Help removing a Win32 trojan

(Gordis) #1

I'm asking for help removing a Win32 trojan.

I removed it from another computer before, but here I don't have the winhost file.

Here is the log from ComboFix:

ComboFix 08-06-20.4 - Macio 2008-06-28 17:04:24.20 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.650 [GMT 2:00]

Running from: C:\Documents and Settings\Macio\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))

.

2008-06-25 23:00 . 2008-06-25 23:01

2008-06-25 23:00 . 2008-06-25 23:00 520,192 --a------ C:\WINNT\system32\Grand Theft Auto IV Screenshot.scr

2008-06-22 12:04 . 2008-06-22 12:04 421 --a------ C:\WINNT\ODBC.INI

2008-06-22 12:02 . 2008-06-22 12:02

2008-06-22 12:01 . 2008-06-22 12:02

2008-06-22 12:00 . 2008-06-22 12:03

2008-06-22 12:00 . 2008-06-22 12:03

2008-06-22 12:00 . 2008-06-28 14:32

2008-06-16 16:04 . 2008-06-16 16:09 139,264 --a------ C:\WINNT\War3Unin.exe

2008-06-16 16:04 . 2008-06-16 16:10 50,821 --a------ C:\WINNT\War3Unin.dat

2008-06-16 16:04 . 2008-06-16 16:09 2,829 --a------ C:\WINNT\War3Unin.pif

2008-06-14 22:59 . 2008-06-14 22:59

2008-06-07 12:27 . 2008-06-07 12:27

2008-06-07 12:26 . 2008-06-08 01:49 43,520 --a------ C:\WINNT\system32\CmdLineExt03.dll

2008-06-05 19:36 . 2008-06-05 19:36

2008-06-03 15:07 . 2008-06-03 15:08

2008-05-31 21:10 . 2008-05-31 21:10

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-27 11:29 --------- d-----w C:\Documents and Settings\Macio\Dane aplikacji\uTorrent

2008-06-12 09:42 --------- d-----w C:\Program Files\Lx_cats

2008-06-08 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-02 16:22 --------- d-----w C:\Documents and Settings\Macio\Dane aplikacji\OpenOffice.org2

2008-05-19 17:37 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment

2008-05-15 19:53 70,656 ----a-w C:\WINNT\ScUnin.exe

2008-05-04 21:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Age of Empires 3

2008-05-03 03:00 --------- d-----w C:\Documents and Settings\Macio\Dane aplikacji\vlc

2008-05-03 01:50 --------- d-----w C:\Program Files\VideoLAN

2008-04-26 19:10 5,613,863 ----a-w C:\WINNT\volvo.exe

2008-04-26 19:10 36,352 ----a-w C:\WINNT\volvo.scr

2008-02-29 22:39 9,546,098 ----a-w C:\Documents and Settings\Macio\Dane aplikacji\Example_Music.zip

.

((((((((((((((((((((((((((((( snapshot_2008-06-24_14.43.42,78 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-06-24 12:27:46 2,048 --s-a-w C:\WINNT\bootstat.dat
  • 2008-06-28 14:31:41 2,048 --s-a-w C:\WINNT\bootstat.dat

  • 2008-06-28 14:32:00 16,384 ----atw C:\WINNT\system32\config\systemprofile\Ustawienia lokalne\Temp\Perflib_Perfdata_6c8.dat

  • 2008-06-25 21:00:45 34,304 ----a-w C:\WINNT\system32\Grand Theft Auto IV Screenshot dir\saver1.dll

  • 2008-06-25 21:00:45 18,192 ----a-w C:\WINNT\system32\Grand Theft Auto IV Screenshot dir\saver2.dll

  • 2007-06-11 20:04:36 190,696 ----a-r C:\WINNT\system32\Macromed\Flash\FlashUtil9d.exe

  • 2008-06-25 21:00:39 48,749 ----a-w C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:44 15360]

"DAEMON Tools Lite"="E:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2006-10-31 08:35 7634944]

"nwiz"="nwiz.exe" [2006-10-31 08:35 1622016 C:\WINNT\system32\nwiz.exe]

"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [2006-10-31 08:35 86016]

"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" []

"QuickTime Task"="C:\WINNT\system32\qttask.exe" [2008-01-22 23:46 98304]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

"PWRISOVM.EXE"="e:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 02:05 200704]

"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" []

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 12:54 16116224 C:\WINNT\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINNT\SkyTel.exe]

"avast!"="d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

"LXBTCATS"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 15:47 61440]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINNT\system32\CTFMON.EXE" [2004-08-04 02:44 15360]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" []

"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 02:33 44544]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

Microsoft Office.lnk - C:\Program Files\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwvv]

xxyxwvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\WINNT\system32\usmt\migwiz.exe"=

"C:\Program Files\uTorrent\uTorrent.exe"=

"D:\Program Files\Gadu-Gadu\gg.exe"=

"E:\Warcraft III\Warcraft III.exe"=

R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [2008-05-16 01:20]

R2 aswFsBlk;aswFsBlk;C:\WINNT\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-28 17:05:35

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBTCATS = rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-06-28 17:06:05

ComboFix-quarantined-files.txt 2008-06-28 15:06:01

ComboFix2.txt 2008-06-24 12:51:42

ComboFix3.txt 2008-06-24 12:43:57

ComboFix4.txt 2008-06-10 13:34:33

ComboFix5.txt 2008-05-24 16:02:58

Pre-Run: 6,740,054,016 bajtów wolnych

Post-Run: 6,777,511,936 bajtów wolnych

114 --- E O F --- 2008-06-28 11:31:51

and from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:16:10, on 2008-06-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

d:\Program Files\Alwil Software\Avast4\ashServ.exe

E:\Program Files\PowerISO\PWRISOVM.EXE

C:\WINNT\RTHDCPL.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINNT\system32\ctfmon.exe

E:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\svchost.exe

d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINNT\system32\notepad.exe

C:\WINNT\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"

O4 - HKLM…\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime

O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM…\Run: [PWRISOVM.EXE] e:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM…\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [skyTel] SkyTel.EXE

O4 - HKLM…\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [LXBTCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe

O4 - HKCU…\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-20…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS.DEFAULT…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Registration Heroes of Might Magic 5 - Hammers of Fate.LNK = E:\Program Files\Ubisoft\Heroes of Might and Magic V\registrationa1\RegistrationReminder.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

O20 - Winlogon Notify: xxyxwvv - xxyxwvv.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINNT\system32\lxbtcoms.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

End of file - 6089 bytes

(Leon$) #2

Open Notepad and paste

save as plik.reg >> all files >> merge into the registry >> restart

b57f17008275c957m.jpg

a file with this icon will be created

062aec4c9b51c033m.jpg

double-click it, confirm that you want to add it to the registry, then restart

do the startup optimization http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Turn System Restore off and on again on all drives. http://support.microsoft.com/kb/310405/pl

scan the My Computer area http://www.kaspersky.pl/virusscanner.html and show the report; open the page in IE

:)