Hi, I have a computer that drops a trojan onto my pendrive, and it keeps spreading from there.
Here is the log from ComboFix:
ComboFix 09-04-01.01 - LUKI 2009-04-02 11:21:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1022.581 [GMT 2:00]
Uruchomiony z: c:\documents and settings\LUKI\Pulpit\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
.
((((((((((((((((((((((((( Pliki utworzone od 2009-03-02 do 2009-04-02 )))))))))))))))))))))))))))))))
.
2009-04-01 07:04 . 2009-04-01 07:05
2009-04-01 07:04 . 2009-04-01 07:07
2009-03-30 11:52 . 2009-02-03 23:15 81,920 -r-hs---- c:\windows\test.exe
2009-03-23 10:29 . 2009-03-23 10:29
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 09:23 89,936 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-02 09:23 803,104 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-02 09:23 258,356 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-02 09:23 17,963,040 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-02 05:05 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-03-23 08:40 --------- d-----w c:\program files\Yahoo!
2009-03-23 08:38 --------- d-----w c:\program files\Winamp
2009-03-23 08:32 --------- d-----w c:\program files\CCleaner
2009-03-17 08:02 --------- d-----w c:\program files\Common Files\Adobe
2009-02-20 06:12 --------- d-----w c:\program files\EGSoftware
2009-02-16 06:31 --------- d-----w c:\program files\K-Lite Codec Pack
2009-02-06 11:56 --------- d-----w c:\documents and settings\LUKI\Dane aplikacji\U3
2009-02-06 10:13 --------- d-----w c:\program files\KonwerterDWG
2009-02-06 10:13 --------- d-----w c:\program files\Common Files\Mochcom Shared
2009-02-03 17:56 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-03 17:56 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2008-09-22 06:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008092220080923\index.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2008-10-06 231952]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\LUKI\Menu Start\Programy\Autostart\
Skrót do access_iso.lnk - D:\access_iso.bat [2008-06-23 116]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\LUKI\Pulpit\PC300628.JPG
FriendlyName=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 18:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 19:21 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-04-06 14:00 77824 c:\program files\Java\jre1.6.0\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 22:43 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\test]
-r-hs---- 2009-02-03 23:15 81920 c:\windows\test.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Harmonogram automatycznej usługi LiveUpdate"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-05-30 24344]
R3 KMM4xUSB;KMM4xUSB Driver (kmm4xusb.sys);c:\windows\system32\drivers\kmm4xusb.sys [2003-06-02 101884]
R3 scrusb2a;SmartCard-Reader USB 2A;c:\windows\system32\drivers\scrusb2a.sys [2007-03-10 74474]
S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]
S2 Kmm4xNT;Kmm4xNT;c:\windows\system32\drivers\KMM4XNT.SYS [2007-10-17 95484]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5cc22ac-e744-11db-9a36-003005a1a2fe}]
\Shell\AutoRun\command - k:\driver\usb\–Ľ‡‘Š•†‘Í€ŚŽ
\Shell\open\command - k:\driver\usb\–Ľ‡‘Š•†‘Í€ŚŽ
.
- - - - USUNIĘTO PUSTE WPISY - - - -
MSConfigStartUp-ADSTOP - c:\documents and settings\LUKI\Pulpit\ADSTOP.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\LUKI\Dane aplikacji\Mozilla\Firefox\Profiles\0o2d71gl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli … ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli … pab&query=
FF - component: c:\documents and settings\LUKI\Dane aplikacji\Mozilla\Firefox\Profiles\0o2d71gl.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 11:24:40
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\klogon.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\combofix\hidec.exe
c:\windows\system32\wscntfy.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Czas ukończenia: 2009-04-02 11:28:08 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-04-02 09:26:50
Przed: 43 226 963 968 bajtów wolnych
Po: 43,348,865,024 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
171 — E O F — 2009-03-24 05:56:24