preventivna kontrola logu RSIT

[Márty84]

Combofix smaznul c:\keyremappers\KeyRemapper CW\KeyRemapper.exe
Na stejny program jsem se vas ptal u jineho pc http://forum.viry.cz/viewtopic.php?f=30&t=123036 a tam jste rikala, ze je v poradku. Tady byl asi take zamerne, nebo ne?

Chcete ho z karanteny CF vratit, nebo ho nainstalujete znovu?

Jinak vsechno vypada v poradku. Nic zadnou havet neukazuje.

[velkev]

Keyremaper sa tiez spusta automaticky, je to programik na klavesove skratky a jeho instalacia odznova nic neriesi kedze bude treba zadavat vsetky skratky odznovu, preto by som ho radsej vytiahla z karanteny ak sa to vobec da.

[Márty84]

Da, ale musim to sepsat Tak moment

[Márty84]

Otevrete si poznamkovy blok a zkopirujte do nej tento skript

Kód: Vybrat vše

KillAll::

DeQuarantine::
c:\Qoobox\c:\keyremappers\KeyRemapper CW\KeyRemapper.exe

Ignore::
c:\keyremappers\KeyRemapper CW\KeyRemapper.exe

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Reboot::

Vlevo nahore kliknete na napis Soubor
Kliknete na napis Ulozit jako...
Napiste spravne ten cerveny nazev CFScript a ulozte na plochu.
Vypnete antivir i dalsi pripadne zabezpeceni a ukoncete vsechny spustene programy
Pretahntete mysi tento vytvoreny textovy dokument nad ikonu ComboFix a pustte.
ComboFix by se mel spustit a vykonat prikazy.
Az skonci (muze dojit k restartu pc), mel by se objevit novy log, ten mi sem zase zkopirujte.

Kdyby po restartu nenabehl windows, restartujte znovu, mackejte klavesu F8 a zvolte - Posledni znama funkcni konfigurace

[velkev]

Vykonane, keyremapper to ale z karanteny nevytiahlo. tu je log:


