Ongelma TrojanDownloader:n kanssa

Viestiketju Virukset ja haittaohjelmat -osiossa. Ketjun avasi Betonip 30.12.2005.

  1. Betonip

    Betonip Member

    Liittynyt:
    12.10.2004
    Viestejä:
    61
    Kiitokset:
    0
    Pisteet:
    16
    Löysin pikkuveljen koneelta viruksen TrojanDownloader.Win32.Zlob.Gen ja olen vaikka millä yrittänyt saada virusta pois, onnistumatta kuitenkaan. Virus myös asentaa joitain malware- ja SpyAxe-ohjelmia, jotka kyllä voi poistaa, mutta vajaan minuutin sisään se asentaa ne uudelleen.

    Olen kokeillut lähes kaikkea mitä osaan tehdä, joten jos joku on kohdannut saman ongelman tai keksii ratkaisun kuinka nuo sitkeimmät virukset saadaan pois, olisin avusta enemmän kuin kiitollinen!!

    Ohjelmia, joita olen käyttänyt tähän mennessä: Ad-Aware Se Personal, Spybot Search & Destroy, Norman Antivirus, CWShredder, Stinger Antivirus, Advanced System Optimizer V2. Myös "restore pointit" olen Windowsista (XP) ottanut pois päältä.

    Kiitos avusta etukäteen!!

    -Tommi-
     
    Betonip, 30.12.2005
    #1
  2.  
  3. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Toi on tosiaankin SpyAxe, joka vaatii oman fixinsä. Lähetä HjT-loki, ohjelman saat täältä -> http://koti.mbnet.fi/pattaya1/HijackThis.exe .
    Tallenna hakemistoon c:\hjt\, käynnistä, klikkaa do a system scan and save a logfile ja lähetä loki tänne. Niin katsellaan missä mennään.
     
    spertti, 30.12.2005
    #2
  4. Betonip

    Betonip Member

    Liittynyt:
    12.10.2004
    Viestejä:
    61
    Kiitokset:
    0
    Pisteet:
    16
    Logfile of HijackThis v1.99.1
    Scan saved at 13:07:42, on 31.12.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Norman\Bin\ZLH.EXE
    C:\Program Files\DaemonTools\daemon.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\ATI-CPanel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Samurize\Client.exe
    C:\Program Files\LClock\LClock.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\UberIcon\UberIcon Manager.exe
    C:\Program Files\YzShadow\YzShadow.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Järjestelmänvalvoja\Omat tiedostot\Uusi kansio\ewido anti-malware\ewidoctrl.exe
    C:\Documents and Settings\Järjestelmänvalvoja\Omat tiedostot\Uusi kansio\ewido anti-malware\ewidoguard.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\Norman\Bin\Zanda.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Norman\Npf\BIN\npfmsg2.exe
    C:\Norman\bin\NJEEVES.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\Norman\Nvc\BIN\NIP.EXE
    C:\Norman\Nvc\BIN\nipsvc.exe
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Norman\Nvc\bin\cclaw.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp5D43.tmp (file missing)
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\DaemonTools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
    O4 - Startup: LClock.lnk = C:\Program Files\LClock\LClock.exe
    O4 - Startup: RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
    O4 - Startup: UberIcon.lnk = C:\Program Files\UberIcon\UberIcon Manager.exe
    O4 - Startup: YzShadow.lnk = C:\Program Files\YzShadow\YzShadow.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Järjestelmänvalvoja\Omat tiedostot\Uusi kansio\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Järjestelmänvalvoja\Omat tiedostot\Uusi kansio\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

     
    Betonip, 31.12.2005
    #3
  5. -kemisti-

    -kemisti- Active member

    Liittynyt:
    06.06.2005
    Viestejä:
    6,305
    Kiitokset:
    0
    Pisteet:
    96
    Fixaa HjT:llä (do a system scan only, merkkaa ja paina fix checked):

    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp5D43.tmp (file missing)
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h

    Hae smitrem täältä -> http://noahdfear.geekstogo.com/click counter/click.php?id=1
    Tallenna työpöydälle ja tuplaklikkaa sitä, jolloin se luo smitRem-kansion työpöydälle.

    Käynnistä vikasietotilaan (F8 käynnistyksen yhteydessä), avaa smitRem-kansio ja tuplaklikkaa
    RunThis.bat. Seuraa ohjeita. Käynnistä kone uudestaan, lähetä uusi HjT-loki ja c:\smitfiles.txt-tiedoston sisältö.



     
    -kemisti-, 31.12.2005
    #4
  6. Betonip

    Betonip Member

    Liittynyt:
    12.10.2004
    Viestejä:
    61
    Kiitokset:
    0
    Pisteet:
    16
    Logfile of HijackThis v1.99.1
    Scan saved at 13:57:26, on 31.12.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\DaemonTools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Järjestelmänvalvoja\Omat tiedostot\Uusi kansio\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Järjestelmänvalvoja\Omat tiedostot\Uusi kansio\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe






    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [versio 5.1.2600]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SpyAxeFix © by noahdfear

    spyaxe directory present

    spyaxe uninstaller present

    Starting spyaxe uninstaller

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Winhound uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~

    SpyAxe


    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    wbeconm.dll
    1024 dir
    msvol.tlb
    ld****.tmp
    nvctrl.exe


    ~~~ Icons in System32 ~~~

    ot.ico


    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 752 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~

    SpyAxe


    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN! :)


    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [versio 5.1.2600]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SpyAxeFix © by noahdfear

    spyaxe directory present

    spyaxe uninstaller present

    Starting spyaxe uninstaller

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Winhound uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~

    SpyAxe


    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    wbeconm.dll
    1024 dir
    msvol.tlb
    ld****.tmp
    nvctrl.exe


    ~~~ Icons in System32 ~~~

    ot.ico


    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 752 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~

    SpyAxe


    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN! :)
     
    Betonip, 31.12.2005
    #5
  7. -kemisti-

    -kemisti- Active member

    Liittynyt:
    06.06.2005
    Viestejä:
    6,305
    Kiitokset:
    0
    Pisteet:
    96
    Fixaa nuo:

    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)

    Ja poista, jos löytyy:

    C:\Program Files\==>SpyAxe<==

    Muuten on ok. Vielä ongelmia?
     
    -kemisti-, 31.12.2005
    #6
  8. Betonip

    Betonip Member

    Liittynyt:
    12.10.2004
    Viestejä:
    61
    Kiitokset:
    0
    Pisteet:
    16
    Ongelma korjautui, suurkiitos "spertille" ja "-kemistille-" !!

    Ja hyvää uutta vuotta 2006 kaikille!

    -Tommi-
     
    Betonip, 31.12.2005
    #7
  9. spertti

    spertti Active member

    Liittynyt:
    01.06.2005
    Viestejä:
    1,222
    Kiitokset:
    0
    Pisteet:
    66
    Hyvää uutta vuotta =)
     
    spertti, 31.12.2005
    #8
  10. -kemisti-

    -kemisti- Active member

    Liittynyt:
    06.06.2005
    Viestejä:
    6,305
    Kiitokset:
    0
    Pisteet:
    96
    Oikein hyvää uutta vuotta :)
     
    -kemisti-, 31.12.2005
    #9

Jaa tämä sivu