PC disinfection, computer speed-up, remote help via the neslape.cz service

autorun.inf virus

Do you have a virus problem? Post your FRST or RSIT log here.

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the rule on locking topics. Thank you for understanding.

!NEW!
You can now use the remote help service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
igor.p
Visitor
Posts: 14
Registered: 22 May 2007 05:50

autorun.inf virus

#1 Post by igor.p »

Besides the virus being somewhere in the PC, an autorun.inf is also created on the USB stick and it cannot be deleted. I tried changing the attributes, and nothing in the recovery console either; once I managed to delete it in Linux, but the second time not anymore...:((

Logfile of random's system information tool 1.07 (written by random/random)
Run by repronis at 2010-05-26 09:36:18
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 27 GB (68%) free of 40 GB
Total RAM: 1024 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:36:34, on 26.5.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Usb Protector\USB Protector 3.0.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\totalcmd\TOTALCMD.EXE
E:\install\RSIT.exe
C:\Program Files\trend micro\repronis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [] "c:\msservice.exe"
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Usb Protector 3.0.lnk = C:\Program Files\Usb Protector\USB Protector 3.0.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Převést cíl vazby do Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Převést do Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Připojit cíl vazby k existujícímu PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Připojit k existujícímu PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1400105718
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6633 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\PandaUSBVaccine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-04-03 349640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-04-03 349640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-04-03 349640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2010-04-07 2145000]
""=c:\msservice.exe [2010-03-26 81920]
"AutorunRemover.exe"=C:\Program Files\AutorunRemover\AutorunRemover.exe [2010-05-19 1257472]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [2010-04-03 640440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [2010-04-03 38840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2010-04-16 611712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2008-02-27 570664]

C:\Documents and Settings\repronis\Nabídka Start\Programy\Po spuštění
Usb Protector 3.0.lnk - C:\Program Files\Usb Protector\USB Protector 3.0.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
C:\WINDOWS\system32\PCANotify.dll [2007-04-27 18744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=189
"NoDriveAutoRun"=0xFFFFFFFF

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\CDS\Nero\Installation\SetupX.exe"="D:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\Program Files\Symantec\pcAnywhere\awhost32.exe"="C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d43d4a-4d02-11df-a30f-00a024a66859}]
shell\AutoRun\command - F:\MILAN\\\\\\\\\\BALKAN.exe
shell\explore\command - F:\MILAN\\\\\\\\\\\\BALKAN.exe
shell\open\command - F:\MILAN\\\\\\\\\\\\BALKAN.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d43d6c-4d02-11df-a30f-00a024a66859}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a39f66d-51d7-11df-a310-00a024a66859}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a39f66e-51d7-11df-a310-00a024a66859}]
shell\AutoRun\command - MILAN\\\\\\\\\\BALKAN.exe
shell\explore\command - MILAN\\\\\\\\\\\\BALKAN.exe
shell\open\command - MILAN\\\\\\\\\\\\BALKAN.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a39f696-51d7-11df-a310-00a024a66859}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b658c9f-617c-11df-a319-00a024a66859}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a50a521-5cc9-11df-a316-00a024a66859}]
shell\AutoRun\command - fidel\\castro.exe
shell\explore\command - fidel\castro.exe
shell\install\command - fidel\castro.exe
shell\open\command - fidel\castro.exe


======File associations======

.txt - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2010-05-26 09:36:19 ----D---- C:\Program Files\trend micro
2010-05-26 09:36:18 ----D---- C:\rsit
2010-05-26 08:19:22 ----D---- C:\autorun.inf
2010-05-26 03:00:12 ----HDC---- C:\WINDOWS\$NtUninstallKB981793$
2010-05-25 13:53:50 ----D---- C:\Program Files\Usb Protector
2010-05-25 10:25:08 ----D---- C:\Documents and Settings\All Users\Data aplikací\Panda Security
2010-05-25 10:24:58 ----D---- C:\Program Files\Panda USB Vaccine
2010-05-25 08:02:57 ----AD---- C:\WINDOWS\VDLL.DLL
2010-05-25 08:02:57 ----AD---- C:\WINDOWS\system32\runouce.exe
2010-05-25 08:02:57 ----AD---- C:\WINDOWS\RUNDL132.EXE
2010-05-25 08:02:57 ----AD---- C:\WINDOWS\logo_1.exe
2010-05-25 08:00:18 ----A---- C:\WINDOWS\system32\msvcp80.dll
2010-05-25 08:00:17 ----A---- C:\WINDOWS\system32\eEmpty.exe
2010-05-25 08:00:14 ----A---- C:\WINDOWS\system32\T.COM
2010-05-25 08:00:13 ----A---- C:\WINDOWS\system32\TASKMGR.COM
2010-05-25 08:00:13 ----A---- C:\WINDOWS\R.COM
2010-05-25 08:00:12 ----A---- C:\WINDOWS\REGEDIT.COM
2010-05-25 08:00:06 ----D---- C:\Program Files\Common Files\MicroWorld
2010-05-25 07:59:58 ----D---- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2010-05-24 13:30:16 ----A---- C:\WINDOWS\system32\hidserv.dll
2010-05-19 09:22:14 ----A---- C:\WINDOWS\system32\TUProgSt.exe
2010-05-19 09:22:13 ----A---- C:\WINDOWS\system32\uxtuneup.dll
2010-05-19 09:22:12 ----A---- C:\WINDOWS\system32\TuneUpDefragService.exe
2010-05-19 09:17:51 ----D---- C:\Documents and Settings\repronis\Data aplikací\TuneUp Software
2010-05-19 09:17:03 ----D---- C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2010-05-19 09:16:49 ----D---- C:\Program Files\TuneUp Utilities 2009
2010-05-19 09:16:27 ----SHD---- C:\Documents and Settings\All Users\Data aplikací\{55A29068-F2CE-456C-9148-C869879E2357}
2010-05-19 09:07:39 ----A---- C:\WINDOWS\system32\capicom.dll
2010-05-19 09:04:59 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-05-19 09:04:33 ----D---- C:\Program Files\Symantec
2010-05-19 09:04:33 ----D---- C:\Documents and Settings\All Users\Data aplikací\Symantec
2010-05-19 08:55:21 ----D---- C:\Program Files\AutorunRemover
2010-05-13 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-05-03 12:18:54 ----D---- C:\003448-galerie magna samolepky

======List of files/folders modified in the last 1 months======

2010-05-26 09:36:19 ----RD---- C:\Program Files
2010-05-26 09:34:10 ----D---- C:\WINDOWS
2010-05-26 09:33:42 ----D---- C:\WINDOWS\Temp
2010-05-26 09:32:19 ----D---- C:\WINDOWS\Prefetch
2010-05-26 03:00:15 ----D---- C:\WINDOWS\system32
2010-05-26 03:00:12 ----HD---- C:\WINDOWS\inf
2010-05-26 03:00:11 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-25 14:23:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-25 10:25:05 ----SD---- C:\WINDOWS\Tasks
2010-05-25 08:00:06 ----D---- C:\Program Files\Common Files
2010-05-25 07:40:46 ----D---- C:\WINDOWS\system32\Restore
2010-05-24 13:30:23 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-05-24 13:30:15 ----D---- C:\WINDOWS\system32\drivers
2010-05-19 09:22:18 ----SHD---- C:\WINDOWS\Installer
2010-05-19 09:17:54 ----D---- C:\WINDOWS\system32\config
2010-05-19 09:02:36 ----D---- C:\WINDOWS\Debug
2010-05-17 13:27:52 ----D---- C:\Documents and Settings\repronis\Data aplikací\U3
2010-05-13 03:01:43 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2010-05-13 03:01:17 ----D---- C:\Program Files\Outlook Express
2010-05-12 11:00:48 ----SD---- C:\Documents and Settings\repronis\Data aplikací\Microsoft
2010-05-12 03:49:33 ----HD---- C:\WINDOWS\$hf_mig$
2010-05-11 10:24:30 ----A---- C:\WINDOWS\NeroDigital.ini
2010-05-10 14:48:24 ----D---- C:\Program Files\Mozilla Firefox
2010-04-30 20:51:06 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AW_HOST;AW_HOST; C:\WINDOWS\system32\drivers\aw_host5.sys [2007-03-30 18232]
R1 awecho;awecho; C:\WINDOWS\system32\drivers\awechomd.sys [2007-03-30 13368]
R1 awlegacy;awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [2007-03-30 17848]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2010-04-07 114984]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2010-04-07 95872]
R1 InCDPass;Nero InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys [2008-02-18 36648]
R1 incdrm;Nero InCD MRW Remapper; C:\WINDOWS\system32\drivers\InCDRm.sys [2008-02-18 38312]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2010-04-16 73312]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2010-04-07 139192]
R2 PDIHWCTL;PDIHWCTL; \??\C:\WINDOWS\system32\drivers\pdihwctl.sys []
R3 atirage3;atirage3; C:\WINDOWS\system32\DRIVERS\atimpae.sys [2001-10-24 75136]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-10-24 117760]
R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbhub;Ovladač standardního rozbočovače USB; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R4 InCDfs;Nero InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys [2008-02-18 118952]
S4 ACPI;ACPI; C:\WINDOWS\system32\drivers\ACPI.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 awhost32;Symantec pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2008-09-05 136568]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-04-07 810120]
R2 InCDsrv;InCD Helper; C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe [2008-02-18 1553704]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2010-05-19 604416]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S1 InCDrec;Nero InCD File System Recognizer; C:\WINDOWS\system32\drivers\InCDRec.sys [2008-02-18 16040]
S2 NeroRegInCDSrv;Nero Registry InCD Service; C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe []
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2010-04-07 33560]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-04-15 655624]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2008-06-30 3093872]
S3 LPDSVC;Tiskový server TCP/IP; C:\WINDOWS\system32\tcpsvcs.exe [2008-04-14 19456]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-09-17 800040]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2010-05-19 361216]

-----------------EOF-----------------

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: autorun.inf virus

#2 Post by JaRon »

Move ComboFix to the desktop (if it isn't there yet)

open Notepad

copy the script from the following box into it:

Code:

File::
c:\msservice.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d43d4a-4d02-11df-a30f-00a024a66859}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a39f66e-51d7-11df-a310-00a024a66859}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a50a521-5cc9-11df-a316-00a024a66859}]

save the created text file as CFScript.txt on the desktop

after saving, grab the created script with the left mouse button, drag it over the ComboFix icon and drop it there:


after it runs another log should be produced, post it here :)
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/
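The indicators JaRon's CFScript targets (the unnamed Run value pointing at c:\msservice.exe and the per-volume mountpoints2 AutoRun commands) can be pulled out of an RSIT registry dump mechanically. The triage script below is an added example, not code from this thread or from RSIT/ComboFix; the log excerpt inside it is constructed from lines in the posted log, and the "suspicious command" heuristic (volume-relative path or doubled backslashes) is an assumption of this example, not a rule the thread states.

```python
import re

# Constructed excerpt modelled on the "Registry dump" section of the RSIT log
# posted in this thread (values copied from the thread, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2010-04-07 2145000]
""=c:\msservice.exe [2010-03-26 81920]
"AutorunRemover.exe"=C:\Program Files\AutorunRemover\AutorunRemover.exe [2010-05-19 1257472]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=189

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveTypeAutoRun"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d43d4a-4d02-11df-a30f-00a024a66859}]
shell\AutoRun\command - F:\MILAN\\\\\\\\\\BALKAN.exe
shell\open\command - F:\MILAN\\\\\\\\\\\\BALKAN.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d43d6c-4d02-11df-a30f-00a024a66859}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a50a521-5cc9-11df-a316-00a024a66859}]
shell\AutoRun\command - fidel\\castro.exe
shell\open\command - fidel\castro.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=target [date size]   (the trailing bracket is optional: policy values have none)
VALUE_RE = re.compile(r'^"(.*?)"=(.*?)(?:\s\[\d{4}-\d{2}-\d{2} \d+\])?$')
MOUNT_CMD_RE = re.compile(r"^shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
DRIVE_ANCHORED_RE = re.compile(r"^[A-Za-z]:\\[^\\]")


def command_is_suspicious(target: str) -> bool:
    """Heuristic (assumption of this example) for a per-volume AutoRun command
    written by an autorun.inf worm: the path is relative to the volume instead
    of drive-anchored, or it contains runs of doubled backslashes, as the
    BALKAN.exe and castro.exe entries in the posted log do."""
    return ("\\\\" in target) or not DRIVE_ANCHORED_RE.match(target)


def triage(log_text: str) -> list:
    """Walk an RSIT-style registry dump and return a list of finding dicts."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the following values belong to
            continue
        lkey = key.lower()
        if lkey.endswith(r"\currentversion\run"):
            m = VALUE_RE.match(line)
            # A Run value with an empty name is not something installers create;
            # here it is the entry the moderator removes with File:: c:\msservice.exe.
            if m and m.group(1) == "":
                findings.append({"kind": "unnamed_run_value", "key": key, "target": m.group(2)})
        elif lkey.endswith(r"\policies\explorer") and lkey.startswith("hkey_local_machine"):
            m = VALUE_RE.match(line)
            # Machine-wide AutoRun restriction is empty; only the per-user value (189) exists.
            if m and m.group(1).lower() == "nodrivetypeautorun" and m.group(2) == "":
                findings.append({"kind": "autorun_policy_unset", "key": key, "target": ""})
        elif r"\mountpoints2\{" in lkey:
            m = MOUNT_CMD_RE.match(line)
            # Explorer caches each volume's autorun.inf verbs here; a worm-written
            # autorun.inf leaves its launcher under AutoRun/open/explore.
            if m:
                findings.append({"kind": "mountpoint_command", "key": key,
                                 "verb": m.group(1), "target": m.group(2),
                                 "suspicious": command_is_suspicious(m.group(2))})
    return findings


def suspicious_volume_keys(findings: list) -> list:
    """mountpoints2 keys whose cached AutoRun command looks worm-written; these
    are the keys a removal script would list for review."""
    return sorted({f["key"] for f in findings
                   if f["kind"] == "mountpoint_command" and f["suspicious"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print("volume keys to review:", suspicious_volume_keys(found))
```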

igor.p
Visitor
Posts: 14
Registered: 22 May 2007 05:50

Re: autorun.inf virus

#3 Post by igor.p »

ComboFix 10-05-25.03 - repronis 26.05.2010 10:17:31.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1024.533 [GMT 2:00]
Spuštěný z: c:\documents and settings\repronis\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\repronis\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\repronis\ctfmon.exe
c:\windows\regedit.com
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-26 do 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 07:36 . 2010-05-26 07:36 -------- d-----w- c:\program files\trend micro
2010-05-26 07:36 . 2010-05-26 07:36 -------- d-----w- C:\rsit
2010-05-25 11:53 . 2010-05-25 11:53 -------- d-----w- c:\program files\Usb Protector
2010-05-25 11:07 . 2010-05-25 11:07 -------- d-----w- c:\documents and settings\repronis\DoctorWeb
2010-05-25 08:24 . 2010-05-25 08:25 -------- d-----w- c:\program files\Panda USB Vaccine
2010-05-25 06:02 . 2010-05-25 06:02 -------- d---a-w- c:\windows\VDLL.DLL
2010-05-25 06:02 . 2010-05-25 06:02 -------- d---a-w- c:\windows\system32\runouce.exe
2010-05-25 06:02 . 2010-05-25 06:02 -------- d---a-w- c:\windows\RUNDL132.EXE
2010-05-25 06:02 . 2010-05-25 06:02 -------- d---a-w- c:\windows\logo_1.exe
2010-05-25 06:00 . 2010-05-25 06:00 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-05-25 06:00 . 2010-05-25 06:00 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-05-25 06:00 . 2008-04-14 12:00 137216 ----a-w- c:\windows\system32\T.COM
2010-05-25 06:00 . 2008-04-14 12:00 147968 ----a-w- c:\windows\R.COM
2010-05-25 06:00 . 2010-05-25 06:00 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-05-24 11:30 . 2008-04-14 06:51 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-24 11:30 . 2008-04-14 06:51 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-24 11:30 . 2001-10-24 09:54 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-05-24 11:30 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-24 11:30 . 2008-04-14 05:59 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-05-24 11:30 . 2008-04-14 05:59 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-24 11:29 . 2008-04-13 22:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-05-24 11:29 . 2008-04-13 22:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-05-24 11:29 . 2008-04-13 22:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-24 11:29 . 2008-04-13 22:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-05-19 07:22 . 2010-05-19 07:22 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2010-05-19 07:22 . 2009-04-27 12:21 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2010-05-19 07:22 . 2010-05-19 07:22 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-05-19 07:16 . 2010-05-19 07:22 -------- d-----w- c:\program files\TuneUp Utilities 2009
2010-05-19 07:04 . 2010-05-19 07:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-19 07:04 . 2010-05-19 07:07 -------- d-----w- c:\program files\Symantec
2010-05-19 06:55 . 2010-05-26 06:44 -------- d-----w- c:\program files\AutorunRemover
2010-05-13 01:00 . 2010-05-13 01:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-05-03 10:18 . 2010-05-03 10:19 -------- d-----w- C:\003448-galerie magna samolepky

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 09:49 . 2010-04-19 06:22 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-21 05:48 . 2008-04-14 12:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-04-21 05:48 . 2008-04-14 12:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-04-16 08:42 . 2010-04-16 08:42 -------- d-----w- c:\program files\MSXML 4.0
2010-04-16 08:31 . 2010-04-16 08:31 -------- d-----w- c:\program files\GretagMacbeth
2010-04-16 08:26 . 2010-04-16 08:26 -------- d-----w- c:\program files\CCleaner
2010-04-16 08:13 . 2010-04-16 08:09 -------- d-----w- c:\program files\Common Files\Ahead
2010-04-16 08:09 . 2010-04-16 08:09 -------- d-----w- c:\program files\Nero
2010-04-16 08:05 . 2010-04-16 08:05 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-16 08:00 . 2010-04-16 08:00 -------- d-----w- c:\program files\Common Files\Corel
2010-04-16 08:00 . 2010-04-16 08:00 -------- d-----w- c:\program files\Corel
2010-04-16 07:10 . 2010-04-16 06:36 -------- d-----w- c:\program files\Microsoft Works
2010-04-16 06:36 . 2010-04-16 06:36 -------- d-----w- c:\program files\MSBuild
2010-04-16 05:56 . 2008-08-14 05:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2010-04-16 05:45 . 2010-04-15 12:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-15 13:40 . 2010-04-15 12:17 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-15 13:40 . 2010-04-15 12:17 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-04-15 13:40 . 2010-04-15 12:17 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-04-15 13:03 . 2010-04-15 13:03 -------- d-----w- c:\program files\Adobe Media Player
2010-04-15 13:01 . 2010-04-15 13:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-15 12:57 . 2010-04-15 12:57 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-15 12:41 . 2010-04-15 12:41 0 ----a-w- c:\windows\nsreg.dat
2010-04-15 12:28 . 2010-04-15 12:28 -------- d-----w- c:\program files\ESET
2010-04-15 12:18 . 2010-04-15 12:18 -------- d-----w- c:\program files\microsoft frontpage
2010-04-15 12:14 . 2010-04-15 12:14 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-07 19:08 . 2010-04-07 19:08 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-04-07 19:07 . 2010-04-07 19:07 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-04-07 19:03 . 2010-04-07 19:03 139192 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-03-26 07:06 . 2010-03-19 21:36 81920 ----a-w- C:\msservice.exe
2010-03-10 06:17 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-04-07 2145000]
"AutorunRemover.exe"="c:\program files\AutorunRemover\AutorunRemover.exe" [2010-05-19 1257472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\repronis\Nabídka Start\Programy\Po spuštění\
Usb Protector 3.0.lnk - c:\program files\Usb Protector\USB Protector 3.0.exe [2010-3-18 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 10:10 18744 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-03 14:44 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-04-03 20:32 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-04-16 05:56 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 09:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-02-27 11:03 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Fasttrak;Fasttrak;c:\windows\system32\drivers\Fasttrak.sys [13.4.2010 12:03 69632]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7.4.2010 21:07 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7.4.2010 21:08 95872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7.4.2010 21:07 810120]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [16.4.2010 10:32 14416]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-05-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2010-05-26 c:\windows\Tasks\PandaUSBVaccine.job
- c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2010-05-25 14:45]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\documents and settings\repronis\Data aplikací\Mozilla\Firefox\Profiles\nvaqbtdk.default\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 10:20
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\PCANotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Celkový čas: 2010-05-26 10:22:11
ComboFix-quarantined-files.txt 2010-05-26 08:22

Před spuštěním: Volných bajtů: 28 320 583 680
Po spuštění: Volných bajtů: 28 824 051 712

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C90339712830AE5462CD953780254188

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: virus autorun.inf

#4 Post by JaRon »

FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/

igor.p
Visitor
Posts: 14
Registered: 22 May 2007 05:50

Re: virus autorun.inf

#5 Post by igor.p »

############################## | UsbFix V6.114 |

User : repronis (Administrators) # PRIJEM2
Update on 17/05/2010 by El Desaparecido , C_XX & Chimay8
Start at: 10:32:23 | 26.5.2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com

Intel(R) Pentium(R) III CPU family 1266MHz
Systém Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 8.0.6001.18702
Windows Firewall Status : Enabled
AV : ESET NOD32 Antivirus 4.2 4.2 [ Enabled | Updated ]

C:\ -> Místní pevný disk # 39,07 Go (26,84 Go free) # NTFS
D:\ -> Disk CD-ROM
E:\ -> Místní pevný disk # 426,69 Go (424,89 Go free) [DATA] # NTFS
F:\ -> Vyměnitelný disk # 1007,22 Mo (496,34 Mo free) # FAT

################## | Files # Infected Folders |

Deleted ! C:\WINDOWS\autorun.ini
Deleted ! C:\WINDOWS\rundl132.exe
Deleted ! E:\Recycler\S-1-5-21-776561741-1958367476-1644491937-1003
Deleted ! F:\autorun.inf

################## | Registry |

Deleted ! [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDrives"
Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDrives"

################## | Mountpoints2 |


################## | Listing of the present files |

[15.04.2010 14:18|---------|0] C:\AUTOEXEC.BAT
[15.04.2010 14:12|--a------|211] C:\Boot.bak
[26.05.2010 10:16|-rahs----|281] C:\boot.ini
[14.04.2008 14:00|-rahs----|4952] C:\Bootfont.bin
[03.08.2004 23:00|--a------|261312] C:\cmldr
[26.05.2010 10:22|--a------|14070] C:\ComboFix.txt
[15.04.2010 14:18|--a------|0] C:\CONFIG.SYS
[15.04.2010 14:18|-rahs----|0] C:\IO.SYS
[15.04.2010 14:18|-rahs----|0] C:\MSDOS.SYS
[26.03.2010 09:06|--a------|81920] C:\msservice.exe
[14.04.2008 14:00|-rahs----|47564] C:\NTDETECT.COM
[14.04.2008 14:00|-rahs----|250576] C:\ntldr
[?|?|?] C:\pagefile.sys
[26.05.2010 10:35|--a------|1898] C:\UsbFix.txt
[19.02.2008 09:42|--a------|236068] E:\marketing pl n RC.pdf
[15.02.2008 11:18|--a------|139452] E:\Markov +ćevźˇk.pdf
[12.05.2010 12:17|--a------|60416] F:\Transferov  objedn vka09.xls
[12.05.2010 12:20|--a------|281581] F:\kontaktnˇ karta.pdf
[12.05.2010 12:22|--a------|174568] F:\dotaznˇk znalost produkt….pdf
[12.05.2010 14:28|--a------|447966] F:\slouźeně k tisku.pdf
[12.05.2010 14:33|--a------|39955] F:\nov .pdf

################## | Vaccination |

# C:\autorun.inf -> Autorun.inf created by Flash_Disinfector (sUBs).
# E:\autorun.inf -> Autorun.inf created by Flash_Disinfector (sUBs).
# F:\autorun.inf -> Autorun.inf created by UsbFix (El Desaparecido).

################## | Upload |

Please send the file : C:\UsbFix_Upload_Me_PRIJEM2.zip : http://chiquitine.changelog.fr/Sample/Upload.php
Thank you for your contribution .

################## | ! End of report # UsbFix V6.114 ! |

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: virus autorun.inf

#6 Post by JaRon »

I think that's done :)
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/

igor.p
Visitor
Posts: 14
Registered: 22 May 2007 05:50

Re: virus autorun.inf

#7 Post by igor.p »

Thanks a lot for the help!!!
I just can't get my head around how the virus got into the computer past an up-to-date NOD32 (I'm not claiming it is all-powerful...), but as a preventive measure I'll probably have to keep something like Panda USB Vaccine running?

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: virus autorun.inf

#8 Post by JaRon »

1. you're welcome :)
2. check whether C:\msservice.exe was really deleted - if not, DELETE it
3. UsbFix has cleaned up the connected devices
4. for other / new USB sticks, use Panda Vaccine
5. NOD is quite reliable against autorun.inf, it seems strange to me too ,,, :wink:
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/
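A defender-side check in the spirit of JaRon's steps 2 to 4, added here as an example and not part of the thread, UsbFix or Panda USB Vaccine: it looks at a drive root's autorun.inf and tells apart the folder-style vaccine (an autorun.inf directory, the trick tools such as Flash_Disinfector use so a worm cannot write a file of that name), a real autorun.inf that launches a program, and a harmless label/icon file. The sample autorun.inf contents and file names below are constructed.

```python
"""Triage autorun.inf on a drive root (added example, not from the thread)."""
import configparser
import os
import tempfile

# [autorun] keys that make Windows run or offer a program on insert/double-click.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed samples: a worm-style file that launches an executable (file name
# is made up) and a benign file that only sets a volume label and icon.
SAMPLE_WORM_INF = ("[AutoRun]\nopen=RECYCLER\\sample.exe\n"
                   "shell\\open\\Command=RECYCLER\\sample.exe\n"
                   "shellexecute=RECYCLER\\sample.exe\n"
                   "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
SAMPLE_BENIGN_INF = "[autorun]\nlabel=DATA\nicon=setup.exe,0\n"


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys (section name is matched case-insensitively)."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False, delimiters=("=",))
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp.items(name))
    return {}


def launch_targets(text):
    """Programs the file would run: open=, shellexecute= and shell\\<verb>\\command= entries, deduplicated."""
    found = set()
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.add((value or "").strip())
    return sorted(found)


def classify_drive_root(root):
    """Classify root\\autorun.inf as 'none', 'vaccinated' (directory), 'launches' or 'benign'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "none", []
    if os.path.isdir(path):          # the vaccine: a directory a worm cannot replace with a file
        return "vaccinated", []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        targets = launch_targets(fh.read())
    return ("launches" if targets else "benign"), targets


def demo():
    """Build three constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("worm", SAMPLE_WORM_INF), ("benign", SAMPLE_BENIGN_INF)):
            os.mkdir(os.path.join(tmp, name))
            with open(os.path.join(tmp, name, "autorun.inf"), "w") as fh:
                fh.write(content)
        os.makedirs(os.path.join(tmp, "vaccinated", "autorun.inf"))
        for name in ("worm", "benign", "vaccinated"):
            results[name] = classify_drive_root(os.path.join(tmp, name))
    return results
```

On a real machine, call classify_drive_root on each removable drive root (for example "F:\\") and treat 'launches' as a reason to inspect the named file, not to open it.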
