Zákeřný autorun.inf

[michier]

Dobrý den,
mám problém s autorun.inf na externím disku. Do HDD se mi nerozšířil tomu zabránil NOD32. Projel jsem to USBfixem a po načtení externího disku už NOD32 nehází žádnou ceduly s virem. Pokud ale kliknu na autorun.inf (jinak skrytý soubor) ihned se cedule objeví. Autorun.inf nemohu nijak upravovat ani smazat protože je jen pro čtení. Stačí to pouze takto ošetřené? Radši bych ten autorun na tom externím disku vůbec neměl - nějaká možnost vymazání? (mimo zformátování HDD)

############################## | UsbFix 7.014 | [Deletion]

User: Michi (Administrator) # CRAZYHORSE [ ]
Updated 24/06/10 by El Desaparecido / C_XX
Started at 00:18:20 | 11/08/2011
Website: http://pagesperso-orange.fr/NosTools/index.html
Contact: FindyKill.Contact@gmail.com

CPU: AMD Athlon(tm) Dual Core Processor 4450e
CPU 2: AMD Athlon(tm) Dual Core Processor 4450e
Systém Microsoft Windows XP Professional (5.1.2600 32-Bit) # Service Pack 2
Internet Explorer 6.0.2900.2180

Windows Firewall: Disabled /!\
Antivirus: ESET Smart Security 4.2 4.2 [Enabled | Updated]
Firewall: ESET personal firewall 4.2.64.12 [Enabled]
RAM -> 2047 Mb
C:\ (%systemdrive%) -> Fixed drive # 75 Gb (51 Mb free - 68%) [] # NTFS
D:\ -> CD-ROM
E:\ -> Fixed drive # 932 Gb (430 Mb free - 46%) [Silverblue Saphire] # NTFS

################## | Files # Infected Folders |

Deleted ! C:\DOCUME~1\Michi\LOCALS~1\Temp\bdc.exe
Deleted ! C:\DOCUME~1\Michi\LOCALS~1\Temp\KK.EXE
Deleted ! C:\WINDOWS\regedit.com
Not deleted ! E:\Autorun.inf

################## | Registry |


################## | Mountpoints2 |

Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\E

################## | Listing |

[01/07/2011 - 18:52:00 | A | 0] C:\AUTOEXEC.BAT
[10/08/2011 - 23:59:02 | RASHD ] C:\autorun.inf
[01/07/2011 - 18:58:36 | RSH | 223] C:\boot.ini
[25/10/2001 - 14:00:00 | RASH | 4952] C:\Bootfont.bin
[01/07/2011 - 18:52:00 | A | 0] C:\CONFIG.SYS
[01/07/2011 - 19:02:33 | A | 86] C:\CSB.LOG
[10/08/2011 - 23:29:56 | D ] C:\Documents and Settings
[02/07/2011 - 21:22:17 | D ] C:\Fraps
[01/07/2011 - 18:52:00 | RASH | 0] C:\IO.SYS
[01/07/2011 - 18:52:00 | RASH | 0] C:\MSDOS.SYS
[03/08/2004 - 22:38:34 | RASH | 47564] C:\NTDETECT.COM
[03/08/2004 - 22:59:38 | RASH | 250048] C:\ntldr
[01/07/2011 - 19:07:06 | D ] C:\NVIDIA
[10/08/2011 - 23:56:37 | ASH | 2145386496] C:\pagefile.sys
[11/08/2011 - 00:12:22 | RD ] C:\Program Files
[11/08/2011 - 00:04:04 | D ] C:\Qoobox
[11/08/2011 - 00:25:12 | SHD ] C:\RECYCLER
[01/07/2011 - 19:00:04 | A | 347] C:\RHDSetup.log
[01/07/2011 - 18:55:27 | SHD ] C:\System Volume Information
[11/08/2011 - 00:25:12 | D ] C:\UsbFix
[11/08/2011 - 00:25:12 | A | 1075] C:\UsbFix.txt
[11/08/2011 - 00:25:11 | D ] C:\WINDOWS
[11/08/2011 - 00:19:49 | SHD ] E:\$RECYCLE.BIN
[17/08/2004 - 15:49:10 | RASH | 95034] E:\autorun.inf
[17/07/2011 - 09:36:03 | D ] E:\hauken
[03/08/2011 - 23:43:58 | D ] E:\Michi
[11/08/2011 - 00:25:12 | SHD ] E:\RECYCLER
[01/07/2011 - 19:07:58 | SHD ] E:\System Volume Information
[09/01/2011 - 18:04:50 | AD ] E:\TOSHIBA

