Win32//Agent - Trojan horse

Hello,

for a few days I have had a problem with a constantly reappearing message: you probably have the Win 32/agent virus (or some other one).

Unfortunately NOD32 is not able to remove it :/

Requesting help.

Log below.

Logfile of HijackThis v1.99.1

Scan saved at 18:41:55, on 2009-01-01

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\svshost.exe

C:\WINDOWS\System32\Clock.exe

C:\WINDOWS\System32\eXtream.exe

C:\WINDOWS\System32\KB15763.exe

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\htpatch.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\System32\algs.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\Gayarab.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Winamp Remote\bin\OrbTray.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Gadu-Gadu\gg.exe

C:\Documents and Settings\Kozi\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [mmsass] mmdmm.exe

O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Windows Insecure] Clock.exe

O4 - HKLM\..\Run: [WinDLL (tmp.exe)] rundll32.exe C:\WINDOWS\System32\tmp.exe,start

O4 - HKLM\..\Run: [MicroSoft ssadsadas3s1] eXtream.exe

O4 - HKLM\..\Run: [XP HOT F1XS] KB15763.exe

O4 - HKLM\..\Run: [sECRETSERVICE] C:\WINDOWS\System32\Gayarab.exe

O4 - HKLM\..\Run: [WinDLL (redyLive.exe)] rundll32.exe C:\WINDOWS\System32\redyLive.exe,start

O4 - HKLM\..\Run: [WinDLL (vinampd.exe)] rundll32.exe C:\WINDOWS\System32\vinampd.exe,start

O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe

O4 - HKLM\..\RunServices: [Windows Insecure] Clock.exe

O4 - HKLM\..\RunServices: [MicroSoft ssadsadas3s1] eXtream.exe

O4 - HKLM\..\RunServices: [XP HOT F1XS] KB15763.exe

O4 - HKLM\..\RunOnce: [Windows Insecure] Clock.exe

O4 - HKLM\..\RunOnce: [MicroSoft ssadsadas3s1] eXtream.exe

O4 - HKLM\..\RunOnce: [XP HOT F1XS] KB15763.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [Windows Insecure] Clock.exe

O4 - HKCU\..\Run: [MicroSoft ssadsadas3s1] eXtream.exe

O4 - HKCU\..\Run: [XP HOT F1XS] KB15763.exe

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

O4 - HKCU\..\RunOnce: [Windows Insecure] Clock.exe

O4 - HKCU\..\RunOnce: [MicroSoft ssadsadas3s1] eXtream.exe

O4 - HKCU\..\RunOnce: [XP HOT F1XS] KB15763.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: http://mks.com.pl

O15 - Trusted Zone: http://*.grono.net

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: q4v11r9 - Unknown owner - C:\WINDOWS\system32\svshost.exe
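As an added illustration (not part of this thread or of HijackThis), the following Python script applies to the O4 autorun lines the checks a helper applies by eye: a program started by bare file name with no path, rundll32 being used to start an .exe instead of a DLL, a file name one edit away from a Windows system binary (the short SYSTEM_NAMES list and the thresholds are my own assumptions), and the same value planted under several autorun keys. The sample lines are quoted from the log above; the regex tolerates both the original `HKLM\..\Run` form and the `HKLM…\Run` form the forum rendering produced.

```python
import re
from collections import defaultdict

# Lines quoted from the HijackThis log in the post above (a selection, not constructed data).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Insecure] Clock.exe
O4 - HKLM\..\Run: [WinDLL (tmp.exe)] rundll32.exe C:\WINDOWS\System32\tmp.exe,start
O4 - HKLM\..\RunServices: [Windows Insecure] Clock.exe
O4 - HKCU\..\RunOnce: [Windows Insecure] Clock.exe
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\S*\\(Run\w*): \[([^\]]*)\] (.*)$")
# Assumed, deliberately short list of system binaries that malware likes to imitate.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "alg.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def edit_distance(a, b):  # Levenshtein: one edit away from a system name is the classic lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(exe):
    return any(exe != s and edit_distance(exe, s) <= 1 for s in SYSTEM_NAMES)

def triage(log_text):
    """Map each O4 command to the reasons it deserves a manual look (empty dict = nothing flagged)."""
    findings, locations = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            hive, key, _name, command = (g.strip() for g in m.groups())
            locations[command].add(hive + "\\" + key)  # Run, RunServices, RunOnce ...
            program = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
            exe = program.rsplit("\\", 1)[-1].lower()
            if exe == "rundll32.exe":  # rundll32 is meant to load a .dll/.cpl, not start an .exe
                target = command.partition(" ")[2].split(",")[0].strip(' "').lower()
                if target.endswith(".exe"):
                    findings[command].add("rundll32 used to start an .exe as if it were a DLL")
            elif "\\" not in program:  # no directory given: resolved through PATH at logon
                findings[command].add("bare file name without a path (weak signal, review)")
            if lookalike(exe):
                findings[command].add("file name one edit away from a system binary: " + exe)
    for command, keys in locations.items():
        if len(keys) >= 3:  # the same value planted under several autorun keys
            findings[command].add("registered in %d autorun locations" % len(keys))
    return {k: sorted(v) for k, v in findings.items()}
```

The bare-name check is only a hint (legitimate vendor entries such as `nwiz.exe /install` trip it too), which is why each finding is a reason to look, not a verdict.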

Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

Download SDFix

Hello,

Thank you very much for the help. Reports below.

SDFix: Version 1.136

Run by Kozi on 2009-01-03 at 11:02

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting…

Normal Mode:

Checking Files:

Trojan Files Found:

C:\ADWARE.EXE - Deleted

C:\WINDOWS\Temp\eraseme_01756.exe - Deleted

C:\WINDOWS\Temp\eraseme_03868.exe - Deleted

C:\WINDOWS\Temp\eraseme_05744.exe - Deleted

C:\WINDOWS\Temp\eraseme_08802.exe - Deleted

C:\WINDOWS\Temp\eraseme_08820.exe - Deleted

C:\WINDOWS\Temp\eraseme_12000.exe - Deleted

C:\WINDOWS\Temp\eraseme_12503.exe - Deleted

C:\WINDOWS\Temp\eraseme_12715.exe - Deleted

C:\WINDOWS\Temp\eraseme_12746.exe - Deleted

C:\WINDOWS\Temp\eraseme_12764.exe - Deleted

C:\WINDOWS\Temp\eraseme_12800.exe - Deleted

C:\WINDOWS\Temp\eraseme_13427.exe - Deleted

C:\WINDOWS\Temp\eraseme_13820.exe - Deleted

C:\WINDOWS\Temp\eraseme_14430.exe - Deleted

C:\WINDOWS\Temp\eraseme_14505.exe - Deleted

C:\WINDOWS\Temp\eraseme_15507.exe - Deleted

C:\WINDOWS\Temp\eraseme_16142.exe - Deleted

C:\WINDOWS\Temp\eraseme_17312.exe - Deleted

C:\WINDOWS\Temp\eraseme_17853.exe - Deleted

C:\WINDOWS\Temp\eraseme_17877.exe - Deleted

C:\WINDOWS\Temp\eraseme_18135.exe - Deleted

C:\WINDOWS\Temp\eraseme_18262.exe - Deleted

C:\WINDOWS\Temp\eraseme_18822.exe - Deleted

C:\WINDOWS\Temp\eraseme_20554.exe - Deleted

C:\WINDOWS\Temp\eraseme_20648.exe - Deleted

C:\WINDOWS\Temp\eraseme_23206.exe - Deleted

C:\WINDOWS\Temp\eraseme_26045.exe - Deleted

C:\WINDOWS\Temp\eraseme_26202.exe - Deleted

C:\WINDOWS\Temp\eraseme_27051.exe - Deleted

C:\WINDOWS\Temp\eraseme_31823.exe - Deleted

C:\WINDOWS\Temp\eraseme_33880.exe - Deleted

C:\WINDOWS\Temp\eraseme_34478.exe - Deleted

C:\WINDOWS\Temp\eraseme_34573.exe - Deleted

C:\WINDOWS\Temp\eraseme_35741.exe - Deleted

C:\WINDOWS\Temp\eraseme_36111.exe - Deleted

C:\WINDOWS\Temp\eraseme_38406.exe - Deleted

C:\WINDOWS\Temp\eraseme_40547.exe - Deleted

C:\WINDOWS\Temp\eraseme_40868.exe - Deleted

C:\WINDOWS\Temp\eraseme_41475.exe - Deleted

C:\WINDOWS\Temp\eraseme_41656.exe - Deleted

C:\WINDOWS\Temp\eraseme_42554.exe - Deleted

C:\WINDOWS\Temp\eraseme_43432.exe - Deleted

C:\WINDOWS\Temp\eraseme_44012.exe - Deleted

C:\WINDOWS\Temp\eraseme_44041.exe - Deleted

C:\WINDOWS\Temp\eraseme_45244.exe - Deleted

C:\WINDOWS\Temp\eraseme_45868.exe - Deleted

C:\WINDOWS\Temp\eraseme_50063.exe - Deleted

C:\WINDOWS\Temp\eraseme_50124.exe - Deleted

C:\WINDOWS\Temp\eraseme_50717.exe - Deleted

C:\WINDOWS\Temp\eraseme_51737.exe - Deleted

C:\WINDOWS\Temp\eraseme_52451.exe - Deleted

C:\WINDOWS\Temp\eraseme_55670.exe - Deleted

C:\WINDOWS\Temp\eraseme_56221.exe - Deleted

C:\WINDOWS\Temp\eraseme_56602.exe - Deleted

C:\WINDOWS\Temp\eraseme_57586.exe - Deleted

C:\WINDOWS\Temp\eraseme_58376.exe - Deleted

C:\WINDOWS\Temp\eraseme_60652.exe - Deleted

C:\WINDOWS\Temp\eraseme_62083.exe - Deleted

C:\WINDOWS\Temp\eraseme_63510.exe - Deleted

C:\WINDOWS\Temp\eraseme_65300.exe - Deleted

C:\WINDOWS\Temp\eraseme_65832.exe - Deleted

C:\WINDOWS\Temp\eraseme_67005.exe - Deleted

C:\WINDOWS\Temp\eraseme_67042.exe - Deleted

C:\WINDOWS\Temp\eraseme_67503.exe - Deleted

C:\WINDOWS\Temp\eraseme_68167.exe - Deleted

C:\WINDOWS\Temp\eraseme_70610.exe - Deleted

C:\WINDOWS\Temp\eraseme_72065.exe - Deleted

C:\WINDOWS\Temp\eraseme_73137.exe - Deleted

C:\WINDOWS\Temp\eraseme_74147.exe - Deleted

C:\WINDOWS\Temp\eraseme_74258.exe - Deleted

C:\WINDOWS\Temp\eraseme_74740.exe - Deleted

C:\WINDOWS\Temp\eraseme_80261.exe - Deleted

C:\WINDOWS\Temp\eraseme_83656.exe - Deleted

C:\WINDOWS\Temp\eraseme_83724.exe - Deleted

C:\WINDOWS\Temp\eraseme_86335.exe - Deleted

C:\WINDOWS\Temp\eraseme_86348.exe - Deleted

C:\WINDOWS\Temp\eraseme_86583.exe - Deleted

C:\WINDOWS\Temp\eraseme_86685.exe - Deleted

C:\WINDOWS\Temp\eraseme_88041.exe - Deleted

C:\WINDOWS\system32\algs.exe - Deleted

C:\WINDOWS\system32\aliases.ini - Deleted

C:\WINDOWS\system32\i - Deleted

C:\WINDOWS\system32\mirc.ini - Deleted

C:\WINDOWS\system32\mmdmm.exe - Deleted

C:\WINDOWS\system32\remote.ini - Deleted

C:\WINDOWS\system32\servers.ini - Deleted

C:\WINDOWS\system32\svshost.exe - Deleted

Removing Temp Files…

ADS Check:

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-03 11:05:00

Windows 5.1.2600 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files …

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

"C:\WINDOWS\System32\msnsenger.exe"="C:\WINDOWS\System32\msnsenger.exe:*:Enabled:msnsenger"

Remaining Files:


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 25 Apr 1999 21,167 A..H. --- "C:\WINDOWS\system32\gon.exe"

Tue 30 Dec 2008 1,179,648 ..SH. --- "C:\WINDOWS\system32\redyLive.exe"

Sat 20 Dec 2008 94,208 ..SH. --- "C:\WINDOWS\system32\tmp.exe"

Tue 30 Dec 2008 1,187,840 ..SH. --- "C:\WINDOWS\system32\vinampd.exe"

Finished!

How do I add the ComboFix log?

One request - Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

INSTRUCTIONS FOR RUNNING COMBOFIX:

Sun 25 Apr 1999 21,167 A..H. --- "C:\WINDOWS\system32\gon.exe"

Tue 30 Dec 2008 1,179,648 ..SH. --- "C:\WINDOWS\system32\redyLive.exe"

Sat 20 Dec 2008 94,208 ..SH. --- "C:\WINDOWS\system32\tmp.exe"

Tue 30 Dec 2008 1,187,840 ..SH. --- "C:\WINDOWS\system32\vinampd.exe"

files to delete

Hello,

unfortunately I cannot provide the ComboFix log, because I get this message: this copy of ComboFix has expired. Please download an updated copy.

I tried downloading newer versions, but without result :/

How do I delete the files you marked?

Regards

Download The Avenger. Unpack => run => select the Input script manually option => click the magnifying glass => in the window that opens paste:

click the Done button => now click the green light => a message should appear, click OK (then a restart).

Then try this - Post a log from Deckard's System Scanner