Hi, lately I have some virus on my computer, most likely UFO.
Here is the log from ComboFix:
ComboFix 08-06-20.4 - ppp 2008-06-28 18:57:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.256 [GMT 2:00]
Running from: C:\Documents and Settings\ppp\Pulpit\SZYMKA\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\version.txt
C:\WINDOWS\system32\fsmgmt.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.
2099-03-01 01:06 . 2001-10-26 18:05 17,920 --a------ C:\WINDOWS\system32\drivers\sermouse.sys
2099-03-01 01:06 . 2001-10-26 18:05 17,920 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-06-11 07:30 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 18:02 . 2008-03-12 02:37 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-06-10 18:01 . 2008-06-10 18:01
2008-06-10 18:01 . 2008-06-10 18:01
2008-06-08 15:49 . 2008-06-08 15:49
2008-06-02 20:58 . 2008-06-02 20:59
2008-06-02 16:50 . 2008-06-02 16:50
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 15:10 --------- d-----w C:\Documents and Settings\ppp\Dane aplikacji\GanymedeNet
2008-06-23 09:52 --------- d-----w C:\Program Files\Tibia
2008-06-20 19:09 --------- d-----w C:\Program Files\Gadu-Gadu
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 17:09 --------- d-----w C:\Documents and Settings\ppp\Dane aplikacji\Nokia
2008-05-25 16:29 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Hagel Technologies
2008-05-25 15:10 --------- d-----w C:\Program Files\Tajemnicza Wyspa
2008-05-25 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 13:17 --------- d-----w C:\Program Files\SKP2008
2008-05-24 09:40 --------- d-----w C:\Documents and Settings\ppp\Dane aplikacji\Tibia
2008-05-23 17:29 --------- d-----w C:\Program Files\Nokia
2008-05-23 17:28 --------- d-----w C:\Documents and Settings\ppp\Dane aplikacji\PC Suite
2008-05-23 17:27 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-23 17:27 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-23 17:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Downloaded Installations
2008-05-19 15:30 --------- d-----w C:\Program Files\Ganymede
2008-05-15 12:21 --------- d-----w C:\Program Files\WebServ
2008-05-15 12:19 --------- d-----w C:\Program Files\No-IP
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 13:46 --------- d-----w C:\Program Files\Football Generation
2008-04-28 15:32 --------- d-----w C:\Program Files\SKP2007
2008-03-26 15:16 2,154,294 ----a-w C:\Program Files\UO0002.bmp
2008-03-26 15:09 2,154,294 ----a-w C:\Program Files\UO0001.bmp
2007-01-06 15:20 204 ----a-w C:\Program Files\2G25JEQ2.bat
2006-02-27 10:42 175 ---ha-w C:\Documents and Settings\ppp\Dane aplikacji\hpothb07.dat
2002-09-02 19:58 993 ----a-w C:\Program Files\DSJ.CFG
2002-09-02 19:58 13 ----a-w C:\Program Files\SETSOUND.CFG
2002-09-01 19:01 693 ----a-w C:\Program Files\DSJ.HIS
2002-09-01 19:01 1,222 ----a-w C:\Program Files\REC-USA.RPL
2002-02-23 15:04 1,222 ----a-w C:\Program Files\REC-SLO.RPL
2002-02-23 15:02 1,222 ----a-w C:\Program Files\REC-CHI.RPL
2002-02-23 15:00 1,222 ----a-w C:\Program Files\REC-CAN.RPL
2002-02-23 14:48 5 ----a-w C:\Program Files\SETLANG.CFG
2002-02-20 10:54 19,456 ----a-w C:\Program Files\kljlojnkjno.doc
2002-02-12 17:58 1,222 ----a-w C:\Program Files\REC-LAT.RPL
2002-02-12 17:54 1,222 ----a-w C:\Program Files\REC-SUI.RPL
2002-02-10 19:59 1,222 ----a-w C:\Program Files\REC-LIT.RPL
2002-02-10 19:54 1,222 ----a-w C:\Program Files\REC-EST.RPL
2002-02-10 19:08 1,222 ----a-w C:\Program Files\REC-RUS.RPL
2001-04-05 15:47 1,222 ----a-w C:\Program Files\REC-AUT.RPL
2001-04-05 15:44 1,222 ----a-w C:\Program Files\REC-CZE.RPL
2001-04-05 15:37 1,222 ----a-w C:\Program Files\REC-FIN.RPL
2001-03-27 19:53 1,222 ----a-w C:\Program Files\REC-ITA.RPL
2001-03-27 19:48 1,222 ----a-w C:\Program Files\REC-ENG.RPL
2001-03-27 19:47 1,222 ----a-w C:\Program Files\REC-JPN.RPL
2001-03-27 19:45 1,222 ----a-w C:\Program Files\REC-POL.RPL
2001-03-27 19:39 1,222 ----a-w C:\Program Files\REC-BLR.RPL
2001-03-25 16:35 1,222 ----a-w C:\Program Files\REC-AUS.RPL
2001-03-25 09:29 514 ----a-w C:\Program Files\WEB-REC.DSJ
2001-03-08 20:22 1,222 ----a-w C:\Program Files\REC-GER.RPL
