10 Aug 2008, 17:20
ComboFix 08-08-09.06 - BASIA 2008-08-10 16:15:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.624 [GMT 2:00]
Running from: C:\Documents and Settings\BASIA\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-10 15:30 . 2008-08-10 15:30 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-10 15:30 . 2008-08-10 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-08-10 13:17 . 2008-08-10 13:17 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-10 13:17 . 2008-08-10 15:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-29 20:40 . 2008-07-29 20:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-29 20:40 . 2008-08-10 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-07-29 18:25 . 2008-07-29 18:25 <DIR> d-------- C:\WINDOWS\system32\pl
2008-07-29 18:25 . 2008-07-29 18:25 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-29 18:25 . 2008-07-29 18:25 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 18:21 . 2008-07-29 18:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 18:01 . 2004-08-04 00:35 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-07-27 18:30 . 2008-07-27 18:33 <DIR> d-------- C:\Documents and Settings\BASIA\Dane aplikacji\U3
2008-07-26 17:59 . 2008-07-26 17:59 75 --a------ C:\WINDOWS\system32\1217087952.(null)
2008-07-26 13:05 . 2008-07-26 13:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-26 13:05 . 2008-07-26 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-07-26 12:52 . 2008-07-26 12:52 <DIR> d-------- C:\Program Files\CCleaner
2008-07-18 21:13 . 2008-07-18 21:13 <DIR> d-------- C:\Program Files\Option
2008-07-14 12:33 . 2008-07-14 12:33 <DIR> d-------- C:\Documents and Settings\szkolenie\Dane aplikacji\Teleca
2008-07-14 12:32 . 2008-07-14 12:32 <DIR> d-------- C:\Documents and Settings\szkolenie\Dane aplikacji\Sony Ericsson
2008-07-14 12:31 . 2008-07-14 12:31 <DIR> d-------- C:\Documents and Settings\szkolenie\Dane aplikacji\PC Suite
2008-07-11 21:23 . 2008-07-11 21:23 <DIR> d-------- C:\Documents and Settings\BASIA\Dane aplikacji\Ulead Systems
2008-07-11 21:14 . 2008-07-11 21:14 <DIR> d-------- C:\SmartSound Software
2008-07-11 21:12 . 2008-07-11 21:12 <DIR> d-------- C:\WINDOWS\system32\Quicktime
2008-07-11 21:12 . 2008-07-11 21:12 <DIR> d-------- C:\Program Files\SmartSound Software
2008-07-11 21:12 . 2008-07-11 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SmartSound Software Inc
2008-07-11 21:10 . 2008-07-11 21:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-07-11 21:10 . 2008-07-11 21:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-11 21:08 . 2008-07-11 21:08 <DIR> d-------- C:\Program Files\Common Files\SONY Digital Images
2008-07-11 21:04 . 2008-07-11 21:04 <DIR> d-------- C:\Program Files\Windows Media Components
2008-07-11 21:04 . 2008-07-11 21:04 <DIR> d-------- C:\Program Files\Ulead Systems
2008-07-11 21:04 . 2008-07-11 21:04 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-07-11 21:04 . 2008-07-11 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Ulead Systems
2008-07-11 20:44 . 2008-07-11 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Pinnacle VideoSpin
2008-07-11 20:41 . 2008-07-11 20:57 <DIR> d-------- C:\Program Files\Pinnacle
2008-07-11 20:41 . 2008-07-11 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\VideoSpin
2008-07-11 20:39 . 2008-07-11 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Pinnacle
2008-07-10 14:09 . 2007-04-04 12:43 23,176 -ra------ C:\WINDOWS\system32\drivers\s716nd5.sys
2008-07-10 14:08 . 2007-04-04 12:43 100,360 -ra------ C:\WINDOWS\system32\drivers\s716mgmt.sys
2008-07-10 14:08 . 2007-04-04 12:43 98,952 -ra------ C:\WINDOWS\system32\drivers\s716unic.sys
2008-07-10 14:08 . 2007-04-04 12:43 98,568 -ra------ C:\WINDOWS\system32\drivers\s716obex.sys
2008-07-10 14:08 . 2007-04-04 12:43 11,016 -ra------ C:\WINDOWS\system32\drivers\s716cr.sys
2008-07-10 13:59 . 2007-04-04 12:43 108,552 -ra------ C:\WINDOWS\system32\drivers\s716mdm.sys
2008-07-10 13:59 . 2007-04-04 12:43 83,208 -ra------ C:\WINDOWS\system32\drivers\s716bus.sys
2008-07-10 13:59 . 2007-04-04 12:43 15,112 -ra------ C:\WINDOWS\system32\drivers\s716mdfl.sys
2008-07-10 13:59 . 2007-04-04 12:43 12,424 -ra------ C:\WINDOWS\system32\drivers\s716whnt.sys
2008-07-10 13:59 . 2007-04-04 12:43 12,424 -ra------ C:\WINDOWS\system32\drivers\s716wh.sys
2008-07-10 13:59 . 2007-04-04 12:43 12,424 -ra------ C:\WINDOWS\system32\drivers\s716cmnt.sys
2008-07-10 13:59 . 2007-04-04 12:43 12,424 -ra------ C:\WINDOWS\system32\drivers\s716cm.sys
2008-07-10 13:58 . 2008-07-10 13:58 <DIR> d-------- C:\Program Files\Sony
2008-07-10 13:54 . 2008-07-10 14:09 <DIR> d-------- C:\Documents and Settings\BASIA\Dane aplikacji\Teleca
2008-07-10 13:47 . 2008-07-10 13:47 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-07-10 13:47 . 2008-07-10 13:49 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-07-10 13:47 . 2008-07-10 13:47 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-07-10 13:47 . 2008-07-10 13:47 <DIR> d-------- C:\Documents and Settings\BASIA\Dane aplikacji\Sony Ericsson
2008-07-10 13:45 . 2008-07-10 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Teleca
2008-07-10 13:45 . 2008-07-10 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson
