Please check this
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:28:07, on 14.5.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
I:\HijackThis.exe
D:\WINDOWS\system32\dwwin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - D:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "D:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1952002968
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O21 - SSODL: oledll - {59945B67-9234-9234-D929-7F84D923BC79} - D:\WINDOWS\system32\wh18tokl.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - D:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 7846 bytes
please check the log
- Damned
Re: please check the log
Download Malwarebytes' Anti-Malware
Install and run it
- at the end of the installation, make sure both options are selected/checked:
Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; if so, click the Finish button
- if an update is found, it will be downloaded and installed
- the program will then start; leave the Perform quick scan option selected and click the Scan button
- when the program finishes, a message will appear; click OK and then the Show Results button
- then choose the option to save the log and save it to your desktop
- then click the Exit button; a message will appear, choose Yes
(don't delete anything yet!).
Then paste the contents of that log here.
Re: please check the log
Malwarebytes' Anti-Malware 1.36
Verze databáze: 1945
Windows 5.1.2600 Service Pack 3
15.5.2009 13:35:25
mbam-log-2009-05-15 (13-35-12).txt
Typ skenu: Rychlý sken
Objektu skenováno: 77537
Uplynulý cas: 2 minute(s), 26 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 1
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 0
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované hodnoty registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\oledll (Trojan.Agent) -> No action taken.
Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
(Žádné zákerné položky nebyly zjišteny)
- Damned
Re: please check the log
You have few services there, far too few
So run MbAM again and click Scan
- when the program finishes, a message will appear; click OK and then the Show Results button
- make sure all listed findings are checked and click the Remove Selected button
- when the removal finishes, a log will be displayed; post it here.
- then choose OK in the program and exit the program via Exit
Turn off the antivirus resident shields
Download ComboFix (by sUBs) and save it to your desktop.
Close all active windows and run it.
- After starting, the terms of use will be displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is working, do not click into the window it displays
- After the scan finishes, the program should create a log - C:\ComboFix.txt - please copy its entire contents here
Re: please check the log
So I tried reinstalling the program and running the test again.
Otherwise I didn't do this step, because from this step on it didn't find anything for me:
then the Show Results button
- make sure all listed findings are checked and click the Remove Selected button
- when the removal finishes, a log will be displayed; post it here.
- then choose OK in the program and exit the program via Exit
Show Results was nowhere to be found.
I ran a quick scan, it scanned, some message popped up, I clicked OK and then I didn't know.
MbAM log:
Malwarebytes' Anti-Malware 1.36
Database version: 2137
Windows 5.1.2600 Service Pack 3
15.5.2009 20:57:08
mbam-log-2009-05-15 (20-57-08).txt
Scan type: Quick Scan
Objects scanned: 90433
Time elapsed: 6 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Combofix log:
ComboFix 09-05-15.01 - Paja 15.05.2009 21:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.650 [GMT 2:00]
Spuštěný z: d:\documents and settings\Paja\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090514-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Vytvořen nový Bod Obnovení
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-15 do 2009-05-15 )))))))))))))))))))))))))))))))
.