ComboFix 12-08-07.05 - Darken . 08. 2012 12:48:41.2.4 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1250.421.1033.18.4095.3011 [GMT 2:00]
Running from: c:\users\Darken\Desktop\ComboFix.exe
Command switches used :: c:\users\Darken\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
.
.
2012-08-09 10:51 . 2012-08-09 10:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-07 17:20 . 2012-08-07 17:20 -------- d-----w- C:\_OTM
2012-08-07 17:05 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DCCEF8D4-38EF-416A-8970-537BC6B192F6}\mpengine.dll
2012-08-06 16:38 . 2012-08-06 16:38 -------- d-----w- C:\rsit
2012-08-06 16:28 . 2012-08-07 10:54 -------- d-----w- c:\program files\trend micro
2012-08-06 16:24 . 2012-08-06 16:24 -------- d-----w- c:\program files\CCleaner
2012-07-19 17:30 . 2012-07-19 17:30 -------- d-----w- C:\11dc357a5132eccbaf13
2012-07-19 11:54 . 2012-08-08 12:12 -------- d-----w- c:\programdata\Spyware Terminator
2012-07-19 11:54 . 2012-07-19 11:54 51496 ----a-w- c:\windows\system32\drivers\stflt.sys
2012-07-19 11:54 . 2012-07-19 11:54 -------- d-----w- c:\users\Darken\AppData\Roaming\Spyware Terminator
2012-07-19 11:54 . 2012-07-19 11:54 -------- d-----w- c:\program files (x86)\Spyware Terminator
2012-07-19 11:51 . 2012-07-19 11:51 -------- d-----w- c:\users\Darken\AppData\Local\ESET
2012-07-19 11:49 . 2012-07-19 11:49 -------- d-----w- c:\users\Darken\AppData\Roaming\Malwarebytes
2012-07-19 11:49 . 2012-07-19 11:49 -------- d-----w- c:\programdata\Malwarebytes
2012-07-19 11:49 . 2012-07-19 11:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-19 11:49 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-13 20:22 . 2012-07-14 00:33 -------- d-----w- c:\program files (x86)\Shutter
2012-07-11 20:23 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 17:59 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 20:22 . 2012-06-19 15:24 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-20 16:08 . 2011-03-28 16:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-19 17:14 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-06-19 17:14 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-06-19 15:59 . 2012-06-19 15:59 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-06-19 15:59 . 2012-06-19 15:59 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-06-19 15:59 . 2012-06-19 15:59 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-06-19 15:59 . 2012-06-19 15:59 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-06-19 15:59 . 2012-06-19 15:59 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-06-19 15:59 . 2012-06-19 15:59 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-06-19 15:59 . 2012-06-19 15:59 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-06-19 15:59 . 2012-06-19 15:59 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-06-19 15:59 . 2012-06-19 15:59 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-06-19 15:59 . 2012-06-19 15:59 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-06-19 15:59 . 2012-06-19 15:59 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-06-19 15:59 . 2012-06-19 15:59 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-06-19 15:59 . 2012-06-19 15:59 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-06-19 15:59 . 2012-06-19 15:59 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-06-19 15:59 . 2012-06-19 15:59 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-06-19 15:59 . 2012-06-19 15:59 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-06-19 15:59 . 2012-06-19 15:59 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-19 15:59 . 2012-06-19 15:59 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-19 15:59 . 2012-06-19 15:59 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-06-19 15:59 . 2012-06-19 15:59 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-06-19 15:59 . 2012-06-19 15:59 82432 ----a-w- c:\windows\system32\icardie.dll
2012-06-19 15:59 . 2012-06-19 15:59 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-06-19 15:59 . 2012-06-19 15:59 697344 ----a-w- c:\windows\system32\msfeeds.dll
2012-06-19 15:59 . 2012-06-19 15:59 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-06-19 15:59 . 2012-06-19 15:59 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-06-19 15:59 . 2012-06-19 15:59 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-06-19 15:59 . 2012-06-19 15:59 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-06-19 15:59 . 2012-06-19 15:59 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-06-19 15:59 . 2012-06-19 15:59 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-19 15:59 . 2012-06-19 15:59 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-06-19 15:59 . 2012-06-19 15:59 448512 ----a-w- c:\windows\system32\html.iec
2012-06-19 15:59 . 2012-06-19 15:59 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-06-19 15:59 . 2012-06-19 15:59 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-06-19 15:59 . 2012-06-19 15:59 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-06-19 15:59 . 2012-06-19 15:59 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-19 15:59 . 2012-06-19 15:59 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-06-19 15:59 . 2012-06-19 15:59 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-06-19 15:59 . 2012-06-19 15:59 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-06-19 15:59 . 2012-06-19 15:59 222208 ----a-w- c:\windows\system32\msls31.dll
2012-06-19 15:59 . 2012-06-19 15:59 197120 ----a-w- c:\windows\system32\msrating.dll
2012-06-19 15:59 . 2012-06-19 15:59 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-06-19 15:59 . 2012-06-19 15:59 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-06-19 15:59 . 2012-06-19 15:59 160256 ----a-w- c:\windows\system32\wextract.exe
2012-06-19 15:59 . 2012-06-19 15:59 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-06-19 15:59 . 2012-06-19 15:59 149504 ----a-w- c:\windows\system32\occache.dll
2012-06-19 15:59 . 2012-06-19 15:59 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-06-19 15:59 . 2012-06-19 15:59 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-19 15:59 . 2012-06-19 15:59 12288 ----a-w- c:\windows\system32\mshta.exe
2012-06-19 15:59 . 2012-06-19 15:59 114176 ----a-w- c:\windows\system32\admparse.dll
2012-06-19 15:59 . 2012-06-19 15:59 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-19 15:59 . 2012-06-19 15:59 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-06-19 15:59 . 2012-06-19 15:59 103936 ----a-w- c:\windows\system32\inseng.dll
2012-06-02 22:19 . 2012-06-24 20:30 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-24 20:30 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-24 20:30 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-24 20:30 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-24 20:30 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-24 20:30 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-24 20:30 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-24 20:30 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-24 20:30 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:45 . 2012-07-11 17:59 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:40 . 2012-07-11 17:59 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-05-31 10:25 . 2012-06-19 15:18 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-08_13.12.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-19 15:52 . 2012-08-09 10:25 28340 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-09 10:25 23640 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:46 . 2012-08-09 10:20 80728 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-06-19 14:54 . 2012-08-09 10:25 7730 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3377480134-622928347-3400585505-1000_UserData.bin
- 2012-08-08 13:12 . 2012-08-08 13:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-09 10:52 . 2012-08-09 10:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-08-08 12:16 615810 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-09 10:27 615810 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-09 10:27 106190 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-08-08 12:16 106190 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-08-08 13:11 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-08-09 10:52 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-06-19 22:08 . 2012-08-09 10:52 5477436 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3377480134-622928347-3400585505-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\users\Darken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
t4sks - Shortcut.lnk - c:\users\Darken\Desktop\t4sks.rtf [2012-6-19 50145]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-19 1255736]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-14 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 148528]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-02-15 235520]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2012-03-07 913144]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-14 137144]
S2 sp_rsdrv2;Spyware Terminator Driver Filter;c:\windows\system32\DRIVERS\stflt.sys [2012-07-19 51496]
S2 ST2012_Svc;Spyware Terminator 2012 Realtime Shield Service;c:\program files (x86)\Spyware Terminator\st_rsser64.exe [2012-06-21 1148664]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-02-15 10856960]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-02-15 327680]
S3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;c:\windows\system32\DRIVERS\Rtnic64.sys [2008-07-22 60416]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 4081008]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"SpywareTerminatorShield"="c:\program files (x86)\Spyware Terminator\SpywareTerminatorShield.exe" [2012-06-21 2786512]
"SpywareTerminatorUpdater"="c:\program files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe" [2012-06-21 3669712]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.sk/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 176.107.17.1 176.107.20.1
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2012-08-09 12:55:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-09 10:55
ComboFix2.txt 2012-08-08 13:15
.
Pre-Run: 829 277 605 888 bytes free
Post-Run: 829 183 295 488 bytes free
.
- - End Of File - - B8900F0B7EA442C08AB1BED89F4DC942

[Márty84]

Moje chyba

Postupujte stejnym zpusobem, jen do toho poznamkoveho bloku zkopirujte tento skript

Kód: Vybrat vše

KillAll::

FMove::
C:\Qoobox\Quarantine\c:\keyremappers\KeyRemapper CW\KeyRemapper.exe.vir | c:\keyremappers\KeyRemapper CW\KeyRemapper.exe

Ignore::
c:\keyremappers\KeyRemapper CW\KeyRemapper.exe

Reboot::

[motji]

Jak to tu vypadá?

[motji]

Dobrý den,
pro neaktivitu je toto téma uzamknuto.
Pokud ho budete chtít odemknout, kontaktujte mě na email nebo některého z mých kolegů.
Děkujeme za pochopení