ComboFix 08-06-20.4 - Mateusz 2008-06-24 19:32:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.698 [GMT 2:00]
Running from: F:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
L:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-24 19:27 . 2008-06-24 19:27
2008-06-24 19:27 . 2008-06-24 19:27
2008-06-24 14:00 . 2008-06-24 14:00
2008-06-24 11:20 . 2008-06-22 07:46 112,086 -r-hs---- C:\udr.com
2008-06-24 09:14 . 2008-06-24 09:14 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-24 08:41 . 2008-06-24 08:41
2008-06-23 20:57 . 2008-06-24 15:17 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-06-23 14:02 . 2008-06-23 14:02
2008-06-23 11:55 . 2008-06-23 11:57
2008-06-23 10:51 . 2008-06-23 10:51
2008-06-23 10:51 . 2008-06-23 10:51
2008-06-23 10:46 . 2008-06-23 10:46
2008-06-23 10:46 . 2008-06-23 10:50
2008-06-23 10:46 . 2008-06-23 10:46
2008-06-22 16:46 . 2008-06-22 16:46 421 --a------ C:\WINDOWS\ODBC.INI
2008-06-22 16:45 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-22 16:38 . 2008-06-22 16:38
2008-06-22 16:37 . 2008-06-22 16:40
2008-06-22 16:37 . 2008-06-22 16:37
2008-06-22 16:22 . 2008-06-22 16:22 30,304 --a------ C:\WINDOWS\Mode
2008-06-22 16:22 . 2008-06-22 16:22 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-06-22 14:49 . 2008-06-22 14:49
2008-06-22 14:49 . 2008-01-19 00:45 333,203 -rahs---- C:\bootmgr
2008-06-22 14:49 . 2008-06-22 14:49 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-06-22 14:07 . 2008-04-14 19:51 171,136 -rahs---- C:\grldr
2008-06-22 14:02 . 2008-06-22 14:02
2008-06-22 11:43 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-22 11:35 . 2008-06-24 13:43
2008-06-22 11:10 . 2008-06-22 11:22
2008-06-22 11:06 . 2008-06-22 11:06 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-22 10:22 . 2007-04-10 14:01 337,792 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
2008-06-22 10:21 . 2007-04-10 14:01 236,928 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
2008-06-22 10:08 . 2008-06-22 13:26 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-06-22 10:08 . 2008-06-22 13:26 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-06-22 09:13 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-22 09:13 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-06-22 09:13 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-06-22 09:13 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-06-22 09:13 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-06-22 09:13 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-06-21 22:16 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-06-21 22:15 . 2008-06-22 10:02
2008-06-21 22:11 . 2008-06-21 22:11
2008-06-21 17:50 . 2008-06-21 17:50
2008-06-21 17:46 . 2008-06-21 17:46
2008-06-21 15:05 . 2008-06-21 15:05
2008-06-19 13:44 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-17 16:06 . 2006-08-21 11:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-06-17 16:06 . 2006-08-21 11:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-06-17 16:06 . 2006-08-21 14:28 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-06-16 23:05 . 2007-07-09 15:20 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-16 22:59 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-16 22:44 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-06-16 22:44 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-06-16 22:44 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-06-16 22:43 . 2008-06-16 22:43
2008-06-16 22:41 . 2008-06-16 22:41
2008-06-16 22:41 . 2008-06-16 22:42
2008-06-16 21:39 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-16 21:37 . 2008-06-16 21:38
2008-06-16 21:37 . 2003-03-19 05:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-06-16 21:37 . 2004-01-12 00:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-16 21:33 . 2008-06-16 21:35
2008-06-16 21:29 . 2004-08-04 00:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-16 21:27 . 2008-06-22 09:13
2008-06-16 21:24 . 2008-04-23 09:20 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-16 21:24 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-16 21:24 . 2007-03-08 07:11 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-16 21:24 . 2008-04-23 09:20 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-16 21:24 . 2008-04-23 09:20 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-16 21:24 . 2008-04-23 09:20 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-16 21:24 . 2008-04-23 09:20 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-16 21:24 . 2008-04-23 09:20 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-16 21:24 . 2008-04-22 09:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-16 21:23 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-06-16 21:19 . 2008-06-16 21:19
2008-06-16 20:50 . 2008-06-16 20:50 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-16 20:43 . 2008-06-16 20:43
2008-06-16 20:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-16 20:40 . 1998-01-23 14:15 304,640 --a------ C:\WINDOWS\IsUn0415.exe
2008-06-16 20:40 . 2000-03-29 16:17 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-06-16 20:40 . 2008-06-16 20:40 2,286 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-06-16 20:31 . 2008-06-16 20:31 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-16 20:06 . 2008-06-24 19:34
2008-06-16 20:06 . 2008-06-16 20:06
2008-06-16 20:06 . 2008-06-16 17:56
2008-06-16 20:06 . 2008-06-16 18:46
2008-06-16 20:06 . 2008-06-16 20:06
2008-06-16 20:06 . 2008-06-16 18:46
2008-06-16 20:06 . 2008-06-16 20:06
2008-06-16 20:06 . 2008-06-16 20:09
2008-06-16 18:59 . 2008-06-16 18:59
2008-06-16 18:48 . 2004-08-04 00:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-06-16 18:48 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-06-16 18:46 . 2008-06-24 19:27
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 17:56
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-16 18:46
2008-06-16 18:46 . 2008-06-24 09:45
2008-06-16 18:46 . 2008-06-24 09:45
2008-06-16 18:46 . 2008-06-22 11:42
2008-06-16 18:46 . 2008-06-23 10:51
2008-06-16 18:34 . 2004-08-23 13:50 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2008-06-16 18:29 . 2003-08-04 13:22 94,208 --a------ C:\WINDOWS\system32\W32n50.dll
2008-06-16 18:29 . 2003-08-04 13:22 16,128 --------- C:\WINDOWS\system32\PCANDIS5.SYS
2008-06-16 18:28 . 2008-06-16 18:28
2008-06-16 18:28 . 2008-06-24 09:26
2008-06-16 18:28 . 2008-06-22 11:14
2008-06-16 18:28 . 2002-11-01 20:15 45,175 --------- C:\WINDOWS\system32\plugincpl140_03.cpl
2008-06-16 18:28 . 2002-11-01 20:15 41,068 --------- C:\WINDOWS\system32\ActPanel.dll
2008-06-16 18:26 . 2008-06-16 18:26
2008-06-16 18:25 . 2008-06-16 18:25
2008-06-16 18:19 . 2008-06-16 18:19
2008-06-16 18:18 . 2008-06-16 18:18
2008-06-16 18:17 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-16 18:17 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002184_.tmp
2008-06-16 18:15 . 2008-06-16 18:20
2008-06-16 18:09 . 2008-06-16 18:09

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 17:36 --------- d-----w C:\Program Files\AutoConnect
2008-06-24 17:34 483,360 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-24 17:34 34,776 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-24 17:34 3,239,968 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-24 17:34 11,116 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-24 17:28 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-16 17:53 --------- d-----w C:\Program Files\Gadu-Gadu
2008-06-16 17:27 33 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-06-16 17:26 --------- d-----w C:\Program Files\SAGEM
2008-06-16 17:00 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-16 17:00 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-06-16 17:00 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-16 15:59 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-16 15:58 558,142 ----a-w C:\WINDOWS\java\Packages\HZ5B7ZBR.ZIP
2008-06-16 15:58 155,995 ----a-w C:\WINDOWS\java\Packages\YE07VX3V.ZIP
2008-06-16 15:56 --------- d-----w C:\Program Files\Usługi online
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.
((((((((((((((((((((((((((((( snapshot@2008-06-24_19.27.16.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 17:24:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-24 17:35:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27 295424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"HydraVisionViewport"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe" [2003-09-15 21:00 364544]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-06-16 19:27:02 839680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-04 10:39 149040 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 11:39 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 13:26 484904 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-05-04 10:59 161328 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
d:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Netman"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Internet Security 2009\Polish\setup.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 sfdrv02;FrontLine Environment Driver (v2);C:\WINDOWS\system32\drivers\sfdrv02.sys [2006-09-11 13:57]
R0 sfsync05;FrontLine Synchronization Driver (v5);C:\WINDOWS\system32\drivers\sfsync05.sys [2006-08-11 18:09]
R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-09-19 11:03]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-09-15 11:07]
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 19:36:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-24 19:38:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-24 17:38:44
ComboFix2.txt 2008-06-24 17:27:39

Pre-Run: 23,018,942,464 bytes free
Post-Run: 23,009,116,160 bytes free

256 --- E O F --- 2008-06-23 14:48:25

ComboFix seems to have removed the infection, because the drives open normally again. This ComboFix log shows the removal of those pests from the pendrive (unfortunately I lost the earlier log, because I forgot about the pendrive and ran ComboFix a second time).

1. Is everything OK with the system now?
2. Does anyone know what this pest was, what it was meant to do, and what kind of malware it is?
3. Why can't this "super" Kaspersky Internet-Security 9 detect such a pest during a scan and remove it (it only blocks it and automatically blocks access to the partition)?
4. What is this amvo.exe pest?
5. This amvo.exe process is still in my msconfig startup list; how do I remove the entry?

If someone could answer these questions I would be very grateful.

Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html (run it through IE) and post its report here on the forum.

Isn't that unnecessary by now?
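As an added example (not part of the original thread, and not a ComboFix feature), the script below reads a ComboFix log and pulls out the points a responder checks first in a case like this one: what ComboFix deleted, what it could not delete (an Autorun.inf left on a removable drive is how this family re-infects every machine the stick is plugged into), msconfig "startupreg" leftovers that still point at a removed file, and security settings that were switched off (Windows Firewall, Security Center monitoring of the AV). The embedded SAMPLE_LOG is a constructed, shortened excerpt of the log posted above; section and key names are taken from that log, everything else is this example's own code.

```python
"""Triage a ComboFix log for the autorun-worm indicators seen in the thread.

Added example, not part of the original post and not ComboFix's own code.
SAMPLE_LOG is a condensed, constructed excerpt of the posted log.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed excerpt of the posted log (same entries, shortened).
SAMPLE_LOG = """\
ComboFix 08-06-20.4 - Mateusz 2008-06-24 19:32:44.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\\WINDOWS\\system32\\amvo.exe
C:\\WINDOWS\\system32\\amvo0.dll
L:\\Autorun.inf . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"AVP"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\avp.exe" [2008-04-25 18:21 201992]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\amva]
C:\\WINDOWS\\system32\\amvo.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\WinampAgent]
d:\\Program Files\\Winamp\\winampa.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# ComboFix section banners look like '(((( Title ))))'.
BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under the banner that precedes them ('' = preamble)."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip() not in ("", "."):      # '.' is ComboFix's spacer line
            sections[current].append(line.rstrip())
    return sections


def registry_entries(lines: List[str]) -> Iterator[Tuple[str, str]]:
    """Yield (key, value_line) pairs: each [key] line owns the lines below it."""
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            yield key, line


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the indicators described above."""
    sections = split_sections(text)
    findings: List[Tuple[str, str]] = []
    deleted_names = set()

    for line in sections.get("Other Deletions", []):
        if "failed to delete" in line:
            # 'L:\Autorun.inf . . . . failed to delete': that drive is still infected.
            findings.append(("still_present", line.split(" . ")[0].strip()))
        else:
            findings.append(("deleted", line))
            deleted_names.add(line.rsplit("\\", 1)[-1].lower())

    for key, value in registry_entries(sections.get("Reg Loading Points", [])):
        low = key.lower()
        if "msconfig\\startupreg" in low:
            # Items unticked in msconfig. Harmless by themselves, but one that
            # points at a file ComboFix removed is the leftover asked about.
            if value.rsplit("\\", 1)[-1].lower() in deleted_names:
                findings.append(("msconfig_leftover", key))
        elif "firewallpolicy\\standardprofile" in low and "EnableFirewall" in value:
            if re.search(r"=\s*0\b", value):
                findings.append(("firewall_disabled", key))
        elif "security center\\monitoring" in low and "DisableMonitoring" in value:
            if value.rstrip().endswith("00000001"):
                findings.append(("securitycenter_monitoring_disabled", key))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:36} {detail}")
```

Two things the output makes explicit that the raw log does not: the `msconfig\startupreg\amva` key is only the record msconfig keeps for an item that was unticked in its Startup tab, so with `amvo.exe` already deleted it is a stale entry rather than an active loading point; and the `failed to delete` line means the removable drive still carries its Autorun.inf, so it would reinfect any XP machine with AutoPlay enabled the next time it is plugged in.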