2009-05-15 18:54 . 2009-05-15 18:54 -------- d-----w d:\windows\LastGood
2009-05-15 11:31 . 2009-04-06 13:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-15 11:31 . 2009-04-06 13:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 11:31 . 2009-05-15 11:31 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-05-14 18:14 . 2009-05-14 18:14 -------- d-----w d:\program files\HD Tune
2009-05-13 15:55 . 2009-05-13 15:55 -------- d-----w d:\program files\Lineage II - PTS_PTS
2009-05-12 16:26 . 2009-05-13 15:55 -------- d-----w d:\documents and settings\Administrator\Data aplikací
2009-05-12 16:26 . 2009-05-13 15:55 -------- d-----w d:\documents and settings\Administrator\Šablony
2009-05-12 16:26 . 2009-05-13 15:55 -------- d-s---w d:\documents and settings\Administrator
2009-04-29 15:39 . 2009-04-29 15:39 -------- d-----w d:\program files\TopCD
2009-04-25 15:04 . 2009-04-25 15:04 -------- d-----w d:\program files\HarrysFilters3
2009-04-16 17:06 . 2009-02-06 10:10 227840 -c----w d:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 17:06 . 2009-03-06 14:23 284160 -c----w d:\windows\system32\dllcache\pdh.dll
2009-04-16 17:06 . 2009-02-09 11:25 111104 -c----w d:\windows\system32\dllcache\services.exe
2009-04-16 17:06 . 2009-02-09 10:56 401408 -c----w d:\windows\system32\dllcache\rpcss.dll
2009-04-16 17:06 . 2009-02-09 10:56 473600 -c----w d:\windows\system32\dllcache\fastprox.dll
2009-04-16 17:06 . 2009-02-09 10:56 684032 -c----w d:\windows\system32\dllcache\advapi32.dll
2009-04-16 17:06 . 2009-02-09 10:56 728064 -c----w d:\windows\system32\dllcache\lsasrv.dll
2009-04-16 17:06 . 2009-02-09 10:56 453120 -c----w d:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 17:06 . 2009-02-09 10:56 709632 -c----w d:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:54 . 2008-04-21 21:15 216576 -c----w d:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 15:55 . 2009-03-31 12:48 -------- d-----w d:\program files\Lineage II
2009-05-05 14:43 . 2009-01-14 16:36 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-04 14:50 . 2009-03-15 08:14 -------- d-----w d:\program files\Batman
2009-05-01 13:33 . 2009-01-15 07:08 -------- d-----w d:\program files\Spyware Terminator
2009-04-17 06:54 . 2006-03-02 12:00 47206 ----a-w d:\windows\system32\perfc005.dat
2009-04-17 06:54 . 2006-03-02 12:00 312970 ----a-w d:\windows\system32\perfh005.dat
2009-04-15 07:42 . 2009-04-15 07:42 43520 ----a-w d:\windows\system32\CmdLineExt03.dll
2009-04-13 07:54 . 2009-04-07 15:42 -------- d-----w d:\program files\QIP Infium
2009-04-13 07:54 . 2009-04-07 15:36 -------- d-----w d:\program files\QIP
2009-04-13 07:52 . 2009-03-15 12:19 -------- d-----w d:\program files\BitComet
2009-04-10 12:24 . 2009-04-10 12:06 -------- d-----w d:\program files\PQDVD
2009-04-09 14:02 . 2009-04-07 18:02 -------- d-----w d:\program files\MediaCell Video Converter
2009-04-07 18:01 . 2009-04-07 18:01 -------- d-----w d:\program files\Common Files\DVDVideoSoft
2009-04-07 15:21 . 2009-04-07 15:21 86016 ----a-w d:\windows\system32\wh18tokl.dll
2009-03-31 13:12 . 2009-03-31 13:12 -------- d-----w d:\program files\Common Files\INCA Shared
2009-03-27 14:52 . 2009-01-23 20:51 -------- d-----w d:\program files\Common Files\Adobe
2009-03-20 16:47 . 2009-03-20 16:47 -------- d-----w d:\program files\AviSynth 2.5
2009-03-20 16:45 . 2009-03-20 16:45 -------- d-----w d:\program files\eRightSoft
2009-03-06 14:23 . 2006-03-02 12:00 284160 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:14 . 2006-03-02 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-02 12:00 78336 ----a-w d:\windows\system32\ieencode.dll
2006-05-03 10:06 . 2009-03-20 16:45 163328 --sh--r d:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-20 16:45 31232 --sh--r d:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-20 16:45 216064 --sh--r d:\windows\system32\nbDX.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "d:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]
"{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
2009-03-08 08:37 1883672 ----a-w d:\program files\Softonic_English_TC\tbSof1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4FF5F6EA-FFAF-43E5-9A01-361C0893C3E8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SpywareTerminator"="d:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-15 2267136]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - d:\windows\soundman.exe [2006-08-03 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
d:\documents and settings\Paja\Nabídka Start\Programy\Po spuštění\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
d:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Strong\\StrongDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\HLSW\\hlsw.exe"=
"d:\\Program Files\\sixteen tons entertainment\\Emergency 4\\Em4.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"d:\\WINDOWS\\system32\\dllhost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16765:TCP"= 16765:TCP:BitComet 16765 TCP
"16765:UDP"= 16765:UDP:BitComet 16765 UDP
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [15.1.2009 8:45 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;d:\windows\system32\drivers\sp_rsdrv2.sys [15.1.2009 9:08 142592]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [15.1.2009 8:45 20560]
R2 ICQ Service;ICQ Service;d:\program files\ICQ6Toolbar\ICQ Service.exe [24.1.2009 21:16 222456]
R3 PSched;Plánovač paketů technologie QoS;d:\windows\system32\drivers\psched.sys [2.3.2006 14:00 69120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d67f742-e2d3-11dd-9ffe-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68641101-25aa-11de-a09a-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd1ec73f-31a4-11de-a0b9-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1cbc12d-ec7a-11dd-a014-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
.
