Hi, at every startup a window pops up in some foreign language, something like Hungarian or whatever, with some kind of login. The program is called "PROJECT_DRLV_V0_6_1_1212266137.EXE" and it sits in WINDOWS\System32. When I delete it and restart, the window and the program in the same location appear again every time. It looks like a trojan. I ran the latest version of ESS, Spybot Search and Destroy and Trojan Remover over it; what they found had nothing to do with this.
*EDIT: Using MWAV I found the virus, it's called "Trojan.Win32.Regrun.pc", so if anyone knows how to deal with it, I'd ask for help... thanks a lot, F!
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:39:40, on 20.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
D:\Download\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\ati2vaaaac.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\ati2vaaaac.exe",
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D15DD46-03B8-4A05-B53A-995BEC682D52}: NameServer = 212.65.193.157 212.65.242.210
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
Thanks a lot for the help. F!
Trojan.Win32.Regrun.pc, what to do with it?
- F4kt0r
- Beginner
- Registered: 18 Oct 2006
- Residence: Prague
CPU - AMD 7800X3D @ 4,8 GHz | MB - ROG Strix B650E-F | RAM - 32GB DDR5 6000MHz | VGA - XFX AMD Radeon RX-6950XT MERC
- rary
- Beginner
- Registered: 20 Jun 2006
Re: Trojan.Win32.Regrun.pc, what to do with it?
Download ComboFix, save it to your desktop and then run it.
Follow the on-screen instructions; while ComboFix is running, don't click into the window it shows, because that can stop the process.
The computer may restart; that means malicious files were found and a restart is needed for ComboFix to delete them.
When it finishes, a log is created, so copy its contents here.
Note: administrator rights are required to run ComboFix.
- F4kt0r
- Beginner
- Registered: 18 Oct 2006
- Residence: Prague
Re: Trojan.Win32.Regrun.pc, what to do with it?
Thanks a lot for the help...
*EDIT: So I uninstalled ESS and tried Kaspersky, which found it and hopefully deleted it; nothing shows up at startup any more... I still think some leftovers will be lying around somewhere, but I'll be formatting eventually anyway... If you'd still take a look at the log, I'd be grateful... thanks
Here is the ComboFix log... The computer did not restart...
ComboFix 08-08-19.06 - F! 2008-08-21 12:27:32.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1531 [GMT 2:00]
Running from: D:\Download\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\F!\LOCALS~1\Temp\E_4
C:\Documents and Settings\F!\Data aplikací\macromedia\Flash Player\#SharedObjects\9KZ7AEQW\static.youku.com
C:\Documents and Settings\F!\Data aplikací\macromedia\Flash Player\#SharedObjects\9KZ7AEQW\static.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\F!\Data aplikací\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\F!\Data aplikací\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-21 10:16 . 2008-08-21 10:16 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-08-21 10:16 . 2008-08-21 10:16 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-08-21 10:16 . 2008-08-21 10:16 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-08-21 10:16 . 2008-08-21 10:16 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-08-21 10:16 . 2008-08-21 10:16 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-08-21 10:16 . 2008-08-21 10:16 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-08-21 10:11 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-08-21 10:11 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-08-21 10:11 . 2008-08-21 10:14 52 --a------ C:\WINDOWS\Lic.xxx
2008-08-21 10:10 . 2008-08-21 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2008-08-20 21:55 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-08-20 21:55 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-08-20 21:55 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-08-20 21:55 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-08-20 21:55 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-08-20 20:22 . 2008-08-21 09:07 524,800 --a------ C:\WINDOWS\system32\PROJECT_DRLV_V0_6_1_1212266137.EXE
2008-08-20 19:12 . 2008-08-20 19:12 <DIR> d-------- C:\Program Files\ESET
2008-08-19 15:17 . 2008-08-19 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Plocha
2008-08-10 20:18 . 2008-08-10 20:18 <DIR> dr-h----- C:\Documents and Settings\F!\Data aplikací\SecuROM
2008-08-10 20:18 . 2008-08-10 20:18 <DIR> dr-h----- C:\Documents and Settings\F!\Data aplikací\SecuROM
2008-08-10 20:18 . 2008-08-10 20:18 <DIR> dr-h----- C:\Documents and Settings\F!\Data aplikací\SecuROM
2008-08-10 09:58 . 2008-08-10 09:58 52,736 --a------ C:\WINDOWS\ipuninst.exe
2008-07-22 14:44 . 2008-07-22 14:44 <DIR> d-------- C:\Program Files\Mio Technology
2008-07-22 14:43 . 2008-07-22 14:43 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-22 14:43 . 2005-10-21 03:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-07-22 14:43 . 2005-10-21 03:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 07:52 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-08-20 18:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:49 --------- d-----w C:\Program Files\Trillian
2008-08-20 17:12 --------- d-----w C:\Program Files\RegClean
2008-08-19 16:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 07:06 --------- d-----w C:\Documents and Settings\F!\Data aplikací\uTorrent
2008-08-19 07:06 --------- d-----w C:\Documents and Settings\F!\Data aplikací\uTorrent
2008-08-19 07:06 --------- d-----w C:\Documents and Settings\F!\Data aplikací\uTorrent
2008-08-10 15:25 --------- d-----w C:\Program Files\Fraps
2008-08-09 20:35 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-27 17:23 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-27 17:23 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-05 13:45 --------- d--h--w C:\Documents and Settings\All Users\Data aplikací\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-07-01 07:04 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-07-01 07:04 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-07-01 07:04 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-07-01 06:57 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-07-01 06:56 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-26 18:31 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\SimCity Societies
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-29 20:25 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-05-29 20:25 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-12 09:11 22,328 ----a-w C:\Documents and Settings\F!\Data aplikací\PnkBstrK.sys
2008-04-12 09:11 22,328 ----a-w C:\Documents and Settings\F!\Data aplikací\PnkBstrK.sys
2008-04-12 09:11 22,328 ----a-w C:\Documents and Settings\F!\Data aplikací\PnkBstrK.sys
2008-01-03 20:42 1 ----a-w C:\Documents and Settings\F!\SI.bin
2006-11-02 00:17 529,408 --sha-r C:\WINDOWS\ati2vaaaac.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08 136136]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-11 08:16 1276416]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 21:34 868352]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE" [2006-05-10 10:48 94208]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 12:06 77824]
"diagnostics"="C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe" [2008-03-22 10:10 557149]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 11:38 88584]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 09:01 1447168]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"FighterFX"="C:\WINDOWS\ati2vaaaac.exe" [2006-11-02 02:17 529408]
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-25 20:45:02 593920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"OODefragTray"=C:\WINDOWS\system32\oodtray.exe
"<NO NAME>"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Thomson\\ST330\\service\\st330service.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Game\\GRID\\GRID.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Game\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
R3 ST330;ST330;C:\WINDOWS\system32\drivers\st330.sys [2008-03-20 23:42]
R3 STBUS;STBUS;C:\WINDOWS\system32\drivers\stbus.sys [2008-03-20 23:42]
R3 STETH;SpeedTouch Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\steth.sys [2008-03-20 23:42]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-03 22:49]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}]
"C:\WINDOWS\ati2vaaaac.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder
2008-08-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C2266DB3-77DF-4D4B-96C2-010B292E846A}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: E&xportovat do aplikace Microsoft Office Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{4D15DD46-03B8-4A05-B53A-995BEC682D52}: NameServer = 212.65.193.157 212.65.242.210
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 12:29:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
.
Completion time: 2008-08-21 12:29:35
ComboFix-quarantined-files.txt 2008-08-21 10:29:29
Pre-Run: Volných bajtů: 29,797,560,320
Post-Run: Volných bajtů: 31,632,474,112
185 --- E O F --- 2008-08-13 13:33:42
CPU - AMD 7800X3D @ 4,8 GHz | MB - ROG Strix B650E-F | RAM - 32GB DDR5 6000MHz | VGA - XFX AMD Radeon RX-6950XT MERC
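The F2 Shell/UserInit lines in the HijackThis log of the first post and the policies\explorer\Run, Security Center Monitoring, firewall and Active Setup entries in the ComboFix log above are the indicators that the CFScript in the reply below addresses. As an added example that is not part of this thread, here is a Python script that flags those entries in log text of this shape, then applies the Registry:: section of such a script to an in-memory copy of the dump and re-runs the checks. The sample lines are abridged copies of what was posted here; the parsing rules, the expected stock values for Shell and UserInit and the category names are my own assumptions, not HijackThis or ComboFix logic.

```python
import re

# Constructed samples, abridged from the logs and the CFScript posted in this thread.
HJT_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\ati2vaaaac.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\ati2vaaaac.exe",
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
"""
REG_DUMP = r"""
REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"FighterFX"="C:\WINDOWS\ati2vaaaac.exe" [2006-11-02 02:17 529408]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}]
"C:\WINDOWS\ati2vaaaac.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
"""
CFSCRIPT = r"""
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"FighterFX"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}]
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# Assumed stock XP logon values; any further component in Shell or UserInit is a hijack.
EXPECTED = {"Shell": "explorer.exe", "UserInit": r"c:\windows\system32\userinit.exe"}

def check_logon_lines(text):
    """(category, path) for every extra component in HijackThis F2 Shell/UserInit lines."""
    findings = []
    for m in filter(None, (F2_RE.match(l.strip()) for l in text.splitlines())):
        name, value = m.groups()
        # Components are comma- or space-separated and may be quoted.
        parts = [q or p for q, p in re.findall(r'"([^"]*)"|([^\s,"]+)', value)]
        findings += [("logon-hijack:" + name, p) for p in parts if p.lower() != EXPECTED[name]]
    return findings

def parse_regedit(text):
    """Build {key_lower: {value_name: data}} from a REGEDIT4-style ComboFix dump."""
    reg, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if km := KEY_RE.match(line):
            key = km.group(2).lower()
            reg.setdefault(key, {})
        elif line and key is not None:
            vm = VALUE_RE.match(line)
            if vm:
                reg[key][vm.group(1)] = vm.group(2).strip()
            else:  # bare line under a key is its default value (Active Setup stub here)
                reg[key]["(default)"] = line.strip('"')
    return reg

def apply_cfscript_registry(reg, script):
    """Apply a CFScript Registry:: section to a copy of the model, with the syntax used
    in the thread: [-key] deletes the key, "name"=- deletes the value, otherwise set."""
    reg = {k: dict(v) for k, v in reg.items()}
    key, active = None, False
    for line in (l.strip() for l in script.splitlines()):
        if line.endswith("::"):
            active = line == "Registry::"
        elif active and (km := KEY_RE.match(line)):
            key = km.group(2).lower()
            if km.group(1) == "-":
                reg.pop(key, None)
                key = None
            else:
                reg.setdefault(key, {})
        elif active and key is not None and (vm := VALUE_RE.match(line)):
            name, data = vm.group(1), vm.group(2).strip()
            if data == "-":
                reg[key].pop(name, None)
            else:
                reg[key][name] = data
    return reg

def find_indicators(reg):
    """(category, detail) for the defence-evasion and persistence entries in the model."""
    out = []
    for key, values in reg.items():
        for name, data in values.items():
            dword = int(data[6:], 16) if data.startswith("dword:") else None
            if "security center\\monitoring" in key and name.lower() == "disablemonitoring" and dword:
                out.append(("security-center-disabled", key))
            elif key.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall" and data.split()[:1] == ["0"]:
                out.append(("firewall-disabled", key))
            elif key.endswith("policies\\explorer\\run"):
                out.append(("policy-run-entry", name + "=" + data))
            elif "active setup\\installed components" in key and data.lower().endswith(".exe"):
                out.append(("active-setup-exe", data))
    return out

if __name__ == "__main__":
    print("HijackThis:", check_logon_lines(HJT_LINES))
    model = parse_regedit(REG_DUMP)
    print("before CFScript:", find_indicators(model))
    print("after CFScript: ", find_indicators(apply_cfscript_registry(model, CFSCRIPT)))
```

Running it shows that the Registry:: section clears the Run-policy entry, restores Security Center monitoring and removes the Active Setup component, but EnableFirewall = 0 in the standard profile is left as it was, so the Windows firewall still has to be switched back on separately (or, as F4kt0r plans, the system reinstalled).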
- rary
- Beginner
- Registered: 20 Jun 2006
Re: Trojan.Win32.Regrun.pc, what to do with it?
Sorry for the late reply.
Move ComboFix to the desktop.
Open Notepad and paste the following into it, then save it to the desktop under the name CFScript.txt (under "Save as type" choose All Files) and drag the file onto ComboFix. ComboFix will run and, when the operation finishes, it will create a log, so copy its contents here.
Code:
File::
C:\WINDOWS\system32\PROJECT_DRLV_V0_6_1_1212266137.EXE
C:\WINDOWS\ati2vaaaac.exe
DirLook::
C:\Documents and Settings\All Users\Data aplikací\{0E8E33D8-193A-414A-A909-0F101A142D26}
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"FighterFX"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}]