[ bobby1907 @ 16.12.2005. 22:02 ] @
How do I get rid of the Prorat.19 trojan? I have NOD32, but it can't do anything to it other than locate it in two files, Windows/system 32/reginv.dll and winkey.dll. H E L P
[ Goran Mijailovic @ 16.12.2005. 22:04 ] @
Try running a full computer scan from safe mode; hopefully the much-praised NOD32 will manage to clean it.
http://vil.mcafeesecurity.com/vil/content/v_103064.htm
http://www.sophos.com/virusinfo/analyses/trojprorat19.html
http://secunia.com/virus_information/19288/prorat-19/
[This message was edited by Goran Mijailovic on 16.12.2005. at 23:12 GMT+1]
[ Goran Mijailovic @ 16.12.2005. 22:15 ] @
Oh, and before cleaning, turn off System Restore.
[ delalt @ 16.12.2005. 23:07 ] @
Nasty trojan. Look at the removal instructions; you will have to do it manually, and be very careful not to skip any step: http://securityresponse.symant...venc/data/backdoor.prorat.html
That is the only way I once managed to get rid of it without a complete reinstall. I don't know whether it was the same version you mention, so look for other instructions too, but focus on manual removal.
[ Goran Mijailovic @ 16.12.2005. 23:18 ] @
What's so nasty about it? You go into safe mode and manually delete the following files:
Quote:
# %Windows%\services.exe
# %Windows%\system\sservice.exe
# %Windows%\system32\fservice.exe
# %Windows%\system32\reginv.dll (Hides the Trojan process from the process list)
# %Windows%\system32\winkey.dll (Logs keystrokes belonging to application windows)
# %Windows%\ktd32.atm (Stores recorded keystrokes)
Also, in the registry you delete the following keys:
Quote:
# HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" Explorer.exe %Windir%\system32\fservice.exe
# HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} "StubPath" %Windir%\system\sservice.exe
# HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "DirectX For Microsoft® Windows" %Windir%\system32\fservice.exe
Then you take Kaspersky and scan the whole computer; a² antitrojan also recognizes it. Of course, first you turn off System Restore.
[ Goran Mijailovic @ 16.12.2005. 23:27 ] @
Definitely check this guide from Symantec's site as well.
So if you find any of the following, delete it:
Quote:
# %System%\Main.exe
# %System%\Loader.exe
# %System%\Msmsg.exe
# %System%\Winserv.dll
# %System%\Fservice.exe
# %System%\Sservice.exe
# %Windir%\Winlogon.exe
Quote:
# %System%\wininv.dll
# %System%\winkey.dll
Fix the changes in the registry:
Quote:
# Adds a value at one or more of the following locations in the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The following values have been seen added:
"MSNMESENGER"="%System%\Main.exe"
"DirectX for Microsoft Windows"="%System%\Fservice.exe"
"DirectX for Microsoft Windows"="%System%\Sservice.exe"
"StubPath"="C:\Windows\system\Sservice.exe"
# Modifies the value data of: Shell in the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon from: "explorer.exe" to: "explorer.exe %System%\Fservice.exe"
And finally, apart from the registry changes, it can also be done like this:
Quote:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode (Windows 95/98/Me) or Safe mode with Command Prompt (Windows 2000/XP).
4. Reverse the changes made to the registry.
5. Restart the computer in Safe mode or VGA mode (Windows Me/XP).
6. Run a full system scan and delete all the files detected as Backdoor.Prorat.
For specific details on each of these steps, read the following instructions.
[This message was edited by Goran Mijailovic on 17.12.2005. at 00:37 GMT+1]
[ bobby1907 @ 17.12.2005. 20:04 ] @
Thank you for the help, I managed to get rid of the trojan using the SAV 32 CLI program!
[ Goran Mijailovic @ 17.12.2005. 20:17 ] @
Yes, that is SOPHOS's general tool for removing trojans, and here is the link (which you reach via the one given above).
http://www.sophos.com/support/disinfection/trojan.html
Copyright (C) 2001-2024 by www.elitesecurity.org. All rights reserved.
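A read-only check for the files and registry values listed in the quoted removal instructions above, added here as an example and not part of any post in the thread. It assumes %Windows%/%Windir% map to `$env:windir` and %System% to `system32`; the function name `Get-ProRatFindings` is hypothetical.

```powershell
# Reports which of the ProRat artifacts quoted in the thread are present. Deletes nothing.
# Assumption: %Windows%/%Windir% = $env:windir, %System% = $env:windir\system32.
$win = $env:windir
$sys = Join-Path $win 'system32'

# File names exactly as listed in the quoted advisories. services.exe and Winlogon.exe
# are checked only in the Windows folder itself; the genuine ones live in system32.
$files = @(
    "$win\services.exe", "$win\Winlogon.exe", "$win\ktd32.atm",
    "$win\system\sservice.exe",
    "$sys\fservice.exe", "$sys\sservice.exe", "$sys\reginv.dll", "$sys\wininv.dll",
    "$sys\winkey.dll", "$sys\Main.exe", "$sys\Loader.exe", "$sys\Msmsg.exe", "$sys\Winserv.dll"
)

# Autostart locations named in the quoted advisories.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}'
)
# Value data seen in the advisories: Fservice.exe, Sservice.exe, Main.exe.
$badData = 'fservice\.exe|sservice\.exe|\\Main\.exe'

function Get-ProRatFindings {
    $findings = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "FILE  $f" }
    }
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $badData) { $findings += "REG   $k  `"$name`" = $data" }
        }
    }
    # The advisory says Shell is changed from "explorer.exe" to "explorer.exe ...\Fservice.exe".
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = [string](Get-ItemProperty -LiteralPath $wl).Shell
    if ($shell.Trim() -ne 'explorer.exe') { $findings += "SHELL $shell (expected explorer.exe)" }
    return $findings
}

$result = Get-ProRatFindings
if ($result) { $result } else { 'No listed ProRat artifacts found.' }
```

A hit is a lead to verify against the vendor write-ups linked in the thread before deleting anything; a clean result only means none of these specific names and values are present.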