ja\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\ko\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\nl\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\no\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\pl\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\pt\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\ru\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\sk\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\sv\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\th\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\tr\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\zhcn\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\lj1010seriesprintsys\wu_wizard\zhtw\hpbsuwiz.exe (Trojan.Agent) -> Not selected for removal.
c:\documents and settings\s.langerova.kvsu\data aplikací\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\s.langerova.kvsu\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\SVCHOST.COM (Virus.Neshta) -> Quarantined and deleted successfully.

[Tommy_]

Teď jse mi PC úplně asi zbláznil Nejde se mi přihlásit do Widnows, zmizeli mi přihlašovací údaje a píše to, že zmizela doména.

[vyosek]

Restart PC, mackat F8, zvolit posledni znama funkcni konfigurace

Napiste ci jede