Hello,
every time I turn on the PC, NIS 2009 throws up the message "Infostealer.gampass cannot be removed - access denied". NIS 2009 is unable to fix it. Please advise.
Thank you, Jirka
I'm attaching the HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:45, on 25.5.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\Software\..\Telephony: DomainName = IT4U.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IT4U.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
--
End of file - 8812 bytes
Infostealer.gampass Solved
- Damned
Re: Infostealer.gampass
Download Malwarebytes' Anti-Malware
Install it and run it
- at the end of the installation, make sure both options are selected/checked:
Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; if they are, click the Finish button
- if an update is found, it will be downloaded and installed
- the program will then start; leave the Perform quick scan option selected and click the Scan button
- when the program finishes, a message will appear; click OK and then the Show Results button
- then choose the save log option and save the log to the desktop
- then click the Exit button; a message will appear, choose Yes
(don't delete anything yet!).
Then paste the contents of that log here.
Nothing is impossible, which is why, where reason fails us, we don't hesitate to use a hammer.
If you want to know what's new, look in old books.
Damned's Czech localizations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localization, Wise Registry Cleaner
Re: Infostealer.gampass
So here is the resulting log.
Jirka
Malwarebytes' Anti-Malware 1.36
Verze databáze: 2176
Windows 6.0.6001 Service Pack 1
25.5.2009 14:08:29
mbam-log-2009-05-25 (14-08-09).txt
Typ skenu: Rychlý sken
Objektu skenováno: 81269
Uplynulý cas: 5 minute(s), 15 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 1
Infikované složky: 0
Infikované soubory: 0
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované položky dat registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
(Žádné zákerné položky nebyly zjišteny)
- Damned
Re: Infostealer.gampass
So run MBAM again and click Scan
- when the program finishes, a message will appear; click OK and then the Show Results button
- make sure all the listed findings are checked and click the Remove Selected button
- when the removal finishes, a log will be displayed; post it here.
- then click OK in the program and close it via Exit
Turn off the resident shield of your antivirus (and of your antispyware, if you have one).
Download ComboFix (by sUBs)
or ComboFix (subs)
and save it to the desktop.
Close all active windows and run it.
- After it starts, the terms of use will be shown; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window it displays
- After the scan finishes, the program should create a log - C:\ComboFix.txt - please paste its entire contents here
Re: Infostealer.gampass
I ran MBAM and the scan, all OK. It found one infection and I clicked Remove. But I didn't save the log and copy it into the e-mail. I clicked OK and unfortunately the machine restarted. But I think I found the right one.
I'll send the rest after ComboFix (I have to close this window)
Malwarebytes' Anti-Malware 1.36
Verze databáze: 2176
Windows 6.0.6001 Service Pack 1
25.5.2009 14:33:02
mbam-log-2009-05-25 (14-33-02).txt
Typ skenu: Rychlý sken
Objektu skenováno: 81193
Uplynulý cas: 3 minute(s), 54 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 1
Infikované složky: 0
Infikované soubory: 0
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované položky dat registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
(Žádné zákerné položky nebyly zjišteny)
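As an added example that is not part of this thread, the PowerShell script below checks the setting MBAM flagged above as Hijack.System.Hidden: it reads the SHOWALL\CheckedValue the log shows as "Bad: (0) Good: (1)", reports whether it has been tampered with, and with the assumed -Repair switch puts it back to 1 the way the "Quarantined and deleted" step did. The script name and the -Repair switch are assumptions; the registry path and the good/bad values come from the log.

```powershell
# Added example, not from the forum thread: audit (and optionally restore) the
# Explorer "Show hidden files" setting that MBAM reported as Hijack.System.Hidden.
# Save as Check-ShowAll.ps1 (assumed name) and run it from an elevated prompt.
param([switch]$Repair)   # -Repair is an assumed switch; without it the script only reports

$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$Name = 'CheckedValue'
$Good = 1    # the value MBAM reports as "Good"; 0 is the hijacked "Bad" state seen in the log

function Get-ShowAllCheckedValue {
    # Returns the current DWORD, or $null when the key or the value is missing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$Current = Get-ShowAllCheckedValue
if ($null -eq $Current) {
    Write-Warning "$Key\$Name is missing: Explorer cannot offer 'Show hidden files and folders'."
}
elseif ($Current -eq $Good) {
    Write-Host "OK: $Name = $Current (hidden-files option intact)"
}
else {
    # A value of 0 keeps the 'Show hidden files' radio button from taking effect,
    # which is how malware hides its files from a user browsing in Explorer.
    Write-Warning "Tampered: $Name = $Current, expected $Good (matches MBAM's Hijack.System.Hidden)"
}

if ($Repair -and $Current -ne $Good) {
    # Restore the value as MBAM's quarantine step did; this needs administrator rights.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Good -Type DWord
    Write-Host "Restored $Name to $Good; the option works again the next time Folder Options is opened."
}
```

Running it without -Repair after a clean-up is a quick way to confirm that the setting stayed fixed across the reboot the thread mentions.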
Re: Infostealer.gampass
And here is the log from after ComboFix
ComboFix 09-05-24.07 - svoboda 25.05.2009 14:59.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1250.420.1029.18.1527.637 [GMT 2:00]
Spuštěný z: c:\users\svoboda\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\x64
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-25 do 2009-05-25 )))))))))))))))))))))))))))))))
.
2009-05-25 10:39 . 2009-05-25 10:39 -------- d-----w c:\program files\Trend Micro
2009-05-25 10:10 . 2008-12-11 06:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-25 10:10 . 2009-04-03 09:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-25 10:10 . 2008-12-18 10:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-25 10:09 . 2009-05-25 10:14 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-25 10:09 . 2008-12-10 09:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-25 10:09 . 2009-05-25 10:15 -------- d-----w c:\program files\Spyware Doctor
2009-05-25 10:09 . 2009-05-25 10:09 -------- d-----w c:\users\svoboda\AppData\Roaming\PC Tools
2009-05-25 10:09 . 2009-05-25 10:09 -------- d-----w c:\progra~2\PC Tools
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\users\svoboda\AppData\Roaming\Malwarebytes
2009-05-25 07:51 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 07:51 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\progra~2\Malwarebytes
2009-05-22 13:56 . 2009-05-22 13:56 -------- d-----w c:\program files\Enigma Software Group
2009-05-22 13:04 . 2009-05-22 13:05 -------- d-----w c:\program files\Ontrack
2009-05-22 12:07 . 2009-05-22 12:18 -------- d-----w c:\program files\File Scavenger 3.2
2009-05-21 14:31 . 2009-05-21 14:31 -------- d-----w C:\Foto
2009-05-21 13:02 . 2009-05-21 13:02 -------- d-----w c:\program files\Active Data Recovery Services
2009-05-13 07:26 . 2009-05-13 07:26 -------- d-----w c:\users\svoboda\AppData\Local\Apps
2009-05-06 07:02 . 2009-05-06 07:02 -------- d-----w c:\progra~2\WindowsSearch
2009-04-30 11:30 . 2009-05-18 07:08 -------- d-----w c:\program files\Gacela
2009-04-30 07:14 . 2009-04-30 07:14 -------- d-----w c:\progra~2\FLEXnet
2009-04-30 07:01 . 2009-04-30 07:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-27 07:57 . 2009-05-22 14:27 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-27 07:56 . 2009-04-27 08:22 -------- d-----w c:\users\svoboda\AppData\Local\Ahead
2009-04-27 07:54 . 2009-05-15 13:44 -------- d-----w c:\users\svoboda\AppData\Roaming\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\progra~2\Nero
2009-04-27 07:50 . 2009-04-27 07:56 -------- d-----w c:\program files\Common Files\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\program files\Nero
2009-04-27 07:41 . 2009-04-27 07:41 -------- d-----w c:\users\svoboda\AppData\Roaming\InterVideo
2009-04-27 07:27 . 2009-05-11 09:34 -------- d-----w c:\users\svoboda\AppData\Local\Adobe
2009-04-27 07:24 . 2009-05-13 07:33 -------- d-----w c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 12:43 . 2008-01-21 06:01 598832 ----a-w c:\windows\system32\perfh005.dat
2009-05-25 12:43 . 2008-01-21 06:01 114992 ----a-w c:\windows\system32\perfc005.dat
2009-05-25 12:35 . 2009-04-23 10:13 12 ----a-w c:\windows\bthservsdp.dat
2009-05-22 13:06 . 2009-04-23 10:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-22 13:03 . 2009-04-24 07:54 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-13 11:27 . 2009-04-24 08:27 100944 ----a-w c:\users\svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-13 07:14 . 2009-05-13 07:14 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-05-13 06:33 . 2009-04-23 13:07 -------- d-----w c:\progra~2\Microsoft Help
2009-05-13 06:31 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-06 06:56 . 2009-04-23 13:13 -------- d-----w c:\program files\Microsoft Works
2009-04-27 07:14 . 2009-04-24 10:59 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-27 06:49 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Symantec
2009-04-24 10:59 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Norton
2009-04-24 10:59 . 2009-04-24 10:59 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-24 10:59 . 2009-04-24 10:59 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-24 10:59 . 2009-04-24 10:59 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-24 10:59 . 2009-04-24 10:59 -------- d-----w c:\program files\Symantec
2009-04-24 10:58 . 2009-04-24 10:59 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\Norton Internet Security
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\progra~2\NortonInstaller
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\NortonInstaller
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\progra~2\InstallShield
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\program files\Macrovision Corp
2009-04-24 07:57 . 2009-04-24 07:57 -------- d-----w c:\program files\InterVideo
2009-04-24 07:55 . 2009-04-24 07:55 -------- d-----w c:\program files\Common Files\InterVideo
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Twist Inspire
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Crystal Decisions
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Common Files\Crystal Decisions
2009-04-23 13:34 . 2009-04-23 13:11 -------- d-----w c:\program files\Microsoft.NET
2009-04-23 13:33 . 2009-04-23 13:27 -------- d-----w c:\program files\Microsoft Small Business
2009-04-23 13:25 . 2009-04-23 13:23 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-23 13:13 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild
2009-04-23 13:09 . 2009-04-23 13:09 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-23 12:21 . 2009-04-23 10:28 -------- d-----w c:\program files\Hewlett-Packard
2009-04-23 12:10 . 2009-04-23 12:10 -------- d-----w c:\program files\HP PCMCIA Smart Card Reader
2009-04-23 11:56 . 2009-04-23 11:56 -------- d-----w c:\program files\Cisco
2009-04-23 11:55 . 2009-04-23 11:55 -------- d-----w c:\program files\Broadcom
2009-04-23 11:55 . 2009-04-23 11:55 6656 ----a-w c:\windows\system32\bcmwlrc.dll
2009-04-23 10:40 . 2009-04-23 10:40 -------- d-----w c:\program files\HPQ
2009-04-23 10:27 . 2009-04-23 10:27 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-23 09:06 . 2009-04-23 09:06 -------- d-----w c:\program files\Fingerprint Sensor
2009-04-23 08:13 . 2009-04-23 08:13 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-04-23 08:13 . 2009-04-23 08:13 -------- d-----w c:\program files\Synaptics
2009-04-23 08:12 . 2009-04-23 08:12 -------- d-----w c:\program files\Analog Devices
2009-04-23 08:03 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-23 07:26 . 2009-04-23 07:26 -------- d-----w c:\program files\LSI SoftModem
2009-04-23 07:03 . 2009-04-23 07:03 -------- d-----w c:\program files\Intel
2009-04-23 06:40 . 2009-04-23 06:40 -------- d-----w c:\program files\HP
2009-04-23 06:32 . 2008-11-17 05:23 3636864 ----a-w c:\windows\system32\drivers\NETw5x32.sys
2009-04-23 06:32 . 2008-06-20 07:33 2756608 ----a-w c:\windows\system32\NETw5r32.dll
2009-04-23 06:32 . 2008-06-20 07:32 663552 ----a-w c:\windows\system32\NETw5c32.dll
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Plocha
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Oblíbené položky
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Šablony
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Nabídka Start
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Dokumenty
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Data aplikací
2009-03-17 03:38 . 2009-04-23 06:37 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-23 06:37 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-06 06:48 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-06 06:48 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-06 06:48 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-06 06:48 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-06 06:48 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-06 06:48 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-06 06:48 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-06 06:48 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-06 06:48 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-06 06:48 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-06 06:48 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-06 06:48 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-06 06:48 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-06 06:48 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-06 06:48 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-06 06:48 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-06 06:48 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-06 06:48 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-23 06:37 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:46 . 2009-04-23 06:37 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:39 . 2009-04-23 06:37 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-23 06:37 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-23 06:37 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-23 06:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-23 06:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-23 06:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-23 06:37 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-23 06:37 17408 ----a-w c:\windows\system32\iashost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-13 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-13 129560]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-26 177456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
c:\users\svoboda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\users\svoboda\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4A1A04D8-A554-4790-9885-6C358DDCFA5D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1598A482-9CD3-4B33-9F13-582719FB4B2B}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{CBDD4BC7-3317-443B-B9F1-A7024A7F1204}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D9BC4052-3CFF-48F3-BA43-D966C9226476}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{14A5DBAB-CBE1-4276-8D6F-D3D8B713FCA5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{557A7D69-ADA7-4B2B-A28F-7EEB79C600D0}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{854360C6-4BD2-417C-913E-D5AB32F677F0}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"{0FF920F9-E384-4FE2-B698-DDF8EA6282D1}"= UDP:990:LocalSubnet:LocalSubnet|IF={9859FF6A-38BB-4669-8F24-86E7FE9EF8C3}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [25.5.2009 12:10 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1005000.086\SymEFA.sys [24.4.2009 12:58 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1005000.086\BHDrvx86.sys [24.4.2009 12:58 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1005000.086\cchpx86.sys [24.4.2009 12:58 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys [20.5.2009 8:27 292912]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [31.1.2008 14:47 18944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe [24.4.2009 12:58 115560]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.1.2008 4:23 179712]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23.4.2009 12:28 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21.5.2009 11:50 101936]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17.11.2008 15:40 3668480]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1005000.086\symndisv.sys [24.4.2009 12:58 39984]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [25.5.2009 12:09 348752]
--- Ostatní služby/ovladače v paměti ---
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
SafeBoot-procexp90.Sys
.
------- Doplňkový sken -------
.
uStart Page = www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 15:03
Windows 6.0.6001 Service Pack 1 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Celkový čas: 2009-05-25 15:05
ComboFix-quarantined-files.txt 2009-05-25 13:04
Před spuštěním: Volných bajtů: 103 587 450 880
Po spuštění: Volných bajtů: 103 621 902 336
241 --- E O F --- 2009-05-13 07:06
- Damned
Re: Infostealer.gampass
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the whole of the following text, marked in green, into it:
File::
c:\users\svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
c:\windows\inf\drvindex.dat
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt here
Save as type: select All Files
Save the file to the desktop.
Close all open windows.
Drag the CFScript.txt script you created onto the downloaded ComboFix.exe
and, when the two files overlap, drop the script.

- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process, plus a new HJT log
Nothing is impossible; that is why, where reason fails us, we do not hesitate to use a hammer.
If you want to know what's new, look in old books.
Damned's Czech localizations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localization, Wise Registry Cleaner
- Damned
Re: Infostealer.gampass
Then check the files marked in red on VirusTotal.
c:\windows\system32\wextract.exe
c:\windows\system32\drivers\mchInjDrv.sys
Then post the links to the results here.
Re: Infostealer.gampass
Hello, here are the further results:
from ComboFix:
ComboFix 09-05-25.05 - svoboda 26.05.2009 8:40.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1250.420.1029.18.1527.576 [GMT 2:00]
Spuštěný z: c:\users\svoboda\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-26 do 2009-05-26 )))))))))))))))))))))))))))))))
.
2009-05-25 10:39 . 2009-05-25 10:39 -------- d-----w c:\program files\Trend Micro
2009-05-25 10:10 . 2008-12-11 06:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-25 10:10 . 2009-04-03 09:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-25 10:10 . 2008-12-18 10:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-25 10:09 . 2009-05-25 10:14 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-25 10:09 . 2008-12-10 09:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-25 10:09 . 2009-05-25 10:15 -------- d-----w c:\program files\Spyware Doctor
2009-05-25 10:09 . 2009-05-25 10:09 -------- d-----w c:\users\svoboda\AppData\Roaming\PC Tools
2009-05-25 10:09 . 2009-05-25 10:09 -------- d-----w c:\progra~2\PC Tools
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\users\svoboda\AppData\Roaming\Malwarebytes
2009-05-25 07:51 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 07:51 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\progra~2\Malwarebytes
2009-05-22 13:56 . 2009-05-22 13:56 -------- d-----w c:\program files\Enigma Software Group
2009-05-22 13:04 . 2009-05-22 13:05 -------- d-----w c:\program files\Ontrack
2009-05-22 12:07 . 2009-05-22 12:18 -------- d-----w c:\program files\File Scavenger 3.2
2009-05-21 14:31 . 2009-05-21 14:31 -------- d-----w C:\Foto
2009-05-21 13:02 . 2009-05-21 13:02 -------- d-----w c:\program files\Active Data Recovery Services
2009-05-13 07:26 . 2009-05-13 07:26 -------- d-----w c:\users\svoboda\AppData\Local\Apps
2009-05-06 07:02 . 2009-05-06 07:02 -------- d-----w c:\progra~2\WindowsSearch
2009-04-30 11:30 . 2009-05-18 07:08 -------- d-----w c:\program files\Gacela
2009-04-30 07:14 . 2009-04-30 07:14 -------- d-----w c:\progra~2\FLEXnet
2009-04-30 07:01 . 2009-04-30 07:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-27 07:57 . 2009-05-22 14:27 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-27 07:56 . 2009-04-27 08:22 -------- d-----w c:\users\svoboda\AppData\Local\Ahead
2009-04-27 07:54 . 2009-05-15 13:44 -------- d-----w c:\users\svoboda\AppData\Roaming\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\progra~2\Nero
2009-04-27 07:50 . 2009-04-27 07:56 -------- d-----w c:\program files\Common Files\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\program files\Nero
2009-04-27 07:41 . 2009-04-27 07:41 -------- d-----w c:\users\svoboda\AppData\Roaming\InterVideo
2009-04-27 07:27 . 2009-05-11 09:34 -------- d-----w c:\users\svoboda\AppData\Local\Adobe
2009-04-27 07:24 . 2009-05-13 07:33 -------- d-----w c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 06:22 . 2008-01-21 06:01 598832 ----a-w c:\windows\system32\perfh005.dat
2009-05-26 06:22 . 2008-01-21 06:01 114992 ----a-w c:\windows\system32\perfc005.dat
2009-05-25 14:20 . 2009-04-23 10:13 12 ----a-w c:\windows\bthservsdp.dat
2009-05-22 13:06 . 2009-04-23 10:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-22 13:03 . 2009-04-24 07:54 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-13 11:27 . 2009-04-24 08:27 100944 ----a-w c:\users\svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-13 07:14 . 2009-05-13 07:14 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-05-13 06:33 . 2009-04-23 13:07 -------- d-----w c:\progra~2\Microsoft Help
2009-05-13 06:31 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-06 06:56 . 2009-04-23 13:13 -------- d-----w c:\program files\Microsoft Works
2009-04-27 07:14 . 2009-04-24 10:59 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-27 06:49 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Symantec
2009-04-24 10:59 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Norton
2009-04-24 10:59 . 2009-04-24 10:59 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-24 10:59 . 2009-04-24 10:59 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-24 10:59 . 2009-04-24 10:59 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-24 10:59 . 2009-04-24 10:59 -------- d-----w c:\program files\Symantec
2009-04-24 10:58 . 2009-04-24 10:59 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\Norton Internet Security
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\progra~2\NortonInstaller
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\NortonInstaller
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\progra~2\InstallShield
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\program files\Macrovision Corp
2009-04-24 07:57 . 2009-04-24 07:57 -------- d-----w c:\program files\InterVideo
2009-04-24 07:55 . 2009-04-24 07:55 -------- d-----w c:\program files\Common Files\InterVideo
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Twist Inspire
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Crystal Decisions
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Common Files\Crystal Decisions
2009-04-23 13:34 . 2009-04-23 13:11 -------- d-----w c:\program files\Microsoft.NET
2009-04-23 13:33 . 2009-04-23 13:27 -------- d-----w c:\program files\Microsoft Small Business
2009-04-23 13:25 . 2009-04-23 13:23 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-23 13:13 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild
2009-04-23 13:09 . 2009-04-23 13:09 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-23 12:21 . 2009-04-23 10:28 -------- d-----w c:\program files\Hewlett-Packard
2009-04-23 12:10 . 2009-04-23 12:10 -------- d-----w c:\program files\HP PCMCIA Smart Card Reader
2009-04-23 11:56 . 2009-04-23 11:56 -------- d-----w c:\program files\Cisco
2009-04-23 11:55 . 2009-04-23 11:55 -------- d-----w c:\program files\Broadcom
2009-04-23 11:55 . 2009-04-23 11:55 6656 ----a-w c:\windows\system32\bcmwlrc.dll
2009-04-23 10:40 . 2009-04-23 10:40 -------- d-----w c:\program files\HPQ
2009-04-23 10:27 . 2009-04-23 10:27 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-23 09:06 . 2009-04-23 09:06 -------- d-----w c:\program files\Fingerprint Sensor
2009-04-23 08:13 . 2009-04-23 08:13 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-04-23 08:13 . 2009-04-23 08:13 -------- d-----w c:\program files\Synaptics
2009-04-23 08:12 . 2009-04-23 08:12 -------- d-----w c:\program files\Analog Devices
2009-04-23 08:03 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-23 07:26 . 2009-04-23 07:26 -------- d-----w c:\program files\LSI SoftModem
2009-04-23 07:03 . 2009-04-23 07:03 -------- d-----w c:\program files\Intel
2009-04-23 06:40 . 2009-04-23 06:40 -------- d-----w c:\program files\HP
2009-04-23 06:32 . 2008-11-17 05:23 3636864 ----a-w c:\windows\system32\drivers\NETw5x32.sys
2009-04-23 06:32 . 2008-06-20 07:33 2756608 ----a-w c:\windows\system32\NETw5r32.dll
2009-04-23 06:32 . 2008-06-20 07:32 663552 ----a-w c:\windows\system32\NETw5c32.dll
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Plocha
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Oblíbené položky
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Šablony
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Nabídka Start
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Dokumenty
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Data aplikací
2009-03-17 03:38 . 2009-04-23 06:37 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-23 06:37 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-06 06:48 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-06 06:48 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-06 06:48 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-06 06:48 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-06 06:48 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-06 06:48 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-06 06:48 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-06 06:48 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-06 06:48 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-06 06:48 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-06 06:48 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-06 06:48 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-06 06:48 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-06 06:48 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-06 06:48 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-06 06:48 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-06 06:48 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-06 06:48 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-23 06:37 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:46 . 2009-04-23 06:37 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:39 . 2009-04-23 06:37 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-23 06:37 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-23 06:37 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-23 06:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-23 06:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-23 06:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-23 06:37 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-23 06:37 17408 ----a-w c:\windows\system32\iashost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-13 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-13 129560]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-26 177456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
c:\users\svoboda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Věýezy obrazovky a spuçtŘnˇ aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4A1A04D8-A554-4790-9885-6C358DDCFA5D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1598A482-9CD3-4B33-9F13-582719FB4B2B}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{CBDD4BC7-3317-443B-B9F1-A7024A7F1204}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D9BC4052-3CFF-48F3-BA43-D966C9226476}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{14A5DBAB-CBE1-4276-8D6F-D3D8B713FCA5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{557A7D69-ADA7-4B2B-A28F-7EEB79C600D0}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{854360C6-4BD2-417C-913E-D5AB32F677F0}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"{0FF920F9-E384-4FE2-B698-DDF8EA6282D1}"= UDP:990:LocalSubnet:LocalSubnet|IF={9859FF6A-38BB-4669-8F24-86E7FE9EF8C3}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [25.5.2009 12:10 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1005000.086\SymEFA.sys [24.4.2009 12:58 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1005000.086\BHDrvx86.sys [24.4.2009 12:58 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1005000.086\cchpx86.sys [24.4.2009 12:58 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys [20.5.2009 8:27 292912]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [31.1.2008 14:47 18944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe [24.4.2009 12:58 115560]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.1.2008 4:23 179712]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23.4.2009 12:28 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21.5.2009 11:50 101936]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17.11.2008 15:40 3668480]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1005000.086\symndisv.sys [24.4.2009 12:58 39984]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [25.5.2009 12:09 348752]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Doplňkový sken -------
.
uStart Page = www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 08:44
Windows 6.0.6001 Service Pack 1 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Celkový čas: 2009-05-26 8:45
ComboFix-quarantined-files.txt 2009-05-26 06:45
ComboFix2.txt 2009-05-26 06:38
ComboFix3.txt 2009-05-25 13:05
Před spuštěním: Volných bajtů: 103 646 695 424
Po spuštění: Volných bajtů: 103 618 904 064
233 --- E O F --- 2009-05-13 07:06
links from VirusTotal
http://www.virustotal.com/cs/analisis/e ... 1243321205
I don't have that second file on the computer.
from ComboFix:
ComboFix 09-05-25.05 - svoboda 26.05.2009 8:40.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1250.420.1029.18.1527.576 [GMT 2:00]
Spuštěný z: c:\users\svoboda\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-26 do 2009-05-26 )))))))))))))))))))))))))))))))
.
2009-05-25 10:39 . 2009-05-25 10:39 -------- d-----w c:\program files\Trend Micro
2009-05-25 10:10 . 2008-12-11 06:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-25 10:10 . 2009-04-03 09:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-25 10:10 . 2008-12-18 10:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-25 10:09 . 2009-05-25 10:14 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-25 10:09 . 2008-12-10 09:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-25 10:09 . 2009-05-25 10:15 -------- d-----w c:\program files\Spyware Doctor
2009-05-25 10:09 . 2009-05-25 10:09 -------- d-----w c:\users\svoboda\AppData\Roaming\PC Tools
2009-05-25 10:09 . 2009-05-25 10:09 -------- d-----w c:\progra~2\PC Tools
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\users\svoboda\AppData\Roaming\Malwarebytes
2009-05-25 07:51 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 07:51 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\progra~2\Malwarebytes
2009-05-22 13:56 . 2009-05-22 13:56 -------- d-----w c:\program files\Enigma Software Group
2009-05-22 13:04 . 2009-05-22 13:05 -------- d-----w c:\program files\Ontrack
2009-05-22 12:07 . 2009-05-22 12:18 -------- d-----w c:\program files\File Scavenger 3.2
2009-05-21 14:31 . 2009-05-21 14:31 -------- d-----w C:\Foto
2009-05-21 13:02 . 2009-05-21 13:02 -------- d-----w c:\program files\Active Data Recovery Services
2009-05-13 07:26 . 2009-05-13 07:26 -------- d-----w c:\users\svoboda\AppData\Local\Apps
2009-05-06 07:02 . 2009-05-06 07:02 -------- d-----w c:\progra~2\WindowsSearch
2009-04-30 11:30 . 2009-05-18 07:08 -------- d-----w c:\program files\Gacela
2009-04-30 07:14 . 2009-04-30 07:14 -------- d-----w c:\progra~2\FLEXnet
2009-04-30 07:01 . 2009-04-30 07:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-27 07:57 . 2009-05-22 14:27 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-27 07:56 . 2009-04-27 08:22 -------- d-----w c:\users\svoboda\AppData\Local\Ahead
2009-04-27 07:54 . 2009-05-15 13:44 -------- d-----w c:\users\svoboda\AppData\Roaming\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\progra~2\Nero
2009-04-27 07:50 . 2009-04-27 07:56 -------- d-----w c:\program files\Common Files\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\program files\Nero
2009-04-27 07:41 . 2009-04-27 07:41 -------- d-----w c:\users\svoboda\AppData\Roaming\InterVideo
2009-04-27 07:27 . 2009-05-11 09:34 -------- d-----w c:\users\svoboda\AppData\Local\Adobe
2009-04-27 07:24 . 2009-05-13 07:33 -------- d-----w c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 06:22 . 2008-01-21 06:01 598832 ----a-w c:\windows\system32\perfh005.dat
2009-05-26 06:22 . 2008-01-21 06:01 114992 ----a-w c:\windows\system32\perfc005.dat
2009-05-25 14:20 . 2009-04-23 10:13 12 ----a-w c:\windows\bthservsdp.dat
2009-05-22 13:06 . 2009-04-23 10:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-22 13:03 . 2009-04-24 07:54 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-13 11:27 . 2009-04-24 08:27 100944 ----a-w c:\users\svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-13 07:14 . 2009-05-13 07:14 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-05-13 06:33 . 2009-04-23 13:07 -------- d-----w c:\progra~2\Microsoft Help
2009-05-13 06:31 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-06 06:56 . 2009-04-23 13:13 -------- d-----w c:\program files\Microsoft Works
2009-04-27 07:14 . 2009-04-24 10:59 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-27 06:49 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Symantec
2009-04-24 10:59 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Norton
2009-04-24 10:59 . 2009-04-24 10:59 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-24 10:59 . 2009-04-24 10:59 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-24 10:59 . 2009-04-24 10:59 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-24 10:59 . 2009-04-24 10:59 -------- d-----w c:\program files\Symantec
2009-04-24 10:58 . 2009-04-24 10:59 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\Norton Internet Security
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\progra~2\NortonInstaller
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\NortonInstaller
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\progra~2\InstallShield
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\program files\Macrovision Corp
2009-04-24 07:57 . 2009-04-24 07:57 -------- d-----w c:\program files\InterVideo
2009-04-24 07:55 . 2009-04-24 07:55 -------- d-----w c:\program files\Common Files\InterVideo
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Twist Inspire
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Crystal Decisions
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Common Files\Crystal Decisions
2009-04-23 13:34 . 2009-04-23 13:11 -------- d-----w c:\program files\Microsoft.NET
2009-04-23 13:33 . 2009-04-23 13:27 -------- d-----w c:\program files\Microsoft Small Business
2009-04-23 13:25 . 2009-04-23 13:23 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-23 13:13 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild
2009-04-23 13:09 . 2009-04-23 13:09 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-23 12:21 . 2009-04-23 10:28 -------- d-----w c:\program files\Hewlett-Packard
2009-04-23 12:10 . 2009-04-23 12:10 -------- d-----w c:\program files\HP PCMCIA Smart Card Reader
2009-04-23 11:56 . 2009-04-23 11:56 -------- d-----w c:\program files\Cisco
2009-04-23 11:55 . 2009-04-23 11:55 -------- d-----w c:\program files\Broadcom
2009-04-23 11:55 . 2009-04-23 11:55 6656 ----a-w c:\windows\system32\bcmwlrc.dll
2009-04-23 10:40 . 2009-04-23 10:40 -------- d-----w c:\program files\HPQ
2009-04-23 10:27 . 2009-04-23 10:27 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-23 09:06 . 2009-04-23 09:06 -------- d-----w c:\program files\Fingerprint Sensor
2009-04-23 08:13 . 2009-04-23 08:13 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-04-23 08:13 . 2009-04-23 08:13 -------- d-----w c:\program files\Synaptics
2009-04-23 08:12 . 2009-04-23 08:12 -------- d-----w c:\program files\Analog Devices
2009-04-23 08:03 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-23 07:26 . 2009-04-23 07:26 -------- d-----w c:\program files\LSI SoftModem
2009-04-23 07:03 . 2009-04-23 07:03 -------- d-----w c:\program files\Intel
2009-04-23 06:40 . 2009-04-23 06:40 -------- d-----w c:\program files\HP
2009-04-23 06:32 . 2008-11-17 05:23 3636864 ----a-w c:\windows\system32\drivers\NETw5x32.sys
2009-04-23 06:32 . 2008-06-20 07:33 2756608 ----a-w c:\windows\system32\NETw5r32.dll
2009-04-23 06:32 . 2008-06-20 07:32 663552 ----a-w c:\windows\system32\NETw5c32.dll
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Plocha
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Oblíbené položky
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Šablony
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Nabídka Start
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Dokumenty
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Data aplikací
2009-03-17 03:38 . 2009-04-23 06:37 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-23 06:37 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-06 06:48 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-06 06:48 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-06 06:48 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-06 06:48 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-06 06:48 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-06 06:48 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-06 06:48 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-06 06:48 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-06 06:48 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-06 06:48 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-06 06:48 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-06 06:48 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-06 06:48 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-06 06:48 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-06 06:48 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-06 06:48 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-06 06:48 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-06 06:48 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-23 06:37 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:46 . 2009-04-23 06:37 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:39 . 2009-04-23 06:37 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-23 06:37 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-23 06:37 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-23 06:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-23 06:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-23 06:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-23 06:37 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-23 06:37 17408 ----a-w c:\windows\system32\iashost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-13 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-13 129560]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-26 177456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
c:\users\svoboda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4A1A04D8-A554-4790-9885-6C358DDCFA5D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1598A482-9CD3-4B33-9F13-582719FB4B2B}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{CBDD4BC7-3317-443B-B9F1-A7024A7F1204}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D9BC4052-3CFF-48F3-BA43-D966C9226476}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{14A5DBAB-CBE1-4276-8D6F-D3D8B713FCA5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{557A7D69-ADA7-4B2B-A28F-7EEB79C600D0}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{854360C6-4BD2-417C-913E-D5AB32F677F0}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"{0FF920F9-E384-4FE2-B698-DDF8EA6282D1}"= UDP:990:LocalSubnet:LocalSubnet|IF={9859FF6A-38BB-4669-8F24-86E7FE9EF8C3}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [25.5.2009 12:10 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1005000.086\SymEFA.sys [24.4.2009 12:58 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1005000.086\BHDrvx86.sys [24.4.2009 12:58 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1005000.086\cchpx86.sys [24.4.2009 12:58 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys [20.5.2009 8:27 292912]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [31.1.2008 14:47 18944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe [24.4.2009 12:58 115560]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.1.2008 4:23 179712]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23.4.2009 12:28 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21.5.2009 11:50 101936]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17.11.2008 15:40 3668480]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1005000.086\symndisv.sys [24.4.2009 12:58 39984]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [25.5.2009 12:09 348752]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Doplňkový sken -------
.
uStart Page = www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 08:44
Windows 6.0.6001 Service Pack 1 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Celkový čas: 2009-05-26 8:45
ComboFix-quarantined-files.txt 2009-05-26 06:45
ComboFix2.txt 2009-05-26 06:38
ComboFix3.txt 2009-05-25 13:05
Před spuštěním: Volných bajtů: 103 646 695 424
Po spuštění: Volných bajtů: 103 618 904 064
233 --- E O F --- 2009-05-13 07:06
And the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:45, on 25.5.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\Software\..\Telephony: DomainName = IT4U.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IT4U.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
--
End of file - 8812 bytes
Links from VirusTotal:
http://www.virustotal.com/cs/analisis/e ... 1243321205
I don't have the second file on my computer.
Damned (Article author, Master Level 9; Posts: 8353; Registered: December 06; Location: Rokycany)
Re: Infostealer.gampass
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the following entire text, marked in green, into it:
File Look::
c:\windows\System32\drivers\mchInjDrv.sys
File::
c:\users\svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
c:\windows\inf\drvindex.dat
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt here
Save as type: select All Files
Save the file to the desktop.
Close all active windows.
Drag the CFScript.txt script you created with the mouse, move it over the downloaded ComboFix.exe program,
and when the two files overlap, drop the script.

- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process + a new log from HJT
Nothing is impossible, which is why, where reason fails us, we don't hesitate to use a hammer.
If you want to know what's new, look in old books.
Damned's Czech localizations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localization, Wise Registry Cleaner
Re: Infostealer.gampass
CFScript.txt:
ComboFix 09-05-25.05 - svoboda 26.05.2009 16:18.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1250.420.1029.18.1527.630 [GMT 2:00]
Spuštěný z: c:\users\svoboda\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\svoboda\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-26 do 2009-05-26 )))))))))))))))))))))))))))))))
.
2009-05-25 10:39 . 2009-05-25 10:39 -------- d-----w c:\program files\Trend Micro
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\users\svoboda\AppData\Roaming\Malwarebytes
2009-05-25 07:51 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 07:51 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-25 07:51 . 2009-05-25 07:51 -------- d-----w c:\progra~2\Malwarebytes
2009-05-22 13:56 . 2009-05-22 13:56 -------- d-----w c:\program files\Enigma Software Group
2009-05-22 13:04 . 2009-05-22 13:05 -------- d-----w c:\program files\Ontrack
2009-05-21 14:31 . 2009-05-21 14:31 -------- d-----w C:\Foto
2009-05-21 13:02 . 2009-05-21 13:02 -------- d-----w c:\program files\Active Data Recovery Services
2009-05-13 07:26 . 2009-05-13 07:26 -------- d-----w c:\users\svoboda\AppData\Local\Apps
2009-05-06 07:02 . 2009-05-06 07:02 -------- d-----w c:\progra~2\WindowsSearch
2009-04-30 11:30 . 2009-05-18 07:08 -------- d-----w c:\program files\Gacela
2009-04-30 07:14 . 2009-04-30 07:14 -------- d-----w c:\progra~2\FLEXnet
2009-04-30 07:01 . 2009-04-30 07:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-27 07:57 . 2009-05-22 14:27 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-27 07:56 . 2009-04-27 08:22 -------- d-----w c:\users\svoboda\AppData\Local\Ahead
2009-04-27 07:54 . 2009-05-15 13:44 -------- d-----w c:\users\svoboda\AppData\Roaming\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\progra~2\Nero
2009-04-27 07:50 . 2009-04-27 07:56 -------- d-----w c:\program files\Common Files\Ahead
2009-04-27 07:50 . 2009-04-27 07:50 -------- d-----w c:\program files\Nero
2009-04-27 07:41 . 2009-04-27 07:41 -------- d-----w c:\users\svoboda\AppData\Roaming\InterVideo
2009-04-27 07:27 . 2009-05-11 09:34 -------- d-----w c:\users\svoboda\AppData\Local\Adobe
2009-04-27 07:24 . 2009-05-13 07:33 -------- d-----w c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 13:47 . 2008-01-21 06:01 598832 ----a-w c:\windows\system32\perfh005.dat
2009-05-26 13:47 . 2008-01-21 06:01 114992 ----a-w c:\windows\system32\perfc005.dat
2009-05-26 13:42 . 2009-04-23 10:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-26 13:41 . 2009-04-23 10:13 12 ----a-w c:\windows\bthservsdp.dat
2009-05-22 13:03 . 2009-04-24 07:54 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-13 11:27 . 2009-04-24 08:27 100944 ----a-w c:\users\svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-13 07:14 . 2009-05-13 07:14 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2009-05-13 06:33 . 2009-04-23 13:07 -------- d-----w c:\progra~2\Microsoft Help
2009-05-13 06:31 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-06 06:56 . 2009-04-23 13:13 -------- d-----w c:\program files\Microsoft Works
2009-04-27 07:14 . 2009-04-24 10:59 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-27 06:49 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Symantec
2009-04-24 10:59 . 2009-04-24 10:58 -------- d-----w c:\progra~2\Norton
2009-04-24 10:59 . 2009-04-24 10:59 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-24 10:59 . 2009-04-24 10:59 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-24 10:59 . 2009-04-24 10:59 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-24 10:59 . 2009-04-24 10:59 -------- d-----w c:\program files\Symantec
2009-04-24 10:58 . 2009-04-24 10:59 25136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\Norton Internet Security
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\progra~2\NortonInstaller
2009-04-24 10:58 . 2009-04-24 10:58 -------- d-----w c:\program files\NortonInstaller
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\progra~2\InstallShield
2009-04-24 07:58 . 2009-04-24 07:58 -------- d-----w c:\program files\Macrovision Corp
2009-04-24 07:57 . 2009-04-24 07:57 -------- d-----w c:\program files\InterVideo
2009-04-24 07:55 . 2009-04-24 07:55 -------- d-----w c:\program files\Common Files\InterVideo
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Twist Inspire
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Crystal Decisions
2009-04-24 06:43 . 2009-04-24 06:43 -------- d-----w c:\program files\Common Files\Crystal Decisions
2009-04-23 13:34 . 2009-04-23 13:11 -------- d-----w c:\program files\Microsoft.NET
2009-04-23 13:33 . 2009-04-23 13:27 -------- d-----w c:\program files\Microsoft Small Business
2009-04-23 13:25 . 2009-04-23 13:23 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-23 13:13 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild
2009-04-23 13:09 . 2009-04-23 13:09 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-23 12:21 . 2009-04-23 10:28 -------- d-----w c:\program files\Hewlett-Packard
2009-04-23 12:10 . 2009-04-23 12:10 -------- d-----w c:\program files\HP PCMCIA Smart Card Reader
2009-04-23 11:56 . 2009-04-23 11:56 -------- d-----w c:\program files\Cisco
2009-04-23 11:55 . 2009-04-23 11:55 -------- d-----w c:\program files\Broadcom
2009-04-23 11:55 . 2009-04-23 11:55 6656 ----a-w c:\windows\system32\bcmwlrc.dll
2009-04-23 10:40 . 2009-04-23 10:40 -------- d-----w c:\program files\HPQ
2009-04-23 10:27 . 2009-04-23 10:27 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-23 09:06 . 2009-04-23 09:06 -------- d-----w c:\program files\Fingerprint Sensor
2009-04-23 08:13 . 2009-04-23 08:13 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-04-23 08:13 . 2009-04-23 08:13 -------- d-----w c:\program files\Synaptics
2009-04-23 08:12 . 2009-04-23 08:12 -------- d-----w c:\program files\Analog Devices
2009-04-23 08:03 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-23 07:26 . 2009-04-23 07:26 -------- d-----w c:\program files\LSI SoftModem
2009-04-23 07:03 . 2009-04-23 07:03 -------- d-----w c:\program files\Intel
2009-04-23 06:40 . 2009-04-23 06:40 -------- d-----w c:\program files\HP
2009-04-23 06:32 . 2008-11-17 05:23 3636864 ----a-w c:\windows\system32\drivers\NETw5x32.sys
2009-04-23 06:32 . 2008-06-20 07:33 2756608 ----a-w c:\windows\system32\NETw5r32.dll
2009-04-23 06:32 . 2008-06-20 07:32 663552 ----a-w c:\windows\system32\NETw5c32.dll
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Plocha
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Oblíbené položky
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Šablony
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Nabídka Start
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Dokumenty
2009-04-22 14:41 . 2009-04-22 14:41 -------- d-sh--w c:\progra~2\Data aplikací
2009-03-17 03:38 . 2009-04-23 06:37 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-23 06:37 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-06 06:48 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-06 06:48 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-06 06:48 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-06 06:48 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-06 06:48 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-06 06:48 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-06 06:48 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-06 06:48 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-06 06:48 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-06 06:48 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-06 06:48 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-06 06:48 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-06 06:48 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-06 06:48 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-06 06:48 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-06 06:48 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-06 06:48 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-06 06:48 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-23 06:37 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:46 . 2009-04-23 06:37 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:39 . 2009-04-23 06:37 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-23 06:37 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-23 06:37 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-23 06:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-23 06:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-23 06:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-23 06:37 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-23 06:37 17408 ----a-w c:\windows\system32\iashost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-13 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-13 129560]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-26 177456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
c:\users\svoboda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4A1A04D8-A554-4790-9885-6C358DDCFA5D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1598A482-9CD3-4B33-9F13-582719FB4B2B}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{CBDD4BC7-3317-443B-B9F1-A7024A7F1204}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D9BC4052-3CFF-48F3-BA43-D966C9226476}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{14A5DBAB-CBE1-4276-8D6F-D3D8B713FCA5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{557A7D69-ADA7-4B2B-A28F-7EEB79C600D0}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{854360C6-4BD2-417C-913E-D5AB32F677F0}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"{0FF920F9-E384-4FE2-B698-DDF8EA6282D1}"= UDP:990:LocalSubnet:LocalSubnet|IF={9859FF6A-38BB-4669-8F24-86E7FE9EF8C3}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1005000.086\SymEFA.sys [24.4.2009 12:58 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1005000.086\BHDrvx86.sys [24.4.2009 12:58 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1005000.086\cchpx86.sys [24.4.2009 12:58 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys [20.5.2009 8:27 292912]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [31.1.2008 14:47 18944]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe [24.4.2009 12:58 115560]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.1.2008 4:23 179712]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23.4.2009 12:28 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [21.5.2009 11:50 101936]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17.11.2008 15:40 3668480]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1005000.086\symndisv.sys [24.4.2009 12:58 39984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Doplňkový sken -------
.
uStart Page = www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 16:23
Windows 6.0.6001 Service Pack 1 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Celkový čas: 2009-05-26 16:25
ComboFix-quarantined-files.txt 2009-05-26 14:25
ComboFix2.txt 2009-05-26 06:45
ComboFix3.txt 2009-05-26 06:38
ComboFix4.txt 2009-05-25 13:05
Před spuštěním: Volných bajtů: 98 709 139 456
Po spuštění: Volných bajtů: 98 688 008 192
220 --- E O F --- 2009-05-13 07:06
HiJack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:45, on 25.5.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\Software\..\Telephony: DomainName = IT4U.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IT4U.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
--
End of file - 8812 bytes
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\Software\..\Telephony: DomainName = IT4U.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IT4U.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IT4U.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
--
End of file - 8812 bytes
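The log above is in the plain HijackThis text format (`<section> - <body>` per entry). As an added example, not part of the original post and not HijackThis code, here is a small Python script that parses entries in that format and applies the usual manual-review rules: hosts-file mappings other than localhost (O1), autoruns launched from user-writable paths (O4), domain/DNS registry values listed for confirmation (O17), and services whose binary carries no publisher name (O23). The sample input mixes lines copied from the posted log with two constructed lines (the `10.0.0.5` hosts mapping and the `updater.exe` autorun) so that every rule fires once; the rules, the section regex and the `USER_WRITABLE` list are this example's own assumptions, not something HijackThis itself does.

```python
"""Minimal triage of HijackThis (HJT) log entries.

Added example for this thread; not HijackThis code and not the poster's.
The review rules below are the common manual-check heuristics written out;
the entry format (`<section> - <body>`) is inferred from the log above.
"""
import re

# Sample input. Most lines are copied from the log posted in this thread.
# CONSTRUCTED (not from the poster's machine): the "10.0.0.5" O1 line and
# the "updater" O4 line, added so that each rule below has a hit.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O1 - Hosts: 10.0.0.5 www.example.com
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [updater] C:\Users\user\AppData\Local\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IT4U.local
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
--
End of file - 8812 bytes
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?([A-Za-z%][^"]*?\.exe)"?', re.IGNORECASE)

# Locations a normal user can write to (assumed list); an autorun here deserves a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\documents and settings\\")
# The only hosts-file mappings expected on a clean Vista install.
LOCALHOST_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hjt(text):
    """Return [(section, body), ...] for every entry line; header/footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def exe_path(body):
    """Pull the first .exe path out of an O4 body such as '[Name] "C:\\x.exe" /args'."""
    m = EXE_RE.search(body.split("] ", 1)[-1])
    return m.group(1) if m else None


def triage(entries):
    """Apply the review rules; return [(section, reason, body), ...]."""
    findings = []
    for section, body in entries:
        if section == "O1":
            parts = body.split(None, 2)          # ["Hosts:", ip, hostname]
            if len(parts) == 3 and (parts[1], parts[2]) not in LOCALHOST_HOSTS:
                findings.append((section, "hosts-file mapping that is not localhost", body))
        elif section == "O4":
            path = exe_path(body)
            if path and any(k in path.lower() for k in USER_WRITABLE):
                findings.append((section, "autorun launched from a user-writable path", body))
        elif section == "O17":
            # HJT lists the domain/DNS registry values; on a domain-joined PC they are
            # expected, so this rule only asks the reviewer to confirm the value.
            findings.append((section, "domain/DNS value - confirm it is the expected one", body))
        elif section == "O23":
            parts = body.rsplit(" - ", 2)        # [name, owner, path]
            if len(parts) == 3 and parts[1].strip().lower() == "unknown owner":
                findings.append((section, "service binary carries no publisher name", body))
    return findings


def review(text=SAMPLE_LOG):
    """Parse and triage a log; returns the list of findings."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, body in review():
        print(f"{section:4} {reason}\n     {body}")
```

Run as-is, the script prints four items: the two constructed lines, the IT4U.local domain value, and the `hpsrv` service, which is listed only because its binary reports no company name in its version info, not because the rule knows anything about it; every other entry from the posted log passes through silently, which is the point of the exercise: the script narrows a long log to the handful of lines a human still has to judge.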
- Damned
Re: Infostealer.gampass
Hang on, I've asked for help from someone who has already removed Infostealer.gampass before and knows Vista better than I do.
Nothing is impossible, which is why, where we are at our wits' end, we do not hesitate to use a hammer.
If you want to know what's new, look in old books.
Damned's Czech localisations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localisation, Wise Registry Cleaner