I'm posting the logs, but could someone explain this to me, because the problem already disappeared after running ComboFix???
Log below
ComboFix 08-02.05.3 - Michal 2008-02-05 15:55:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.411 [GMT 1:00]
Running from: D:\programy-instalki\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
C:\Program Files\myglobalsearch\bar\Cache\00344336
C:\Program Files\myglobalsearch\bar\Cache\009DB450.bin
C:\Program Files\myglobalsearch\bar\Cache\009DB7FA.bin
C:\Program Files\myglobalsearch\bar\Cache\009DC690.bin
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-05 14:10 . 2008-02-05 14:10
2008-02-01 20:20 . 2008-02-01 20:25
2008-01-27 18:08 . 2008-02-01 10:34 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-27 18:08 . 2008-01-27 18:16 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-27 18:07 . 2008-01-27 18:07
2008-01-27 18:07 . 2008-02-05 14:22
2008-01-27 18:07 . 2008-02-05 15:57 6,003,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-27 18:07 . 2008-02-05 14:20 83,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-27 18:07 . 2008-02-05 15:57 76,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-27 18:07 . 2008-02-05 14:20 9,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-27 17:59 . 2008-01-27 17:59
2008-01-21 01:51 . 2004-12-07 09:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-21 01:51 . 2006-01-30 11:32 5,632 --a------ C:\WINDOWS\system32\pxc25pm.dll
2008-01-21 01:50 . 2008-01-21 01:53
2008-01-20 08:07 . 2008-01-20 08:07 33,292 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 16:08 . 2008-01-10 16:15 294 --a------ C:\WINDOWS\SchDwgUtility99SE.ini
2008-01-09 15:35 . 2008-01-09 15:35 215 --a------ C:\Untitled5.asv
2008-01-08 15:24 . 2008-01-08 15:24
2008-01-08 12:54 . 2008-01-08 13:00
2008-01-06 19:47 . 2008-01-06 19:47
2008-01-06 19:47 . 2008-01-06 19:47 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-01-06 19:44 . 2008-01-06 19:44
2008-01-06 19:44 . 2008-01-06 19:44
2008-01-06 19:44 . 2008-01-06 21:24
2008-01-06 19:44 . 2008-01-06 19:44
2008-01-06 19:36 . 2008-01-10 16:15 273,619 --a------ C:\WINDOWS\CLIENT99SE.rcs
2008-01-06 19:36 . 2008-01-06 19:36 273,619 --a------ C:\WINDOWS\CLIENT99SE.~cs
2008-01-06 19:36 . 2008-01-10 16:15 8,632 --a------ C:\WINDOWS\CLIENT99SE.raf
2008-01-06 19:36 . 2008-01-06 19:36 8,632 --a------ C:\WINDOWS\CLIENT99SE.~af
2008-01-06 19:36 . 2008-01-10 16:15 3,036 --a------ C:\WINDOWS\CLIENT99SE.ndr
2008-01-06 19:36 . 2008-01-10 16:15 2,618 --a------ C:\WINDOWS\AdvSch99SE.dft
2008-01-06 19:30 . 2008-01-10 16:05 758 --a------ C:\WINDOWS\ProHelp99SE.INI
2008-01-06 19:27 . 2008-01-06 19:30
2008-01-06 19:27 . 2008-01-06 19:27
2008-01-06 18:37 . 2008-01-06 18:57
2008-01-06 18:37 . 2008-01-06 18:37
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 14:50 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\uTorrent
2008-01-27 17:01 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-26 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 19:08 --------- d-----w C:\Program Files\PSIM
2008-01-25 13:55 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Canon
2008-01-08 14:25 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Ahead
2008-01-03 22:02 --------- d-----w C:\Program Files\Damian Pasternak
2008-01-02 16:14 --------- d-----w C:\Program Files\ElcomSoft
2008-01-02 12:41 --------- d-----w C:\Program Files\Słownik
2008-01-02 12:41 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-12-26 22:00 --------- d-----w C:\Program Files\Common Files\DirectX
2007-12-15 18:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-15 18:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-15 18:17 22,328 ----a-w C:\Documents and Settings\Michal\Dane aplikacji\PnkBstrK.sys
2007-12-15 18:17 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-13 22:16 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\CyberLink
2007-12-13 22:15 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2007-12-12 09:51 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\AdobeUM
2007-12-12 09:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-10 16:43 --------- d-----w C:\Program Files\BearShare
2007-12-07 20:24 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\Media Player Classic
2007-12-07 18:10 --------- d-----w C:\Program Files\DivX
2007-12-07 17:06 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\ArcSoft
2007-12-07 16:35 --------- d-----w C:\Program Files\Canon
2007-12-07 16:34 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-07 16:34 --------- d-----w C:\Documents and Settings\Michal\Dane aplikacji\ScanSoft
2007-12-07 16:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SSScanWizard
2007-12-07 16:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SSScanAppDataDir
2007-12-07 16:33 --------- d-----w C:\Program Files\ScanSoft
2007-12-07 16:30 --------- d-----w C:\Program Files\ArcSoft
2007-12-06 20:54 --------- d-----w C:\Program Files\AC3Filter
2007-12-06 20:50 --------- d-----w C:\Program Files\ffdshow
2007-12-06 20:34 --------- d-----w C:\Program Files\MarBit
2007-12-03 19:05 16,957,072 ----a-w C:\7-11_xp32_dd_54435.exe
2007-12-02 21:43 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 09:29 723,968 ----a-w C:\WINDOWS\system32\lsasrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 12:24 167368]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-10-14 10:37 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 12:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="C:\WINDOWS\sm56hlpr.exe" [2006-03-21 15:54 544768]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2006-07-04 15:09 336001]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-05-30 10:28 811008]
"NB Probe"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-26 12:12 161328]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-15 19:04 35328]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 18:01 90112]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-01-29 23:02 200768]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:44 15360]
R2 ghaio;ghaio;C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys [2003-08-20 11:28]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-02-07 11:44]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\ATK0100\ASNDIS5.SYS [2004-05-28 03:13]
R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl02_xp.sys [2006-08-14 04:40]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-02-13 05:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b64f652-9d8c-11dc-a3a5-00e06ff4ad63}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92a22da4-d3bb-11dc-a481-001d60619063}]
\Shell\AutoRun\command - H:\2ifetri.cmd
\Shell\explore\Command - H:\2ifetri.cmd
\Shell\open\Command - H:\2ifetri.cmd
*Newly Created Service* - SCDEMU
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 15:57:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-05 15:58:58
ComboFix-quarantined-files.txt 2008-02-05 14:58:55
.
2008-01-09 22:23:52 --- E O F ---