Prosím o kontrolu logu z Combofixu

[ceskyraj-jiri]

Dobrý den,
prosím o kontrolu logu, podezřele dlouho mi nabíhají Office.
Děkuji
Jiří
----------------------------
ComboFix 11-01-12.04 - user 13.01.2011 16:36:51.5.2 - x86
Systm Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2038.1524 [GMT 1:00]
Sputn z: d:\z_internetu\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Ostatn vmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Dokumenty\DPE.DUS

.
((((((((((((((((((((((((( Soubory vytvoen od 2010-12-13 do 2011-01-13 )))))))))))))))))))))))))))))))
.

2011-01-13 15:10 . 2011-01-13 15:10 -------- d-----w- c:\windows\SHELLNEW
2011-01-13 15:09 . 2011-01-13 15:09 -------- d-----w- c:\program files\Microsoft.NET
2011-01-11 08:02 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Data aplikac\Microsoft\Windows Defender\Definition Updates\{C89553F6-8EC3-4872-BC0D-7394E846BFD4}\mpengine.dll
2010-12-30 08:59 . 2010-12-30 09:00 -------- d-----w- c:\program files\Common Files\Activ Software
2010-12-30 08:59 . 2010-12-30 09:00 -------- d-----w- c:\program files\Activ Software
2010-12-15 07:24 . 2010-12-15 07:24 -------- d-----w- c:\documents and settings\user\Data aplikac\$CUERoot$
2010-12-15 06:59 . 2010-12-15 07:23 -------- d-----w- c:\program files\HP
2010-12-15 06:59 . 2010-12-15 06:59 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2010-12-15 06:57 . 2010-12-15 06:57 1409 ----a-w- c:\windows\system32\tmp8E676.FOT
2010-12-15 06:57 . 2010-12-15 06:57 1409 ----a-w- c:\windows\system32\tmp70776.FOT
2010-12-15 06:57 . 2010-12-15 06:57 1409 ----a-w- c:\windows\system32\tmp64776.FOT
2010-12-15 06:57 . 2010-12-15 06:57 1409 ----a-w- c:\windows\system32\tmp55776.FOT
2010-12-15 06:57 . 2010-12-15 06:57 1409 ----a-w- c:\windows\system32\tmp48776.FOT
2010-12-15 06:57 . 2010-12-15 06:57 1409 ----a-w- c:\windows\system32\tmp47776.FOT
2010-12-15 06:20 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 06:19 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M vpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:15 . 2008-12-09 09:36 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 04:33 . 2008-12-15 10:23 6273872 ----a-w- c:\documents and settings\All Users\Data aplikac\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-11-09 14:52 . 2002-09-23 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:23 . 2002-09-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:23 . 2002-09-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:23 . 2002-09-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-12-10 09:46 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-09-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:09 . 2002-09-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:58 . 2002-09-23 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 09:41 . 2009-10-03 15:33 222080 ------w- c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((( Spoutc body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznmka* przdn zznamy a legitimn vchoz daje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-12-21 1803064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\System32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-06-10 1092896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\user\Nabdka Start\Programy\Po sputn\
Uzivatel.lnk - c:\program files\User_name\JmenoUzivatele.exe [2008-12-10 302592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GLOBALLYOPENPORTS\List]
"5509:TCP"= 5509:TCP:oa_nh9
"5508:TCP"= 5508:TCP:oa_nh8
"5507:TCP"= 5507:TCP:oa_nh7
"5506:TCP"= 5506:TCP:oa_nh6
"5505:TCP"= 5505:TCP:oa_nh5
"5504:TCP"= 5504:TCP:oa_nh4
"5503:TCP"= 5503:TCP:oa_nh3
"5502:TCP"= 5502:TCP:oa_nh2
"5501:TCP"= 5501:TCP:oa_nh1
"5500:TCP"= 5500:TCP:oa_nh0
"5020:TCP"= 5020:TCP:oa_rcclient
"5985:TCP"= 5985:TCP:*:Disabled:Vzdlen sprva systmu Windows

R0 oaFile;oaFile;c:\windows\system32\drivers\oafile.sys [12.12.2008 10:34 37376]
R0 oaRegMgr;oaRegMgr;c:\windows\system32\drivers\oaRegMgr.sys [12.12.2008 10:34 18944]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19.3.2009 10:44 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [1.7.2008 9:04 93848]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [19.3.2009 10:44 731840]
R2 rcClient;rcClient;c:\program files\OA10\rcClient --> c:\program files\OA10\rcClient [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 19:19 13592]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [26.5.2010 15:20 74752]
S3 oaServerNT;oaServerNT;c:\program files\OA10\oaServerNT --> c:\program files\OA10\oaServerNT [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [23.9.2002 13:00 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Obsah adrese 'Naplnovan lohy'

2011-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Doplkov sken -------
.
uStart Page = hxxp://www.ghorice.cz/
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A7F17E52-CE4A-4939-A585-14A28CEFE9CC} = 192.168.180.2,192.168.176.3,192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Data aplikac\Mozilla\Firefox\Profiles\bq9kvfv0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ghorice.cz
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-13 16:39
Windows 5.1.2600 Service Pack 3 NTFS

skenovn skrytch proces ...

skenovn skrytch poloek 'Po sputn' ...

skenovn skrytch soubor ...

sken byl spen dokonen
skryt soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oaServerNT]
"ImagePath"="c:\program files\OA10\oaServerNT"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rcClient]
"ImagePath"="c:\program files\OA10\rcClient"
.
--------------------- Knihovny navzan na bc procesy ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\NETWIN32.DLL
.
Celkov as: 2011-01-13 16:40:09
ComboFix-quarantined-files.txt 2011-01-13 15:40

Ped sputnm: 3799740416
Po sputn: 3784470528

- - End Of File - - 9E164F4F0D9377649C72E6BBEAE7FB9E

[Rudy]

Ještě dočistíme. Přesuňte ComboFix na plochu. Otevřte poznámkový blok a zkopírujte do něj:

Collect::
c:\windows\system32\tmp8E676.FOT
c:\windows\system32\tmp70776.FOT
c:\windows\system32\tmp64776.FOT
c:\windows\system32\tmp55776.FOT
c:\windows\system32\tmp48776.FOT
c:\windows\system32\tmp47776.FOT

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.