I have a very big problem with the Win32/PSW.OnlineGames.NMY virus. Nod32 let it through and I keep getting a message about this virus, but there is no option to remove it. Unfortunately my knowledge is too limited to solve this problem. Can you help me?
Here is the log from ComboFix:
ComboFix 08-05-27.4 - user 2008-05-28 22:18:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.169 [GMT 2:00]
Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED .

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.
2008-05-25 12:41 . 2008-05-26 09:51 109,447 -r-hs---- C:\qa8sywva.cmd
2008-05-22 11:51 . 2008-05-22 11:50 107,828 -r-hs---- C:\tfk8.exe
2008-05-22 11:09 . 2008-05-22 11:09
2008-05-21 19:24 . 2008-05-21 19:31 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-21 19:24 . 2008-05-21 19:31 88 -r-hs---- C:\WINDOWS\system32\FD54DABEA5.sys
2008-05-21 19:23 . 2008-05-21 19:23
2008-05-21 19:22 . 2008-05-21 19:22
2008-05-21 19:18 . 2008-05-21 19:18
2008-05-21 18:53 . 2008-05-21 18:53
2008-05-21 18:53 . 2008-05-21 18:53
2008-05-21 18:53 . 2008-05-21 18:54
2008-05-18 18:49 . 2008-05-16 09:11 104,617 -r-hs---- C:\d.cmd
2008-05-16 13:35 . 2008-05-16 13:35
2008-05-12 19:52 . 2008-05-12 19:52 678 --a------ C:\WINDOWS\system32\acadstk.dmp
2008-05-12 19:52 . 2008-05-12 19:52 136 --a------ C:\WINDOWS\system32\acad.err
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 20:05 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype
2008-05-28 19:58 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\skypePM
2008-05-22 10:26 --------- d-----w C:\Program Files\eMule
2008-05-21 17:24 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Corel
2008-05-21 17:22 --------- d-----w C:\Program Files\Corel
2008-05-19 06:56 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\U3
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 16:48 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
2008-03-03 10:07 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-03 15:20 55,888 ----a-w C:\Documents and Settings\user\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-04-16 19:43 5,320,856 ----a-w C:\Program Files\ps2pdf995.exe
2007-04-16 19:36 2,452,632 ----a-w C:\Program Files\pdf995s.exe
2007-01-02 18:50 2,189,426 ----a-w C:\Program Files\patch_winamp532_(http://www.programs.pl ).exe
2007-01-02 18:43 6,566,912 ----a-w C:\Program Files\winamp532_full.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 14:28 1961984]
"Konnekt"="C:\Program Files\Konnekt\konnekt.exe" [2005-05-24 23:41 503808]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 16:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 03:11 925696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 22:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 22:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-10-30 19:25 921600]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 22:43 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-27 23:29 35328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.exe" [2004-03-04 05:00 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-08 10:16 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-04-20 01:17 421888]
"Corel File Shell Monitor"="C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-01-15 15:18 16200]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-12-14 13:35 531784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-31 20:56:20 108544]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Konnekt\konnekt.exe"=
"C:\WINDOWS\system32\dpvsetup.exe"=
"C:\Program Files\eMule\emule.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 22:23:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
- C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-28 22:26:15
ComboFix-quarantined-files.txt 2008-05-28 20:26:11

Pre-Run: 31,505,563,648 bajtów wolnych
Post-Run: 31,946,203,136 bajtów wolnych

124 --- E O F --- 2008-05-27 17:54:43
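The "Files Created" section of the log above lists, per entry, the creation time, modification time, size, attribute flags and path. As an added example (my own code, not part of this thread or of ComboFix), the Python below parses lines in that layout and flags hidden+system files, singling out executables dropped directly in a drive root, which is what the autorun.inf files ComboFix deleted from C:\ and D:\ would typically start; the sample lines are constructed copies of the log's layout, and the extension list is an assumption.

```python
import os
import re
from typing import List, NamedTuple

# Constructed sample in the layout of the ComboFix "Files Created" section
# (created . modified size attrs path); the two-timestamp line mimics the
# directory stubs in the log above and must be skipped by the parser.
SAMPLE_LOG = """\
2008-05-25 12:41 . 2008-05-26 09:51 109,447 -r-hs---- C:\\qa8sywva.cmd
2008-05-22 11:51 . 2008-05-22 11:50 107,828 -r-hs---- C:\\tfk8.exe
2008-05-22 11:09 . 2008-05-22 11:09
2008-05-21 19:24 . 2008-05-21 19:31 2,516 --ahs---- C:\\WINDOWS\\system32\\KGyGaAvL.sys
2008-05-18 18:49 . 2008-05-16 09:11 104,617 -r-hs---- C:\\d.cmd
2008-05-12 19:52 . 2008-05-12 19:52 678 --a------ C:\\WINDOWS\\system32\\acadstk.dmp
"""

ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # C:\d.cmd yes, C:\WINDOWS\x.sys no
# Extensions an autorun.inf can launch directly (assumed list, not taken from the log).
AUTORUN_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".pif"}


class Entry(NamedTuple):
    path: str
    size: int
    attrs: str  # e.g. "-r-hs----": r=read-only, a=archive, h=hidden, s=system


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per complete file line; stubs and headers do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"].replace(",", "")), m["attrs"]))
    return entries


def triage(entries: List[Entry]) -> List[str]:
    """Flag hidden+system files, ranking an executable sitting in a drive root
    highest because that is what an autorun.inf in the same root would start."""
    findings = []
    for e in entries:
        if "h" in e.attrs and "s" in e.attrs:  # archive-only .dmp/.err entries are skipped
            ext = os.path.splitext(e.path)[1].lower()
            if DRIVE_ROOT_RE.match(e.path) and ext in AUTORUN_EXTS:
                findings.append(f"{e.path}: hidden+system executable in drive root")
            else:
                findings.append(f"{e.path}: hidden+system file")
    return findings
```

Run against the real log, the same two functions would report C:\qa8sywva.cmd, C:\tfk8.exe and C:\d.cmd as root executables and the two hidden .sys files in system32 as lower-priority hits.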
Leon1
(Leon$)
30 May 2008 20:11
#3
Open Notepad and paste
Save it as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
http://img.wklej.org/images/88953CFScri … iemoes.gif
The removal should start
Then post the ComboFix removal log