Obsah adresáře 'Naplánované úlohy'
2009-05-15 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-23 15:20]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKCU-Run-BitComet - d:\program files\BitComet\BitComet.exe
.
------- Doplňkový sken -------
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Winamp Search - d:\documents and settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - d:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - d:\documents and settings\Paja\Data aplikací\Mozilla\Firefox\Profiles\uklh3c6t.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: d:\documents and settings\Paja\Data aplikací\Mozilla\Firefox\Profiles\uklh3c6t.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: d:\program files\Opera\program\plugins\nprpjplug.dll
---- NASTAVENÍ FIREFOXU ----
d:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 21:02
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1292428093-1844823847-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6a,cb,51,11,ea,3f,be,30,0c,4a,8b,20,9b,07,df,02,8b,37,25,e5,96,a8,56,
41,9d,a4,c1,9d,e3,f4,87,5d,03,fc,94,e6,57,20,0a,38,a2,54,a3,8f,dc,55,54,d4,\
"??"=hex:36,43,1f,70,03,28,d0,83,98,3b,58,e2,d7,ad,bb,d1
[HKEY_USERS\S-1-5-21-1292428093-1844823847-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:75,68,88,53,1b,11,72,2c,cc,70,2a,87,31,3a,28,e7,32,9f,b3,07,d7,
f3,5d,39,c2,be,03,41,8b,16,8a,41,55,72,69,f1,8d,ce,94,ac,20,d3,b4,01,9e,f1,\
"rkeysecu"=hex:4b,b6,97,fc,61,62,00,b8,88,1e,74,9b,5c,65,97,8d
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(684)
d:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2584)
d:\progra~1\WINDOW~2\wmpband.dll
d:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
d:\program files\Common Files\Ahead\Lib\MFC71U.DLL
d:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-05-15 21:03
ComboFix-quarantined-files.txt 2009-05-15 19:03
Před spuštěním: Volných bajtů: 51 518 140 416
Po spuštění: Volných bajtů: 51 539 382 272
WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
211 --- E O F --- 2009-04-29 18:01
2009-04-16 17:06 . 2009-02-09 10:56 684032 -c----w d:\windows\system32\dllcache\advapi32.dll
2009-04-16 17:06 . 2009-02-09 10:56 728064 -c----w d:\windows\system32\dllcache\lsasrv.dll
2009-04-16 17:06 . 2009-02-09 10:56 453120 -c----w d:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 17:06 . 2009-02-09 10:56 709632 -c----w d:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:54 . 2008-04-21 21:15 216576 -c----w d:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 15:55 . 2009-03-31 12:48 -------- d-----w d:\program files\Lineage II
2009-05-05 14:43 . 2009-01-14 16:36 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-04 14:50 . 2009-03-15 08:14 -------- d-----w d:\program files\Batman
2009-05-01 13:33 . 2009-01-15 07:08 -------- d-----w d:\program files\Spyware Terminator
2009-04-17 06:54 . 2006-03-02 12:00 47206 ----a-w d:\windows\system32\perfc005.dat
2009-04-17 06:54 . 2006-03-02 12:00 312970 ----a-w d:\windows\system32\perfh005.dat
2009-04-15 07:42 . 2009-04-15 07:42 43520 ----a-w d:\windows\system32\CmdLineExt03.dll
2009-04-13 07:54 . 2009-04-07 15:42 -------- d-----w d:\program files\QIP Infium
2009-04-13 07:54 . 2009-04-07 15:36 -------- d-----w d:\program files\QIP
2009-04-13 07:52 . 2009-03-15 12:19 -------- d-----w d:\program files\BitComet
2009-04-10 12:24 . 2009-04-10 12:06 -------- d-----w d:\program files\PQDVD
2009-04-09 14:02 . 2009-04-07 18:02 -------- d-----w d:\program files\MediaCell Video Converter
2009-04-07 18:01 . 2009-04-07 18:01 -------- d-----w d:\program files\Common Files\DVDVideoSoft
2009-04-07 15:21 . 2009-04-07 15:21 86016 ----a-w d:\windows\system32\wh18tokl.dll
2009-03-31 13:12 . 2009-03-31 13:12 -------- d-----w d:\program files\Common Files\INCA Shared
2009-03-27 14:52 . 2009-01-23 20:51 -------- d-----w d:\program files\Common Files\Adobe
2009-03-20 16:47 . 2009-03-20 16:47 -------- d-----w d:\program files\AviSynth 2.5
2009-03-20 16:45 . 2009-03-20 16:45 -------- d-----w d:\program files\eRightSoft
2009-03-06 14:23 . 2006-03-02 12:00 284160 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:14 . 2006-03-02 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-02 12:00 78336 ----a-w d:\windows\system32\ieencode.dll
2006-05-03 10:06 . 2009-03-20 16:45 163328 --sh--r d:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-20 16:45 31232 --sh--r d:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-20 16:45 216064 --sh--r d:\windows\system32\nbDX.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "d:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]
