Trudno usuwalne trojany, próbowałem różnych rozwiązań i nic

Dariusz_J · 3 Grudzień 2007 21:58

Witam,

Jak w temacie. Sprawa jest ciekawa - NOD32 nie widzi żadnych trojanów, tymczasem wykrywa je AdAware w liczbie 7 pod postacią:

Win32.Backdoor.Agent
Win32.TrojanSpy.Peed

AdAware nie może ich usunąć - po restarcie i ponownym skanowaniu tym programem znów się pojawiają. Przeskanowałem dysk VirtmundoBeGone oraz SmitfraudFix. Oto log z tego drugiego, wskazujący na trojany:

SDFix: Version 1.100 Run by Daru on 2007-12-03 at 22:28 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\DOCUME~1\DARU~1\USTAWI~1\Temp\nspE.tmp - Deleted Could Not Remove C:\WINDOWS\system32\wsnpoem\audio.dll Could Not Remove C:\WINDOWS\system32\wsnpoem\video.dll Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- C:\WINDOWS\system32\wsnpoem\audio.dll Found C:\WINDOWS\system32\wsnpoem\video.dll Found File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Finished

Ponieważ usunął jeden z nich a 2 pozostawił, próbowałem usunąć je manualnie za pomocą Avengera, ale wyskakuje error.

Nie pozostaje mi nic innego, tylko poprosić o pomoc. Z góry dziękuję.

Gutek · 3 Grudzień 2007 22:07

do usunięcia folder w trybie awaryjnym

Daj log z ComboFix

Dariusz_J · 3 Grudzień 2007 22:40

Oto log z ComboFix:

ComboFix 07-12-02.7 - Daruś 2007-12-03 23:34:40.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.145 [GMT 1:00] Running from: C:\Documents and Settings\Daruś\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 ))))))))))))))))))))))))))))))) . 2007-12-03 00:51 . 2007-12-03 00:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-03 00:51 . 2007-12-03 00:51 1,409 --a------ C:\WINDOWS\QTFont.for 2007-11-23 00:53 . 2007-11-23 00:53 42,496 --a------ C:\wndmnol.exe 2007-11-21 19:41 . 2007-11-21 19:41 2007-11-11 18:31 . 2004-07-22 12:15 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2007-11-11 18:30 . 2007-11-11 18:30 2007-11-11 14:47 . 2007-11-11 14:47 4,037,632 --a------ C:\odk109update1.exe 2007-11-10 12:25 . 2007-11-10 12:25 2007-11-10 12:12 . 2007-11-10 12:12 1,206,366 --a------ C:\wrar371.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-03 21:36 --------- d-----w C:\Program Files\Neostrada TP 2007-11-20 19:24 --------- d-----w C:\Program Files\DivX 2007-11-17 21:32 --------- d-----w C:\Program Files\Odkurzacz 2007-11-01 20:55 --------- d-----w C:\Program Files\ShaftProfiler 2007-10-21 10:32 --------- d-----w C:\Program Files\Canon 2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-10-15 16:56 --------- d-----w C:\Program Files\BulletProofSoft.com 2007-10-10 16:08 --------- d-----w C:\Program Files\QuickTime 2007-10-07 21:01 --------- d-----w C:\Documents and Settings\Daruś\Dane aplikacji\HP 2007-10-07 20:55 --------- d-----w C:\Program Files\HP 2007-10-07 20:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP 2007-10-07 20:53 --------- d-----w C:\Program Files\Common Files\Sonic Shared 2007-10-07 20:53 --------- d-----w C:\Program Files\Common Files\HP 2007-10-07 20:53 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Sonic 2007-10-07 20:49 --------- d-----w C:\Program Files\Hewlett-Packard 2007-10-07 20:49 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard 2007-04-16 22:21 463 ----a-w C:\Documents and Settings\Daruś\Dane aplikacji\hvsvyngfto[6].dat 2006-02-19 01:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 09:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “VTTimer”=“VTTimer.exe” [2005-03-07 20:33 C:\WINDOWS\system32\VTTimer.exe] “VTTrayp”=“VTtrayp.exe” [2005-01-11 00:33 C:\WINDOWS\system32\VTTrayp.exe] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 10:09 C:\WINDOWS\SOUNDMAN.EXE] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 13:49] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 15:55] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-08-17 19:36] “LWBMOUSE”=“C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE” [2001-11-09 07:47] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 10:09] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-09-17 19:33] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 01:41] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 18:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 18:29] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22] HP Photosmart Premier - Szybkie uruchomienie.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 07:15:54] VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-08-14 15:12:53] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] 2007-03-09 10:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 18:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\System32\DRIVERS\e4usbaw.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\System32\Drivers\e4ldr.sys . ************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-03 23:36:55 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … C:\WINDOWS\system32\ntos.exe 124928 bytes executable C:\WINDOWS\system32\wsnpoem scan completed successfully hidden files: 2 ************************************************************************** . Completion time: 2007-12-03 23:37:49 C:\ComboFix-quarantined-files.txt … 2007-09-03 20:02 C:\ComboFix2.txt … 2007-09-03 20:02 C:\ComboFix3.txt … 2007-09-03 19:26 . — E O F —

