How do I remove a virus?


(Dodus4) #1

I don't know how to remove a virus, so please help

this is

AntiVir PersonalEdition Classic

Report file date: 20 lutego 2007 12:45

Scanning for 675072 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Dodatek Service Pack. 1) [5.1.2600]

Username: dorota

Computer name: DOROTA-GEMRZV4B

Version information:

BUILD.DAT : 217 12749 Bytes 2006-12-05 17:00:00

AVSCAN.EXE : 7.0.3.5 208936 Bytes 2007-02-20 10:47:36

AVSCAN.DLL : 7.0.3.1 35880 Bytes 2006-12-05 16:00:24

LUKE.DLL : 7.0.3.2 143400 Bytes 2006-10-31 16:07:48

LUKERES.DLL : 7.0.2.0 9256 Bytes 2006-12-05 16:00:24

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 2006-05-31 15:30:08

ANTIVIR1.VDF : 6.37.0.153 3131392 Bytes 2007-01-12 10:47:38

ANTIVIR2.VDF : 6.37.1.85 598016 Bytes 2007-02-14 10:47:38

ANTIVIR3.VDF : 6.37.1.118 56832 Bytes 2007-02-20 10:47:38

AVEWIN32.DLL : 7.3.1.37 2306560 Bytes 2007-02-20 10:47:38

AVPREF.DLL : 7.0.2.0 23592 Bytes 2006-11-03 10:53:46

AVREP.DLL : 6.37.1.100 1142824 Bytes 2007-02-20 10:47:38

AVRPBASE.DLL : 7.0.0.0 2162728 Bytes 2006-03-30 08:43:32

AVPACK32.DLL : 7.2.0.5 368680 Bytes 2006-10-23 15:21:32

AVREG.DLL : 7.0.1.2 30760 Bytes 2007-02-20 10:47:36

NETNT.DLL : No Information!

RCIMAGE.DLL : 7.0.1.3 2097192 Bytes 2006-11-08 12:26:28

RCTEXT.DLL : 7.0.12.1 77864 Bytes 2006-12-05 16:00:22

Configuration settings for the scan:

Jobname..........................: ShlExt

Configuration file...............: C:\DOCUME~1\dorota\USTAWI~1\Temp\d51645b0.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: C:,

Scan memory......................: on

Process scan.....................: off

Scan registry....................: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Expanded search settings.........: 0x00000032

Start of the scan: 20 lutego 2007 12:45

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Starting the file scan:

Begin scan in 'C:\'

C:\PAGEFILE.SYS

[WARNING] The file could not be opened!

C:\hiberfil.sys

[WARNING] The file could not be opened!

End of the scan: 20 lutego 2007 13:07

Used time: 22:28 min

The scan has been done completely.

2793 Scanning directories

218055 Files were scanned

0 viruses and/or unwanted programs were found

0 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

218055 Files not concerned

2941 Archives were scanned

2 Warnings

3 Notes

report from drive c:


(Zawadzio5) #2

Begin scan in ‘C:’

C:\PAGEFILE.SYS

[WARNING] The file could not be opened!

C:\hiberfil.sys

[WARNING] The file could not be opened!

Those are system files :slight_smile: They simply can't be opened. Apart from that, you have no viruses at all. You just need to know a bit of English. Best regards.


(Kuz5) #3

Change the topic title to something specific

Please describe the problem: which virus, and where the suspicion of infection comes from

Clean out the TEMP directory

Start => Run => %temp% => and delete everything in there

Paste the HijackThis and SilentRunners logs


(Dodus4) #4

hmmm, if I don't have a virus, then why does a message like this pop up on my toolbar: system alert???


(adam9870) #5

Use the SmitFraudFix tool, option number 2, in Safe Mode.

Afterwards, show the HijackThis and SilentRunners logs and the contents of the file c:\rapport.txt


(Dodus4) #6

this is supposedly that report, and what next?? I think this is advanced stuff and I may not manage…

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS]

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [“Google Inc.”]

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”]

“WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data]

“SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe” [“Sun Microsystems, Inc.”]

“WireLessMouse” = “C:\Program Files\Multimedia Mouse Driver\StartAutorun.exe MouseDrv.exe” [empty string]

“UninstalTime” = “chkdisk.exe” [null data]

“HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”]

“SpyDawn” = “C:\Program Files\SpyDawn\SpyDawn.exe /h” [file not found]

“avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)

-> {HKLM…CLSID} = “Google Toolbar Helper”

\InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]

“{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]

“{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]

“{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]

“{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

<> “{2016a466-91a2-43c6-97d8-2fd380f065ef}” = “eitheror”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\higehsg.dll” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

“eitheror” = “{2016a466-91a2-43c6-97d8-2fd380f065ef}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\System32\higehsg.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\Documents and Settings\dorota\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\dorota\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]


(Krzychuu) #7

aaaaaa the Silent Runners log is cut off. Wait patiently until it finishes. :wink:


(adam9870) #8

The log shows the rogue SpyDawn:

The latest version of SmitFraudFix, i.e. 2.143, removes it completely, so use it with option number 2 while in Safe Mode.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

http://forum.dobreprogramy.pl/viewtopic … 329#539329

Besides that, one malicious file is visible that SmitFraudFix no longer removes. Download the KillBox program, tick Delete on reboot, and in the full path of file field paste the path:

C:\WINDOWS\system32\chkdisk.exe

Click the red X and restart the computer.

Start => Run => type regedit and click OK => go to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and right-click to delete the UninstalTime value located there

Afterwards, paste the HijackThis log, a new Silent Runners log and the contents of the file c:\rapport.txt
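The triage adam9870 does by eye in the post above (an orphaned `[file not found]` autostart, a bare `chkdisk.exe` with `[null data]`, a shell-loaded DLL with no vendor information) can be written as a filter over Silent Runners output. This is an added example, not code from the thread or from the Silent Runners tool; the sample lines are lifted from the log posted earlier, and the flagging heuristics are my own, not the tool's.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the Silent Runners log posted in this thread.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"UninstalTime" = "chkdisk.exe" [null data]
"SpyDawn" = "C:\Program Files\SpyDawn\SpyDawn.exe /h" [file not found]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{2016a466-91a2-43c6-97d8-2fd380f065ef}" = "eitheror"
\InProcServer32(Default) = "C:\WINDOWS\System32\higehsg.dll" [null data]
"""

SECTION_RE = re.compile(r"^HK(?:LM|CU)\\")                       # registry key header line
ENTRY_RE = re.compile(r'^\s*(?P<name>.+?)\s*=\s*"(?P<value>.*)"\s*\[(?P<info>[^\]]*)\]\s*$')
TARGET_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr))', re.IGNORECASE)  # first binary in the value
SHELL_LOAD = ("SharedTaskScheduler", "ShellServiceObjectDelayLoad")  # DLLs loaded by Explorer itself


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Flag autostart entries that deserve a closer look (heuristics assumed here, not Silent Runners')."""
    findings, section = [], ""
    for line in log_text.splitlines():
        if SECTION_RE.match(line.strip()):
            section = line.strip()          # remember which registry key the entries below belong to
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, value, info = m["name"].strip('"'), m["value"], m["info"].strip('"')
        t = TARGET_RE.match(value)
        target = t["path"] if t else value
        unattributed = info in ("null data", "empty string")   # no version/company resource in the file
        if info == "file not found":
            findings.append(Finding(section, name, target, "autostart target missing (orphaned entry)"))
        elif unattributed and "\\" not in target:
            findings.append(Finding(section, name, target, "bare filename resolved via search path, no version info"))
        elif unattributed and any(k in section for k in SHELL_LOAD):
            findings.append(Finding(section, name, target, "shell-loaded DLL with no version info"))
    return findings
```

Vendor-attributed entries such as SoundMan and avgnt pass, while the three entries adam9870 singles out are the ones returned.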


(Gutek) #9

Follow this Topic and change the topic title to something specific, otherwise it goes in the BIN

Note: when you paste a log, wrap it in a CODE or QUOTE tag

Regards, Gutek2222