################## | Vaccin |

C:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)

################## | Upload |

Please send the file: C:\UsbFix_Upload_Me_CRAZYHORSE.zip
http://chiquitine.changelog.fr/Sample/Upload.php
Thank you for your contribution.

################## | E.O.F |

Děkuji za pomoc

[vyosek]

Zdravim a pekny den preji

Dejte jeste prosim logy z RSIT - navod v mem podpise - a poprosim o oba logy z nej (log.txt i info.txt), pokud se neotevrou, budou ulozeny v c:\rsit

[michier]

LOG.TXT

Logfile of random's system information tool 1.09 (written by random/random)
Run by Michi at 2011-08-11 14:09:39
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 55 GB (72%) free of 76 GB
Total RAM: 2047 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:09:41, on 11.8.2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\steam.exe
C:\Program Files\QIP 2010\qip.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AllInOne\Downloads\RSIT.exe
C:\Program Files\trend micro\Michi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/?linkid=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Infium] "C:\Program Files\QIP 2010\qip.exe" /autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3991 bytes

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\Michi\Data aplikací\Mozilla\Firefox\Profiles\qtvx5pkg.default

prefs.js - "browser.startup.homepage" - "seznam.cz"

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

C:\Program Files\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
{972ce4c6-7e08-4474-a285-3208198ce6fd}

C:\Program Files\Mozilla Firefox\components\
binary.manifest
browsercomps.dll

C:\Program Files\Mozilla Firefox\searchplugins\
google.xml
heureka-cz.xml
jyxo-cz.xml
seznam-cz.xml
slunecnice-cz.xml
wikipedia-cz.xml

C:\Documents and Settings\Michi\Data aplikací\Mozilla\Firefox\Profiles\qtvx5pkg.default\extensions\
{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
{ba14329e-9550-4989-b3f2-9732e92d17cc}

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype Browser Helper - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-07-01 1901960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-10-30 16269312]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"nwiz"=C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [2010-07-07 1753192]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2010-07-09 110696]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2010-07-09 13923432]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2010-08-12 2215064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"Steam"=C:\Program Files\Valve\Steam\steam.exe [2011-08-02 1242448]
"Infium"=C:\Program Files\QIP 2010\qip.exe [2011-07-18 6812032]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"NoDriveAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=0
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\SubaGames\ACEonline\Launcher.atm"="C:\Program Files\SubaGames\ACEonline\Launcher.atm:Enabled:GameExe2"
"C:\Program Files\SubaGames\ACEonline\Res-Voip\SCVoIP.exe"="C:\Program Files\SubaGames\ACEonline\Res-Voip\SCVoIP.exe:Enabled:GameVoIP"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze"
"C:\Program Files\Valve\Steam\SteamApps\michizero\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\SteamApps\michizero\counter-strike\hl.exe:*:Enabled:Counter-Strike"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"VIDC.FPS1"=frapsvid.dll
"VIDC.DIVX"=divx.dll
"VIDC.XVID"=xvidvfw.dll
"VIDC.YV12"=yv12vfw.dll
"msacm.ac3acm"=ac3acm.acm
"msacm.lameacm"=lameACM.acm
"VIDC.FFDS"=ff_vfw.dll

