Hello! I'm new to the forum. I have a problem with a virus called Win32:OnLineGames-DIK. When I turn on the computer, Avast detects this virus; every time I move it to quarantine, but that doesn't help. Please help me with how to get rid of it and which program to use. I'd ask for step-by-step instructions because I've never dealt with removing viruses. Thanks in advance.
Try the program Trojan Remover; you can download it from this portal.
It removed a very nasty trojan for me.
The program is in English but simple to use. If you know basic English you'll manage without a problem.
Download ComboFix http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654, scan the system and post the log,
then
a HijackThis log.
Scan in the order I gave.
ComboFix 08-05-01.3 - oem 2008-05-05 18:22:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.657 [GMT 2:00]
Running from: C:\Documents and Settings\oem\Pulpit\trojan\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\v.exe
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\xmg.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.
2008-05-05 17:48 . 2008-05-05 17:52
2008-05-05 17:46 . 2008-05-05 17:54
2008-05-05 17:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-05 17:46 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-05 17:46 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-28 13:43 . 2008-04-28 13:42 104,269 -r-hs---- C:\jfvkcsy.bat
2008-04-27 19:35 . 2008-04-21 08:12 104,925 -r-hs---- C:\dwvo.cmd
2008-04-27 19:35 . 2008-05-03 12:53 103,480 --a------ C:\WINDOWS\system32\amvo.exe.vir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 16:22 --------- d-----w C:\Program Files\Neostrada TP
2008-03-23 18:12 --------- d-----w C:\Program Files\Mindscape
2008-03-23 18:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\The Learning Company
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Gadu-Gadu"="D:\gg\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-07 02:49 8425472]
"nwiz"="nwiz.exe" [2007-03-07 02:49 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-07 02:49 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]
"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 18:07 53248]
"WinampAgent"="D:\winamp\winampa.exe" [2007-05-15 00:22 35328]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-29 20:40 155648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - D:\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-17 11:07:28 966756]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"D:\gg\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{365c84aa-c775-11dc-b9a8-4d6564696130}]
\Shell\AutoRun\command - F:\dwvo.cmd
\Shell\explore\Command - F:\dwvo.cmd
\Shell\open\Command - F:\dwvo.cmd
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 18:24:39
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-05 18:25:16
ComboFix-quarantined-files.txt 2008-05-05 16:25:13
Pre-Run: 40,149,454,848 bajtów wolnych
Post-Run: 40,426,463,232 bajtów wolnych
92 --- E O F --- 2008-04-09 19:02:22
On 05.05.2008 at 18:30 a post was appended by mały67
so what now?
Paste into Notepad:
File::
C:\jfvkcsy.bat
C:\dwvo.cmd
C:\WINDOWS\system32\amvo.exe.vir
F:\dwvo.cmd
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
>>File>>Save as… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– similar to this picture –>
(if the question "1 or 2" appears, type 1 and press ENTER). The removal should begin (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log and a scan at http://www.kaspersky.pl/virusscanner.html
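As an added example (not part of this thread and not ComboFix's own tooling), a small Python triage pass that flags in a ComboFix log the autorun-worm traces the helper above removed by hand: Autorun.inf at a drive root, hidden+system .bat/.cmd launchers at a drive root, MountPoints2 shell\command hijacks, and AntiVirusOverride=1 in Security Center. The sample lines are constructed by abridging the logs posted above; the function name and categories are this example's own.

```python
import re
# Constructed sample: lines abridged from the two ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
C:\Autorun.inf
2008-04-28 13:43 . 2008-04-28 13:42 104,269 -r-hs---- C:\jfvkcsy.bat
2008-04-27 19:35 . 2008-04-21 08:12 104,925 -r-hs---- C:\dwvo.cmd
2008-05-05 17:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{365c84aa-c775-11dc-b9a8-4d6564696130}]
\Shell\AutoRun\command - F:\dwvo.cmd
\Shell\explore\Command - F:\dwvo.cmd
\Shell\open\Command - F:\dwvo.cmd
"""

# "Files Created" rows: date time . date time size attrs path
CREATED = re.compile(r"^\S+ \S+ \. \S+ \S+ [\d,]+ (?P<attrs>\S{9}) (?P<path>[A-Za-z]:\\.+)$")
AUTORUN = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)
# MountPoints2 per-drive shell verbs: the worm points all three at its dropper
MOUNTPOINT = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.I)
# Forum software often turns the log's straight quotes into curly ones; accept both
AV_OVERRIDE = re.compile(r'^["“]AntiVirusOverride["”]=dword:0*1$')
LAUNCHER_EXT = (".bat", ".cmd", ".exe", ".com", ".pif", ".scr")

def triage_combofix_log(text):
    """Return (category, detail) pairs for autorun-worm traces in a ComboFix log."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if AUTORUN.match(line):
            findings.append(("autorun.inf at drive root", line))
            continue
        m = CREATED.match(line)
        if m:
            attrs, path = m.group("attrs").lower(), m.group("path")
            at_root = path.count("\\") == 1           # C:\name, nothing deeper
            hidden_system = {"h", "s"} <= set(attrs)  # -r-hs---- style attribute flags
            if at_root and hidden_system and path.lower().endswith(LAUNCHER_EXT):
                findings.append(("hidden+system launcher at drive root", path))
            continue
        m = MOUNTPOINT.match(line)
        if m:
            findings.append((f"MountPoints2 shell\\{m.group('verb')} hijack", m.group("target")))
            continue
        if AV_OVERRIDE.match(line):
            findings.append(("Security Center AntiVirusOverride set", line))
    return findings

if __name__ == "__main__":
    print(*triage_combofix_log(SAMPLE_LOG), sep="\n")
```

Run against a real log, every hit maps onto one of the `File::` or `Registry::` entries the CFScript above lists; a clean post-run log returns an empty list.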
new log
ComboFix 08-05-01.3 - oem 2008-05-05 18:44:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.615 [GMT 2:00]
Running from: C:\Documents and Settings\oem\Pulpit\trojan\ComboFix.exe
Command switches used :: C:\Documents and Settings\oem\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\dwvo.cmd
C:\jfvkcsy.bat
C:\WINDOWS\system32\amvo.exe.vir
F:\dwvo.cmd
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\dwvo.cmd
C:\jfvkcsy.bat
C:\WINDOWS\system32\amvo.exe.vir
.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.
2008-05-05 18:35 . 2008-05-05 18:35
2008-05-05 17:48 . 2008-05-05 17:52
2008-05-05 17:46 . 2008-05-05 17:54
2008-05-05 17:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-05 17:46 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-05 17:46 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 16:36 --------- d-----w C:\Program Files\Neostrada TP
2008-03-23 18:12 --------- d-----w C:\Program Files\Mindscape
2008-03-23 18:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\The Learning Company
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Gadu-Gadu"="D:\gg\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-07 02:49 8425472]
"nwiz"="nwiz.exe" [2007-03-07 02:49 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-07 02:49 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]
"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 18:07 53248]
"WinampAgent"="D:\winamp\winampa.exe" [2007-05-15 00:22 35328]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-29 20:40 155648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - D:\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-17 11:07:28 966756]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"D:\gg\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 18:45:17
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-05 18:45:38
ComboFix-quarantined-files.txt 2008-05-05 16:45:35
ComboFix2.txt 2008-05-05 16:25:17
Pre-Run: 40,404,250,624 bajtów wolnych
Post-Run: 40,397,946,880 bajtów wolnych
91 --- E O F --- 2008-04-09 19:02:22
Thanks for the help.