Hi, could someone help me with the u.exe trojan?
I made a ComboFix log:
ComboFix 09-03-06.02 - Rado 2009-03-10 21:24:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.1023.578 [GMT 1:00]
Running from: c:\documents and settings\Rado\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090310-0] *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Removed )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\windows\system32\AutoRun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OULTRAF
-------\Service_oUltraf
((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.
2009-03-10 17:37 . 2009-03-10 17:37
2009-03-10 15:52 . 2009-03-10 15:52 8,192 --ahs---- c:\windows\system32\Thumbs.db
2009-03-09 22:37 . 2009-03-08 11:15 108,446 -r-hs---- C:\i.com
2009-02-19 12:10 . 2009-02-19 12:10
2009-02-19 12:09 . 2009-02-19 12:09
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 20:26 --------- d-----w c:\program files\Kalendarz XP
2009-03-10 20:22 --------- d-----w c:\documents and settings\Rado\Dane aplikacji\Skype
2009-02-20 06:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-20 06:11 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-10-14 16:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008101420081015\index.dat
.
((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9302632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-02-25 589824]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InstantOn"="c:\program files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-05-11 93640]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-03-10 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-03-10 c:\windows\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2005-03-10 c:\windows\ALCMTR.EXE]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Kalendarz XP.lnk - c:\program files\Kalendarz XP\Kalendarz.exe [2007-06-07 882176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"c:\Program Files\Alwil Software\Avast4\ashAvast.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"=
"e:\GRA\Launcher.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-01 20560]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [2007-06-07 230448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{116b7e1a-19c5-11dc-a398-0012f0596f0e}]
\Shell\AutoRun\command - v.cmd
\Shell\explore\Command - v.cmd
\Shell\open\Command - v.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1c59ac6a-99e7-11dc-a46e-0012f0596f0e}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1fb66b32-3fb9-11dd-a5bb-0012f0596f0e}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{31eb5d08-1624-11dd-a55a-0012f0596f0e}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4af9a290-a8dd-11dc-a488-0012f0596f0e}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ae7482bf-2ed0-11dc-a3ba-0012f0596f0e}]
\Shell\AutoRun\command - v.cmd
\Shell\explore\Command - v.cmd
\Shell\open\Command - v.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{bddb65c3-497f-11dc-a3f8-0012f0596f0e}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
.
- - - - REMOVED EMPTY ENTRIES - - - -
Notify-AtiExtEvent - (no file)
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mks.com.pl\www
FF - ProfilePath - c:\documents and settings\Rado\Dane aplikacji\Mozilla\Firefox\Profiles\xyw4vgdy.default\
FF - prefs.js: browser.search.selectedEngine - Allegro
FF - prefs.js: browser.startup.homepage - www.wp.pl
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 21:28:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\slserv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-03-10 21:31:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 20:30:58
Pre-Run: 2,789,040,128 bytes free
Post-Run: 2,793,234,432 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
163 — E O F — 2009-02-25 14:19:29
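The three findings worth pulling out of a log like this are the Autorun.inf files at the drive roots, the hidden+system file dropped at C:\ (i.com), and the MountPoints2 keys whose AutoRun/open/explore handlers point at a bare script name (v.cmd) instead of EXPLORER.EXE. Those MountPoints2 entries are per-volume caches in HKCU and survive the removal of the Autorun.inf that created them, so they keep firing whenever the same USB stick is reinserted. The script below is an added example, not part of the post or of ComboFix: it runs that triage over a constructed excerpt modelled on the log above (the excerpt, the backslash before each GUID, the "only EXPLORER.EXE is benign" rule and the high/review split are my assumptions, not anything the tool itself emits).

```python
"""Triage a ComboFix-style log for Autorun.inf drops, hidden root files and MountPoints2 hijacks."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log in the post (abridged; assumption: key lines carry the
# backslash before the GUID, which the forum copy of the log seems to have lost).
SAMPLE_LOG = r"""
C:\Autorun.inf
c:\windows\system32\AutoRun.inf
D:\Autorun.inf
E:\Autorun.inf
2009-03-10 15:52 . 2009-03-10 15:52 8,192 --ahs---- c:\windows\system32\Thumbs.db
2009-03-09 22:37 . 2009-03-08 11:15 108,446 -r-hs---- C:\i.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{116b7e1a-19c5-11dc-a398-0012f0596f0e}]
\Shell\AutoRun\command - v.cmd
\Shell\explore\Command - v.cmd
\Shell\open\Command - v.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c59ac6a-99e7-11dc-a46e-0012f0596f0e}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb66b32-3fb9-11dd-a5bb-0012f0596f0e}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
"""

MP_KEY = re.compile(r"mountpoints2\\?\{([0-9a-fA-F-]{36})\}\]\s*$", re.I)
MP_VERB = re.compile(r"^\\Shell\\(\w+)\\Command\s+-\s+(.+?)\s*$", re.I)
AUTORUN = re.compile(r"^([A-Za-z]):\\autorun\.inf\s*$", re.I)
# "<created> . <modified> <size> <attrs> <path>" as ComboFix prints new files.
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+([\d,]+)\s+([-\w]+)\s+(.+?)\s*$")
SCRIPT_EXT = (".cmd", ".bat", ".com", ".exe", ".scr", ".pif", ".vbs", ".js")


def parse_mountpoints(log):
    """Return {guid: {verb: command}} for every MountPoints2 key in the log."""
    keys = defaultdict(dict)
    current = None
    for line in log.splitlines():
        if line.startswith("["):
            m = MP_KEY.search(line)
            current = m.group(1).lower() if m else None  # any other key ends the block
            continue
        m = MP_VERB.match(line)
        if m and current:
            keys[current][m.group(1).lower()] = m.group(2)
    return dict(keys)


def classify_command(cmd):
    """'ok' for the stock Explorer handler; 'high' for a bare script/executable name, which
    resolves relative to the removable volume root (the autorun-worm pattern); 'review' otherwise."""
    token = cmd.strip().split()[0].strip('"')
    if token.lower() == "explorer.exe":
        return "ok"
    bare = "\\" not in token and ":" not in token
    if bare and token.lower().endswith(SCRIPT_EXT):
        return "high"
    return "review"


def suspicious_mountpoints(log):
    """(guid, verb, command, verdict) for every handler that is not plain EXPLORER.EXE."""
    out = []
    for guid, verbs in parse_mountpoints(log).items():
        for verb, cmd in verbs.items():
            verdict = classify_command(cmd)
            if verdict != "ok":
                out.append((guid, verb, cmd, verdict))
    return out


def root_autorun_drives(log):
    """Drive letters that had an Autorun.inf sitting at the volume root."""
    return sorted({m.group(1).upper() for m in map(AUTORUN.match, log.splitlines()) if m})


def hidden_system_root_files(log):
    """(path, size) for files at a drive root carrying both Hidden and System attributes."""
    found = []
    for line in log.splitlines():
        m = FILE_LINE.match(line)
        if not m:
            continue
        size, attrs, path = m.groups()
        if "h" in attrs and "s" in attrs and re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
            found.append((path, int(size.replace(",", ""))))
    return found


if __name__ == "__main__":
    print("Autorun.inf at root of:", ", ".join(root_autorun_drives(SAMPLE_LOG)))
    for path, size in hidden_system_root_files(SAMPLE_LOG):
        print(f"hidden+system root file: {path} ({size} bytes)")
    for guid, verb, cmd, verdict in suspicious_mountpoints(SAMPLE_LOG):
        print(f"[{verdict}] MountPoints2 {{{guid}}} {verb} -> {cmd}")
```

On the excerpt this reports C, D and E as drives with a root Autorun.inf, C:\i.com as a hidden+system root file, the three v.cmd handlers as high, and the U3 launcher as review (an absolute path on H:, plausibly the legitimate U3 stub, but worth a look). The practical consequence for the poster's machine: ComboFix removed the Autorun.inf files, but the v.cmd handlers under MountPoints2 are still there, so those keys need deleting too, or the next insertion of the same stick re-runs v.cmd.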