
Logs - Computers keep losing their network connection


  • Closed: this topic is closed
20 replies in this topic

#1 radkoman

    Beginner

  • 11 posts

Posted 27 05 2008 - 14:18

For some time now I've been fighting a certain problem without success.
In the office I have three computers and a network printer connected to a switch. About three weeks ago I noticed that all the computers on the office network lose their internet connection for a while; sometimes it was enough to switch one of them off at random and everything went back to normal. I decided to check pings to the switch (I believe it should be somewhere around 1 ms). Everything was as it should be, but I noticed that as soon as my computer or the laptop starts "working" louder, the pings rise to as much as 500 ms. As it turned out, after checking in Task Manager, certain processes were loading the CPU at 99%: mostly iexplorer (although I hadn't started it at all) or, less often, mstsc. It was enough to kill the offending process and everything went back to normal. It is also strange that the calculator (calc.exe) is running two or three times in the process list as an invisible process, even though I didn't launch it either! When I try to close one of the calculators it is automatically restarted. The printer doesn't work any more either.
I have Norton Internet Security 2006 installed on the computers with current virus definitions, I scan the system daily with MKS Online, I have SuperAntiSpyware 4.1.1046 installed as well as an up-to-date Spybot, but they don't show anything. Please help
Below I'm pasting a HijackThis log. If necessary I can also post a GMER log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11, on 2008-05-27
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\WINDOWS\system32\calc.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1045
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ustawienia Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Usługa Norton Protection Center (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Windows WorkGroup (svrhost) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\svrhost.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows. - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe

--
End of file - 12808 bytes

I'll add that in the IE folder I found several dozen files named down(*), where * is a number from 1 to fifty-something..... while browsing the folder contents Norton caught some junk in the form of the trojan "Infostealer.Gampass"...... I changed the firewall from Outpost to Kerio and blocked IE, maybe that will help...


#2 karolkuich

    Beginner

  • 141 posts

Posted 27 05 2008 - 18:37

The infection is:

O23 - Service: Windows WorkGroup (svrhost) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\svrhost.exe
O23 - Service: Windows. - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe


Download ComboFix and post the log. http://www.bezpieczenstwosystemow.pl/index.php?topic=18.0

Look for the program below in Add or Remove Programs and uninstall it. It's spyware.
Beforehand you can remove it from autostart by fixing this entry in HijackThis:

O4 - Startup: PowerReg Scheduler V3.exe



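The two O23 lines karolkuich points at can be found mechanically. The script below is an added example written for this page, not HijackThis code and not from the thread. It takes a handful of O23 lines copied from the log posted above, splits each into display name, publisher and binary path, and scores the cheap signals a reviewer checks by eye: no publisher recorded, a binary name one edit away from a core Windows binary (svrhost versus svchost), a doubled or trailing dot in the name (Windows., System..exe), and a service that calls itself Windows or sits under a Microsoft path without a publisher. The CORE_BINARIES list and the point values are this example's own assumptions.

```python
"""Score HijackThis O23 (service) lines for the signals karolkuich spotted by eye.

Added example for this thread; not HijackThis code. SAMPLE_O23 is copied from
the log posted above; CORE_BINARIES and the scores are this example's own
assumptions.
"""
from dataclasses import dataclass, field

SAMPLE_O23 = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows WorkGroup (svrhost) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\svrhost.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows. - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe
"""

# Names that malware imitates with a one-letter change (assumption: a short list for the example).
CORE_BINARIES = {"svchost", "services", "lsass", "csrss", "winlogon", "smss", "explorer", "spoolsv", "rundll32"}


@dataclass
class Service:
    name: str
    owner: str
    path: str

    @property
    def exe(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:
        e = self.exe.lower()
        return e[:-4] if e.endswith(".exe") else e


@dataclass
class Finding:
    service: Service
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_o23(line: str):
    """'O23 - Service: NAME - OWNER - PATH'. Split from the right so a NAME that
    itself contains ' - ' survives (a PATH containing ' - ' would not)."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    return Service(*(p.strip() for p in parts)) if len(parts) == 3 else None


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(svc: Service) -> Finding:
    f = Finding(svc)

    def hit(points: int, why: str) -> None:
        f.score += points
        f.reasons.append(why)

    unsigned = svc.owner == "Unknown owner"
    if unsigned:
        hit(1, "no publisher recorded")  # weak on its own: PnkBstrA and symlcsvc are legitimate
    if ".." in svc.exe or svc.name.endswith("."):
        hit(3, "doubled or trailing dot in name")  # 'Windows.' / 'System..exe'
    if svc.stem not in CORE_BINARIES and any(edit_distance(svc.stem, c) == 1 for c in CORE_BINARIES):
        hit(3, f"binary name one edit away from a core Windows binary ({svc.stem})")
    if unsigned and (svc.name.lower().startswith("windows") or "microsoft" in svc.path.lower()):
        hit(2, "claims Windows/Microsoft but has no publisher")
    return f


def triage(log_text: str) -> list:
    """All O23 lines with a non-zero score, worst first."""
    found = []
    for line in log_text.splitlines():
        svc = parse_o23(line.strip())
        if svc:
            f = assess(svc)
            if f.score:
                found.append(f)
    return sorted(found, key=lambda f: (-f.score, f.service.exe.lower()))


if __name__ == "__main__":
    for f in triage(SAMPLE_O23):
        print(f"{f.score:2d}  {f.service.exe:14s} {'; '.join(f.reasons)}")
```

Run against the sample, svrhost.exe and System..exe come out on top with three signals each, while PnkBstrA and symlcsvc score only the single weak "no publisher" point. That is the reason for stacking signals instead of acting on "Unknown owner" alone: the same log shows legitimate services with no publisher string.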

#3 wncvirus

    Lazybones!

  • 851 posts

Posted 27 05 2008 - 22:36

Maybe post the ComboFix logs, to be sure nothing is still sitting there (how to do it)

#4 radkoman

    Beginner

  • 11 posts

Posted 28 05 2008 - 08:14

I removed that nasty little thing from autostart with HijackThis, but I didn't find PowerReg Scheduler in Add/Remove Programs. Instead I found a single executable file called PowerReg in Application Data and deleted it. Here is the ComboFix log:

ComboFix 08-05-21.3 - Administrator 2008-05-28 8:10:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.452 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
.
---- Previous Run -------
.
C:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 13:03 . 2008-05-27 13:04 <DIR> d-------- C:\Program Files\Odkurzacz
2008-05-27 12:27 . 2008-05-27 12:27 <DIR> d-------- C:\Program Files\Kerio
2008-05-27 12:27 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2008-05-27 10:39 . 2008-05-27 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 11:26 . 2008-05-26 11:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-26 11:26 . 2008-05-26 11:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 11:05 . 2008-05-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage
2008-05-21 09:22 . 2008-05-21 09:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-21 09:04 . 2008-05-11 14:38 765,440 ---hs---- C:\WINDOWS\system32\_rejo.exe
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:05 . 2008-05-20 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 14:42 . 2008-05-20 14:42 <DIR> d-------- C:\HaxFix
2008-05-20 14:42 . 2008-05-20 14:41 449,462 --a------ C:\HaxFix.exe
2008-05-20 14:23 . 2008-05-20 14:27 <DIR> d-------- C:\fixwareout
2008-05-20 13:59 . 2008-05-27 13:18 394 --a------ C:\WINDOWS\gmer.ini
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-19 15:35 . 2008-04-14 22:51 32,866 --------- C:\WINDOWS\slrundll.exe
2008-05-19 15:29 . 2008-05-19 15:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-19 14:37 . 2008-05-19 20:30 760,832 ---hs---- C:\WINDOWS\system32\_System..exe
2008-05-19 10:57 . 2008-05-27 13:17 100 --a------ C:\index.ini
2008-05-19 10:53 . 2008-05-19 15:10 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-16 14:48 . 2008-05-16 14:56 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-14 12:26 . 2008-05-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Mikrotik
2008-05-09 15:29 . 2008-05-09 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ForgottenRiddles
2008-05-09 13:44 . 2008-05-09 13:44 <DIR> d-------- C:\Program Files\BFG
2008-04-30 15:19 . 2008-02-11 10:20 733,696 ---hs---- C:\WINDOWS\system32\_svrhost.exe
2008-04-30 15:19 . 2008-02-11 10:20 733,696 -r-h----- C:\svrhost.exe
2008-04-30 07:55 . 2008-05-27 13:15 <DIR> d-------- C:\Program Files\NAPI-PROJEKT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 06:02 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Leadertech
2008-05-28 05:35 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2008-05-27 13:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-27 11:15 --------- d-----w C:\Program Files\XviD
2008-05-27 11:15 --------- d-----w C:\Program Files\SopCast
2008-05-27 11:15 --------- d-----w C:\Program Files\FlashGet
2008-05-27 11:15 --------- d-----w C:\Program Files\BitComet
2008-05-27 11:15 --------- d-----w C:\Program Files\AVIcodec
2008-05-27 11:15 --------- d-----w C:\Program Files\Altiris
2008-05-27 11:15 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\LimeWire
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 12:44 --------- d-----w C:\Program Files\Folder Lock
2008-05-26 10:15 --------- d-----w C:\Program Files\Winamp
2008-05-26 10:09 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-05-21 05:55 --------- d-----w C:\Program Files\BearPaw 2400CU Plus
2008-05-21 05:54 --------- d-----w C:\Program Files\HPQ
2008-05-21 05:54 --------- d-----w C:\Program Files\eac
2008-05-21 05:54 --------- d-----w C:\Program Files\DivX
2008-05-16 13:06 --------- d-----w C:\Program Files\DAEMON Tools
2008-04-23 11:53 --------- d-----w C:\Program Files\Lizardtech
2008-04-23 11:53 --------- d-----w C:\Program Files\Common Files\LizardTech Shared
2008-04-15 13:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 20:52 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 20:52 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 20:52 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 20:52 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 20:51 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 20:51 285,696 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 20:51 149,504 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 20:51 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 20:51 1,035,264 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 20:04 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 20:03 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 20:03 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 20:03 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 20:03 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 19:52 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 19:52 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 19:50 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 19:48 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 19:47 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 19:46 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 19:46 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 19:41 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 19:41 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 19:39 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 19:35 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 19:35 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 19:33 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 19:31 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 19:30 701,440 ------w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-14 19:30 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 19:30 327,040 ------w C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-04-14 19:28 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 19:28 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 19:25 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 19:24 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 19:24 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 22:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 22:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 22:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 22:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 22:24 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 22:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-02-11 08:20 733,696 --sh--w C:\WINDOWS\system32\_svrhost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 22:51 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 16:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 16:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 16:23 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 14:26 13924864 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 15:23 86016]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 23:01 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 12:22 517768]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-10-30 00:40 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:40]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S2 svrhost;Windows WorkGroup;C:\Program Files\Common Files\Microsoft Shared\MSINFO\svrhost.exe [2008-02-11 10:20]
S2 Window;Window;C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejo.exe [2008-05-11 14:38]
S2 Windows.;Windows.;C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe [2008-05-19 20:30]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256af7e6-e8ee-11dc-8230-001635aea896}]
\Shell\Auto\command - F:\svrhost.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svrhost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e6ad6-21b5-11dd-8269-001635aea896}]
\Shell\Auto\command - F:\svrhost.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svrhost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0e752ec-fc66-11db-8141-001635aea896}]
\Shell\Auto\command - F:\svrhost.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svrhost.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Administrator.job"

#5 karolkuich

Beginner, 141 posts

Posted 28 05 2008 - 23:18

Paste this into Notepad:

File::
C:\svrhost.exe
C:\WINDOWS\system32\_svrhost.exe
C:\WINDOWS\system32\_System..exe
C:\WINDOWS\system32\_rejo.exe

Driver::
svrhost
System
rejo

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256af7e6-e8ee-11dc-8230-001635aea896}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6e6ad6-21b5-11dd-8269-001635aea896}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0e752ec-fc66-11db-8141-001635aea896}]


Save it as CFScript.txt, then drag and drop it onto the ComboFix icon.
Paste the log produced by the removal run on the forum.

Check the pendrive with this program: Flash Disinfector
Read: http://www.searchengines.pl/index.php?show...t=0#entry369724
Download: http://www.techsupportforum.com/sectools/s...Disinfector.exe
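A triage script, added here as an example (it is not karolkuich's script nor part of ComboFix), that parses service lines and MountPoints2 autorun entries in the shape of the log above, flags the planted ones, and renders the matching File::/Driver::/Registry:: sections in the CFScript form used in this thread. The sample log text is constructed from the entries quoted above, and the suspicion heuristics are this example's own assumptions, not ComboFix rules.

```python
"""Triage of ComboFix/HijackThis-style service and MountPoints2 lines.

Added example, not ComboFix's code. It flags services that look planted
(name tricks, lookalike file names, an .exe started as a service from the
MSINFO folder) and any MountPoints2 Shell\\...\\command autorun hook, then
prints CFScript sections in the File::/Driver::/Registry:: layout.
"""
import difflib
import re

# Constructed sample: the same shape as the log pasted in the thread.
SAMPLE_LOG = r"""
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S2 svrhost;Windows WorkGroup;C:\Program Files\Common Files\Microsoft Shared\MSINFO\svrhost.exe [2008-02-11 10:20]
S2 Window;Window;C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejo.exe [2008-05-11 14:38]
S2 Windows.;Windows.;C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe [2008-05-19 20:30]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256af7e6-e8ee-11dc-8230-001635aea896}]
\Shell\Auto\command - F:\svrhost.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svrhost.exe
"""

# "S2 name;display;path [yyyy-mm-dd hh:mm]" (path may be quoted)
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);"?(.+?)"?\s+\[([\d: -]+)\]$')
MOUNTPOINT_RE = re.compile(
    r'^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion'
    r'\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$', re.I)
AUTORUN_RE = re.compile(r'^\\Shell\\(\w+)\\command\s+-\s+(.+)$')

# Genuine Windows binaries whose names malware tends to be one letter away from.
SYSTEM_BINARIES = ["svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "spoolsv.exe"]


def suspicious_service_reasons(name, display, path):
    """Return the reasons a service line looks planted (heuristics assumed here)."""
    reasons = []
    basename = path.rsplit("\\", 1)[-1]
    low = basename.lower()
    if name.endswith(".") or display.endswith("."):
        reasons.append("service name ends with a dot (mimics a Windows name)")
    if ".." in basename:
        reasons.append("doubled dot in executable name")
    lookalike = difflib.get_close_matches(low, SYSTEM_BINARIES, n=1, cutoff=0.85)
    if lookalike and low not in SYSTEM_BINARIES:
        reasons.append("file name is a near miss for %s" % lookalike[0])
    if (low.endswith(".exe") and low != "msinfo32.exe"
            and "\\common files\\microsoft shared\\msinfo\\" in path.lower()):
        reasons.append("unexpected .exe started as a service from the MSINFO folder")
    return reasons


def triage(log_text):
    """Collect flagged services and MountPoints2 autorun hooks from the log text."""
    findings = {"services": [], "mountpoints": []}
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            _start, _kind, name, display, path, _stamp = m.groups()
            reasons = suspicious_service_reasons(name, display, path)
            if reasons:
                findings["services"].append({"name": name, "path": path, "reasons": reasons})
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            current_key = m.group(1)
            findings["mountpoints"].append({"key": current_key, "commands": []})
            continue
        m = AUTORUN_RE.match(line)
        if m and current_key:
            findings["mountpoints"][-1]["commands"].append((m.group(1), m.group(2)))
            continue
        if not line:
            current_key = None  # a blank line closes the current registry block
    return findings


def build_cfscript(findings):
    """Render the findings in the CFScript section layout used in the thread."""
    files = [s["path"] for s in findings["services"]]
    drivers = [s["name"] for s in findings["services"]]
    keys = [mp["key"] for mp in findings["mountpoints"] if mp["commands"]]
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if drivers:
        parts.append("Driver::\n" + "\n".join(drivers))
    if keys:
        parts.append("Registry::\n" + "\n".join("[-%s]" % k for k in keys))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["services"]:
        print("SUSPECT SERVICE %-9s %s" % (svc["name"], svc["path"]))
        for reason in svc["reasons"]:
            print("    - " + reason)
    for mp in result["mountpoints"]:
        for verb, cmd in mp["commands"]:
            print("AUTORUN HOOK  Shell\\%s\\command -> %s" % (verb, cmd))
    print("\n--- CFScript.txt ---")
    print(build_cfscript(result), end="")
```

The Driver:: section uses the real service names from the log (here Window and Windows.), which is what ComboFix needs to remove the service entries.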

#6 radkoman

Beginner, 11 posts

Posted 29 05 2008 - 10:33

ComboFix log after the recommended procedure:

ComboFix 08-05-21.3 - Administrator 2008-05-29 8:16:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.443 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\svrhost.exe
C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_svrhost.exe
C:\WINDOWS\system32\_System..exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\svrhost.exe
C:\WINDOWS\system32\_svrhost.exe
C:\WINDOWS\system32\_rejo.exe . . . . failed to delete
C:\WINDOWS\system32\_System..exe . . . . failed to delete
.
---- Previous Run -------
.
C:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Legacy_SVRHOST
-------\Service_navapsvc
-------\Service_svrhost


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 08:20 . 2008-05-11 14:38 765,440 --------- C:\WINDOWS\system32\_rejo.exe
2008-05-29 08:20 . 2008-05-19 20:30 760,832 --------- C:\WINDOWS\system32\_System..exe
2008-05-29 08:13 . 2008-05-29 08:15 13,140 --a------ C:\WINDOWS\system32\Down(2).exe
2008-05-28 14:40 . 2008-05-28 14:43 <DIR> d-------- C:\Rune
2008-05-27 13:03 . 2008-05-27 13:04 <DIR> d-------- C:\Program Files\Odkurzacz
2008-05-27 12:27 . 2008-05-27 12:27 <DIR> d-------- C:\Program Files\Kerio
2008-05-27 12:27 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2008-05-27 10:39 . 2008-05-27 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 11:26 . 2008-05-26 11:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-26 11:26 . 2008-05-26 11:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 11:05 . 2008-05-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage
2008-05-21 09:22 . 2008-05-21 09:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:05 . 2008-05-20 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 14:42 . 2008-05-20 14:42 <DIR> d-------- C:\HaxFix
2008-05-20 14:42 . 2008-05-20 14:41 449,462 --a------ C:\HaxFix.exe
2008-05-20 14:23 . 2008-05-20 14:27 <DIR> d-------- C:\fixwareout
2008-05-20 13:59 . 2008-05-27 13:18 394 --a------ C:\WINDOWS\gmer.ini
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-19 15:35 . 2008-04-14 22:51 32,866 --------- C:\WINDOWS\slrundll.exe
2008-05-19 15:29 . 2008-05-19 15:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-19 10:57 . 2008-05-27 13:17 100 --a------ C:\index.ini
2008-05-19 10:53 . 2008-05-19 15:10 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-16 14:48 . 2008-05-16 14:56 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-14 12:26 . 2008-05-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Mikrotik
2008-05-09 15:29 . 2008-05-09 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ForgottenRiddles
2008-05-09 13:44 . 2008-05-09 13:44 <DIR> d-------- C:\Program Files\BFG
2008-04-30 07:55 . 2008-05-27 13:15 <DIR> d-------- C:\Program Files\NAPI-PROJEKT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 05:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-29 05:42 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2008-05-28 06:02 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Leadertech
2008-05-27 11:15 --------- d-----w C:\Program Files\XviD
2008-05-27 11:15 --------- d-----w C:\Program Files\SopCast
2008-05-27 11:15 --------- d-----w C:\Program Files\FlashGet
2008-05-27 11:15 --------- d-----w C:\Program Files\BitComet
2008-05-27 11:15 --------- d-----w C:\Program Files\AVIcodec
2008-05-27 11:15 --------- d-----w C:\Program Files\Altiris
2008-05-27 11:15 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\LimeWire
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 12:44 --------- d-----w C:\Program Files\Folder Lock
2008-05-26 10:15 --------- d-----w C:\Program Files\Winamp
2008-05-26 10:09 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-05-21 05:55 --------- d-----w C:\Program Files\BearPaw 2400CU Plus
2008-05-21 05:54 --------- d-----w C:\Program Files\HPQ
2008-05-21 05:54 --------- d-----w C:\Program Files\eac
2008-05-21 05:54 --------- d-----w C:\Program Files\DivX
2008-05-16 13:06 --------- d-----w C:\Program Files\DAEMON Tools
2008-04-23 11:53 --------- d-----w C:\Program Files\Lizardtech
2008-04-23 11:53 --------- d-----w C:\Program Files\Common Files\LizardTech Shared
2008-04-15 13:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 20:52 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 20:52 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 20:52 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 20:52 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 20:51 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 20:51 285,696 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 20:51 149,504 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 20:51 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 20:51 1,035,264 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 20:49 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 20:49 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 20:49 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 20:49 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 20:49 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 20:49 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-04-14 20:04 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 20:03 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 20:03 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 20:03 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 20:03 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 19:52 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 19:52 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 19:50 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 19:48 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 19:47 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 19:46 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 19:46 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 19:41 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 19:41 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 19:39 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 19:35 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 19:35 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 19:33 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 19:31 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 19:30 701,440 ------w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-14 19:30 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 19:30 327,040 ------w C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-04-14 19:28 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 19:28 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 19:25 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 19:24 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 19:24 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-28_ 8.16.09.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-28 06:13:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 06:20:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 22:51 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 16:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 16:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 16:23 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 14:26 13924864 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 15:23 86016]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 23:01 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 12:22 517768]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-10-30 00:40 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:40]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S2 Window;Window;C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejo.exe [2008-05-11 14:38]
S2 Windows.;Windows.;C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe [2008-05-19 20:30]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Administrator.job"


And one more thing: after downloading Flash Disinfector, Norton reported that it is infected with the w32.SillyFDS virus. Is that normal?

#7 karolkuich

Beginner, 141 posts

Posted 29 05 2008 - 18:16

If Combo cannot remove them this time, we will move to Safe Mode. For now, stay in normal mode.

Paste this into Notepad:

File::
C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_System..exe
C:\WINDOWS\system32\Down(2).exe

Driver::
rejo
System.


Save it as CFScript.txt, then drag and drop it onto the ComboFix icon.

Do you recognise this?

C:\Rune

It is a folder on drive C, created on 2008-05-28.

Norton reported that it is infected with the w32.SillyFDS virus. Is that normal?

Yes. ComboFix can also be seen by antivirus programs as a virus, even though it is not one at all. These tools are built much like malicious software, hence the alarms.
That is why you should disable Norton's real-time protection before running cleaners (including Combo).

#8 radkoman

Beginner, 11 posts

Posted 30 05 2008 - 08:29

The Rune directory was created temporarily by me.

New ComboFix log:

ComboFix 08-05-21.3 - Administrator 2008-05-30 8:11:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.496 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_System..exe
C:\WINDOWS\system32\Down(2).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Down(2).exe
C:\WINDOWS\system32\_rejo.exe . . . . failed to delete
C:\WINDOWS\system32\_System..exe . . . . failed to delete
.
---- Previous Run -------
.
C:\Autorun.inf
C:\svrhost.exe
C:\WINDOWS\system32\_svrhost.exe
C:\WINDOWS\system32\_rejo.exe . . . . failed to delete
C:\WINDOWS\system32\_System..exe . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Legacy_SVRHOST
-------\Service_navapsvc
-------\Service_svrhost
-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 08:15 . 2008-05-11 14:38 765,440 --------- C:\WINDOWS\system32\_rejo.exe
2008-05-30 08:15 . 2008-05-19 20:30 760,832 --------- C:\WINDOWS\system32\_System..exe
2008-05-27 13:03 . 2008-05-27 13:04 <DIR> d-------- C:\Program Files\Odkurzacz
2008-05-27 12:27 . 2008-05-27 12:27 <DIR> d-------- C:\Program Files\Kerio
2008-05-27 12:27 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2008-05-27 10:39 . 2008-05-27 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 11:26 . 2008-05-26 11:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-26 11:26 . 2008-05-26 11:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 11:05 . 2008-05-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage
2008-05-21 09:22 . 2008-05-21 09:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:05 . 2008-05-20 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 14:42 . 2008-05-20 14:42 <DIR> d-------- C:\HaxFix
2008-05-20 14:42 . 2008-05-20 14:41 449,462 --a------ C:\HaxFix.exe
2008-05-20 14:23 . 2008-05-20 14:27 <DIR> d-------- C:\fixwareout
2008-05-20 13:59 . 2008-05-27 13:18 394 --a------ C:\WINDOWS\gmer.ini
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-19 15:35 . 2008-04-14 22:51 32,866 --------- C:\WINDOWS\slrundll.exe
2008-05-19 15:29 . 2008-05-19 15:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-19 10:57 . 2008-05-27 13:17 100 --a------ C:\index.ini
2008-05-19 10:53 . 2008-05-19 15:10 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-16 14:48 . 2008-05-16 14:56 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-14 12:26 . 2008-05-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Mikrotik
2008-05-09 15:29 . 2008-05-09 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ForgottenRiddles
2008-04-30 07:55 . 2008-05-27 13:15 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-04-23 13:53 . 2008-04-23 13:53 <DIR> d-------- C:\Program Files\Common Files\LizardTech Shared
2008-04-14 22:51 . 2008-04-14 22:51 20,992 --------- C:\WINDOWS\system32\spupdwxp.exe
2008-04-14 22:51 . 2008-04-14 22:51 20,992 --------- C:\WINDOWS\system32\faxpatch.exe
2008-04-14 22:51 . 2008-04-14 22:51 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-04-14 22:05 . 2008-04-14 22:05 1,950 --------- C:\WINDOWS\system32\pid.inf
2008-04-12 03:00 . 2008-04-23 13:10 <DIR> d-------- C:\671a4d9a9dce85e7cd73b67391c3b554

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 13:46 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2008-05-29 13:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 06:02 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Leadertech
2008-05-27 11:15 --------- d-----w C:\Program Files\XviD
2008-05-27 11:15 --------- d-----w C:\Program Files\SopCast
2008-05-27 11:15 --------- d-----w C:\Program Files\FlashGet
2008-05-27 11:15 --------- d-----w C:\Program Files\BitComet
2008-05-27 11:15 --------- d-----w C:\Program Files\AVIcodec
2008-05-27 11:15 --------- d-----w C:\Program Files\Altiris
2008-05-27 11:15 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\LimeWire
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 12:44 --------- d-----w C:\Program Files\Folder Lock
2008-05-26 10:15 --------- d-----w C:\Program Files\Winamp
2008-05-26 10:09 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-05-21 05:54 --------- d-----w C:\Program Files\HPQ
2008-05-21 05:54 --------- d-----w C:\Program Files\eac
2008-05-21 05:54 --------- d-----w C:\Program Files\DivX
2008-05-16 13:06 --------- d-----w C:\Program Files\DAEMON Tools
2008-04-23 11:53 --------- d-----w C:\Program Files\Lizardtech
2008-04-15 13:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 20:52 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 20:52 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 20:52 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 20:52 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 20:51 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 20:51 285,696 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 20:51 149,504 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 20:51 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 20:51 1,035,264 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 20:04 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 20:03 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 20:03 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 20:03 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 20:03 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 19:52 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 19:52 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 19:50 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 19:48 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 19:47 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 19:46 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 19:46 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 19:41 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 19:41 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 19:39 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 19:35 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 19:35 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 19:33 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 19:31 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 19:30 701,440 ------w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-14 19:30 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 19:30 327,040 ------w C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-04-14 19:28 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 19:28 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 19:25 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 19:24 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 19:24 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 22:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 22:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 22:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 22:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 22:24 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 22:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 22:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 22:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-28_ 8.16.09.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-28 06:13:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 06:14:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 22:51 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 16:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 16:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 16:23 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 14:26 13924864 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 15:23 86016]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 23:01 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 12:22 517768]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-10-30 00:40 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:40]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S2 Window;Window;C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejo.exe [2008-05-11 14:38]
S2 Windows.;Windows.;C:\Program Files\Common Files\Microsoft Shared\MSINFO\System..exe [2008-05-19 20:30]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Administrator.job"

#9 karolkuich (Beginner, 141 posts)

Posted 30 05 2008 - 18:40

Unfortunately Combo crashes during removal, or... Oh well. Let's try a different approach:

Download:
1. http://www.bezpieczenstwosystemow.pl/index.php?topic=3198.0 (the Kaspersky scan may take a long time)
2. http://www.bezpieczenstwosystemow.pl/index.php?topic=3195.0
3. http://cybertrash.pl/Tata/TESTY/Dr.Web%20C...%20CureIt_.html

And finally ComboFix in Safe Mode. We repeat the removal script:

File::
C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_System..exe

Driver::
rejo
System.


ComboFix lists changes to programs at most three months back, so not everything may be visible in the log.

Do you recognize this? It looks like a licence code:

C:\671a4d9a9dce85e7cd73b67391c3b554


Post the logs from all the programs. Good luck.

#10 radkoman (Beginner, 11 posts)

Posted 03 06 2008 - 13:30

here are the logs:

1. Kaspersky Virus Removal Tool

Scan
----
Scanned: 926172
Detected: 25
Untreated: 24
Start time: 2008-06-03 08:16
Duration: 03:38:32
Finish time: 2008-06-03 11:54


Detected
--------
Status Object
------ ------
will be deleted when the computer is restarted: Trojan program Backdoor.Win32.Hupigon.axor File: c:\program files\common files\microsoft shared\msinfo\svrhost.exe//ASPack//PE_Patch
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: c:\program files\common files\microsoft shared\msinfo\rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: c:\program files\common files\microsoft shared\msinfo\system..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axor File: C:\svrhost.exe//ASPack//PE_Patch
detected: Trojan program Trojan-Dropper.Win32.Agent.dwb File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\10CF5CB3.exe//CryptFF
detected: Trojan program Trojan.Win32.DNSChanger.jb File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\20882A90//CryptFF//stream//Script
detected: Trojan program Trojan.Win32.DNSChanger.jb File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\20882A90.exe//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\596E541B.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\769C681D.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\76A9100F.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\76AC3A0B.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\76CD5DE7.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\78A625DE.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\7BD37C5F.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\7BDA5058.EXE//CryptFF
detected: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\7DEB6212.EXE//CryptFF
detected: Trojan program Trojan-Dropper.Win32.Mudrop.dv File: C:\Downloads\WinRAR.3.62.PL.Full\winrar.3.62.final.pl-patch.exe
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-29_ 81849.84.zip/_rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axor File: C:\QooBox\Quarantine\catchme2008-05-29_ 81849.84.zip/_svrhost.exe//ASPack//PE_Patch
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-29_ 81849.84.zip/_System..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-30_ 81336.29.zip/_rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-30_ 81336.29.zip/_System..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\WINDOWS\system32\_rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axor File: C:\WINDOWS\system32\_svrhost.exe//ASPack//PE_Patch
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\WINDOWS\system32\_System..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//

After repair:

Scan
----
Scanned: 926172
Detected: 25
Untreated: 2
Start time: 2008-06-03 08:16
Duration: 03:38:32
Finish time: 2008-06-03 11:54


Detected
--------
Status Object
------ ------
will be deleted when the computer is restarted: Trojan program Backdoor.Win32.Hupigon.axor File: c:\program files\common files\microsoft shared\msinfo\svrhost.exe//ASPack//PE_Patch
deleted: Trojan program Backdoor.Win32.Hupigon.axbr File: c:\program files\common files\microsoft shared\msinfo\rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
will be deleted when the computer is restarted: Trojan program Backdoor.Win32.Hupigon.axbr File: c:\program files\common files\microsoft shared\msinfo\system..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
deleted: Trojan program Backdoor.Win32.Hupigon.axor File: C:\svrhost.exe//ASPack//PE_Patch
deleted: Trojan program Trojan-Dropper.Win32.Agent.dwb File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\10CF5CB3.exe//CryptFF
deleted: Trojan program Trojan.Win32.DNSChanger.jb File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\20882A90//CryptFF//stream//Script
deleted: Trojan program Trojan.Win32.DNSChanger.jb File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\20882A90.exe//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\596E541B.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\769C681D.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\76A9100F.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\76AC3A0B.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\76CD5DE7.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\78A625DE.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\7BD37C5F.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\7BDA5058.EXE//CryptFF
deleted: Trojan program Backdoor.Win32.Hupigon.lnu File: C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\7DEB6212.EXE//CryptFF
deleted: Trojan program Trojan-Dropper.Win32.Mudrop.dv File: C:\Downloads\WinRAR.3.62.PL.Full\winrar.3.62.final.pl-patch.exe
deleted: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-29_ 81849.84.zip/_rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
deleted: Trojan program Backdoor.Win32.Hupigon.axor File: C:\QooBox\Quarantine\catchme2008-05-29_ 81849.84.zip/_svrhost.exe//ASPack//PE_Patch
deleted: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-29_ 81849.84.zip/_System..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
deleted: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-30_ 81336.29.zip/_rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
deleted: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\QooBox\Quarantine\catchme2008-05-30_ 81336.29.zip/_System..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
will be deleted when the computer is restarted: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\WINDOWS\system32\_rejo.exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE
detected: Trojan program Backdoor.Win32.Hupigon.axor File: C:\WINDOWS\system32\_svrhost.exe//ASPack//PE_Patch
detected: Trojan program Backdoor.Win32.Hupigon.axbr File: C:\WINDOWS\system32\_System..exe//PE_Patch//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE//PE_Patch.MaskPE


2. SDFix in Safe Mode:


SDFix: Version 1.187
Run by Administrator on 2008-06-03 at 12:43

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\t\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 12:51:44
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\Administrator\ntuser.dat, 3
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 3 Jun 2008 765,440 ..SH. --- "C:\WINDOWS\system32\_rejo.exe"
Tue 3 Jun 2008 733,696 A.SH. --- "C:\WINDOWS\system32\_svrhost.exe"
Tue 3 Jun 2008 760,832 A.SH. --- "C:\WINDOWS\system32\_System..exe"
Tue 3 Jun 2008 765,440 A.SH. --- "C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejo.exe"

Finished!

3. ComboFix in Safe Mode

ComboFix 08-06-01.6 - Administrator 2008-06-03 13:28:14.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.796 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_System..exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_System..exe
.
---- Previous Run -------
.
C:\Autorun.inf
C:\svrhost.exe
C:\WINDOWS\system32\_svrhost.exe
C:\WINDOWS\system32\Down(2).exe
C:\WINDOWS\system32\_rejo.exe . . . . failed to delete
C:\WINDOWS\system32\_System..exe . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Service_navapsvc
-------\Legacy_NAVAPSVC
-------\Legacy_SVRHOST
-------\Service_navapsvc
-------\Service_svrhost
-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 12:59 . 2008-06-03 13:01 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-06-03 12:40 . 2008-06-03 12:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 08:15 . 2008-06-03 13:23 223,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-03 08:15 . 2008-06-03 13:23 3,692 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-03 07:51 . 2008-06-03 07:51 <DIR> d-------- C:\t
2008-05-30 11:07 . 2008-06-03 11:52 733,696 --ahs---- C:\WINDOWS\system32\_svrhost.exe
2008-05-28 08:11 . 2008-05-30 08:13 53,248 --a------ C:\WINDOWS\psexesvc.#xe
2008-05-27 13:03 . 2008-06-03 07:37 <DIR> d-------- C:\Program Files\Odkurzacz
2008-05-27 12:27 . 2008-05-30 11:09 <DIR> d-------- C:\Program Files\Kerio
2008-05-27 10:39 . 2008-05-27 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 11:26 . 2008-05-26 11:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-26 11:26 . 2008-05-26 11:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 11:05 . 2008-05-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage
2008-05-21 09:22 . 2008-05-21 09:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:05 . 2008-05-20 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 14:42 . 2008-05-20 14:42 <DIR> d-------- C:\HaxFix
2008-05-20 14:42 . 2008-05-20 14:41 449,462 --a------ C:\HaxFix.exe
2008-05-20 14:23 . 2008-05-20 14:27 <DIR> d-------- C:\fixwareout
2008-05-20 13:59 . 2008-05-27 13:18 394 --a------ C:\WINDOWS\gmer.ini
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Search Settings
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-19 15:35 . 2008-04-14 22:51 32,866 --------- C:\WINDOWS\slrundll.exe
2008-05-19 15:29 . 2008-05-19 15:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-19 10:57 . 2008-05-27 13:17 100 --a------ C:\index.ini
2008-05-19 10:53 . 2008-05-19 15:10 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-16 14:48 . 2008-05-16 14:56 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-14 12:26 . 2008-05-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Mikrotik
2008-05-09 15:29 . 2008-05-09 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ForgottenRiddles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 11:25 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2008-06-03 11:13 498 ----a-w C:\sccfg.sys
2008-06-03 05:51 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 05:51 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 05:51 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 05:51 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 05:51 --------- d-----w C:\Program Files\Symantec
2008-06-03 05:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-30 11:20 --------- d-----w C:\Program Files\Folder Lock
2008-05-28 06:02 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Leadertech
2008-05-27 11:15 --------- d-----w C:\Program Files\XviD
2008-05-27 11:15 --------- d-----w C:\Program Files\SopCast
2008-05-27 11:15 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-05-27 11:15 --------- d-----w C:\Program Files\FlashGet
2008-05-27 11:15 --------- d-----w C:\Program Files\BitComet
2008-05-27 11:15 --------- d-----w C:\Program Files\AVIcodec
2008-05-27 11:15 --------- d-----w C:\Program Files\Altiris
2008-05-27 11:15 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\LimeWire
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 10:15 --------- d-----w C:\Program Files\Winamp
2008-05-26 10:09 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-05-21 05:54 --------- d-----w C:\Program Files\HPQ
2008-05-21 05:54 --------- d-----w C:\Program Files\eac
2008-05-21 05:54 --------- d-----w C:\Program Files\DivX
2008-05-16 13:06 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-16 06:35 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-23 11:53 --------- d-----w C:\Program Files\Lizardtech
2008-04-23 11:53 --------- d-----w C:\Program Files\Common Files\LizardTech Shared
2008-04-15 13:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 21:16 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 20:56 332,288 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 20:52 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 20:52 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 20:52 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 20:52 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 20:52 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 20:52 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 20:52 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 20:50 999,936 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-04-14 20:49 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 20:48 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2008-04-14 20:48 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-14 20:48 1,449,472 ----a-w C:\WINDOWS\system32\winntbbu.dll
2008-04-14 20:47 57,375 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 20:43 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 20:42 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 20:36 3,584 ----a-w C:\WINDOWS\system32\icmp.dll
2008-04-14 20:35 9,344 ----a-w C:\WINDOWS\system32\framebuf.dll
2008-04-14 20:35 569,856 ----a-w C:\WINDOWS\system32\gpedit.dll
2008-04-14 20:33 3,072 ----a-w C:\WINDOWS\system32\dpnlobby.dll
2008-04-14 20:33 3,072 ----a-w C:\WINDOWS\system32\dpnaddr.dll
2008-04-14 20:31 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2008-04-14 20:30 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2008-04-14 20:04 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 20:03 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 20:03 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 20:03 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 20:03 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 19:59 2,146,816 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 19:59 2,025,472 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 19:55 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-14 19:52 89,600 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-14 19:52 89,600 ------w C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-04-14 19:52 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 19:52 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 19:50 80,896 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-14 19:50 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 19:48 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 19:47 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 19:46 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 19:46 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 19:45 49,664 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-14 19:43 563,200 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-14 19:41 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 19:41 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 19:39 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 19:37 10,240 ----a-w C:\WINDOWS\system32\gpkrsrc.dll
2008-04-14 19:35 67,584 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-14 19:35 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 19:35 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 19:35 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 19:33 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 19:31 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 19:30 701,440 ------w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-14 19:30 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 19:30 327,040 ------w C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-04-14 19:28 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 19:28 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 19:25 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 19:24 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 19:24 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-28_ 8.16.09.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-28 06:13:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-03 11:24:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 17:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-03 10:40:32 8,474,624 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-06-03 10:40:32 528,384 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-01 17:12:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-03 10:40:30 8,474,624 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-06-03 10:40:30 528,384 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-02-11 08:20:40 733,696 --sh--w C:\WINDOWS\system32\_svrhost.exe
+ 2008-06-03 09:52:11 733,696 --sha-w C:\WINDOWS\system32\_svrhost.exe
- 2002-04-15 10:28:32 102,912 ------w C:\WINDOWS\system32\drivers\FWDRV.SYS
+ 2004-11-02 08:00:52 262,144 ----a-w C:\WINDOWS\system32\drivers\fwdrv.sys
+ 2007-07-05 12:34:52 134,160 ----a-w C:\WINDOWS\system32\drivers\klif.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 22:51 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 16:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 16:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 16:23 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 14:26 13924864 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 15:23 86016]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 23:01 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 12:22 517768]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-10-30 00:40 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-11-02 10:00]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:40]
S2 setup_7.0.0.180_18.05.2008_22-36;setup_7.0.0.180_18.05.2008_22-36;"C:\Documents and Settings\All Users\Pulpit\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe" -r []
S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Administrator.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exef/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 13:30:03
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 13:31:01
ComboFix-quarantined-files.txt 2008-06-03 11:30:45

Pre-Run: 90,817,560,576 bytes free
Post-Run: 90,827,440,128 bytes free

272 --- E O F --- 2008-05-16 10:33:55


Unfortunately, I did not manage to produce a log from CureIt.

#11 karolkuich, Beginner, 141 posts, posted 03 06 2008 - 22:40

Removal in ComboFix is not working either. The services have been removed, though, so maybe it will be easier now.

You will have to try doing it manually.

Boot into Safe Mode and look for these files:

C:\WINDOWS\system32\_rejo.exe
C:\WINDOWS\system32\_System..exe

Then try to delete them with Shift+Delete.

Report back on the results of the deletion.


#12 radkoman, Beginner, 11 posts, posted 04 06 2008 - 12:43

The best part is that those files are not in the system32 folder (hidden files are shown too)...

After searching it turned out that:

rejo.exe (I don't know whether it is "the" file) sits in C:\Program Files\Common Files\Microsoft Shared\MSInfo

whereas SYSTEM..EXE-154CB5FF.pf (again, I don't know whether that is what is meant) is in C:\WINDOWS\Prefetch

I am 99% convinced that Backdoor.Win32.Hupigon.axor and its relatives spread on my machines through a flash drive: when scanning, Kaspersky Virus Removal Tool always shows the flash drive as infected, and even a treatment with Flash_Disinfector does not help at all...

EDIT>
After rescanning with KVRT the flash drive is clean now, though. Unfortunately the file svrhost.exe was deleted, and that is probably why I can't open the stick with a double-click, only via Explore. Could something be done about that while we're at it?


#13 karolkuich, Beginner, 141 posts, posted 04 06 2008 - 19:19

> The best part is that those files are not in the system32 folder (hidden files are shown too)...


You have to enable showing protected operating system files, because it has the system attribute (the red s):

--ahs---- C:\WINDOWS\system32\_svrhost.exe

Look for files with these names in the System32 folder:

_svrhost.exe
_rejo.exe
_System..exe


Delete "C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejo.exe" as well.

Delete in Safe Mode, remember that!

C:\Windows\Prefetch: open it and delete everything in it.

Also use the Search function; files with those names may still be sitting somewhere else.

Also clean the system with this program: http://cybertrash.pl/images/tata/CCleaner/CCleaner.html

Once you have done all that (if it works):

Start Menu >> Run, type ComboFix /u and press Enter. Delete the C:\Qoobox folder.

Finally, turn System Restore off for a moment and back on again.

Download ComboFix again and run a scan: http://www.bezpieczenstwosystemow.pl/index.php?topic=18.0



> and even a treatment with Flash_Disinfector does not help at all...

Disinfector doesn't remove everything either. In this case only formatting the pendrive will neutralise the virus.

> and that is probably why I can't open the stick with a double-click, only via Explore. Could something be done about that while we're at it?

Thanks to that the virus will not install itself on the computer automatically, right after plugging it in.

#14 radkoman, Beginner, 11 posts, posted 05 06 2008 - 08:59

I did everything except the last instruction. Unfortunately ComboFix cannot be downloaded from the location given.

#15 karolkuich, Beginner, 141 posts, posted 05 06 2008 - 16:18

This one should work: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

#16 radkoman, Beginner, 11 posts, posted 06 06 2008 - 10:17

Thanks. I got a bit scared reading the ending about the disk errors. Here is the log:

ComboFix 08-06-05.3 - Administrator 2008-06-06 10:02:46.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.210 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-05 08:20 . 2008-06-05 08:20 <DIR> d-------- C:\Program Files\CCleaner
2008-06-04 12:46 . 2008-06-04 12:46 7,168 --a------ C:\WINDOWS\system32\drivers\utexnjq5.sys
2008-06-03 12:59 . 2008-06-03 13:01 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-06-03 12:40 . 2008-06-03 12:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 08:15 . 2008-06-05 15:26 630,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-03 08:15 . 2008-06-05 15:26 7,628 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-03 07:51 . 2008-06-03 07:51 <DIR> d-------- C:\t
2008-05-28 08:11 . 2008-05-30 08:13 53,248 --a------ C:\WINDOWS\psexesvc.#xe
2008-05-27 13:03 . 2008-06-03 07:37 <DIR> d-------- C:\Program Files\Odkurzacz
2008-05-27 12:27 . 2008-05-30 11:09 <DIR> d-------- C:\Program Files\Kerio
2008-05-27 10:39 . 2008-05-27 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 11:26 . 2008-05-26 11:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-26 11:26 . 2008-05-26 11:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 11:05 . 2008-05-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage
2008-05-21 09:22 . 2008-05-21 09:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-20 15:06 . 2008-06-04 07:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:05 . 2008-05-20 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 14:42 . 2008-05-20 14:42 <DIR> d-------- C:\HaxFix
2008-05-20 14:42 . 2008-05-20 14:41 449,462 --a------ C:\HaxFix.exe
2008-05-20 14:23 . 2008-05-20 14:27 <DIR> d-------- C:\fixwareout
2008-05-20 13:59 . 2008-05-27 13:18 394 --a------ C:\WINDOWS\gmer.ini
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Search Settings
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-19 15:35 . 2008-04-14 22:51 32,866 --------- C:\WINDOWS\slrundll.exe
2008-05-19 15:29 . 2008-05-19 15:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-19 10:57 . 2008-05-27 13:17 100 --a------ C:\index.ini
2008-05-19 10:53 . 2008-05-19 15:10 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-16 14:48 . 2008-05-16 14:56 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-14 12:26 . 2008-05-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Mikrotik
2008-05-09 15:29 . 2008-05-09 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ForgottenRiddles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 05:43 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2008-06-05 08:21 --------- d-----w C:\Program Files\FlashGet
2008-06-05 06:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-05 06:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-04 09:08 --------- d-----w C:\Program Files\Folder Lock
2008-06-03 05:51 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 05:51 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 05:51 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 05:51 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 05:51 --------- d-----w C:\Program Files\Symantec
2008-05-28 06:02 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Leadertech
2008-05-27 11:15 --------- d-----w C:\Program Files\XviD
2008-05-27 11:15 --------- d-----w C:\Program Files\SopCast
2008-05-27 11:15 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-05-27 11:15 --------- d-----w C:\Program Files\BitComet
2008-05-27 11:15 --------- d-----w C:\Program Files\AVIcodec
2008-05-27 11:15 --------- d-----w C:\Program Files\Altiris
2008-05-27 11:15 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\LimeWire
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 10:15 --------- d-----w C:\Program Files\Winamp
2008-05-26 10:09 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-05-21 05:54 --------- d-----w C:\Program Files\HPQ
2008-05-21 05:54 --------- d-----w C:\Program Files\eac
2008-05-21 05:54 --------- d-----w C:\Program Files\DivX
2008-05-16 13:06 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-16 06:35 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-23 11:53 --------- d-----w C:\Program Files\Lizardtech
2008-04-23 11:53 --------- d-----w C:\Program Files\Common Files\LizardTech Shared
2008-04-15 13:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 21:16 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 20:56 332,288 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 20:52 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 20:52 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 20:52 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 20:52 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 20:52 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 20:52 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 20:52 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 20:50 999,936 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-04-14 20:49 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 20:48 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2008-04-14 20:48 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-14 20:48 1,449,472 ----a-w C:\WINDOWS\system32\winntbbu.dll
2008-04-14 20:47 57,375 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 20:43 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 20:42 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 20:36 3,584 ----a-w C:\WINDOWS\system32\icmp.dll
2008-04-14 20:35 9,344 ----a-w C:\WINDOWS\system32\framebuf.dll
2008-04-14 20:35 569,856 ----a-w C:\WINDOWS\system32\gpedit.dll
2008-04-14 20:33 3,072 ----a-w C:\WINDOWS\system32\dpnlobby.dll
2008-04-14 20:33 3,072 ----a-w C:\WINDOWS\system32\dpnaddr.dll
2008-04-14 20:31 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2008-04-14 20:30 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2008-04-14 20:04 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 20:03 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 20:03 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 20:03 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 20:03 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 19:59 2,146,816 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 19:59 2,025,472 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 19:55 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-14 19:52 89,600 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-14 19:52 89,600 ------w C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-04-14 19:52 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 19:52 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 19:50 80,896 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-14 19:50 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 19:48 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 19:47 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 19:46 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 19:46 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 19:45 49,664 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-14 19:43 563,200 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-14 19:41 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 19:41 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 19:39 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 19:37 10,240 ----a-w C:\WINDOWS\system32\gpkrsrc.dll
2008-04-14 19:35 67,584 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-14 19:35 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 19:35 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 19:35 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 19:33 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 19:31 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 19:30 701,440 ------w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-14 19:30 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 19:30 327,040 ------w C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-04-14 19:28 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 19:28 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 19:25 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 19:24 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 19:24 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 22:51 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-04 07:38 1506544]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 16:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 16:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 16:23 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 14:26 13924864 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 15:23 86016]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 23:01 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 12:22 517768]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-10-30 00:40 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-11-02 10:00]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:40]
R2 setup_7.0.0.180_18.05.2008_22-36;setup_7.0.0.180_18.05.2008_22-36;"C:\Documents and Settings\All Users\Pulpit\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe" -r []
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]
S3 utexnjq5;AVZ Kernel Driver;C:\WINDOWS\system32\Drivers\utexnjq5.sys [2008-06-04 12:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256af7e6-e8ee-11dc-8230-001635aea896}]
\Shell\Auto\command - svrhost.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svrhost.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Administrator.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exef/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 10:05:50
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\
disk error: C:\WINDOWS\system32\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Administrator\Dane aplikacji\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\
disk error: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
disk error: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\
disk error: C:\WINDOWS\Fonts\

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-06-06 10:07:03
ComboFix-quarantined-files.txt 2008-06-06 08:06:56
ComboFix2.txt 2008-06-03 11:31:02

Pre-Run: 104,918,114,304 bytes free
Post-Run: 104,903,675,904 bytes free

248 --- E O F --- 2008-05-16 10:33:55

#17 karolkuich, Beginner, 141 posts, posted 06 06 2008 - 14:58

Paste into Notepad:
File::
C:\WINDOWS\system32\drivers\utexnjq5.sys

Driver::
utexnjq5

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256af7e6-e8ee-11dc-8230-001635aea896}]
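
The MountPoints2 entries in the log in post #16 are the autorun.inf verbs Explorer cached for the infected stick, and the behaviour karolkuich explains in #13 (a double-click no longer opens the drive once svrhost.exe is gone) follows directly from them: both the default Auto verb and the AutoRun verb point at svrhost.exe. The script below is an added example written for this thread; it is not part of the original posts, of ComboFix, or of any Kaspersky/Symantec tool. It pulls those entries out of a ComboFix "Reg Loading Points" section, flags every verb that launches an executable, and prints a CFScript in the File::/Driver::/Registry:: layout karolkuich posted in #17. The text in SAMPLE_LOG is constructed from the lines visible in the thread, and the function names are assumptions of mine.

```python
"""Pull MountPoints2 autorun handlers out of a ComboFix 'Reg Loading Points'
section and emit the CFScript stanza that removes them.

Added example for this thread; not part of the original posts or of ComboFix.
SAMPLE_LOG is constructed from the two MountPoints2 lines in post #16, and
the function names below are my own.
"""
import re

# Constructed sample: the MountPoints2 block as ComboFix printed it in post #16,
# followed by the unrelated line that comes after it in the log.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{256af7e6-e8ee-11dc-8230-001635aea896}]
\\Shell\\Auto\\command - svrhost.exe
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svrhost.exe

*Newly Created Service* - COMHOST
"""

# A MountPoints2 key: one GUID per removable volume Explorer has seen.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]\s*$", re.I)
# ComboFix prints each cached autorun.inf verb as "\Shell\<verb>\command - <cmd>".
HANDLER_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+?)\s*$", re.I)
# The last .exe token is what actually runs, whether bare or behind a
# "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL" wrapper.
EXE_RE = re.compile(r"(\S+\.exe)\s*$", re.I)


def parse_mountpoints(log_text):
    """Return {registry_key: {verb: command}} for every MountPoints2 key."""
    entries, current = {}, None
    for line in log_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        if current is None:
            continue
        handler = HANDLER_RE.match(line)
        if handler:
            entries[current][handler.group(1)] = handler.group(2)
        elif not line.strip():
            current = None  # a blank line closes the key block in ComboFix output
    return entries


def payload(command):
    """Base name of the executable a handler command launches, or None."""
    match = EXE_RE.search(command)
    return match.group(1).rsplit("\\", 1)[-1].lower() if match else None


def suspicious_keys(entries):
    """Keys whose cached verbs launch an executable -> set of executable names.

    Explorer runs the default verb (here 'Auto') on double-click and the
    AutoRun verb through AutoPlay, so a handler pointing at a bare .exe on the
    stick is the worm's foothold. A vendor CD can legitimately cache its
    setup.exe in the same place, so review the name before removing the key.
    """
    flagged = {}
    for key, verbs in entries.items():
        exes = {payload(cmd) for cmd in verbs.values() if payload(cmd)}
        if exes:
            flagged[key] = exes
    return flagged


def cfscript(entries, files=(), drivers=()):
    """Build a CFScript in the layout used in post #17: File::, Driver::,
    Registry::, where '[-KEY]' tells ComboFix to delete the whole key."""
    lines = []
    if files:
        lines += ["File::", *files, ""]
    if drivers:
        lines += ["Driver::", *drivers, ""]
    lines.append("Registry::")
    lines += ["[-%s]" % key for key in suspicious_keys(entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for key, exes in suspicious_keys(found).items():
        print("autorun handler launches %s under %s" % (", ".join(sorted(exes)), key))
    print(cfscript(found))
```

Run it as-is to see the stanza for the sample, or feed it a real log with parse_mountpoints(open(path).read()). Only the key is removed; the executable the handler names still has to be dealt with on the stick itself, which is why formatting the pendrive is the advice above.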


#18 radkoman, Beginner, 11 posts, posted 06 06 2008 - 15:38

log:
ComboFix 08-06-05.3 - Administrator 2008-06-06 15:29:04.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.565 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UTEXNJQ5
-------\Service_utexnjq5


((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-05 08:20 . 2008-06-05 08:20 <DIR> d-------- C:\Program Files\CCleaner
2008-06-04 12:46 . 2008-06-04 12:46 7,168 --a------ C:\WINDOWS\system32\drivers\utexnjq5.sys
2008-06-03 12:59 . 2008-06-03 13:01 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-06-03 12:40 . 2008-06-03 12:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-03 08:15 . 2008-06-06 15:32 839,712 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-03 08:15 . 2008-06-06 15:32 10,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-03 07:51 . 2008-06-03 07:51 <DIR> d-------- C:\t
2008-05-28 08:11 . 2008-05-30 08:13 53,248 --a------ C:\WINDOWS\psexesvc.#xe
2008-05-27 13:03 . 2008-06-03 07:37 <DIR> d-------- C:\Program Files\Odkurzacz
2008-05-27 12:27 . 2008-05-30 11:09 <DIR> d-------- C:\Program Files\Kerio
2008-05-27 10:39 . 2008-05-27 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 11:26 . 2008-05-26 11:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-26 11:26 . 2008-05-26 11:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 11:05 . 2008-05-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage
2008-05-21 09:22 . 2008-05-21 09:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-20 15:06 . 2008-06-04 07:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:06 . 2008-05-20 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-05-20 15:05 . 2008-05-20 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 14:42 . 2008-05-20 14:42 <DIR> d-------- C:\HaxFix
2008-05-20 14:42 . 2008-05-20 14:41 449,462 --a------ C:\HaxFix.exe
2008-05-20 14:23 . 2008-05-20 14:27 <DIR> d-------- C:\fixwareout
2008-05-20 13:59 . 2008-05-27 13:18 394 --a------ C:\WINDOWS\gmer.ini
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Search Settings
2008-05-20 09:17 . 2008-05-20 09:17 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\pl
2008-05-19 15:35 . 2008-05-19 15:35 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-19 15:35 . 2008-04-14 22:51 32,866 --------- C:\WINDOWS\slrundll.exe
2008-05-19 15:29 . 2008-05-19 15:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-19 10:57 . 2008-05-27 13:17 100 --a------ C:\index.ini
2008-05-19 10:53 . 2008-05-19 15:10 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-16 14:48 . 2008-05-16 14:56 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-14 12:26 . 2008-05-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Mikrotik
2008-05-09 15:29 . 2008-05-09 15:32 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\ForgottenRiddles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 12:23 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2008-06-06 11:23 --------- d-----w C:\Program Files\Folder Lock
2008-06-06 08:45 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-05 08:21 --------- d-----w C:\Program Files\FlashGet
2008-06-05 06:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-03 05:51 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 05:51 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 05:51 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 05:51 --------- d-----w C:\Program Files\Symantec
2008-05-28 06:02 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Leadertech
2008-05-27 11:15 --------- d-----w C:\Program Files\XviD
2008-05-27 11:15 --------- d-----w C:\Program Files\SopCast
2008-05-27 11:15 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-05-27 11:15 --------- d-----w C:\Program Files\BitComet
2008-05-27 11:15 --------- d-----w C:\Program Files\AVIcodec
2008-05-27 11:15 --------- d-----w C:\Program Files\Altiris
2008-05-27 11:15 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\LimeWire
2008-05-27 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 10:15 --------- d-----w C:\Program Files\Winamp
2008-05-26 10:09 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Winamp
2008-05-21 05:54 --------- d-----w C:\Program Files\HPQ
2008-05-21 05:54 --------- d-----w C:\Program Files\eac
2008-05-21 05:54 --------- d-----w C:\Program Files\DivX
2008-05-16 13:06 --------- d-----w C:\Program Files\DAEMON Tools
2008-04-23 11:53 --------- d-----w C:\Program Files\Lizardtech
2008-04-23 11:53 --------- d-----w C:\Program Files\Common Files\LizardTech Shared
2008-04-15 13:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 20:52 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 20:52 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 20:52 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 20:52 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 20:51 769,024 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
2008-04-14 20:51 744,448 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
2008-04-14 20:51 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 20:51 285,696 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 20:51 18,432 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
2008-04-14 20:51 171,520 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2008-04-14 20:51 149,504 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 20:51 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 20:51 1,035,264 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 20:49 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 20:49 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 20:49 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 20:49 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 20:49 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 20:49 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-04-14 20:04 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-04-14 20:03 80,256 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-04-14 20:03 68,608 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-04-14 20:03 46,848 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-04-14 20:03 120,320 ----a-w C:\WINDOWS\system32\drivers\pcmcia.sys
2008-04-14 19:52 800,000 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 19:52 153,856 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 19:50 24,960 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 19:48 37,632 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-14 19:47 40,832 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-04-14 19:46 5,504 ----a-w C:\WINDOWS\system32\drivers\intelide.sys
2008-04-14 19:46 40,448 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-04-14 19:41 65,280 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 19:41 53,248 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 19:39 25,728 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 19:35 58,880 ----a-w C:\WINDOWS\system32\drivers\redbook.sys
2008-04-14 19:35 273,920 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 19:33 44,672 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 19:31 52,864 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 19:30 701,440 ------w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-14 19:30 39,936 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-04-14 19:30 327,040 ------w C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-04-14 19:28 41,856 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-04-14 19:28 41,472 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-04-14 19:25 23,296 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 19:24 30,208 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 19:24 188,544 ----a-w C:\WINDOWS\system32\drivers\acpi.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-06_10.06.37,70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-06 05:42:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 13:33:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-05-20 12:30:18 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-06 09:35:00 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-20 12:30:18 90,202 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2008-06-06 09:35:00 90,202 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-05-20 12:30:18 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-06 09:35:00 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-05-20 12:30:18 503,698 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-06-06 09:35:00 503,698 ----a-w C:\WINDOWS\system32\perfh015.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 22:51 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-04 07:38 1506544]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 16:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 16:19 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 16:23 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 14:26 13924864 C:\WINDOWS\RTHDCPL.EXE]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-10-04 15:23 86016]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 23:01 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 12:22 517768]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-10-30 00:40 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-11-02 10:00]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 17:40]
R2 setup_7.0.0.180_18.05.2008_22-36;setup_7.0.0.180_18.05.2008_22-36;"C:\Documents and Settings\All Users\Pulpit\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe" -r []
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-09-07 09:07]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 00:15]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 00:15]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Administrator.job"

#19 karolkuich

    Beginner

  • 141 posts

Posted 06 06 2008 - 15:45

Delete this file manually, because Combo didn't touch it:

C:\WINDOWS\system32\drivers\utexnjq5.sys

Other than that, it's clean.

Delete C:\Qoobox

Are there any other symptoms of infection left?
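The verdict above rests on reading the "Reg Loading Points" section of the ComboFix log by eye. As an added example that is not part of this thread or of ComboFix, the following Python script parses that section in the text layout shown above and flags the host-security settings a responder would want to review after the clean-up: the AppInit_DLLs hook, suppressed Security Center alerts, the disabled Windows Firewall, globally open ports, per-application firewall exceptions, and the service created during the run. The sample input is an excerpt of the log posted in this thread; the section-name suffixes it matches on are assumptions about ComboFix's output format.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example, not part of the forum thread or of ComboFix itself.
It assumes the section/value layout visible in the log above:
[section] headers, "name"=data lines, and '*Newly Created Service*' notes.
"""
import re

# Constructed sample input: an excerpt of the log posted in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

*Newly Created Service* - COMHOST
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Security Center values that, when set to 1, silence alerting (assumed list).
SC_SUPPRESS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "DisableMonitoring")


def parse_reg_points(text):
    """Return ({section_lower: {value_name: raw_data}}, [lines outside any value])."""
    sections, loose, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
        else:
            loose.append(line)
    return sections, loose


def _dword(raw):
    """Parse 'dword:00000001' or '0 (0x0)' style data to an int; None if neither."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x", raw)
    return int(m.group(1)) if m else None


def triage(text):
    """Return human-readable findings in the order they appear in the log."""
    sections, loose = parse_reg_points(text)
    findings = []
    for name, values in sections.items():
        if name.endswith("currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(f"AppInit_DLLs set (loaded into every process that uses user32.dll): {values['AppInit_DLLs']}")
        if "security center" in name:
            for key, raw in values.items():
                if key in SC_SUPPRESS and _dword(raw) == 1:
                    findings.append(f"Security Center alerting suppressed: {key} in [{name}]")
        if name.endswith("firewallpolicy\\standardprofile") and _dword(values.get("EnableFirewall", "")) == 0:
            findings.append("Windows Firewall disabled for the standard profile")
        if name.endswith("authorizedapplications\\list"):
            findings.extend(f"Firewall exception for application: {app}" for app in values)
        if name.endswith("globallyopenports\\list"):
            findings.extend(f"Port open to all networks: {port}" for port in values)
    for line in loose:
        if line.startswith("*Newly Created Service*"):
            findings.append(f"Service created during the run: {line.split('-', 1)[1].strip()}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Run against the excerpt it lists eight findings, the last being the COMHOST service; the same `triage()` can be pointed at the full log text to get the complete picture before deciding that a system is "otherwise clean".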

#20 radkoman

    Beginner

  • 11 posts

Posted 09 06 2008 - 07:38

I haven't noticed any other symptoms. Thanks for the help! You're great!