"{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
2009-03-08 08:37 1883672 ----a-w d:\program files\Softonic_English_TC\tbSof1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4FF5F6EA-FFAF-43E5-9A01-361C0893C3E8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SpywareTerminator"="d:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-15 2267136]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - d:\windows\soundman.exe [2006-08-03 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
d:\documents and settings\Paja\Nabídka Start\Programy\Po spuštění\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
d:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Strong\\StrongDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\HLSW\\hlsw.exe"=
"d:\\Program Files\\sixteen tons entertainment\\Emergency 4\\Em4.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"d:\\WINDOWS\\system32\\dllhost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16765:TCP"= 16765:TCP:BitComet 16765 TCP
"16765:UDP"= 16765:UDP:BitComet 16765 UDP
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [15.1.2009 8:45 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;d:\windows\system32\drivers\sp_rsdrv2.sys [15.1.2009 9:08 142592]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [15.1.2009 8:45 20560]
R2 ICQ Service;ICQ Service;d:\program files\ICQ6Toolbar\ICQ Service.exe [24.1.2009 21:16 222456]
R3 PSched;Plánovač paketů technologie QoS;d:\windows\system32\drivers\psched.sys [2.3.2006 14:00 69120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d67f742-e2d3-11dd-9ffe-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68641101-25aa-11de-a09a-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd1ec73f-31a4-11de-a0b9-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1cbc12d-ec7a-11dd-a014-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
.
Obsah adresáře 'Naplánované úlohy'
2009-05-15 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-23 15:20]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKCU-Run-BitComet - d:\program files\BitComet\BitComet.exe
.
------- Doplňkový sken -------
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Winamp Search - d:\documents and settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - d:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - d:\documents and settings\Paja\Data aplikací\Mozilla\Firefox\Profiles\uklh3c6t.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: d:\documents and settings\Paja\Data aplikací\Mozilla\Firefox\Profiles\uklh3c6t.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: d:\program files\Opera\program\plugins\nprpjplug.dll
---- NASTAVENÍ FIREFOXU ----
d:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 21:02
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1292428093-1844823847-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6a,cb,51,11,ea,3f,be,30,0c,4a,8b,20,9b,07,df,02,8b,37,25,e5,96,a8,56,
41,9d,a4,c1,9d,e3,f4,87,5d,03,fc,94,e6,57,20,0a,38,a2,54,a3,8f,dc,55,54,d4,\
"??"=hex:36,43,1f,70,03,28,d0,83,98,3b,58,e2,d7,ad,bb,d1
[HKEY_USERS\S-1-5-21-1292428093-1844823847-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:75,68,88,53,1b,11,72,2c,cc,70,2a,87,31,3a,28,e7,32,9f,b3,07,d7,
f3,5d,39,c2,be,03,41,8b,16,8a,41,55,72,69,f1,8d,ce,94,ac,20,d3,b4,01,9e,f1,\
"rkeysecu"=hex:4b,b6,97,fc,61,62,00,b8,88,1e,74,9b,5c,65,97,8d
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(684)
d:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2584)
d:\progra~1\WINDOW~2\wmpband.dll
d:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
d:\program files\Common Files\Ahead\Lib\MFC71U.DLL
d:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-05-15 21:03
ComboFix-quarantined-files.txt 2009-05-15 19:03
Před spuštěním: Volných bajtů: 51 518 140 416
Po spuštění: Volných bajtů: 51 539 382 272
WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
211 --- E O F --- 2009-04-29 18:01
- Damned
- Article author
- Master Level 9
- Posts: 8353
- Registered: December 06
- Location: Rokycany
Re: please check the log
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the following entire text marked in green into it:
File::
c:\windows\system32\wh18tokl.dll
Choose File -> Save As... and set these parameters:
File name: type here: CFScript.txt
Save as type: select All Files there
Save the file to the desktop.
