Win32:Trojan-gen


(Sobs) #1

I'M BEGGING YOU, TELL ME HOW TO REMOVE THIS TROJAN Win32:Trojan-gen {Other}

AVAST DETECTED IT AND IT IS LOCATED AT C:\WINDOWS\TEMP\NT4A7232.exe. I CAN'T REMOVE IT WITH ANY PROGRAM. I DON'T KNOW MUCH ABOUT REMOVING VIRUSES; THE ONLY THING I CAN DO IS A FORMAT, SO PLEASE WRITE ME STEP BY STEP WHAT TO DO. #-o


(Leon$) #2

download ATF Cleaner http://cybertrash.pl/images/tata/ATF/ATF.html and clear the temp folders

Download Combofix http://www.searchengines.pl/index.php?s ... ntry395642

scan it, post the log

Download HijackThis http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654 scan the system, post the log

in the order I gave

:slight_smile:


(Sobs) #3

OKAY, DOWNLOADING :slight_smile:


(Kambor4) #4

1) Caps Lock: Off


(Sobs) #5

ComboFix 08-06-30.2 - NTN 2008-07-01 19:05:01.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.1.1250.1.1045.18.207 [GMT 1:00]

Running from: C:\Documents and Settings\NTN\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\iexplorer.exe

C:\WINDOWS\system32\loadsftpf.dat

.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))

.

2008-07-01 18:13 . 2008-07-01 18:13

2008-07-01 18:13 . 2008-07-01 18:13

2008-06-30 21:16 . 2008-06-30 21:22

2008-06-29 10:28 . 2008-06-29 10:28 85,504 --a------ C:\WINDOWS\twain_16.dll

2008-06-29 10:14 . 2008-06-30 22:40 32,120 --a------ C:\WINDOWS\system32\wpx2.cpx

2008-06-29 10:10 . 2008-06-29 10:10 109,056 --a------ C:\WINDOWS\system32\wpx5.cpx

2008-06-29 10:10 . 2008-06-29 10:10 20,552 --a------ C:\WINDOWS\system32\wpx7.cpx

2008-06-29 00:08 . 2008-06-29 00:08 13,646 --a------ C:\WINDOWS\system32\wpa.bak

2008-06-13 12:55 . 2008-06-13 12:55

2008-06-13 12:55 . 2008-06-13 12:55 0 --a------ C:\WINDOWS\iPlayer.INI

2008-06-09 21:06 . 2008-06-09 21:06

2008-06-09 21:06 . 2008-06-09 21:06

2008-06-09 21:06 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-06-09 21:05 . 2008-06-09 21:06

2008-06-09 21:05 . 2008-06-09 21:05

2008-06-09 20:37 . 2008-06-09 20:37

2008-06-09 20:37 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2008-06-09 07:52 . 2008-06-09 07:52

2008-06-09 07:52 . 2008-06-28 22:36 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-06-09 07:49 . 2008-06-16 12:33

2008-06-09 07:48 . 2008-06-09 07:48

2008-06-09 07:48 . 2008-06-09 07:50

2008-06-09 07:48 . 2008-06-09 07:48

2008-06-09 07:48 . 2008-06-09 07:48 316,640 --a------ C:\WINDOWS\WMSysPr9.prx

2008-06-09 07:47 . 2008-06-09 07:52

2008-06-09 07:47 . 2001-03-08 18:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll

2008-06-09 07:46 . 2008-06-09 07:46

2008-06-09 07:46 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

2008-06-09 07:46 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

2008-06-05 21:08 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

2008-06-05 21:00 . 2008-06-05 21:00

2008-06-05 21:00 . 2008-06-05 21:00 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav

2008-06-05 21:00 . 2008-06-05 21:00 125,690 --a------ C:\WINDOWS\system32\LoopyMusic.wav

2008-06-05 21:00 . 2008-06-20 23:04 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER

2008-06-05 21:00 . 2008-06-05 21:00 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE

2008-06-04 09:30 . 2008-06-04 09:30

2008-06-04 09:23 . 2008-06-29 18:09

2008-06-04 09:22 . 2008-06-04 09:23

2008-06-04 09:22 . 2008-07-01 17:23

2008-06-04 09:22 . 2008-06-04 09:22 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-06-04 09:20 . 2008-06-04 09:20

2008-06-04 09:20 . 2008-06-04 09:20

2008-06-04 09:20 . 2008-07-01 18:49

2008-06-04 09:20 . 2008-06-04 09:20

2008-06-03 22:55 . 2008-07-01 18:13

2008-06-03 22:55 . 2008-06-03 22:55

2008-06-03 22:55 . 2008-06-03 22:55

2008-06-03 22:55 . 2008-06-03 23:09

2008-06-03 22:55 . 2008-06-03 22:55

2008-06-03 22:55 . 2008-06-03 22:55

2008-06-03 22:55 . 2008-06-03 22:55

2008-06-03 22:55 . 2008-06-03 22:55

2008-06-03 22:55 . 2008-06-09 21:06

2008-06-03 22:55 . 2008-06-13 12:55

2008-06-03 22:55 . 2008-06-29 00:08

2008-06-03 22:55 . 2008-06-03 23:10

2008-06-03 22:54 . 2008-07-01 19:00

2008-06-03 22:54 . 2008-06-03 22:54

2008-06-03 22:54 . 2008-06-03 22:55

2008-06-03 22:54 . 2008-06-03 23:12

2008-06-03 22:54 . 2008-06-04 09:22

2008-06-03 22:54 . 2008-06-03 23:12

2008-06-03 22:54 . 2008-06-03 23:22

2008-06-03 22:54 . 2003-04-16 13:00 1,901,593 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT

2008-06-03 22:54 . 2003-04-16 13:00 1,086,182 -ra------ C:\WINDOWS\SET3.tmp

2008-06-03 22:54 . 2003-04-16 13:00 486,272 --a--c--- C:\WINDOWS\system32\dllcache\NT5INF.CAT

2008-06-03 22:54 . 2003-04-16 13:00 13,923 -ra------ C:\WINDOWS\SET7.tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-09 06:46 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-04 20:50 --------- d-----w C:\Program Files\Common Files\Adobe

2008-06-03 22:52 --------- d-----w C:\Program Files\Realtek Sound Manager

2008-06-03 22:52 --------- d-----w C:\Program Files\AvRack

2008-06-03 22:51 --------- d-----w C:\Documents and Settings\NTN\Dane aplikacji\InterTrust

2008-06-03 22:46 --------- d-----w C:\Program Files\Creative

2008-06-03 22:46 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-06-03 22:29 --------- d-----w C:\Program Files\SubEdit-Player

2008-06-03 22:12 --------- d-----w C:\Program Files\Usługi online

2008-06-03 22:12 --------- d-----w C:\Program Files\microsoft frontpage

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2003-04-16 13:00 13312]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:26 22014760]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-02-12 12:23 1620480]

"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-02-12 12:19 1050112]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 00:19 79224]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

"SoundMan"="SOUNDMAN.EXE" [2004-06-18 09:31 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-04-16 13:00 13312]

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 00:20]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]

"Windows"= basempjaf32.dll

*Newly Created Service* - CATCHME

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-iexplorer - C:\WINDOWS\iexplorer.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-01 19:05:58

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe

-> C:\WINDOWS\system32\basempjaf32.dll

.

Completion time: 2008-07-01 19:06:23

ComboFix-quarantined-files.txt 2008-07-01 18:06:20

Pre-Run: 27,957,080,064 bajtów wolnych

Post-Run: 28,069,138,432 bajtów wolnych

140

is that it?? :wink:

On 01.07.2008 at 20:09 a post was appended by magneto1

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:09:44, on 2008-07-01

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\NTN\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.eu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 6106 bytes

On 01.07.2008 at 20:16 a post was appended by magneto1

so what next??? :?: [-o<

On 01.07.2008 at 20:20 a post was appended by magneto1

leon, come on :slight_smile:

On 01.07.2008 at 20:26 a post was appended by magneto1

Help!!

On 01.07.2008 at 20:29 a post was appended by magneto1

Leon$, [-o<

On 01.07.2008 at 20:30 a post was appended by magneto1

what do I do next?? please write [-o<
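A small triage helper for reading O4 (autostart) lines like the ones in the HijackThis log above, added here as an example; it is not part of the thread and not code from HijackThis, ComboFix or any poster. It extracts the program each Run entry launches and flags launch locations that a clean autostart entry rarely uses (the Windows directory root, any Temp folder, or a bare file name that is resolved through the search path at logon). The sample log is constructed: O4 lines copied from the log in this thread plus two entries built from paths the thread mentions (the orphaned iexplorer Run entry that ComboFix removed, and the file avast! reported in the first post). The rules are heuristics that pick out entries worth a second look, not a verdict on any file.

```python
"""Triage helper for HijackThis O4 (autostart) lines.

Added example for this thread; not code from HijackThis, ComboFix or any poster.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of an O4 line, e.g.
#   O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^.]+|HKUS\.DEFAULT)\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class AutostartEntry:
    hive: str
    name: str
    path: str
    user: Optional[str]


@dataclass
class Finding:
    name: str
    path: str
    reason: str


def launched_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path that may contain spaces: take everything up to the first
    # executable extension that is followed by whitespace or end of line.
    m = re.match(r"(?i)^(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", cmd)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one HijackThis O4 line; return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return AutostartEntry(m["hive"], m["name"], launched_path(m["cmd"]), m["user"])


def classify(path: str) -> Optional[str]:
    """Heuristic review reasons; None means the location itself is unremarkable."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    lowered = [p.lower() for p in parts]
    if len(parts) == 1:
        # A bare file name is resolved through the search path at logon, so the
        # log alone does not say which file actually runs.
        return "bare file name, resolved via the search path"
    if any(p in ("temp", "tmp") for p in lowered[:-1]):
        return "runs from a temporary folder"
    if len(parts) == 3 and lowered[0].endswith(":") and lowered[1] == "windows":
        return "runs from the Windows directory root"
    return None


def triage(log_text: str) -> List[Finding]:
    """Flag O4 entries whose launch location matches one of the review rules."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reason = classify(entry.path)
        if reason:
            findings.append(Finding(entry.name, entry.path, reason))
    return findings


# Constructed sample: O4 lines from the log in this thread plus two entries
# built from paths the thread mentions (the orphaned iexplorer Run entry that
# ComboFix removed, and the file avast! reported in the first post).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU..\Run: [NT4A7232] C:\WINDOWS\TEMP\NT4A7232.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.path} -> {f.reason}")
```

Run it on a saved HijackThis log by passing the file contents to triage(); the bare-name rule will also flag legitimate entries such as SOUNDMAN.EXE, which is the point: the log does not say where that file lives, so the reviewer checks it rather than trusts it.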


(Leon$) #6

Open Notepad and paste

save it as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri ... iemoes.gif

Removal should start

Then post the Combofix removal log

:slight_smile:


(Sobs) #7

f***, Leon, my computer keeps restarting, XP loads up to a certain point and then restarts again.. !!

On 01.07.2008 at 20:55 a post was appended by magneto1

I did everything just as you wrote; it started deleting, and when it finished it started restarting, and now it restarts all the time.

On 01.07.2008 at 21:01 a post was appended by magneto1

what should I do now????


(Kapi10072) #8

Trojan Gen?? that's probably from some keygen, avast! is very sensitive to them