======List of files/folders created in the last 1 month======

2011-08-11 14:08:50 ----D---- C:\rsit
2011-08-11 14:08:50 ----D---- C:\Program Files\trend micro
2011-08-11 00:25:15 ----RASHD---- C:\Autorun.inf
2011-08-11 00:18:20 ----A---- C:\UsbFix.txt
2011-08-11 00:17:51 ----D---- C:\UsbFix
2011-08-11 00:15:12 ----A---- C:\WINDOWS\system32\msvcr80.dll
2011-08-11 00:15:11 ----A---- C:\WINDOWS\system32\msvcp80.dll
2011-08-11 00:15:10 ----A---- C:\WINDOWS\system32\eEmpty.exe
2011-08-11 00:15:07 ----A---- C:\WINDOWS\system32\TASKMGR.COM
2011-08-11 00:15:07 ----A---- C:\WINDOWS\system32\T.COM
2011-08-11 00:15:07 ----A---- C:\WINDOWS\R.COM
2011-08-11 00:15:05 ----D---- C:\Program Files\Common Files\MicroWorld
2011-08-11 00:15:04 ----D---- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2011-08-11 00:04:04 ----D---- C:\WINDOWS\ERDNT
2011-08-11 00:03:32 ----D---- C:\Qoobox
2011-08-10 23:29:46 ----A---- C:\WINDOWS\ntbtlog.txt
2011-08-10 23:00:33 ----HD---- C:\WINDOWS\system32\GroupPolicy
2011-07-14 18:49:01 ----D---- C:\Documents and Settings\Michi\Data aplikací\Ventrilo
2011-07-12 02:56:11 ----D---- C:\Documents and Settings\Michi\Data aplikací\Azureus
2011-07-12 02:53:01 ----D---- C:\Program Files\Vuze

======List of files/folders modified in the last 1 month======

2011-08-11 14:09:39 ----D---- C:\WINDOWS\Temp
2011-08-11 14:08:54 ----D---- C:\WINDOWS\Prefetch
2011-08-11 14:08:50 ----RD---- C:\Program Files
2011-08-11 13:39:11 ----D---- C:\Program Files\SpeedFan
2011-08-11 13:24:36 ----D---- C:\WINDOWS\system32\CatRoot2
2011-08-11 13:23:37 ----D---- C:\Program Files\QIP 2010
2011-08-11 06:00:26 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-08-11 03:02:47 ----D---- C:\WINDOWS\system32\drivers
2011-08-11 00:25:12 ----SHD---- C:\RECYCLER
2011-08-11 00:25:11 ----D---- C:\WINDOWS
2011-08-11 00:15:12 ----D---- C:\WINDOWS\system32
2011-08-11 00:15:05 ----D---- C:\Program Files\Common Files
2011-08-11 00:12:33 ----SD---- C:\Documents and Settings\Michi\Data aplikací\Microsoft
2011-08-10 23:29:56 ----D---- C:\Documents and Settings
2011-08-05 22:16:05 ----D---- C:\Documents and Settings\Michi\Data aplikací\Skype
2011-07-12 01:41:09 ----SD---- C:\Documents and Settings\All Users\Data aplikací\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 giveio;giveio; C:\WINDOWS\system32\giveio.sys [1996-04-03 5248]
R0 nvata;nvata; C:\WINDOWS\system32\DRIVERS\nvata.sys [2006-08-21 105344]
R0 ohci1394;Hostitelský řadič IEEE 1394 dle standardu OHCI Texas Instruments; C:\WINDOWS\system32\DRIVERS\ohci1394.sys [2004-08-03 61056]
R0 speedfan;speedfan; C:\WINDOWS\system32\speedfan.sys [2006-09-24 5248]
R1 AmdK8;Ovladač procesoru AMD; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 43008]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2010-07-29 115008]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2010-08-03 55256]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2010-08-04 140752]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2010-07-29 134512]
R3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-17 60800]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2010-07-29 32608]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-10-25 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-02 4394496]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-25 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-17 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2010-07-10 10604128]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-09-11 57856]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-09-11 19968]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2010-08-12 810144]
R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2010-07-09 155752]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2010-08-12 33584]