Close all active windows.
Drag the created CFScript.txt script with the mouse onto the downloaded ComboFix.exe program and when the two files overlap, drop the script.
- ComboFix will start automatically
- Post here the log that appears at the end of the cleaning process + a new HJT log
Nothing is impossible, which is why, where our wits come to an end, we do not hesitate to use a hammer.
If you want to know what is new, look in old books.
Damned's Czech localizations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localization, Wise Registry Cleaner
Re: please check the log
ComboFix log:
ComboFix 09-05-15.01 - Paja 16.05.2009 7:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.643 [GMT 2:00]
Spuštěný z: d:\documents and settings\Paja\Plocha\ComboFix.exe
Použité ovládací přepínače :: d:\documents and settings\Paja\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090515-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FILE ::
c:\windows\system32\wh18tokl.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-16 do 2009-05-16 )))))))))))))))))))))))))))))))
.
2009-05-15 11:31 . 2009-04-06 13:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-15 11:31 . 2009-04-06 13:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 11:31 . 2009-05-15 11:31 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-05-14 18:14 . 2009-05-14 18:14 -------- d-----w d:\program files\HD Tune
2009-05-13 15:55 . 2009-05-13 15:55 -------- d-----w d:\program files\Lineage II - PTS_PTS
2009-05-12 16:26 . 2009-05-13 15:55 -------- d-----w d:\documents and settings\Administrator\Data aplikací
2009-05-12 16:26 . 2009-05-13 15:55 -------- d-----w d:\documents and settings\Administrator\Šablony
2009-05-12 16:26 . 2009-05-13 15:55 -------- d-s---w d:\documents and settings\Administrator
2009-04-29 15:39 . 2009-04-29 15:39 -------- d-----w d:\program files\TopCD
2009-04-25 15:04 . 2009-04-25 15:04 -------- d-----w d:\program files\HarrysFilters3
2009-04-16 17:06 . 2009-02-06 10:10 227840 -c----w d:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 17:06 . 2009-03-06 14:23 284160 -c----w d:\windows\system32\dllcache\pdh.dll
2009-04-16 17:06 . 2009-02-09 11:25 111104 -c----w d:\windows\system32\dllcache\services.exe
2009-04-16 17:06 . 2009-02-09 10:56 401408 -c----w d:\windows\system32\dllcache\rpcss.dll
2009-04-16 17:06 . 2009-02-09 10:56 473600 -c----w d:\windows\system32\dllcache\fastprox.dll
2009-04-16 17:06 . 2009-02-09 10:56 684032 -c----w d:\windows\system32\dllcache\advapi32.dll
2009-04-16 17:06 . 2009-02-09 10:56 728064 -c----w d:\windows\system32\dllcache\lsasrv.dll
2009-04-16 17:06 . 2009-02-09 10:56 453120 -c----w d:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 17:06 . 2009-02-09 10:56 709632 -c----w d:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:54 . 2008-04-21 21:15 216576 -c----w d:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 15:55 . 2009-03-31 12:48 -------- d-----w d:\program files\Lineage II
2009-05-05 14:43 . 2009-01-14 16:36 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-04 14:50 . 2009-03-15 08:14 -------- d-----w d:\program files\Batman
2009-05-01 13:33 . 2009-01-15 07:08 -------- d-----w d:\program files\Spyware Terminator
2009-04-17 06:54 . 2006-03-02 12:00 47206 ----a-w d:\windows\system32\perfc005.dat
2009-04-17 06:54 . 2006-03-02 12:00 312970 ----a-w d:\windows\system32\perfh005.dat
2009-04-15 07:42 . 2009-04-15 07:42 43520 ----a-w d:\windows\system32\CmdLineExt03.dll
2009-04-13 07:54 . 2009-04-07 15:42 -------- d-----w d:\program files\QIP Infium
2009-04-13 07:54 . 2009-04-07 15:36 -------- d-----w d:\program files\QIP
2009-04-13 07:52 . 2009-03-15 12:19 -------- d-----w d:\program files\BitComet
2009-04-10 12:24 . 2009-04-10 12:06 -------- d-----w d:\program files\PQDVD
2009-04-09 14:02 . 2009-04-07 18:02 -------- d-----w d:\program files\MediaCell Video Converter
2009-04-07 18:01 . 2009-04-07 18:01 -------- d-----w d:\program files\Common Files\DVDVideoSoft
2009-04-07 15:21 . 2009-04-07 15:21 86016 ----a-w d:\windows\system32\wh18tokl.dll
2009-03-31 13:12 . 2009-03-31 13:12 -------- d-----w d:\program files\Common Files\INCA Shared
2009-03-27 14:52 . 2009-01-23 20:51 -------- d-----w d:\program files\Common Files\Adobe
2009-03-20 16:47 . 2009-03-20 16:47 -------- d-----w d:\program files\AviSynth 2.5
2009-03-20 16:45 . 2009-03-20 16:45 -------- d-----w d:\program files\eRightSoft
2009-03-06 14:23 . 2006-03-02 12:00 284160 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:14 . 2006-03-02 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-02 12:00 78336 ----a-w d:\windows\system32\ieencode.dll
