PC virus removal, computer speed-up, remote help via the neslape.cz service

virus, trojan horse, Total XP Security

Re: virus, trojan horse, Total XP Security

#16 Post by cernohous13 »

Download Avenger here:
http://swandog46.geekstogo.com/avenger.exe
Run it and click "Yes" to everything
Main window
(image)
tick both boxes at the bottom

Copy the green script text into the "Input script here" field > "Execute" > "Yes"
The computer will restart; wait for Notepad to open and paste its contents here.
Script

Code:

Files to delete:
C:\Documents and Settings\jančo\Local Settings\temp\wmpscfgs.exe
C:\Program Files\Internet Explorer\wmpscfgs.exe

Registry keys to replace with dummy:
[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]

Folders to delete:
c:\program files\Firebird
:arrow: Then run a ComboFix scan without a script - post the log here
Recommendations:
During the cleanup, perform new installations and uninstallations only on my instruction.
Study my reply thoroughly and carry out the whole operation according to it.
If anything is unclear, ask - I will explain (image)

-------------------------------------------------------------------------------------------------
> Forum support <


Re: virus, trojan horse, Total XP Security

#17 Post by nofuj »

after copying the green script and choosing Execute, this message appears

(image)

should I continue with the "execution"?


Re: virus, trojan horse, Total XP Security

#18 Post by cernohous13 »

:oops: My mistake, Avenger does not delete "user" keys - skip it


Re: virus, trojan horse, Total XP Security

#19 Post by nofuj »

well, nothing terrible happened :)

Avenger log, I'll add the CF one in a moment:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Mar 25 19:59:43 2010

19:59:36: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key replacement mode)
19:59:43: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Mar 25 19:59:59 2010

19:59:56: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key replacement mode)
19:59:59: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Mar 25 20:00:16 2010

20:00:09: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key replacement mode)
20:00:16: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Mar 25 20:03:03 2010

20:02:53: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key replacement mode)
20:03:03: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Mar 25 20:07:38 2010

20:07:29: Error: Invalid registry syntax in command:
"[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key replacement mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\jančo\Local Settings\temp\wmpscfgs.exe" deleted successfully.
File "C:\Program Files\Internet Explorer\wmpscfgs.exe" deleted successfully.
Folder "c:\program files\Firebird" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: virus, trojan horse, Total XP Security

#20 Post by nofuj »

CF log:


ComboFix 10-03-25.02 - jančo 25.03.2010 20:18:41.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2038.1495 [GMT 0:00]
Spuštěný z: c:\documents and settings\jančo\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-25 do 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-24 12:22 . 2010-03-24 12:22 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2010-03-24 12:22 . 2010-03-24 12:22 27648 ----a-w- c:\windows\system32\alcmtr.exe
2010-03-24 03:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 03:39 . 2010-03-24 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 03:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 23:17 . 2010-03-25 12:27 -------- d-----w- c:\program files\trend micro
2010-03-23 23:17 . 2010-03-23 23:18 -------- d-----w- C:\rsit
2010-03-23 22:57 . 2010-03-23 22:57 -------- d-----w- c:\windows\system32\LogFiles
2010-03-23 22:45 . 2010-03-23 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-20 01:29 . 2010-03-20 01:29 -------- d-----w- c:\program files\Frontlets
2010-03-11 20:23 . 2010-03-11 20:23 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 20:10 . 2009-03-21 14:13 -------- d-----w- c:\program files\Launch Manager
2010-03-25 11:07 . 2009-03-21 13:31 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-25 11:07 . 2009-03-21 13:31 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-24 14:22 . 2009-06-25 20:43 -------- d-----w- c:\program files\QuickTime
2010-03-24 12:40 . 2001-07-09 09:50 27648 ----a-w- c:\windows\system32\nerocheck.exe
2010-03-11 20:22 . 2009-04-05 16:10 -------- d-----w- c:\program files\Java
.

Code:

<pre>
c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Realtek\InstallShield\azmixersel .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
</pre>
------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_12.39.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-25 20:09 . 2010-03-25 20:09 16384 c:\windows\Temp\Perflib_Perfdata_944.dat
+ 2010-03-25 20:08 . 2010-03-25 20:08 16384 c:\windows\Temp\Perflib_Perfdata_108.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2010-03-25 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-25 27648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2010-03-25 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-25 27648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-03-25 27648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-03-25 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-25 27648]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQ6.5\\ICQ.exe"=
"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"e:\\Program Files\\Nero 7\\Nero 7\\Nero Home\\NeroHome.exe"=
"e:\\Program Files\\Genuitec_fortran\\Profiles\\Eclipse 3.4 Classic\\eclipse.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"e:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"e:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2009 16:34 114768]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2009 16:34 20560]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [23.3.2009 18:18 29184]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [4.3.2009 15:52 202016]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
.
Obsah adresáře 'Naplánované úlohy'
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\jančo\Data aplikací\Mozilla\Firefox\Profiles\pte9svr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/353
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- NASTAVENÍ FIREFOXU ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-FBDBServer_2_0_is1 - c:\program files\Firebird\Firebird_2_1\unins000.exe



**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iacpcglipipmfoipoi"=hex:69,61,62,61,70,65,6f,65,65,64,70,6d,6d,68,66,69,69,70,
00,00
"haipidolmipmffim"=hex:6a,61,6e,61,69,68,67,70,67,6b,69,69,6a,6e,67,6e,61,64,
6a,6c,00,fe
"iaookfhcmmajfkjjhg"=hex:63,61,62,61,6f,65,00,7c
.
Celkový čas: 2010-03-25 20:21:37
ComboFix-quarantined-files.txt 2010-03-25 20:21
ComboFix2.txt 2010-03-24 14:27
ComboFix3.txt 2010-03-24 12:41

Před spuštěním: Volných bajtů: 46 203 060 224
Po spuštění: Volných bajtů: 46 172 250 112

- - End Of File - - C8C93D18FBCF3984DEDD83F1829C12C9


Re: virus, trojan horse, Total XP Security

#21 Post by cernohous13 »

You're worrying me, my friend :?:

:arrow: delete the file rthdcpl.exe in Documents and Settings

:arrow: C:\Program Files\Internet Explorer\wmpscfgs.exe - already deleted by CF, MBAM and Avenger, and it is still in the latest CF log :o

:arrow: make one more attempt with a CFscript

Code:

KillAll::

ATJob::

RegLockDel::
[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]

Driver::
FirebirdGuardianDefaultInstance
FirebirdServerDefaultInstance

RenV::
c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Realtek\InstallShield\azmixersel .exe
c:\program files\Synaptics\SynTP\syntpenh .exe

Extra::

Reboot::
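A triage script for ComboFix-style logs, added here as an example (it is not code from ComboFix, Avenger or the forum helper); it flags the four indicators the helper acted on in this thread: the pushed-aside originals named like "hkcmd .exe", Run entries that all share one 2010-03-25 / 27648-byte stamp, At*.job tasks that relaunch wmpscfgs.exe, and the Security Center and firewall overrides. SAMPLE_LOG is a constructed subset of the logs posted above, and the regexes assume ComboFix's line formats as they appear there.

```python
"""Triage a ComboFix-style log for the indicators acted on in this thread.

Added example; not ComboFix's, Avenger's or the forum helper's own code.
SAMPLE_LOG is constructed from lines of the logs posted in the thread.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\program files\QuickTime\qttask  .exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-25 27648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2010-03-25 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-25 27648]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

2010-03-25 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]
"""

# "Name"="target" [YYYY-MM-DD size]: ComboFix's autostart listing format
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+'
                    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\][ \t]*$', re.M)
# a path with whitespace before ".exe", e.g. "hkcmd .exe": the pushed-aside original
SPACE_EXT_RE = re.compile(r'^(?P<path>[a-z]:\\.*?)[ \t]+\.exe[ \t]*$', re.M | re.I)
# an At<n>.job line and the command line it launches
AT_JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>\S*\\At\d+\.job)\r?\n'
                       r'- (?P<target>.+?) \[[^\]]*\][ \t]*$', re.M | re.I)
OVERRIDE_RULES = [
    (re.compile(r'^"AntiVirusOverride"=dword:0*1[ \t]*$', re.M | re.I),
     "Security Center told to ignore the antivirus state"),
    (re.compile(r'^"FirewallOverride"=dword:0*1[ \t]*$', re.M | re.I),
     "Security Center told to ignore the firewall state"),
    (re.compile(r'^"EnableFirewall"=\s*0\b', re.M | re.I),
     "Windows Firewall disabled in the standard profile"),
]

def parse_run_entries(log):
    """Autostart entries as dicts: name, target, date, size."""
    return [dict(name=m["name"], target=m["target"], date=m["date"], size=int(m["size"]))
            for m in RUN_RE.finditer(log)]

def cloned_run_entries(entries, min_count=3):
    """Group Run entries by (date, size). Several unrelated programs sharing one
    stamp means their binaries were replaced by copies of a single file."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["date"], e["size"])].append(e["name"])
    return {stamp: names for stamp, names in groups.items() if len(names) >= min_count}

def renamed_originals(log):
    """Lines such as 'hkcmd .exe' that ComboFix lists as renamed originals."""
    return [m.group(0).strip() for m in SPACE_EXT_RE.finditer(log)]

def at_job_targets(log):
    """How many At*.job scheduled tasks launch each executable (lower-cased path)."""
    return Counter(m["target"].lower() for m in AT_JOB_RE.finditer(log))

def security_overrides(log):
    """Registry settings that silence Security Center or turn the firewall off."""
    return [msg for rx, msg in OVERRIDE_RULES if rx.search(log)]

def triage(log):
    """Collect every indicator into one report; 'suspicious' is True if any fired."""
    jobs = at_job_targets(log)
    report = {
        "cloned_run_entries": cloned_run_entries(parse_run_entries(log)),
        "renamed_originals": renamed_originals(log),
        "repeated_at_jobs": {t: n for t, n in jobs.items() if n >= 2},
        "security_overrides": security_overrides(log),
    }
    report["suspicious"] = any(report.values())
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved ComboFix log by passing the file's text to triage(); an empty report with suspicious False means none of these four patterns was seen, not that the machine is clean.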


Re: virus, trojan horse, Total XP Security

#22 Post by nofuj »

delete the file rthdcpl.exe in Documents and Settings
deleted, but after running CF and restarting the laptop it appeared again, ... and wmpscfgs.exe was not removed; interestingly, every time I run ComboFix an IE icon appears on my desktop... the computer behaves fine now. Are the files rthdcpl.exe and wmpscfgs.exe dangerous?

new CF log:

ComboFix 10-03-25.03 - jančo 25.03.2010 22:00:53.4.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2038.1429 [GMT 0:00]
Spuštěný z: c:\documents and settings\jančo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\jančo\Plocha\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FIREBIRDGUARDIANDEFAULTINSTANCE
-------\Legacy_FIREBIRDSERVERDEFAULTINSTANCE
-------\Service_FirebirdGuardianDefaultInstance
-------\Service_FirebirdServerDefaultInstance


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-25 do 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-24 12:22 . 2010-03-24 12:22 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2010-03-24 12:22 . 2010-03-24 12:22 27648 ----a-w- c:\windows\system32\alcmtr.exe
2010-03-24 03:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 03:39 . 2010-03-24 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 03:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 23:17 . 2010-03-25 12:27 -------- d-----w- c:\program files\trend micro
2010-03-23 23:17 . 2010-03-23 23:18 -------- d-----w- C:\rsit
2010-03-23 22:57 . 2010-03-23 22:57 -------- d-----w- c:\windows\system32\LogFiles
2010-03-23 22:45 . 2010-03-23 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-20 01:29 . 2010-03-20 01:29 -------- d-----w- c:\program files\Frontlets
2010-03-11 20:23 . 2010-03-11 20:23 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 22:00 . 2009-06-25 20:43 -------- d-----w- c:\program files\QuickTime
2010-03-25 22:00 . 2009-03-21 14:13 -------- d-----w- c:\program files\Launch Manager
2010-03-25 11:07 . 2009-03-21 13:31 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-25 11:07 . 2009-03-21 13:31 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-24 12:40 . 2001-07-09 09:50 27648 ----a-w- c:\windows\system32\nerocheck.exe
2010-03-11 20:22 . 2009-04-05 16:10 -------- d-----w- c:\program files\Java
.

Code:

<pre>
c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\Realtek\InstallShield\azmixersel .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
</pre>
------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_12.39.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-25 22:03 . 2010-03-25 22:03 16384 c:\windows\Temp\Perflib_Perfdata_b7c.dat
+ 2010-03-25 22:03 . 2010-03-25 22:03 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2010-03-25 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-25 27648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2010-03-25 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-25 27648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-03-25 27648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-03-25 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-25 27648]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQ6.5\\ICQ.exe"=
"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"e:\\Program Files\\Nero 7\\Nero 7\\Nero Home\\NeroHome.exe"=
"e:\\Program Files\\Genuitec_fortran\\Profiles\\Eclipse 3.4 Classic\\eclipse.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"e:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"e:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2009 16:34 114768]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2009 16:34 20560]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [23.3.2009 18:18 29184]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [4.3.2009 15:52 202016]
.
Obsah adresáře 'Naplánované úlohy'

2010-03-25 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]

2010-03-25 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 22:05]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\jančo\Data aplikací\Mozilla\Firefox\Profiles\pte9svr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/353
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- NASTAVENÍ FIREFOXU ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iacpcglipipmfoipoi"=hex:69,61,62,61,70,65,6f,65,65,64,70,6d,6d,68,66,69,69,70,
00,00
"haipidolmipmffim"=hex:6a,61,6e,61,69,68,67,70,67,6b,69,69,6a,6e,67,6e,61,64,
6a,6c,00,fe
"iaookfhcmmajfkjjhg"=hex:63,61,62,61,6f,65,00,7c
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2824)
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\docume~1\JANO~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
e:\program files\itunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Celkový čas: 2010-03-25 22:05:44 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-25 22:05
ComboFix2.txt 2010-03-25 20:21
ComboFix3.txt 2010-03-24 14:27
ComboFix4.txt 2010-03-24 12:41

Před spuštěním: Volných bajtů: 46 127 161 344
Po spuštění: Volných bajtů: 46 094 790 656

- - End Of File - - 14F8EF1EC23F21C86D27CBF091A979D0

Re: virus, trojan horse, Total XP Security

#23 Post by nofuj »

hi, I googled a bit and came across a page where a guy describes how he removed the wmpscfgs.exe virus; this virus keeps reappearing after every restart because it made copies of itself and named them after already existing files, while renaming the original files to "name .exe" with a space between the file name and the exe extension, or in other ways too ... I would start on the cleanup the guy suggests, but I have concerns, since I have never in my life even run regedit (which is needed to get to all the processes) and I also don't understand jargon like "Open up your task manager, make sure the 'show all processes' is ticked and look for the same process. If it is running. Kill it." - I mean, what does "kill it" mean? end the process? :oops:

what he writes may be true, since for example in the CF log above, and also among the running processes, I have e:\program files\itunes\ituneshelper .exe, and in the directory e:\program files\itunes I also have the file e:\program files\itunes\ituneshelper.exe :arcisit:

but you can read the article yourself:

http://www.howtogeek.com/howto/9727/how ... ted-guide/

by the way, the guy advises against cleaning the computer with scanners any further, because supposedly they won't solve the problem ...

but I'll continue according to whatever you advise; anyway, thanks for the help so far :)

and the other virus rthdcpl.exe is still there - it's probably a virus, since a similar file is supposed to sit in the Windows or Windows\System32 directory ... maybe it's connected with the first one, since it also appeared after the restart, but I don't really know much about these things

Re: virus, trojan horse, Total XP Security

#24 Post by cernohous13 »

:arrow: run ComboFix with this script

Code:

KillAll::

RegNull::
[HKEY_USERS\S-1-5-21-1060284298-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09748BF1-7FC1-A1A9-A757-64127CEAF4DD}*]

Rootkit::
c:\program files\internet explorer\wmpscfgs.exe

Reboot::

Re: virus, trojan horse, Total XP Security

#25 Post by nofuj »

unsuccessful again :(

CF log:

ComboFix 10-03-25.06 - jančo 26.03.2010 9:14.5.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2038.1566 [GMT 0:00]
Spuštěný z: c:\documents and settings\jančo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\jančo\Plocha\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-26 do 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-24 12:22 . 2010-03-24 12:22 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2010-03-24 12:22 . 2010-03-24 12:22 27648 ----a-w- c:\windows\system32\alcmtr.exe
2010-03-24 03:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 03:39 . 2010-03-24 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 03:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 23:17 . 2010-03-25 12:27 -------- d-----w- c:\program files\trend micro
2010-03-23 23:17 . 2010-03-23 23:18 -------- d-----w- C:\rsit
2010-03-23 22:57 . 2010-03-23 22:57 -------- d-----w- c:\windows\system32\LogFiles
2010-03-23 22:45 . 2010-03-23 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-20 01:29 . 2010-03-20 01:29 -------- d-----w- c:\program files\Frontlets
2010-03-11 20:23 . 2010-03-11 20:23 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 09:19 . 2009-03-21 14:13 -------- d-----w- c:\program files\Launch Manager
2010-03-26 00:16 . 2009-03-21 13:53 -------- d-----w- c:\program files\Atheros
2010-03-25 22:00 . 2009-06-25 20:43 -------- d-----w- c:\program files\QuickTime
2010-03-25 11:07 . 2009-03-21 13:31 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-25 11:07 . 2009-03-21 13:31 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-24 12:40 . 2001-07-09 09:50 27648 ----a-w- c:\windows\system32\nerocheck.exe
2010-03-11 20:22 . 2009-04-05 16:10 -------- d-----w- c:\program files\Java
.

c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\Realtek\InstallShield\azmixersel .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_12.39.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-26 09:17 . 2010-03-26 09:17 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2010-03-26 09:17 . 2010-03-26 09:17 16384 c:\windows\Temp\Perflib_Perfdata_258.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2010-03-26 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-25 27648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2010-03-26 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-26 27648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-03-26 27648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-03-26 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-26 27648]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-03-26 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQ6.5\\ICQ.exe"=
"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"e:\\Program Files\\Nero 7\\Nero 7\\Nero Home\\NeroHome.exe"=
"e:\\Program Files\\Genuitec_fortran\\Profiles\\Eclipse 3.4 Classic\\eclipse.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"e:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"e:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2009 16:34 114768]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2009 16:34 20560]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [23.3.2009 18:18 29184]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [4.3.2009 15:52 202016]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [24.3.2010 3:39 38224]
.
Obsah adresáře 'Naplánované úlohy'

2010-03-26 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]

2010-03-26 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 09:19]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\jančo\Data aplikací\Mozilla\Firefox\Profiles\pte9svr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/353
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- NASTAVENÍ FIREFOXU ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 09:17
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(4032)
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\intel\wireless\bin\zcfgsvc .exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\synaptics\syntp\syntpenh .exe
c:\program files\intel\wireless\bin\ifrmewrk .exe
c:\progra~1\launch~1\lmanager .exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
e:\program files\itunes\ituneshelper .exe
c:\program files\common files\ahead\lib\nmbgmonitor .exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-03-26 09:20:10 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-26 09:20
ComboFix2.txt 2010-03-25 22:05
ComboFix3.txt 2010-03-25 20:21
ComboFix4.txt 2010-03-24 14:27
ComboFix5.txt 2010-03-26 09:13

Před spuštěním: Volných bajtů: 46 207 045 632
Po spuštění: Volných bajtů: 46 176 518 144

- - End Of File - - 15BDD649F5B59204CF19804806090932

Re: virus, trojan horse, Total XP Security

#26 Post by cernohous13 »

:arrow: that's not a failure - we removed the dangerous registry key

:arrow: Run "System Look" again and copy this into its window

Code:

:filefind
nmbgmonitor .exe
ifrmewrk .exe
zcfgsvc .exe
lmanager .exe
azmixersel .exe
syntpenh .exe
nmbgmonitor.exe
ifrmewrk.exe
zcfgsvc.exe
lmanager.exe
azmixersel.exe
syntpenh.exe
wmpscfgs.exe
js.mui
winlogon.exe
Click Look and after the scan paste the search result here

Re: virus, trojan horse, Total XP Security

#27 Post by nofuj »

so it seems all the infected files are 27kB

System Look:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:51 on 26/03/2010 by jančo (Administrator - Elevation successful)

========== filefind ==========

Searching for "nmbgmonitor .exe"
C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor .exe --a--- 94208 bytes [15:25 28/10/2005] [15:25 28/10/2005] 15A1A88D97D440C735058CCF3F74A6EE

Searching for "ifrmewrk .exe"
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe --a--- 970752 bytes [10:22 16/04/2007] [10:22 16/04/2007] A801ADEC047109963FF91B4D93A57CD5

Searching for "zcfgsvc .exe"
C:\Program Files\Intel\Wireless\Bin\zcfgsvc .exe --a--- 819200 bytes [10:24 16/04/2007] [10:24 16/04/2007] 66A23F0DFA7EB3B4FD9125BB074CA23F

Searching for "lmanager .exe"
C:\Program Files\Launch Manager\lmanager .exe --a--- 858632 bytes [02:59 17/10/2007] [02:59 17/10/2007] 83785CAD40A326B102A624F13D42D95E

Searching for "azmixersel .exe"
C:\Program Files\Realtek\InstallShield\azmixersel .exe --a--- 53248 bytes [13:40 21/03/2009] [11:51 11/06/2005] AE09A7FAD521DA4E5781CB93F594FD3C

Searching for "syntpenh .exe"
C:\Program Files\Synaptics\SynTP\syntpenh .exe --a--- 761945 bytes [13:42 21/03/2009] [08:32 16/12/2005] 53DCD7CEF78CC06692400B339336233B

Searching for "nmbgmonitor.exe"
C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe --a--- 27648 bytes [15:25 28/10/2005] [09:18 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "ifrmewrk.exe"
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe --a--- 27648 bytes [10:22 16/04/2007] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "zcfgsvc.exe"
C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe --a--- 27648 bytes [10:24 16/04/2007] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "lmanager.exe"
C:\Program Files\Launch Manager\lmanager.exe --a--- 27648 bytes [02:59 17/10/2007] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "azmixersel.exe"
C:\Program Files\Realtek\InstallShield\azmixersel.exe --a--- 27648 bytes [13:40 21/03/2009] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "syntpenh.exe"
C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe ------ 761945 bytes [13:42 21/03/2009] [08:32 16/12/2005] 53DCD7CEF78CC06692400B339336233B
C:\Program Files\Synaptics\SynTP\syntpenh.exe --a--- 27648 bytes [13:42 21/03/2009] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "wmpscfgs.exe"
C:\Program Files\Internet Explorer\wmpscfgs.exe --a--- 27648 bytes [09:19 26/03/2010] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "js.mui"
C:\Program Files\Internet Explorer\js.mui --a--- 27648 bytes [09:19 26/03/2010] [09:19 26/03/2010] 3C8A0A8D86E4770CF9584AC8CE576C8F

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [12:00 18/08/2004] [18:40 21/03/2009] 427E6DED3A2369D3432A683EB489EE14

-=End Of File=-

Re: virus, trojan horse, Total XP Security

#28 Post by cernohous13 »

Next attempt
Run Avenger
[image]
at the bottom, tick both checkboxes

Copy the green script text into the "Input script here" field > "Execute" > "Yes"
There will be a restart; wait for Notepad to open and paste its contents here.
Script

Code:

Files to delete:
C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe
C:\Program Files\Launch Manager\lmanager.exe
C:\Program Files\Realtek\InstallShield\azmixersel.exe
C:\Program Files\Synaptics\SynTP\syntpenh.exe
C:\Program Files\Internet Explorer\wmpscfgs.exe
C:\Program Files\Internet Explorer\js.mui

Files to move:
C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor .exe | C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe | C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\zcfgsvc .exe | C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe
C:\Program Files\Launch Manager\lmanager .exe | C:\Program Files\Launch Manager\lmanager.exe
C:\Program Files\Realtek\InstallShield\azmixersel .exe | C:\Program Files\Realtek\InstallShield\azmixersel.exe
C:\Program Files\Synaptics\SynTP\syntpenh .exe | C:\Program Files\Synaptics\SynTP\syntpenh.exe
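The pattern nofuj describes in #23 (one body planted under the names of existing programs, each original renamed to "name .exe" with a space), which the SystemLook output in #27 confirms (every planted file is 27648 bytes with the same MD5) and the Avenger script in #28 reverses, as an added detection script. This is not code from the forum, from ComboFix, SystemLook or Avenger. It builds a constructed sample tree (a dummy 27648-byte body, not malware) that mirrors the paths in the log, flags every "x.exe" that has an "x .exe" beside it, clusters files by MD5 so one body under several unrelated names stands out, and returns a proposed cleanup plan in the same shape as the Avenger script (delete the copy, move the original back). The three-distinct-names threshold, the sample contents and the file names under WINDOWS are assumptions made for the example.

```python
"""Companion-file infection check (added example; constructed sample data)."""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

SPACED_SUFFIX = " .exe"   # renamed original: "<name> .exe", space before the extension


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so large binaries are not slurped."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def spaced_twin(path: Path):
    """For 'x.exe' return the renamed original 'x .exe' if it sits beside it, else None."""
    if path.suffix.lower() != ".exe":
        return None
    twin = path.with_name(path.stem + SPACED_SUFFIX)
    return twin if twin.is_file() else None


def hash_clusters(root: Path, min_names: int = 3):
    """Group every file under root by MD5 and keep only bodies that appear under
    at least min_names distinct file names. One body under many unrelated names is
    the tell-tale here; the threshold (an assumption) keeps ordinary duplicates out."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            by_hash[md5_of(p)].append(p)
    return {h: sorted(paths) for h, paths in by_hash.items()
            if len({p.name.lower() for p in paths}) >= min_names}


def cleanup_plan(root: Path):
    """Proposed actions in the shape of the Avenger script: delete each planted copy;
    where the renamed original still sits beside it, move it back into place.
    Paths come back relative to root, POSIX style, for review before anything runs."""
    plan = []
    for _digest, paths in sorted(hash_clusters(root).items()):
        for copy in paths:
            rel_copy = copy.relative_to(root).as_posix()
            plan.append(("delete", rel_copy))
            original = spaced_twin(copy)
            if original is not None:
                plan.append(("move", original.relative_to(root).as_posix(), rel_copy))
    return plan


# Constructed layout mirroring the SystemLook log: (directory, stem) pairs that have
# both "<stem>.exe" (planted) and "<stem> .exe" (renamed original), plus two planted
# files with no original beside them.
PAIRED = [
    ("Program Files/Common Files/Ahead/Lib", "nmbgmonitor"),
    ("Program Files/Intel/Wireless/Bin", "ifrmewrk"),
    ("Program Files/Intel/Wireless/Bin", "zcfgsvc"),
    ("Program Files/Launch Manager", "lmanager"),
    ("Program Files/Realtek/InstallShield", "azmixersel"),
    ("Program Files/Synaptics/SynTP", "syntpenh"),
]
SOLO = ["Program Files/Internet Explorer/wmpscfgs.exe",
        "Program Files/Internet Explorer/js.mui"]


def build_sample_tree(root: Path) -> None:
    """Plant one dummy 27648-byte body (constructed, not malware) under the names from
    the log; every renamed original gets distinct content, plus one clean system file."""
    body = b"CONSTRUCTED SAMPLE BODY, NOT MALWARE".ljust(27648, b"\0")
    for folder_rel, stem in PAIRED:
        folder = root / folder_rel
        folder.mkdir(parents=True, exist_ok=True)
        (folder / f"{stem}.exe").write_bytes(body)
        (folder / f"{stem}{SPACED_SUFFIX}").write_bytes(b"original program: " + stem.encode())
    for rel in SOLO:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    sys32 = root / "WINDOWS/system32"
    sys32.mkdir(parents=True, exist_ok=True)
    (sys32 / "winlogon.exe").write_bytes(b"clean system file, distinct content")


def demo():
    """Build the sample tree in a temp dir and return (clusters, plan)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        clusters = {h: [p.relative_to(root).as_posix() for p in ps]
                    for h, ps in hash_clusters(root).items()}
        return clusters, cleanup_plan(root)


if __name__ == "__main__":
    found, steps = demo()
    for digest, names in found.items():
        print(f"body {digest} seen under {len(names)} names")
    for step in steps:
        print(*step)
```

On the sample tree the script reports a single body under eight names and a 14-step plan: eight deletions (six paired copies plus wmpscfgs.exe and js.mui) and six moves restoring the "name .exe" originals, exactly the shape of the Avenger script above; the clean winlogon.exe never appears. The plan is only a proposal: the hash cluster is what justifies each deletion, and a reviewer should still confirm the original's hash against a known-good source before moving it back.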

Re: virus, trojan horse, Total XP Security

#29 Post by nofuj »

the wmpscfgs.exe virus was not removed; maybe we could do the same thing again, e:\program files\itunes\ituneshelper .exe will most likely be infected too // the thing is, most of my user programs are not installed on drive C

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe" deleted successfully.
File "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" deleted successfully.
File "C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe" deleted successfully.
File "C:\Program Files\Launch Manager\lmanager.exe" deleted successfully.
File "C:\Program Files\Realtek\InstallShield\azmixersel.exe" deleted successfully.
File "C:\Program Files\Synaptics\SynTP\syntpenh.exe" deleted successfully.
File "C:\Program Files\Internet Explorer\wmpscfgs.exe" deleted successfully.
File "C:\Program Files\Internet Explorer\js.mui" deleted successfully.
File move operation "C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor .exe|C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe" completed successfully.
File move operation "C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe|C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" completed successfully.
File move operation "C:\Program Files\Intel\Wireless\Bin\zcfgsvc .exe|C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe" completed successfully.
File move operation "C:\Program Files\Launch Manager\lmanager .exe|C:\Program Files\Launch Manager\lmanager.exe" completed successfully.
File move operation "C:\Program Files\Realtek\InstallShield\azmixersel .exe|C:\Program Files\Realtek\InstallShield\azmixersel.exe" completed successfully.
File move operation "C:\Program Files\Synaptics\SynTP\syntpenh .exe|C:\Program Files\Synaptics\SynTP\syntpenh.exe" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: virus, Trojan horse, Total XP Security

#30 Post by cernohous13 »

For that, the script would look like this - you can add any other files you find in the same way

Code:

Files to delete:
e:\program files\itunes\ituneshelper.exe

Files to move:
e:\program files\itunes\ituneshelper .exe | e:\program files\itunes\ituneshelper.exe
Use Start -> Search - enter *.exe - Last week - size in KB - at most 27 -> sort the result by size

wmpscfgs.exe - I'll try to get advice from colleagues :oops:
Last edited by cernohous13 on 26 Mar 2010 14:11, edited 1 time in total.
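As an added example (not code from the thread or from Avenger), here is a small Python scanner for the pattern the scripts above repair: a genuine program renamed to "name .exe" (space before the extension) sitting next to a malware copy that took over "name.exe". It lists the twins with the size of the copy and renders the matching "Files to delete" / "Files to move" block in the layout used in this thread. The directory tree it scans is constructed inline, and the file names and sizes are assumptions.

```python
import os
import tempfile
from pathlib import Path


def find_hijacked_pairs(root):
    """Return (copy, original, copy_kb) triples for every directory under
    `root` where 'name .exe' (space before the extension) sits next to
    'name.exe'. In this infection 'name .exe' is the genuine program that
    the malware renamed, and 'name.exe' is the malware's own copy."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}   # case-insensitive lookup
        for f in files:
            if not f.lower().endswith(" .exe"):
                continue
            clean = f.lower()[:-5] + ".exe"          # drop " .exe", add ".exe"
            if clean in by_lower:
                copy = Path(dirpath) / by_lower[clean]
                found.append((copy, Path(dirpath) / f, copy.stat().st_size // 1024))
    return sorted(found)


def build_avenger_script(found):
    """Render the pairs as a 'Files to delete' / 'Files to move' block:
    delete the copy, then move the renamed original back into its place."""
    deletes = [str(copy) for copy, _orig, _kb in found]
    moves = [f"{orig} | {copy}" for copy, orig, _kb in found]
    return ("Files to delete:\n" + "\n".join(deletes)
            + "\n\nFiles to move:\n" + "\n".join(moves) + "\n")


def demo():
    """Constructed sample tree: one hijacked program, one untouched one."""
    root = Path(tempfile.mkdtemp())
    lm = root / "Program Files" / "Launch Manager"
    lm.mkdir(parents=True)
    (lm / "lmanager.exe").write_bytes(b"M" * 25 * 1024)     # small malware copy
    (lm / "lmanager .exe").write_bytes(b"O" * 300 * 1024)   # renamed original
    syn = root / "Program Files" / "Synaptics" / "SynTP"
    syn.mkdir(parents=True)
    (syn / "syntpenh.exe").write_bytes(b"O" * 200 * 1024)   # clean, no twin
    found = find_hijacked_pairs(root)
    return found, build_avenger_script(found)


if __name__ == "__main__":
    found, script = demo()
    for copy, orig, kb in found:
        print(f"{copy} ({kb} KB) replaced {orig.name}")
    print(script)
```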
