
[virus] fun.xls.exe, please help



#1 Eyetooth
Beginner, 25 posts
Posted 29 08 2008 - 20:32

A friend came over with a USB stick and now on every one of my drives I have something like fun.xls.exe and autorun.inf; deleting those files doesn't help.

Here is my ComboFix log, please help me remove this, thanks in advance:


ComboFix 08-08-28.06 - Szary Wilk 2008-08-29 20:25:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.741 [GMT 2:00]
Running from: C:\Documents and Settings\Szary Wilk\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\ufdata2000.log
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 20:27 . 2008-08-29 20:27 129 ---hs---- C:\AUTORUN.INF
2008-08-29 19:58 . 2008-08-29 19:58 49,152 --a------ C:\WINDOWS\system32\msime82.exe
2008-08-29 19:58 . 2008-08-29 19:58 49,152 --a------ C:\WINDOWS\system32\msfun80.exe
2008-08-29 19:58 . 2008-08-29 19:58 49,152 --a------ C:\WINDOWS\system32\algsrvs.exe
2008-08-29 19:58 . 2008-08-29 19:58 49,152 ---hs---- C:\fun.xls.exe
2008-08-27 16:06 . 2008-08-27 16:06 278,728 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-08-27 16:06 . 2008-08-27 16:06 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-08-27 15:49 . 2008-08-27 15:49 <DIR> d-------- C:\Program Files\Nobilis
2008-08-27 09:51 . 2008-08-27 09:51 <DIR> d-------- C:\Program Files\QuickTime
2008-08-26 23:01 . 2008-08-26 23:21 <DIR> d-------- C:\Documents and Settings\Szary Wilk\Dane aplikacji\mIRC
2008-08-25 20:32 . 2008-08-25 20:33 <DIR> d-------- C:\Program Files\MoorHunt
2008-08-23 19:06 . 2008-08-23 19:06 <DIR> d-------- C:\Documents and Settings\Szary Wilk\.jpi_cache
2008-08-23 19:06 . 2008-08-23 19:06 <DIR> d-------- C:\Documents and Settings\Szary Wilk\.java
2008-08-20 21:47 . 2008-08-20 21:47 <DIR> d-------- C:\Program Files\Ventrilo
2008-08-20 21:47 . 2008-08-20 21:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 21:37 . 2008-08-20 21:41 <DIR> d-------- C:\Documents and Settings\Szary Wilk\Dane aplikacji\Ventrilo
2008-08-20 01:59 . 2008-08-20 02:10 <DIR> d-------- C:\Program Files\SkanerOnline
2008-08-20 00:20 . 2008-08-20 00:27 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-08-20 00:20 . 2008-08-20 00:27 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-08-19 19:35 . 2008-08-19 19:35 <DIR> d-------- C:\Program Files\SpeedFan
2008-08-19 19:35 . 2008-08-19 19:35 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-19 19:09 . 2008-08-19 19:09 <DIR> d-------- C:\Program Files\IObit
2008-08-19 15:20 . 2008-08-19 15:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-19 14:59 . 2008-08-19 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-08-19 14:11 . 2008-08-19 14:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-19 14:11 . 2008-08-19 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-19 09:53 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-19 09:53 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-19 09:51 . 2008-08-19 15:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-18 23:02 . 2008-08-26 13:50 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-08-18 22:58 . 2008-08-29 20:05 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-18 22:55 . 2008-08-18 22:58 <DIR> d-------- C:\Program Files\Trojan Remover
2008-08-18 22:55 . 2008-08-18 22:55 <DIR> d-------- C:\Documents and Settings\Szary Wilk\Dane aplikacji\Simply Super Software
2008-08-18 22:55 . 2008-08-18 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Simply Super Software
2008-08-18 22:55 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-08-18 22:55 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-08-18 22:55 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-08-18 22:55 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-08-18 22:55 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-08-06 19:22 . 2008-08-06 19:23 <DIR> d-------- C:\opimal

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 21:21 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-08-26 11:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-26 11:49 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-08-20 00:19 --------- d-----w C:\Documents and Settings\Szary Wilk\Dane aplikacji\Azureus
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:41 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"Steam"="e:\gry\steam\steam.exe" [BU]
"MsServer"="msfun80.exe" [2008-08-29 19:58 49152 C:\WINDOWS\system32\msfun80.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-08-18 22:57 909904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-08-27 09:51 413696]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"IMJPMIG8.2"="msime82.exe" [2008-08-29 19:58 49152 C:\WINDOWS\system32\msime82.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-14 22:05:45 1205840]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\programy\\Ares\\Ares.exe"=
"D:\\programy\\Azureus\\Azureus.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"D:\\programy\\Gadu-Gadu\\gg.exe"=
"F:\\Warcraft III\\Frozen Throne.exe"=
"F:\\Warcraft III\\pickup.listchecker.exe"=
"F:\\Warcraft III\\Warcraft III.exe"=
"F:\\Warcraft III\\war3.exe"=
"F:\\Warcraft III\\worldedit.exe"=
"F:\\Warcraft III\\World Editor.exe"=
"F:\\Warcraft III\\BNUpdate.exe"=

S2 E4LOADER;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2007-01-04 13:47]
S2 ELOADER;General Purpose USB Driver (adildr.sys);C:\WINDOWS\system32\Drivers\adildr.sys [2007-02-07 16:50]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2004-07-12 05:57]
S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2007-01-04 13:48]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13428951-74be-11dd-9713-00508ded2afa}]
\Shell\Auto\command - H:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e190d39c-e327-11db-ad11-806d6172696f}]
\Shell\AutoRun\command - G:\Autorun.exe root.ini
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://google.pl/

O16 -: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll
.
.
------- File Associations (Beta) -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 20:27:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\algsrvs.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-08-29 20:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 18:28:44
ComboFix2.txt 2008-08-29 18:20:31

Pre-Run: 41,275,736,064 bajtów wolnych
Post-Run: 41,266,847,744 bajtów wolnych

178 --- E O F --- 2008-08-19 13:04:37


#2 karolkuich
Beginner, 141 posts
Posted 30 08 2008 - 01:35

Paste this into Notepad:

File::
C:\AUTORUN.INF
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\algsrvs.exe
C:\fun.xls.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.2"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13428951-74be-11dd-9713-00508ded2afa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e190d39c-e327-11db-ad11-806d6172696f}]

Save the file as CFScript.txt, then drag and drop it onto the ComboFix icon. Paste the resulting log on the forum.

Then scan with: http://cybertrash.pl/Tata/MBAM/Malwarebyte...ti-Malware.html

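As an added illustration (not part of either forum post), the Python script below applies the same triage to a constructed excerpt of the ComboFix log above: it groups files created in the same minute with identical size, the pattern of a worm dropping copies of itself under several names, flags Run-key values and MountPoints2 commands that point at those files, and drafts File:: and Registry:: sections in the CFScript format the reply uses. The excerpt, the regular expressions and the clustering heuristic are assumptions made for this example; the output is a draft to be checked against the full log before use.

```python
"""Added example (not from the forum post): triage a ComboFix log for the
indicators of a USB autorun worm and draft a CFScript in the File::/Registry::
format the reply above uses. The log excerpt and heuristics are constructed."""
import re
from collections import defaultdict

# Constructed sample: lines abridged from the ComboFix log posted above.
SAMPLE_LOG = r"""
2008-08-29 20:27 . 2008-08-29 20:27 129 ---hs---- C:\AUTORUN.INF
2008-08-29 19:58 . 2008-08-29 19:58 49,152 --a------ C:\WINDOWS\system32\msime82.exe
2008-08-29 19:58 . 2008-08-29 19:58 49,152 --a------ C:\WINDOWS\system32\msfun80.exe
2008-08-29 19:58 . 2008-08-29 19:58 49,152 --a------ C:\WINDOWS\system32\algsrvs.exe
2008-08-29 19:58 . 2008-08-29 19:58 49,152 ---hs---- C:\fun.xls.exe
2008-08-27 09:51 . 2008-08-27 09:51 <DIR> d-------- C:\Program Files\QuickTime
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]
"MsServer"="msfun80.exe" [2008-08-29 19:58 49152 C:\WINDOWS\system32\msfun80.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-08-27 09:51 413696]
"IMJPMIG8.2"="msime82.exe" [2008-08-29 19:58 49152 C:\WINDOWS\system32\msime82.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13428951-74be-11dd-9713-00508ded2afa}]
\Shell\Auto\command - H:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e190d39c-e327-11db-ad11-806d6172696f}]
\Shell\AutoRun\command - G:\Autorun.exe root.ini
"""

# "created . modified size attributes path", as ComboFix prints created files.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(<DIR>|[\d,]+) (\S{9}) (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]*)\]$')
MOUNT_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")


def parse_log(text):
    """Split the log into created files, Run-key values and MountPoints2 commands."""
    files, run_values, mountpoints = [], [], []
    key = None
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            created, size, attrs, path = m.groups()
            files.append({"created": created, "size": size, "attrs": attrs, "path": path})
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key and key.lower().endswith("\\run"):
            name, data, meta = m.groups()
            # ComboFix resolves bare file names in the bracketed part; prefer that path.
            last = meta.split()[-1] if meta.split() else ""
            run_values.append((key, name, last if "\\" in last else data))
        elif (m := MOUNT_RE.match(line)) and key:
            mountpoints.append((key, m.group(1), m.group(2)))
    return files, run_values, mountpoints


def suspicious_files(files):
    """Flag clusters of two or more files created in the same minute with the same
    size (a worm dropping copies of itself under several names) plus any
    hidden+system autorun.inf at a drive root."""
    clusters = defaultdict(list)
    for f in files:
        if f["size"] != "<DIR>":
            clusters[(f["created"], f["size"])].append(f["path"])
    flagged = {p for paths in clusters.values() if len(paths) >= 2 for p in paths}
    for f in files:
        root_autorun = re.fullmatch(r"[A-Za-z]:\\autorun\.inf", f["path"], re.IGNORECASE)
        if root_autorun and "h" in f["attrs"] and "s" in f["attrs"]:
            flagged.add(f["path"])
    return flagged


def build_cfscript(files, run_values, mountpoints):
    """Draft File:: and Registry:: sections for the flagged items, in the CFScript
    syntax used in the reply: "name"=- removes a value, [-key] removes a key."""
    bad = suspicious_files(files)
    bad_paths = {p.lower() for p in bad}
    bad_names = {p.rsplit("\\", 1)[-1].lower() for p in bad}
    lines = ["File::", *sorted(bad), "", "Registry::"]
    for key, name, path in run_values:
        if path.lower() in bad_paths:
            lines += [f"[{key}]", f'"{name}"=-']
    seen = []
    for key, _verb, command in mountpoints:
        if key not in seen and any(n in command.lower() for n in bad_names):
            seen.append(key)
            lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(*parse_log(SAMPLE_LOG)))
```

On the sample the script flags the four 49,152-byte executables created at 19:58 and the hidden autorun.inf, the two Run values that load them, and only the MountPoints2 key whose command names one of those files; the G: drive entry is left alone because nothing ties it to the cluster.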