2006-05-03 10:06 . 2009-03-20 16:45 163328 --sh--r d:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-20 16:45 31232 --sh--r d:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-20 16:45 216064 --sh--r d:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-15_19.02.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 05:16 . 2009-05-16 05:16 16384 d:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2009-01-15 07:06 . 2007-11-30 12:39 18296 d:\windows\system32\spmsg.dll
- 2009-01-15 07:06 . 2007-08-10 18:43 18296 d:\windows\system32\spmsg.dll
- 2009-01-14 18:21 . 2009-04-29 18:01 35088 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 35088 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 18704 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 18704 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 20240 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 20240 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 888080 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 888080 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 272648 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 272648 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 922384 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 922384 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 845584 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 845584 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 217864 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 217864 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 184080 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 184080 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 159504 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 159504 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-04-14 03:21 . 2008-09-10 01:16 1307648 d:\windows\system32\msxml6.dll
+ 2008-04-14 03:21 . 2008-09-10 01:16 1307648 d:\windows\system32\dllcache\msxml6.dll
- 2009-01-14 18:21 . 2009-04-29 18:01 1172240 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 1172240 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-14 18:21 . 2009-05-15 19:25 1165584 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-01-14 18:21 . 2009-04-29 18:01 1165584 d:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-28 15:07 . 2009-05-07 07:16 24699336 d:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "d:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]
"{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
2009-03-08 08:37 1883672 ----a-w d:\program files\Softonic_English_TC\tbSof1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4FF5F6EA-FFAF-43E5-9A01-361C0893C3E8}"= "d:\program files\Softonic_English_TC\tbSof1.dll" [2009-03-08 1883672]
[HKEY_CLASSES_ROOT\clsid\{4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SpywareTerminator"="d:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-15 2267136]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - d:\windows\soundman.exe [2006-08-03 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
d:\documents and settings\Paja\Nabídka Start\Programy\Po spuštění\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
d:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Strong\\StrongDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\HLSW\\hlsw.exe"=
"d:\\Program Files\\sixteen tons entertainment\\Emergency 4\\Em4.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"d:\\WINDOWS\\system32\\dllhost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16765:TCP"= 16765:TCP:BitComet 16765 TCP
"16765:UDP"= 16765:UDP:BitComet 16765 UDP
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [15.1.2009 8:45 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;d:\windows\system32\drivers\sp_rsdrv2.sys [15.1.2009 9:08 142592]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [15.1.2009 8:45 20560]
R2 ICQ Service;ICQ Service;d:\program files\ICQ6Toolbar\ICQ Service.exe [24.1.2009 21:16 222456]
R3 PSched;Plánovač paketů technologie QoS;d:\windows\system32\drivers\psched.sys [2.3.2006 14:00 69120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d67f742-e2d3-11dd-9ffe-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68641101-25aa-11de-a09a-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd1ec73f-31a4-11de-a0b9-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1cbc12d-ec7a-11dd-a014-000fea1ead6b}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL s.exe
.
Obsah adresáře 'Naplánované úlohy'
2009-05-16 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-23 15:20]
.
.
