FoO-FoO
(Foofoo1990)
1 March 2008 12:08
#1
Hi, I've already read something about this on the forum, but could you explain to me step by step what to do to get rid of it?
I have Avast and it supposedly removes this virus, but after restarting the computer it still detects it :?
Will you help?
FoO-FoO
(Foofoo1990)
1 March 2008 12:25
#4
Luki_2
(Luki_2)
1 March 2008 12:40
#5
I suggest enabling a boot-time scan ;]
It might remove it once and for all :]
Because it's quite possible that it simply can't remove this virus and keeps reporting that it has detected it again...
There is one more possibility, but for now look into this and make those logs as the previous posters said
FoO-FoO
(Foofoo1990)
1 March 2008 12:43
#6
I made the logs and I already scanned at boot, and it also said it had removed it, but it hadn't
FoO-FoO
(Foofoo1990)
2 March 2008 08:20
#8
Does nobody know how to solve the problem?
FoO-FoO
(Foofoo1990)
2 March 2008 09:43
#9
The location is C:\a.bat
I can see it as long as I don't press anything in Avast at the start, when the computer boots up
FoO-FoO
(Foofoo1990)
2 March 2008 12:29
#10
hmmmmmm If you're going to post something in this thread, don't do it just to spam yourself one more post, do it to help !!!
addmir
(Dmirecki)
2 March 2008 12:50
#11
Paste into Notepad:
File::
C:\a.bat
C:\WINDOWS\system32\verify.exe
C:\WINDOWS\system32\mirc631.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
File -> Save as -> CFScript.txt
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->
The removal should start and a log will be produced; post that log on the forum.
If everything goes well, after the restart manually delete the file C:\Qoobox
FoO-FoO
(Foofoo1990)
2 March 2008 13:08
#12
A MIRACLE, the virus is gone
Just in case, here's the log:
ComboFix 08-03-01.3 - Patryk 2008-03-02 13:59:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT 1:00]
Running from: C:\Documents and Settings\Patryk\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Patryk\Pulpit\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\a.bat
C:\WINDOWS\system32\mirc631.exe
C:\WINDOWS\system32\verify.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mirc631.exe
C:\WINDOWS\system32\verify.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-03-02 10:03 . 2008-03-02 10:03
2008-03-02 10:03 . 2008-03-02 10:03
2008-03-02 10:03 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-02 09:38 . 2008-03-02 09:38
2008-03-02 09:38 . 2008-03-02 09:38
2008-03-02 09:22 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-03-02 09:22 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-03-02 09:22 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-03-02 09:22 . 2004-02-05 20:53 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-03-02 09:22 . 2004-01-09 10:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-03-02 09:22 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-03-02 09:22 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-03-02 09:22 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-03-02 09:22 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-03-01 23:44 . 2008-03-01 23:46
2008-03-01 13:21 . 2008-03-01 13:21
2008-03-01 12:57 . 2008-03-01 16:03
2008-02-29 23:55 . 2008-03-01 19:02
2008-02-29 12:25 . 2008-02-29 12:25
2008-02-21 21:23 . 2008-03-01 19:25
2008-02-21 02:57 . 2008-02-21 02:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-02-18 18:10 . 2008-02-18 18:10 65 --a------ C:\WINDOWS\WaterIllusion.ini
2008-02-15 00:17 . 2008-02-15 00:18 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-02-12 02:28 . 2008-02-12 02:28
2008-02-12 02:28 . 2008-02-12 02:29
2008-02-10 01:47 . 2008-02-10 01:47
2008-02-09 22:49 . 2008-02-09 22:58
2008-02-09 21:51 . 2008-02-09 21:51
2008-02-07 23:33 . 2008-02-07 23:33
2008-02-07 23:33 . 2008-02-13 18:57
2008-02-02 15:52 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-02-02 15:36 . 2008-02-02 15:36
2008-02-02 15:31 . 2008-02-02 15:31

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 11:37 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-02 11:37 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-02 11:09 --------- d-----w C:\Documents and Settings\Patryk\Dane aplikacji\Skype
2008-03-02 08:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 08:13 --------- d-----w C:\Documents and Settings\Patryk\Dane aplikacji\skypePM
2008-03-02 00:37 --------- d-----w C:\Documents and Settings\Patryk\Dane aplikacji\Xfire
2008-03-01 15:03 --------- d-----w C:\Program Files\Xfire
2008-02-29 23:54 --------- d-----w C:\Program Files\English Translator 3
2008-02-24 01:24 --------- d-----w C:\Program Files\Opera
2008-02-22 19:15 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-02-22 00:03 --------- d-----w C:\Documents and Settings\Patryk\Dane aplikacji\LimeWire
2008-02-18 17:10 --------- d--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-02-03 21:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 21:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 11:28 --------- d-----w C:\Program Files\WarRock
2008-01-30 18:18 --------- d-----w C:\Documents and Settings\Patryk\Dane aplikacji\Image Zone Express
2008-01-24 19:43 --------- d-----w C:\Documents and Settings\Patryk\Dane aplikacji\HP
2008-01-18 14:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-01-17 18:04 --------- d-----w C:\Program Files\MSN Messenger
2008-01-17 15:37 --------- d-----w C:\Program Files\LEXMA
2008-01-12 13:42 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-12 13:40 22,328 ----a-w C:\Documents and Settings\Patryk\Dane aplikacji\PnkBstrK.sys
2008-01-12 13:27 --------- d-----w C:\Program Files\Activision
2008-01-11 22:41 --------- d-----w C:\Program Files\Valve
2008-01-11 22:41 --------- d-----w C:\Program Files\sXe Injected
2008-01-09 18:57 --------- d-----w C:\Program Files\Gadu-Gadu
2007-12-20 18:53 892,928 ----a-w C:\WINDOWS\system32\iconv.dll
2007-12-20 18:52 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2007-12-20 18:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2007-12-20 18:51 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-12-20 18:51 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-12-20 18:51 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll
2007-12-20 18:50 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2007-12-20 18:50 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2007-12-20 18:48 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-20 18:48 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-20 17:31 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows 32-bit DLL Integrity Verifier"="verify.exe" []
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 10:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 10:44 24576]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 10:20 6803456]
"nwiz"="nwiz.exe" [2005-06-15 10:20 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-06-15 10:20 86016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 22:51 185896]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows 32-bit DLL Integrity Verifier"="verify.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-10-11 00:52 124928 C:\WINDOWS\system32\advpack.dll]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-01-24 09:22 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-10-27 11:00 299008 C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]
C:\Program Files\LEXMA\Laser Mouse Driver\1.0\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-23 22:51 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe"=
"C:\Program Files\Xfire\xfire.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"C:\WINDOWS\system32\PnkBstrA.exe"=
"C:\WINDOWS\system32\PnkBstrB.exe"=
"C:\Program Files\MSN Messenger\msnmsgr.exe"=
"C:\Program Files\MSN Messenger\livecall.exe"=
"C:\Program Files\Valve\hl.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"=
"C:\Program Files\mIRC\mirc.exe"=
"C:\Program Files\LimeWire\LimeWire.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-03 23:45]
S3 ACRUSBTM;ACRUSBTM;C:\WINDOWS\system32\drivers\ACRUSBTM.SYS [2007-08-02 11:35]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2006-09-13 18:19]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 21:08:49 C:\WINDOWS\Tasks\WebReg psc 1400 series.job" - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 14:01:40
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-02 14:02:25
ComboFix-quarantined-files.txt 2008-03-02 13:02:16
ComboFix2.txt 2008-03-01 12:17:56
.
2008-01-18 14:22:42 --- E O F ---
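The log above shows the pattern this thread is about: ComboFix lists verify.exe under "Other Deletions", yet the Run and RunServices values that launch it are still present, with an empty metadata bracket ([]) because the file is gone, so each boot tries to run it again. The following script is an added example (not part of the forum post, and not a ComboFix tool) that parses those two sections of a ComboFix log and reports autostart values that outlived their file. The sample log is constructed from lines of the post's own log; the section names and line layouts are ComboFix's.

```python
"""Added example, not from the forum post: cross-check the deletions in a
ComboFix log against its autostart ("Reg Loading Points") listing.
ComboFix prints each Run/RunServices value as "Name"="target" [date time size
resolved-path] and leaves the bracket empty ([]) when the target is missing.
In the log above verify.exe is under "Other Deletions", yet the two values
that launch it are still listed with [], so each boot re-runs a missing file;
those values are what the FIX.REG later in the thread removes.
"""
import ntpath
import re

# Constructed sample: lines taken from the log in the post, nothing added.
SAMPLE_LOG = r'''
FILE ::
C:\a.bat
C:\WINDOWS\system32\mirc631.exe
C:\WINDOWS\system32\verify.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\mirc631.exe
C:\WINDOWS\system32\verify.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows 32-bit DLL Integrity Verifier"="verify.exe" []
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 10:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows 32-bit DLL Integrity Verifier"="verify.exe" []
'''

SECTION_RE = re.compile(r'^\(+\s*(?P<title>[^()]+?)\s*\)+$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
WINPATH_RE = re.compile(r'[A-Za-z]:\\\S.*$')


def parse_combofix(text):
    """Return (requested, deleted, autostart): paths the CFScript asked for
    (FILE ::), paths ComboFix reports under "Other Deletions", and the
    (key, value_name, target, meta) autostart entries; meta is None for []."""
    requested, deleted, autostart = set(), set(), []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group('title'), None
            continue
        if line.upper().startswith('FILE ::'):
            section = 'FILE'
        elif section in ('FILE', 'Other Deletions') and WINPATH_RE.match(line):
            (requested if section == 'FILE' else deleted).add(line.lower())
        elif section == 'Reg Loading Points':
            m = KEY_RE.match(line)
            if m:
                key = m.group('key')
                continue
            m = VALUE_RE.match(line)
            if m and key is not None:
                meta = m.group('meta').strip() or None
                autostart.append((key, m.group('name'), m.group('target'), meta))
    return requested, deleted, autostart


def orphaned_autostarts(deleted, autostart):
    """Values that outlived their file: the target was not found ([]) or its
    file name is one ComboFix just deleted.  Returns (key, name, target, reasons)."""
    deleted_names = {ntpath.basename(p) for p in deleted}
    hits = []
    for key, name, target, meta in autostart:
        reasons = []
        if meta is None:
            reasons.append('target not found')
        if ntpath.basename(target).lower() in deleted_names:
            reasons.append('file deleted by ComboFix')
        if reasons:
            hits.append((key, name, target, reasons))
    return hits


def search_path_targets(autostart):
    """Values whose data is a bare file name, which Windows resolves through the
    search path (system32, %SystemRoot%, ...); that is how a dropped verify.exe
    runs from an entry that looks like a system component.
    Returns (value_name, bare_name, resolved_path_or_None)."""
    out = []
    for _key, name, target, meta in autostart:
        if '\\' in target or ':' in target or '%' in target:
            continue
        m = WINPATH_RE.search(meta or '')
        out.append((name, target, m.group(0) if m else None))
    return out


if __name__ == '__main__':
    _req, _del, _auto = parse_combofix(SAMPLE_LOG)
    for key, name, target, reasons in orphaned_autostarts(_del, _auto):
        print('ORPHANED [%s] "%s"="%s" (%s)' % (key, name, target, ', '.join(reasons)))
```

Run against the constructed sample, both "Windows 32-bit DLL Integrity Verifier" values come out as orphaned, while SoundMan (also a bare name, but resolved by ComboFix to C:\WINDOWS\SOUNDMAN.EXE) does not. C:\a.bat is requested in the CFScript but not reported under "Other Deletions", which is visible from the difference of the two sets.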
Gutek
(Gutek)
2 March 2008 20:11
#14
Open Notepad and paste this into it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows 32-bit DLL Integrity Verifier"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows 32-bit DLL Integrity Verifier"=-
File >>> Save as >>> change the file type from TXT to All files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350
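Both registry scripts in this thread, the Registry:: section of addmir's CFScript and Gutek's FIX.REG above, use regedit's text syntax, where `"name"=-` deletes one value and `[-KEY]` deletes a whole key. The script below is an added example (not from the forum post, not a Microsoft tool) that reads such a file and lists the operations it would perform, so the plan can be checked before the file is double-clicked. The two embedded inputs are copied verbatim from the posts; the dword/hex handling goes slightly beyond what the thread uses, to cover the value kinds regedit files commonly carry.

```python
"""Added example, not part of the forum post: a dry-run reader for the
registry scripts pasted in this thread (the FIX.REG above and the Registry::
section of the earlier CFScript), which share regedit's text syntax:
    [KEY]            create the key if needed and select it
    [-KEY]           delete the key and everything beneath it
    "name"="text"    set a REG_SZ value (@ is the key's default value)
    "name"=dword:0a  set a REG_DWORD; "name"=hex:41,42 sets REG_BINARY
    "name"=-         delete just that value
Listing the operations before double-clicking the file is the check worth
doing: a "-" on the wrong side of the bracket deletes a whole key.  Regedit
also refuses a file without the version header, so that is checked too.
"""
import re

HEADERS = ('Windows Registry Editor Version 5.00', 'REGEDIT4')
KEY_RE = re.compile(r'^\[(?P<delete>-?)(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

# The FIX.REG from the post above, copied verbatim.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows 32-bit DLL Integrity Verifier"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows 32-bit DLL Integrity Verifier"=-
'''

# The Registry:: section of the CFScript from earlier in the thread (no header).
CFSCRIPT_REGISTRY = r'''
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
'''


def _unescape(s):
    """regedit escapes backslash and double quote inside quoted strings."""
    return re.sub(r'\\(["\\])', r'\1', s)


def _decode(data):
    """Map the right-hand side of a value line to (kind, value)."""
    if data == '-':
        return 'delete', None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return 'REG_SZ', _unescape(data[1:-1])
    if data.startswith('dword:'):
        return 'REG_DWORD', int(data[6:], 16)
    if data.startswith('hex:'):
        raw = data[4:].replace(' ', '')
        return 'REG_BINARY', bytes(int(b, 16) for b in raw.split(',') if b)
    raise ValueError('unsupported value data: %r' % data)


def plan(text, require_header=True):
    """Parse a .reg text (or a CFScript Registry:: section, with
    require_header=False) into a list of operations:
    ('delete_key', key), ('delete_value', key, name) or
    ('set', key, name, kind, value).  Raises ValueError on anything regedit
    would not accept, so a typo is caught before it touches the registry."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(';')]
    if require_header:
        if not lines or lines[0] not in HEADERS:
            raise ValueError('missing .reg header; regedit would refuse the file')
        lines = lines[1:]
    ops, key, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        while line.endswith('\\') and i + 1 < len(lines):   # hex: continuation
            i += 1
            line = line[:-1] + lines[i]
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            if m.group('delete'):
                ops.append(('delete_key', key))
                key = None              # values after a deleted key are a mistake
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError('unexpected line: %r' % line)
        name = m.group('name')
        name = '' if name == '@' else _unescape(name[1:-1])
        kind, value = _decode(m.group('data'))
        ops.append(('delete_value', key, name) if kind == 'delete'
                   else ('set', key, name, kind, value))
    return ops


def is_valid_reg(text, require_header=True):
    """True when plan() accepts the text without error."""
    try:
        plan(text, require_header)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for op in plan(FIX_REG) + plan(CFSCRIPT_REGISTRY, require_header=False):
        print(op)
```

For FIX_REG the plan is two delete_value operations, one under Run and one under RunServices, and nothing else; for the CFScript section it is a single delete_key of the MountPoints2 key. The CFScript text is rejected when read as a stand-alone .reg file, because it has no header, which is the right outcome: it was written for ComboFix, not for regedit.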