Trojan


(system) #1

Trojan horse Trojan-PSW.Win32.OnLineGames.qmf File: C:\WINDOWS\system32\amvo.exe

The trojan was removed by Kaspersky (at least that is the message I got), but it left behind a small problem. When I go into "My Computer" and try to open a drive, e.g. "D", I get the prompt "which program do you want to open this with..". I'm not an expert in these matters, so I'm asking what I need to do to get normal access to the contents of my drive?? Thanks for any replies!!


(Kamil2993) #2

heh, we have the same thing in sQl on all the computers :slight_smile:, post your HJT logs


(Leon$) #3

Download ComboFix http://www.bezpieczenstwosystemow.pl/index.php?topic=18.0

scan the system with it and post the log on the forum

:slight_smile:


(system) #4

I'm posting the log, but can someone explain to me why the problem disappeared after running ComboFix???

log below

ComboFix 08-02.05.3 - Michal 2008-02-05 15:55:21.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.411 [GMT 1:00]

Running from: D:\programy-instalki\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR

C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR

C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL

C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL

C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL

C:\Program Files\myglobalsearch\bar\Cache\00344336

C:\Program Files\myglobalsearch\bar\Cache\009DB450.bin

C:\Program Files\myglobalsearch\bar\Cache\009DB7FA.bin

C:\Program Files\myglobalsearch\bar\Cache\009DC690.bin

C:\Program Files\myglobalsearch\bar\Cache\files.ini

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))

.

2008-02-05 14:10 . 2008-02-05 14:10

2008-02-01 20:20 . 2008-02-01 20:25

2008-01-27 18:08 . 2008-02-01 10:34 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-01-27 18:08 . 2008-01-27 18:16 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-01-27 18:07 . 2008-01-27 18:07

2008-01-27 18:07 . 2008-02-05 14:22

2008-01-27 18:07 . 2008-02-05 15:57 6,003,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-01-27 18:07 . 2008-02-05 14:20 83,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-01-27 18:07 . 2008-02-05 15:57 76,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-01-27 18:07 . 2008-02-05 14:20 9,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2008-01-27 17:59 . 2008-01-27 17:59

2008-01-21 01:51 . 2004-12-07 09:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll

2008-01-21 01:51 . 2006-01-30 11:32 5,632 --a------ C:\WINDOWS\system32\pxc25pm.dll

2008-01-21 01:50 . 2008-01-21 01:53

2008-01-20 08:07 . 2008-01-20 08:07 33,292 --a------ C:\WINDOWS\system32\drivers\scdemu.sys

2008-01-10 16:08 . 2008-01-10 16:15 294 --a------ C:\WINDOWS\SchDwgUtility99SE.ini

2008-01-09 15:35 . 2008-01-09 15:35 215 --a------ C:\Untitled5.asv

2008-01-08 15:24 . 2008-01-08 15:24

2008-01-08 12:54 . 2008-01-08 13:00

2008-01-06 19:47 . 2008-01-06 19:47

2008-01-06 19:47 . 2008-01-06 19:47 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-01-06 19:44 . 2008-01-06 19:44

2008-01-06 19:44 . 2008-01-06 19:44

2008-01-06 19:44 . 2008-01-06 21:24

2008-01-06 19:44 . 2008-01-06 19:44

2008-01-06 19:36 . 2008-01-10 16:15 273,619 --a------ C:\WINDOWS\CLIENT99SE.rcs

2008-01-06 19:36 . 2008-01-06 19:36 273,619 --a------ C:\WINDOWS\CLIENT99SE.~cs

2008-01-06 19:36 . 2008-01-10 16:15 8,632 --a------ C:\WINDOWS\CLIENT99SE.raf

2008-01-06 19:36 . 2008-01-06 19:36 8,632 --a------ C:\WINDOWS\CLIENT99SE.~af

2008-01-06 19:36 . 2008-01-10 16:15 3,036 --a------ C:\WINDOWS\CLIENT99SE.ndr

2008-01-06 19:36 . 2008-01-10 16:15 2,618 --a------ C:\WINDOWS\AdvSch99SE.dft

2008-01-06 19:30 . 2008-01-10 16:05 758 --a------ C:\WINDOWS\ProHelp99SE.INI

2008-01-06 19:27 . 2008-01-06 19:30

2008-01-06 19:27 . 2008-01-06 19:27

2008-01-06 18:37 . 2008-01-06 18:57

2008-01-06 18:37 . 2008-01-06 18:37

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-05 14:50 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\uTorrent

2008-01-27 17:01 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-01-26 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-25 19:08 --------- d-----w C:\Program Files\PSIM

2008-01-25 13:55 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Canon

2008-01-08 14:25 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Ahead

2008-01-03 22:02 --------- d-----w C:\Program Files\Damian Pasternak

2008-01-02 16:14 --------- d-----w C:\Program Files\ElcomSoft

2008-01-02 12:41 --------- d-----w C:\Program Files\Słownik

2008-01-02 12:41 --------- d-----w C:\Program Files\Common Files\Borland Shared

2007-12-26 22:00 --------- d-----w C:\Program Files\Common Files\DirectX

2007-12-15 18:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2007-12-15 18:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-12-15 18:17 22,328 ----a-w C:\Documents and Settings\Michal\Dane aplikacji\PnkBstrK.sys

2007-12-15 18:17 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-12-13 22:16 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\CyberLink

2007-12-13 22:15 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2007-12-12 09:51 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\AdobeUM

2007-12-12 09:46 --------- d-----w C:\Program Files\Common Files\Adobe

2007-12-10 16:43 --------- d-----w C:\Program Files\BearShare

2007-12-07 20:24 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Media Player Classic

2007-12-07 18:10 --------- d-----w C:\Program Files\DivX

2007-12-07 17:06 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\ArcSoft

2007-12-07 16:35 --------- d-----w C:\Program Files\Canon

2007-12-07 16:34 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared

2007-12-07 16:34 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\ScanSoft

2007-12-07 16:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SSScanWizard

2007-12-07 16:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SSScanAppDataDir

2007-12-07 16:33 --------- d-----w C:\Program Files\ScanSoft

2007-12-07 16:30 --------- d-----w C:\Program Files\ArcSoft

2007-12-06 20:54 --------- d-----w C:\Program Files\AC3Filter

2007-12-06 20:50 --------- d-----w C:\Program Files\ffdshow

2007-12-06 20:34 --------- d-----w C:\Program Files\MarBit

2007-12-03 19:05 16,957,072 ----a-w C:\7-11_xp32_dd_54435.exe

2007-12-02 21:43 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-11-07 09:29 723,968 ----a-w C:\WINDOWS\system32\lsasrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:44 15360]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 12:24 167368]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-10-14 10:37 110592]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 12:49 16269312 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"SMSERIAL"="C:\WINDOWS\sm56hlpr.exe" [2006-03-21 15:54 544768]

"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]

"ACU"="C:\Program Files\Atheros\ACU.exe" [2006-07-04 15:09 336001]

"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-05-30 10:28 811008]

"NB Probe"="" []

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-26 12:12 161328]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-15 19:04 35328]

"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 18:01 90112]

"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]

"MsmqIntCert"="regsvr32 /s mqrt.dll" []

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-01-29 23:02 200768]

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:44 15360]

R2 ghaio;ghaio;C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys [2003-08-20 11:28]

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-02-07 11:44]

R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\ATK0100\ASNDIS5.SYS [2004-05-28 03:13]

R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl02_xp.sys [2006-08-14 04:40]

R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-02-13 05:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7b64f652-9d8c-11dc-a3a5-00e06ff4ad63}]

\Shell\AutoRun\command - EXPLORER.EXE

\Shell\explore\Command - EXPLORER.EXE

\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{92a22da4-d3bb-11dc-a481-001d60619063}]

\Shell\AutoRun\command - H:\2ifetri.cmd

\Shell\explore\Command - H:\2ifetri.cmd

\Shell\open\Command - H:\2ifetri.cmd

*Newly Created Service* - SCDEMU

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-05 15:57:59

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-02-05 15:58:58

ComboFix-quarantined-files.txt 2008-02-05 14:58:55

.

2008-01-09 22:23:52 --- E O F ---


(Leon$) #5

Because Combo removed the files responsible for it.

Open Notepad and paste:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NB Probe"=-
"MsmqIntCert"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

save it as plik.reg >> all file types >> merge into the registry >> restart


this will create a file with an icon like this


double-click it, confirm that you want to add it to the registry, then restart

manually delete the folder C:\Qoobox

:slight_smile:
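As an added example (not code from the thread or from any of its posters), a PowerShell audit of the per-user MountPoints2 key whose hijacked handlers appear in the ComboFix log above (Shell\AutoRun\command pointing at H:\2ifetri.cmd), plus a check of every drive root for Autorun.inf. It only reports unless run with -Remove; the registry path and the benign handler list are assumptions based on the log.

```powershell
# Added example: audit MountPoints2 drive handlers and drive-root Autorun.inf.
# Read-only by default; -Remove deletes only the flagged per-volume subkeys.
param([switch]$Remove)

# Per-user cache of drive handlers, as shown in the ComboFix log (assumed path)
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Handlers that legitimately appear under Shell\<verb>\command (assumed list)
$benign = @('EXPLORER.EXE', '%SystemRoot%\Explorer.exe')

$suspect = @()
Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
    $volume = $_.PSChildName        # e.g. {92a22da4-d3bb-11dc-a481-001d60619063}
    $shell  = "$mp2\$volume\Shell"  # holds AutoRun / open / explore verbs
    Get-ChildItem -Path $shell -ErrorAction SilentlyContinue | ForEach-Object {
        $verb = $_.PSChildName
        # The default value of <verb>\command is what Explorer runs on double-click
        $cmd = (Get-ItemProperty -Path "$shell\$verb\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and ($benign -notcontains $cmd.Trim())) {
            $suspect += [pscustomobject]@{ Volume = $volume; Verb = $verb; Command = $cmd }
        }
    }
}

if ($suspect.Count -eq 0) {
    Write-Host 'MountPoints2: no non-Explorer drive handlers found.'
} else {
    Write-Warning 'MountPoints2: drive handlers that do not invoke Explorer:'
    $suspect | Format-Table -AutoSize
}

# Autorun.inf at a drive root is what seeds these handlers; it is usually hidden+system
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Warning "Autorun.inf present at $inf (first lines follow):"
        Get-Content -LiteralPath $inf -Force | Select-Object -First 10
    }
}

# Optional cleanup: drop only the flagged volume keys (Windows rebuilds the cache)
if ($Remove) {
    $suspect | Select-Object -ExpandProperty Volume -Unique | ForEach-Object {
        Remove-Item -Path "$mp2\$_" -Recurse -Force
        Write-Host "Removed $mp2\$_"
    }
}
```

Run it before and after a cleanup to confirm the handlers are gone; if it still lists a command pointing at a removable drive, the Autorun.inf and its payload on that drive are still present.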


(system) #6

Thanks a lot for the help, and sorry for posting the log so brutally, but I've only just read the rules about posting them :slight_smile:


(Gutek) #7

Follow this Topic and change the thread title to something specific, otherwise it goes to the BIN

Regards, Gutek2222

Post a check log after completing the cleanup