------- Doplňkový sken -------
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Winamp Search - d:\documents and settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - d:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - d:\documents and settings\Paja\Data aplikací\Mozilla\Firefox\Profiles\uklh3c6t.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: d:\documents and settings\Paja\Data aplikací\Mozilla\Firefox\Profiles\uklh3c6t.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: d:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: d:\program files\Opera\program\plugins\nprpjplug.dll
---- NASTAVENÍ FIREFOXU ----
d:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 07:32
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1292428093-1844823847-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6a,cb,51,11,ea,3f,be,30,0c,4a,8b,20,9b,07,df,02,8b,37,25,e5,96,a8,56,
41,9d,a4,c1,9d,e3,f4,87,5d,03,fc,94,e6,57,20,0a,38,a2,54,a3,8f,dc,55,54,d4,\
"??"=hex:36,43,1f,70,03,28,d0,83,98,3b,58,e2,d7,ad,bb,d1
[HKEY_USERS\S-1-5-21-1292428093-1844823847-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:75,68,88,53,1b,11,72,2c,cc,70,2a,87,31,3a,28,e7,32,9f,b3,07,d7,
f3,5d,39,c2,be,03,41,8b,16,8a,41,55,72,69,f1,8d,ce,94,ac,20,d3,b4,01,9e,f1,\
"rkeysecu"=hex:4b,b6,97,fc,61,62,00,b8,88,1e,74,9b,5c,65,97,8d
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(692)
d:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2252)
d:\progra~1\WINDOW~2\wmpband.dll
d:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
d:\program files\Common Files\Ahead\Lib\MFC71U.DLL
d:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-05-16 7:33
ComboFix-quarantined-files.txt 2009-05-16 05:33
ComboFix2.txt 2009-05-15 19:04
Před spuštěním: Volných bajtů: 51 470 503 936
Po spuštění: Volných bajtů: 51 460 096 000
237 --- E O F --- 2009-05-15 19:25
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:52, on 16.5.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ICQ6Toolbar\ICQ Service.exe
D:\WINDOWS\system32\oodag.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\explorer.exe
D:\TC UP\TOTALCMD.EXE
J:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.qip.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - D:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1952002968
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - D:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 9510 bytes
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1952002968
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - D:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 9510 bytes
- Damned
- Article author
- Master Level 9
- Posts: 8353
- Registered: December 06
- Location: Rokycany
- Status: Offline
Re: please check my log
Well, finally, now we have some services.
Run HJT and fix these (tick the box in front of the entry and press "Fix checked"):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.qip.ru
R3 - URLSearchHook: (no name) - - (no file)
O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe (file missing)
Also, I don't know what you have that adware for (I mean Crawler). If you don't need it to breathe, uninstall it.
Once you've done that, turn off System Restore.
Then download Killbox ↓, unpack the archive on the desktop, run Killbox and copy this path into the program's address line:
c:\windows\system32\wh18tokl.dll
Tick the "Delete on Reboot" box and press the white "X" in the red circle.
After the reboot, turn System Restore back on, then run Mbam and post its log here.
- Attachments
- KillBox.rar
- Killbox
- (89.29 KiB) Downloaded 13 times
Nothing is impossible, which is why, where we are at our wits' end, we don't hesitate to use a hammer.
If you want to know what's new, look in old books.
Damned's Czech localizations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localization, Wise Registry Cleaner
Re: please check my log
I did everything according to the instructions.
Attaching the Mbam log:
Malwarebytes' Anti-Malware 1.36
Database version: 2137
Windows 5.1.2600 Service Pack 3
16.5.2009 21:53:24
mbam-log-2009-05-16 (21-53-24).txt
Scan type: Quick Scan
Objects scanned: 91412
Time elapsed: 3 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
- Damned
Re: please check my log
There's nothing in Mbam; post an HJT log here as well so I can check it. Is it still doing any mischief?
Re: please check my log
Attaching the log; otherwise I think the PC runs fine now, hopefully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:06, on 17.5.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Program Files\ICQ6Toolbar\ICQ Service.exe
D:\WINDOWS\system32\oodag.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - D:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Softonic English TC Toolbar - {4ff5f6ea-ffaf-43e5-9a01-361c0893c3e8} - D:\Program Files\Softonic_English_TC\tbSof1.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1952002968
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - D:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 8671 bytes
- Damned
Re: please check my log
I don't see anything in the log anymore, so good luck surfing.