-----------------EOF-----------------


INFO.TXT

info.txt logfile of random's system information tool 1.09 2011-08-11 14:08:54

======Uninstall list======

-->MsiExec /X{8A809006-C25A-4A3A-9DAB-94659BCDB107}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE Online EP3-3 2.5.0.3 Full-->"C:\Program Files\SubaGames\ACEonline\unins000.exe"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10u_Plugin.exe -maintain plugin
Balíček ovladače systému Windows - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_E04BFC62AB75C18018CA32A469FC44BA0E376B83\amdk8.inf
Counter-Strike(TM)-->MsiExec.exe /I{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A}
EVEREST Ultimate Edition v4.50-->"C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
Fraps (remove only)-->"C:\Fraps\uninstall.exe"
High Definition Audio - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
K-Lite Codec Pack 4.4.2 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox 5.0 (x86 cs)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Display Control Panel-->C:\Program Files\NVIDIA Corporation\Uninstall\nvuninst.exe DisplayControlPanel
NVIDIA Drivers-->C:\Program Files\NVIDIA Corporation\Uninstall\nvuninst.exe UninstallGUI
NVIDIA nView Desktop Manager-->C:\Program Files\NVIDIA Corporation\nView\nViewSetup.exe -uninstall
NVIDIA PhysX-->MsiExec.exe /X{8A809006-C25A-4A3A-9DAB-94659BCDB107}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x5 -removeonly
Skype Toolbars-->MsiExec.exe /I{B6CF2967-C81E-40C0-9815-C05774FEF120}
Skype™ 5.3-->MsiExec.exe /X{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Steam(TM)-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Usbfix By C_XX & El Desaparecido-->"C:\Usbfix\Un-Usbfix.exe"
VentriloMIX-->C:\Program Files\VentriloMIX\Uninstal.exe
Vuze-->C:\Program Files\Vuze\uninstall.exe
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
WinRAR-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: ESET Smart Security 4.2
FW: ESET personal firewall

======System event log======

Computer Name: CRAZYHORSE
Event Code: 3260
Message: Tento počítač byl úspěšně připojen k workgroup SKUPINA.

Record Number: 5
Source Name: Workstation
Time Written: 20110701184755.000000+120
Event Type: Informace
User:

Computer Name: CRAZYHORSE
Event Code: 6011
Message: Název tohoto počítače v systémech DNS a NetBIOS byl změněn z MACHINENAME na CRAZYHORSE.

Record Number: 4
Source Name: EventLog
Time Written: 20110701184543.000000+120
Event Type: Informace
User:

Computer Name: MACHINENAME
Event Code: 2
Message: Během prověřování, zda \Device\Serial0 je skutečně sériový port, byl zjištěn zásobník typu FIFO. Bude použit tento zásobník.

Record Number: 3
Source Name: Serial
Time Written: 20110701203732.000000+120
Event Type: Informace
User:

Computer Name: MACHINENAME
Event Code: 6005
Message: Služba Event Log byla spuštěna.

Record Number: 2
Source Name: EventLog
Time Written: 20110701203712.000000+120
Event Type: Informace
User:

Computer Name: MACHINENAME
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Multiprocessor Free.

Record Number: 1
Source Name: EventLog
Time Written: 20110701203712.000000+120
Event Type: Informace
User:

=====Application event log=====

Computer Name: CRAZYHORSE
Event Code: 1000
Message: Čítače výkonu pro službu MSDTC (MSDTC) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 5
Source Name: LoadPerf
Time Written: 20110701184848.000000+120
Event Type: Informace
User:

Computer Name: CRAZYHORSE
Event Code: 1000
Message: Čítače výkonu pro službu TermService (Terminálová služba) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 4
Source Name: LoadPerf
Time Written: 20110701184846.000000+120
Event Type: Informace
User:

Computer Name: CRAZYHORSE
Event Code: 1000
Message: Čítače výkonu pro službu RemoteAccess (Směrování a vzdálený přístup) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 3
Source Name: LoadPerf
Time Written: 20110701184644.000000+120
Event Type: Informace
User:

Computer Name: CRAZYHORSE
Event Code: 1000
Message: Čítače výkonu pro službu PSched (PSched) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 2
Source Name: LoadPerf
Time Written: 20110701184552.000000+120
Event Type: Informace
User:

