Trojan-problem


(mały67) #1

Hello! I'm new to the forum. I have a problem with a virus called Win32:OnLineGames-DIK. When I turn on the computer, Avast detects this virus; every time I move it to quarantine, but that doesn't help. Please help me with how to get rid of it and which program to use. I'd appreciate step-by-step instructions, since I've never dealt with removing viruses before. Thanks in advance.


(system) #2

Try the Trojan Remover program; you can download it from this portal.

It removed a very nasty trojan for me.

The program is in English, but it's easy to use. If you know basic English, you'll manage without any problem.


(Leon$) #3

Download ComboFix http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654, scan the system and post the log

then

a HijackThis log

scan in the order I gave

:slight_smile:


(mały67) #4

ComboFix 08-05-01.3 - oem 2008-05-05 18:22:41.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.657 [GMT 2:00]

Running from: C:\Documents and Settings\oem\Pulpit\trojan\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\v.exe

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

C:\WINDOWS\xmg.exe

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))

.

2008-05-05 17:48 . 2008-05-05 17:52

2008-05-05 17:46 . 2008-05-05 17:54

2008-05-05 17:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2008-05-05 17:46 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2008-05-05 17:46 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll

2008-04-28 13:43 . 2008-04-28 13:42 104,269 -r-hs---- C:\jfvkcsy.bat

2008-04-27 19:35 . 2008-04-21 08:12 104,925 -r-hs---- C:\dwvo.cmd

2008-04-27 19:35 . 2008-05-03 12:53 103,480 --a------ C:\WINDOWS\system32\amvo.exe.vir

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-05 16:22 --------- d-----w C:\Program Files\Neostrada TP

2008-03-23 18:12 --------- d-----w C:\Program Files\Mindscape

2008-03-23 18:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\The Learning Company

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

"Gadu-Gadu"="D:\gg\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-07 02:49 8425472]

"nwiz"="nwiz.exe" [2007-03-07 02:49 1622016 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-07 02:49 81920]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]

"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 18:07 53248]

"WinampAgent"="D:\winamp\winampa.exe" [2007-05-15 00:22 35328]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-29 20:40 155648]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - D:\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-17 11:07:28 966756]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"D:\gg\Gadu-Gadu\gg.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{365c84aa-c775-11dc-b9a8-4d6564696130}]

\Shell\AutoRun\command - F:\dwvo.cmd

\Shell\explore\Command - F:\dwvo.cmd

\Shell\open\Command - F:\dwvo.cmd

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-05 18:24:39

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-05 18:25:16

ComboFix-quarantined-files.txt 2008-05-05 16:25:13

Pre-Run: 40,149,454,848 bajtów wolnych

Post-Run: 40,426,463,232 bajtów wolnych

92 --- E O F --- 2008-04-09 19:02:22

On 05.05.2008 at 18:30 a post was appended by mały67

What now?


(Gutek) #5

Paste into Notepad:

File::

C:\jfvkcsy.bat

C:\dwvo.cmd

C:\WINDOWS\system32\amvo.exe.vir

F:\dwvo.cmd


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

– just like in this picture -->88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be produced).

After the restart, delete the folder C:\Qoobox manually.

After that, a new ComboFix log and a scan at http://www.kaspersky.pl/virusscanner.html
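The two steps in the thread, reading the ComboFix log for the autorun indicators (hidden+system scripts sitting in a drive root, the `.vir` renames, the MountPoints2 `\Shell\...\command` targets, the Security Center `AntiVirusOverride` value) and turning them into the `File::` / `Registry::` CFScript layout Gutek pastes above, as an added Python example. This is not ComboFix's code and not code from any poster; it assumes the line layouts are exactly as they appear in the logs in this thread, and the sample log is a constructed excerpt of the first log.

```python
"""Pull autorun-worm indicators out of a ComboFix log and draft a CFScript.

Added example for this thread; it is not ComboFix's code and not code from
any poster. Assumptions: the "Files Created" line layout, the MountPoints2
"\\Shell\\...\\command - <target>" layout and the CFScript "File::" /
"Registry::" layout are exactly as shown in the posts above.
"""
import re

# Constructed sample: an excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
2008-05-05 17:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-28 13:43 . 2008-04-28 13:42 104,269 -r-hs---- C:\jfvkcsy.bat
2008-04-27 19:35 . 2008-04-21 08:12 104,925 -r-hs---- C:\dwvo.cmd
2008-04-27 19:35 . 2008-05-03 12:53 103,480 --a------ C:\WINDOWS\system32\amvo.exe.vir
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{365c84aa-c775-11dc-b9a8-4d6564696130}]
\Shell\AutoRun\command - F:\dwvo.cmd
\Shell\explore\Command - F:\dwvo.cmd
\Shell\open\Command - F:\dwvo.cmd
"""

# "<created> . <modified> <size> <attrs> <path>"; attrs is a 9-character field
# in which 'h' and 's' mark the hidden and system attributes.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"([\d,]+) ([-a-z]{9}) (.+)$"
)
# A script or executable sitting directly in a drive root (where Autorun.inf points).
ROOT_SCRIPT_RE = re.compile(r"^[A-Z]:\\[^\\]+\.(bat|cmd|exe|com|vbs)$", re.I)
# Per-volume MountPoints2 key; group 1 is the parent key without the {GUID}.
MP_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2)\{[^}]*\}\]$", re.I)
# "\Shell\<verb>\command - <target>" lines listed under that key.
SHELL_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)


def parse_findings(log_text):
    """Return a dict of the indicators found in the log text."""
    findings = {
        "hidden_root_scripts": [],  # -r-hs---- files directly in a drive root
        "quarantined": [],          # files ComboFix already renamed to *.vir
        "autorun_targets": [],      # what the MountPoints2 shell verbs launch
        "mountpoints_key": None,    # parent MountPoints2 key, if hijacked
        "av_override": False,       # Security Center AV alerts suppressed
    }
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            if "h" in attrs and "s" in attrs and ROOT_SCRIPT_RE.match(path):
                findings["hidden_root_scripts"].append(path)
            elif path.lower().endswith(".vir"):
                findings["quarantined"].append(path)
            continue
        if line.startswith("["):
            current_key = line.lower()
            m = MP_KEY_RE.match(line)
            if m:
                findings["mountpoints_key"] = m.group(1)
            continue
        if "security center" in current_key and line.lower().startswith('"antivirusoverride"=dword:'):
            findings["av_override"] = int(line.split("dword:")[1], 16) != 0
            continue
        m = SHELL_RE.match(line)
        if m and "mountpoints2" in current_key:
            target = m.group(2)
            if target not in findings["autorun_targets"]:
                findings["autorun_targets"].append(target)
    return findings


def build_cfscript(findings):
    """Draft the CFScript text in the layout used in the thread (empty if nothing found)."""
    files = []
    for path in (findings["hidden_root_scripts"] + findings["quarantined"]
                 + findings["autorun_targets"]):
        if path not in files:
            files.append(path)
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    if findings["mountpoints_key"]:
        lines.append("Registry::")
        lines.append("[-" + findings["mountpoints_key"] + "]")
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    if found["av_override"]:
        print("note: Security Center AntiVirusOverride is set; antivirus status alerts are suppressed")
    print(build_cfscript(found), end="")
```

On the constructed sample the script reproduces Gutek's list (C:\jfvkcsy.bat, C:\dwvo.cmd, the amvo.exe.vir rename, F:\dwvo.cmd) and the `[-...\mountpoints2]` deletion; the draft is meant to be reviewed by a person before it is dropped onto ComboFix.exe, not run blindly.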


(mały67) #6

new log

ComboFix 08-05-01.3 - oem 2008-05-05 18:44:42.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.615 [GMT 2:00]

Running from: C:\Documents and Settings\oem\Pulpit\trojan\ComboFix.exe

Command switches used :: C:\Documents and Settings\oem\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\dwvo.cmd

C:\jfvkcsy.bat

C:\WINDOWS\system32\amvo.exe.vir

F:\dwvo.cmd

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\dwvo.cmd

C:\jfvkcsy.bat

C:\WINDOWS\system32\amvo.exe.vir

.

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))

.

2008-05-05 18:35 . 2008-05-05 18:35

2008-05-05 17:48 . 2008-05-05 17:52

2008-05-05 17:46 . 2008-05-05 17:54

2008-05-05 17:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2008-05-05 17:46 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2008-05-05 17:46 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-05 16:36 --------- d-----w C:\Program Files\Neostrada TP

2008-03-23 18:12 --------- d-----w C:\Program Files\Mindscape

2008-03-23 18:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\The Learning Company

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

"Gadu-Gadu"="D:\gg\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-07 02:49 8425472]

"nwiz"="nwiz.exe" [2007-03-07 02:49 1622016 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-07 02:49 81920]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]

"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 18:07 53248]

"WinampAgent"="D:\winamp\winampa.exe" [2007-05-15 00:22 35328]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-29 20:40 155648]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - D:\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-17 11:07:28 966756]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"D:\gg\Gadu-Gadu\gg.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-05 18:45:17

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-05 18:45:38

ComboFix-quarantined-files.txt 2008-05-05 16:45:35

ComboFix2.txt 2008-05-05 16:25:17

Pre-Run: 40,404,250,624 bajtów wolnych

Post-Run: 40,397,946,880 bajtów wolnych

91 --- E O F --- 2008-04-09 19:02:22


(Gutek) #7

It's OK, but - the rules for pasting logs on the forum have changed - viewtopic.php?f=16&t=213350


(mały67) #8

Thanks for the help.