2008-07-10 10:59 . 2008-07-16 12:23 <DIR> d-------- C:\Documents and Settings\BASIA\Dane aplikacji\Nokia Multimedia Player
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 14:17 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-08-10 13:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 17:55 --------- d-----w C:\Documents and Settings\BASIA\Dane aplikacji\Azureus
2008-07-29 19:29 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-07-29 18:34 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-11 19:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 18:54 --------- d-----w C:\Program Files\InterVideo
2008-07-09 13:53 --------- d-----w C:\Documents and Settings\BASIA\Dane aplikacji\Nokia
2008-07-09 13:46 --------- d-----w C:\Program Files\Nokia
2008-07-09 13:46 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-09 13:46 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-09 13:45 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-09 13:45 --------- d-----w C:\Program Files\DIFX
2008-07-09 13:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-07-07 13:18 --------- d-----w C:\Program Files\Azureus
2008-07-07 12:29 685,576 ----a-w C:\WINDOWS\unins000.exe
2008-07-02 11:42 --------- d-----w C:\Documents and Settings\BASIA\Dane aplikacji\Image Zone Express
2008-07-02 11:28 3,532 ----a-w C:\drmHeader.bin
2008-06-23 10:18 --------- d-----w C:\Program Files\AC3Filter
2008-06-20 17:48 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:36 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-08 07:31 284 ----a-w C:\Documents and Settings\BASIA\Dane aplikacji\wklnhst.dat
2007-11-13 16:55 138 ----a-w C:\Program Files\INSTALL.LOG
2007-02-24 10:45 56 --sh--r C:\WINDOWS\system32\8CAC7D0476.sys
2008-01-06 17:37 104 --sh--r C:\WINDOWS\system32\F34C0D0BB4.sys
2008-01-06 17:37 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:21 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:57 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-11-13 18:54 372736]
"BDNewsAgent"="c:\progra~1\softwin\bitdef~1\bdnagent.exe" [2005-06-09 11:28 9728]
"BDSwitchAgent"="c:\progra~1\softwin\bitdef~1\bdswitch.exe" [2005-04-06 14:09 33280]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 08:22 89541 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-04 14:16 266240 C:\WINDOWS\system32\TPSMain.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:21 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\BASIA\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-13 23:58:27 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Tlen.pl\\tlen.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\java.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59550:TCP"= 59550:TCP:azureus
"4662:TCP"= 4662:TCP:emulek-tcp
"4672:UDP"= 4672:UDP:emulek-udp
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R2 NwSapAgent;Agent SAP;C:\WINDOWS\system32\svchost.exe [2008-04-14 19:21]
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 11:50]
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 21:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 16:21]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-04-17 05:25]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-04-17 05:25]
S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);C:\WINDOWS\system32\DRIVERS\qcusbmdm.sys [2003-03-11 01:12]
S3 qcusbser;Qualcomm Diagnostic Port 3197;C:\WINDOWS\system32\DRIVERS\qcusbser.sys [2003-03-11 01:12]
S3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 14:27]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);C:\WINDOWS\system32\DRIVERS\s716bus.sys [2007-04-04 12:43]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s716mdfl.sys [2007-04-04 12:43]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s716mdm.sys [2007-04-04 12:43]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s716mgmt.sys [2007-04-04 12:43]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);C:\WINDOWS\system32\DRIVERS\s716nd5.sys [2007-04-04 12:43]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s716obex.sys [2007-04-04 12:43]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);C:\WINDOWS\system32\DRIVERS\s716unic.sys [2007-04-04 12:43]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f9deb62-5bf9-11dd-af72-0016e37e9d61}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - AAWSERVICE
*Newly Created Service* - AD-WATCH_CONNECT_FILTER
*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2007-06-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&ksportuj do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{3DF53BD6-4B76-495B-91E7-BA7CA0C2DE0E}: NameServer = 192.168.1.1
O17 -: HKLM\CCS\Interface\{CD4539AB-D471-42A8-ADD8-39B9C7F361C4}: NameServer = 192.168.1.1
O16 -: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 16:18:14
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="c:\usr/MYSQL/bin/mysqld.exe"
.
Completion time: 2008-08-10 16:19:33
ComboFix-quarantined-files.txt 2008-08-10 14:19:27
Pre-Run: 10,419,671,040 bajtów wolnych
Post-Run: 10,408,660,992 bajtów wolnych
228 --- E O F --- 2008-07-30 14:53:02
10 Aug 2008, 17:36
File::
C:\WINDOWS\system32\1217087952.(null)
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f9deb62-5bf9-11dd-af72-0016e37e9d61}]
10 Aug 2008, 18:36
10 Aug 2008, 21:42
11 Aug 2008, 06:18
11 Aug 2008, 17:02