Computer Name: CRAZYHORSE
Event Code: 1000
Message: Čítače výkonu pro službu RSVP (QoS RSVP) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 1
Source Name: LoadPerf
Time Written: 20110701184552.000000+120
Event Type: Informace
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\Wbem;c:\Program Files\NVIDIA Corporation\PhysX\Common
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

[vyosek]

Zapojte externi disk do PC

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) (viz muj podpis)

• Provedte aktualizaci - treti zalozka
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[michier]

Malwarebytes' Anti-Malware
www.malwarebytes.org

Verze databáze:

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11.8.2011 20:23:38
mbam-log-2011-08-11 (20-23-35).txt

Typ: Úplná kontrola (C:\|E:\|)
Kontrolované objekty: 241380
Uplynulý čas: 20 minut, 53 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 0
Infikované hodnoty v registru: 0
Infikované datové položky v registru: 0
Infikované složky: 0
Infikované soubory: 1

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
e:\RECYCLER\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Worm.Conficker) -> No action taken.

[vyosek]

Nechte opet disk zapojeny

Stahnete RKill http://download.bleepingcomputer.com/grinler/rkill.com

• Pokud ho havet blokuje, pouzijte jeden z nasledujicich

  Rkill EXE:
  http://download.bleepingcomputer.com/grinler/rkill.exe
  
  Rkill SCR:
  http://download.bleepingcomputer.com/grinler/rkill.scr
  
  Rkill PIF:
  http://download.bleepingcomputer.com/grinler/rkill.pif

• Ulozte nejlepena plochu a ukoncete vsechny aplikace (jinak to udela RKill za Vas)
• Spustte tradicne dvojklikem - program probehne temer okamzite a ukonci i svou cinnost
• RKill ukonci vsechny ne-systemove procesy - tedy i procesy, pod kterymi bezi havet
• Ted nerestartujte PC - prisli byste o ucinek RKillu

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Vypnete vsechny rezidentni bezpecnostní programy - firewally, antiviry, antispywary apod.
• Pokud mate Win XP spustte pod uctem Spravce\Administratora
• Pokud mate Win Vista ci Win 7, kliknete na Combofix pravym a dejte Run As Administrator ci Spustit jako spravce
• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte
• Detailni postup vc. obrazku mate zde http://www.bleepingcomputer.com/combofi ... t-combofix

[michier]

Koukám, že se povedlo. Skvělá práce! Děkuji mnohokrát.