2001-03-08 20:15 1,222 ----a-w C:\Program Files\REC-BEL.RPL
2001-03-08 19:49 1,222 ----a-w C:\Program Files\REC-NOR.RPL
2001-03-08 19:41 1,222 ----a-w C:\Program Files\REC-ISL.RPL
2001-03-02 12:28 1,222 ----a-w C:\Program Files\REC-IRL.RPL
2001-03-02 12:21 1,222 ----a-w C:\Program Files\REC-HUN.RPL
2001-03-02 07:18 1,222 ----a-w C:\Program Files\REC-SVK.RPL
2001-03-02 07:13 1,222 ----a-w C:\Program Files\REC-FRA.RPL
2001-03-01 07:03 1,222 ----a-w C:\Program Files\REC-DEN.RPL
2001-03-01 06:59 1,222 ----a-w C:\Program Files\REC-KZK.RPL
2001-02-27 18:32 1,222 ----a-w C:\Program Files\REC-UKR.RPL
2001-01-08 16:17 1,606 ----a-w C:\Program Files\WORLDCUP.SAV
2001-01-06 21:13 356 ----a-w C:\Program Files\FILE_ID.DIZ
2001-01-06 21:10 6,607 ----a-w C:\Program Files\BT2000.NFO
2001-01-06 20:56 574,508 ----a-w C:\Program Files\DSJ.DAT
2001-01-06 18:43 168,128 ----a-w C:\Program Files\DSJ.EXE
2000-05-12 14:16 1,441 ----a-w C:\Program Files\quadcon.nfo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"DU Meter"="C:\WINDOWS\system32\DUMeter.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 14:51 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAP3ON"="C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-08-21 17:00 22528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-15 15:22 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-15 14:30 196608]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 08:49 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 09:44 55296 C:\WINDOWS\system32\narrator.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"vidc.rt21"= IR21_R.DLL
"vidc.ir21"= IR21_R.DLL
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.dvx4"= divx4.dll
"vidc.i263"= i263_32.drv
"vidc.dmb1"= m3jpeg32.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dcmj"= MCMJPG32.DLL
"msacm.imc"= IMC32.ACM
"msacm.wrpr"= aviwrap.dll
"vidc.wrpr"= aviwrap.dll
"msacm.divxa32"= DivXa32.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.ffds"= C:\Kodeki\ffdshow\ffdshow.ax
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
"C:\WINDOWS\system32\dplaysvr.exe"=
"C:\WINDOWS\system32\dpvsetup.exe"=
"C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe"=
"C:\Program Files\EA SPORTS\FIFA 07\fifa07.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Documents and Settings\ppp\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe"=
"C:\Documents and Settings\ppp\Pulpit\SZYMKA\LoozikOTS\LoozikOTS.exe"=
R0 HWFProt;Hywave File Protector HWFProt;C:\WINDOWS\system32\Drivers\HWFProt.sys [2003-05-11 16:20]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 HASPSrv;HASPSrv;C:\WINDOWS\system32\HASPSrv.exe [2005-06-30 03:58]
R2 Kmm4xNT;Kmm4xNT;C:\WINDOWS\system32\drivers\Kmm4xNT.sys [1999-10-01 14:13]
R2 MSSQL$CDN_OPTIMA;MSSQL$CDN_OPTIMA;C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe [2002-12-17 17:26]
R2 port_nt;port_nt;C:\WINDOWS\system32\Drivers\port_nt.sys [2001-11-08 17:02]
R3 es1969;Sterownik audio ESS 1969 (WDM);C:\WINDOWS\system32\drivers\es1969.sys [2001-08-17 21:19]
R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]
S3 KMM4xUSB;KMM4xUSB Driver (kmm4xusb.sys);C:\WINDOWS\system32\Drivers\KMM4xUSB.sys [2003-06-02 22:10]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 SQLAgent$CDN_OPTIMA;SQLAgent$CDN_OPTIMA;C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 08:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24466d22-47ce-11da-b3b4-000e509367d7}]
\Shell\Auto\command - E:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f1e0dd2-1ead-11d9-9f42-4d6564696130}]
\Shell\Auto\command - E:\Song.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Song.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53739a09-7717-11da-b471-000e509367d7}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 19:06:17
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-28 19:16:18 - machine was rebooted [ppp]
ComboFix-quarantined-files.txt 2008-06-28 17:16:09
Pre-Run: 23,439,175,680 bajtów wolnych
Post-Run: 24,023,441,408 bajtów wolnych
199 --- E O F --- 2008-06-20 07:45:25
What should I do to get rid of this virus?? Please help.