Pozdrawiam.

Gutek · 3 Grudzień 2007 23:02

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

Dariusz_J · 4 Grudzień 2007 00:17

OK, zrobione…nowy log:

ComboFix 07-12-02.7 - Daruś 2007-12-04 1:09:48.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.154 [GMT 1:00] Running from: C:\Documents and Settings\Daruś\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Daruś\Pulpit\CFScript.txt * Created a new restore point FILE C:\odk109update1.exe C:\WINDOWS\system32\ntos.exe C:\wndmnol.exe C:\wrar371.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\odk109update1.exe C:\WINDOWS\system32\ntos.exe C:\WINDOWS\system32\wsnpoem\audio.dll C:\WINDOWS\system32\wsnpoem\audio.dll.cla C:\WINDOWS\system32\wsnpoem\video.dll C:\wndmnol.exe C:\wrar371.exe C:\WINDOWS\system32\wsnpoem . ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 ))))))))))))))))))))))))))))))) . 2007-12-03 00:51 . 2007-12-03 00:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-03 00:51 . 2007-12-03 00:51 1,409 --a------ C:\WINDOWS\QTFont.for 2007-11-21 19:41 . 2007-11-21 19:41 2007-11-11 18:31 . 2004-07-22 12:15 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2007-11-11 18:30 . 2007-11-11 18:30 2007-11-10 12:25 . 2007-11-10 12:25 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-04 00:13 --------- d-----w C:\Program Files\Neostrada TP 2007-11-20 19:24 --------- d-----w C:\Program Files\DivX 2007-11-17 21:32 --------- d-----w C:\Program Files\Odkurzacz 2007-11-01 20:55 --------- d-----w C:\Program Files\ShaftProfiler 2007-10-21 10:32 --------- d-----w C:\Program Files\Canon 2007-10-15 16:56 --------- d-----w C:\Program Files\BulletProofSoft.com 2007-10-10 16:08 --------- d-----w C:\Program Files\QuickTime 2007-10-07 20:55 --------- d-----w C:\Program Files\HP 2007-10-07 20:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP 2007-10-07 20:53 --------- d-----w C:\Program Files\Common Files\Sonic Shared 2007-10-07 20:53 --------- d-----w C:\Program Files\Common Files\HP 2007-10-07 20:53 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Sonic 2007-10-07 20:49 --------- d-----w C:\Program Files\Hewlett-Packard 2007-10-07 20:49 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 09:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “VTTimer”=“VTTimer.exe” [2005-03-07 20:33 C:\WINDOWS\system32\VTTimer.exe] “VTTrayp”=“VTtrayp.exe” [2005-01-11 00:33 C:\WINDOWS\system32\VTTrayp.exe] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 10:09 C:\WINDOWS\SOUNDMAN.EXE] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 13:49] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 15:55] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-08-17 19:36] “LWBMOUSE”=“C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE” [2001-11-09 07:47] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 10:09] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-09-17 19:33] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 01:41] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 18:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 18:29] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22] HP Photosmart Premier - Szybkie uruchomienie.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 07:15:54] VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-08-14 15:12:53] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] 2007-03-09 10:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 18:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe . ************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-04 01:13:27 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-04 1:14:57 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-09-03 20:02 C:\ComboFix2.txt … 2007-12-03 23:37 C:\ComboFix3.txt … 2007-09-03 20:02 . — E O F —

Wygląda, że wszystko jest OK. Dzięki wielkie, Gutek !

Gutek · 4 Grudzień 2007 00:20

Powinno być ok