ComboFix 11-08-15.01 - Michi 14.08.2011 17:43:52.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2047.1482 [GMT 2:00]
Spuštěný z: c:\program files\AllInOne\Downloads\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Vytvořen nový Bod Obnovení
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\taskmgr.com
E:\Autorun.inf
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-07-14 do 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-11 16:40 . 2011-08-11 16:40 -------- d-----w- c:\documents and settings\Michi\Data aplikací\Malwarebytes
2011-08-11 16:40 . 2011-08-11 16:40 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2011-08-11 16:40 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-11 16:40 . 2011-08-11 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-11 16:40 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-11 12:08 . 2011-08-11 12:09 -------- d-----w- c:\program files\trend micro
2011-08-11 12:08 . 2011-08-11 12:08 -------- d-----w- C:\rsit
2011-08-10 22:17 . 2011-08-10 22:25 -------- d-----w- C:\UsbFix
2011-08-10 22:15 . 2011-08-10 22:15 632064 ----a-w- c:\windows\system32\msvcr80.dll
2011-08-10 22:15 . 2011-08-10 22:15 554240 ----a-w- c:\windows\system32\msvcp80.dll
2011-08-10 22:15 . 2011-08-10 22:15 34048 ----a-w- c:\windows\system32\eEmpty.exe
2011-08-10 22:15 . 2004-08-17 13:49 147968 ----a-w- c:\windows\R.COM
2011-08-10 22:15 . 2004-08-17 13:49 137216 ----a-w- c:\windows\system32\T.COM
2011-08-10 22:15 . 2011-08-10 22:15 -------- d-----w- c:\program files\Common Files\MicroWorld
2011-08-10 22:15 . 2011-08-10 22:15 -------- d-----w- c:\documents and settings\All Users\Data aplikací\MicroWorld
2011-08-10 21:29 . 2011-08-10 21:29 -------- d-----w- c:\documents and settings\Administrator
2011-08-10 21:00 . 2011-08-10 21:00 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-08-01 07:43 . 2011-08-05 23:19 -------- d-----w- c:\documents and settings\Michi\dwhelper
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-10 22:25 . 2011-08-10 22:25 268350 ----a-w- C:\UsbFix_Upload_Me_CRAZYHORSE.zip
2011-07-01 17:17 . 2011-07-01 17:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 17:15 . 2011-07-01 17:15 15872 ----a-r- c:\documents and settings\Michi\Data aplikací\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2011-07-01 17:15 . 2011-07-01 17:15 15872 ----a-r- c:\documents and settings\Michi\Data aplikací\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2011-07-01 17:15 . 2011-07-01 17:15 15872 ----a-r- c:\documents and settings\Michi\Data aplikací\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2011-07-01 17:15 . 2011-07-01 17:15 15872 ----a-r- c:\documents and settings\Michi\Data aplikací\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2011-06-16 04:30 . 2011-07-01 17:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\steam.exe" [2011-08-02 1242448]
"Infium"="c:\program files\QIP 2010\qip.exe" [2011-07-18 6812032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\SubaGames\ACEonline\Launcher.atm"= c:\program files\SubaGames\ACEonline\Launcher.atm:Enabled:GameExe2
"c:\program files\SubaGames\ACEonline\Res-Voip\SCVoIP.exe"= c:\program files\SubaGames\ACEonline\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\michizero\\counter-strike\\hl.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29.7.2010 13:31 115008]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12.8.2010 14:16 810144]
.
.
------- Doplňkový sken -------
.
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Michi\Data aplikací\Mozilla\Firefox\Profiles\qtvx5pkg.default\
FF - prefs.js: browser.startup.homepage - seznam.cz
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-14 17:45
Windows 5.1.2600 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
Celkový čas: 2011-08-14 17:46:02
ComboFix-quarantined-files.txt 2011-08-14 15:46
.
Před spuštěním: Volných bajtů: 54 872 453 120
Po spuštění: Volných bajtů: 56 563 929 088
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 2C20BD40E1570F30DED108E7FDFC075A

[vyosek]

Odinstalujte Combofix

• Prejmenujte ComboFix na Uninstall
• Spustte jej
• Tohle smaze Combofix a jeho slozky

T-Cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe

• Stahnete a spustte
• Pro potvrzeni volby mackejte A, Enter
• Po pouziti utilitu smazte
• Antiviry touhou utilitu chybne oznacit jako vir - jedna se o falesny poplach - takze v pohode stahnete
  (pripadne vypnete pri stahovani antivir)

OTC http://oldtimer.geekstogo.com/OTC.exe

• Stahnete a spustte
• Kliknete na CleanUp a potvrdte YES
• Program uklidi a restartuje PC

TFC http://oldtimer.geekstogo.com/TFC.exe

• Stahnete a spustte
• Kliknete na Start a potvrdte OK
• Program uklidi a restartuje pc
• Po pouziti utilitu smazte

Stahnete Ccleaner (viz muj podpis)
Panel čistič

• Vse nechte jak je, jen dejte Analyzovat a pote Spustit CCleaner

Panel registry

• dejte Hledej problémy
• nasledne Opravit problémy - zalohu registru doporucuji udelat, opravte vsechny problemy
• postup opakujte dokud nebude bez problemu - vetsinou cca 3x

Panel nástroje

• Zde muzete odinstalovat nepotrebne programy

CCleaner doporucuji pouzivat cca jednou za tyden

Napiste jak se chova PC

[michier]

PC se chová standartně a vypadá to že windows běhá rychleji. Mě hlavně šlo o ten autorun na tom externím HDD.
Mám znovu spustit USBfix, aby vytvořil falešný autorun na ext HDD?

Děkuji za rychlou a efektivní pomoc. Vaše odvedená práce je vyjímečná

[vyosek]

Spustte znovu USBFix a pouzijte volbu vaccinate

Znovu spusťte Usbfix a zvolte možnost Uninstall, tim po sobe uklidi