Hi!
I've only just created an account here and I'm not quite sure whether I'm allowed to post like this, so forgive me.
I have a problem with amvo.exe and I don't really know how to use ComboFix. I've already downloaded it, but I haven't done anything with it yet. I've most likely already removed the virus with Kaspersky, but even so the system still doesn't work the way it should:
- After opening My Computer and clicking on any drive (to open it), a window pops up asking which program to open it with.
- The drives can be accessed through Explorer.
- The "Show hidden files" option cannot be enabled.
Here is the log for checking:
ComboFix 08-05-09.1 - Dawid & Aldonka 2008-05-11 13:39:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.2048 [GMT 2:00]
Running from: C:\Documents and Settings\Dawid & Aldonka\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dawid & Aldonka\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
C:\WINDOWS\system32\amvo.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\v.exe
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.
2008-05-11 13:43 . 2008-05-11 13:43 53,248 --a------ C:\Temp\catchme.dll
2008-05-11 11:24 . 2008-05-11 11:24
2008-05-11 11:04 . 2008-05-11 11:04
2008-05-10 23:08 . 2008-05-10 23:08
2008-05-10 20:34 . 2008-05-10 20:34
2008-05-10 20:33 . 2008-05-10 20:33
2008-05-08 22:34 . 2004-08-10 15:00 488,724 -ra------ C:\txtsetup.sif
2008-05-08 22:34 . 2004-08-10 15:00 260,272 -ra------ C:\$LDR$
2008-05-08 19:46 . 2008-05-08 19:46
2008-05-08 19:16 . 2008-05-08 19:16 45,768 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys
2008-05-08 19:16 . 2008-05-08 19:46 105 --a------ C:\WINDOWS\Backup.INI
2008-05-08 18:46 . 2008-05-08 18:46
2008-05-08 11:08 . 2008-05-11 11:27
2008-05-08 11:08 . 2008-05-11 12:03
2008-05-08 11:08 . 2008-05-11 12:03
2008-05-08 11:08 . 2008-05-11 11:27
2008-05-08 11:04 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-05-08 10:57 . 2006-12-28 21:01 19,569 --a------ C:\WINDOWS\003579_.tmp
2008-05-08 10:57 . 2008-04-14 02:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-05-08 10:18 . 2008-05-08 15:48
2008-04-23 20:16 . 2008-04-23 20:16 98,927 --a------ C:\WINDOWS\hpqins16.dat
2008-04-21 21:06 . 2008-05-08 18:48
2008-04-20 19:52 . 2008-04-20 19:53 38 --a------ C:\WINDOWS\avisplitter.INI
2008-04-19 13:36 . 2008-04-19 13:36
2008-04-18 00:17 . 2008-05-06 16:01 24 --a------ C:\WINDOWS\sys.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 16:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-08 16:46 --------- d-----w C:\Program Files\Symantec
2008-05-08 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-28 14:33 --------- d-----w C:\Documents and Settings\Dawid & Aldonka\Application Data\Bioshock
2008-04-19 11:39 --------- d-----w C:\Documents and Settings\Dawid & Aldonka\Application Data\Corel
2008-04-19 11:37 --------- d-----w C:\Program Files\Common Files\Corel
2008-04-14 16:55 --------- d-----w C:\Documents and Settings\Dawid & Aldonka\Application Data\Image Zone Express
2008-04-11 00:35 --------- d-----w C:\Program Files\Opera
2008-04-09 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-09 07:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 18:32 --------- d-----w C:\Program Files\Google
2008-03-29 20:00 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-29 19:56 --------- d-----w C:\Program Files\DivX
2008-03-28 18:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-28 18:46 --------- d-----w C:\Program Files\Windows Media Connect
2008-03-27 15:53 --------- d-----w C:\Program Files\Common Files\Real
2008-03-18 21:13 --------- d-----w C:\Program Files\Avant Browser
2008-03-16 19:36 --------- d-----w C:\Documents and Settings\Dawid & Aldonka\Application Data\Printer Info Cache
2008-03-15 17:23 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-15 17:23 22,328 ----a-w C:\Documents and Settings\Dawid & Aldonka\Application Data\PnkBstrK.sys
2008-03-15 17:10 --------- d-----w C:\Program Files\Electronic Arts
2008-03-13 14:52 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-03-13 14:44 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-13 14:43 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-03-11 11:31 --------- d-----w C:\Program Files\Total Video Converter
2008-03-02 14:48 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-09 19:48 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 20:25 81920]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 12:46 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 02:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 11:11 925696]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 10:30 81920]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 18:30 45632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"Corel File Shell Monitor"="C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-01-15 15:18 16200]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 11:22 517768]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"spuninst"="C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" [2007-08-10 20:46 231288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-02 16:48:37 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-02 16:52:45 784912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2007-07-09 09:39 2119104 C:\Program Files\Gadu-Gadu\gg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
-r------- 2006-04-25 04:52 385024 C:\WINDOWS\system32\JMRaidTool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"=
"C:\WINDOWS\system32\PnkBstrA.exe"=
"C:\WINDOWS\system32\PnkBstrB.exe"=
"C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"C:\Program Files\Windows Live\Messenger\livecall.exe"=
"D:\Gra\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe"=
"D:\Gra\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"=
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\Opera\Opera.exe"=
"C:\Program Files\Half Life 2\root\hl2.exe"=
"D:\Gra\Soldat\Soldat.exe"=
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 05:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 05:39]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2008-02-10 02:06]
S3 cpuz129;cpuz129;C:\Temp\cpuz_x32.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b64503a-9d1d-11dc-a4dc-001731143542}]
\Shell\AutoRun\command - N:\oufddh.exe
\Shell\explore\Command - N:\oufddh.exe
\Shell\open\Command - N:\oufddh.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85ea213e-93b9-11dc-a4bd-001731143542}]
\Shell\AutoRun\command - L:\v.exe
\Shell\explore\Command - L:\v.exe
\Shell\open\Command - L:\v.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94671d49-eacc-11dc-a5c8-001731143542}]
\Shell\AutoRun\command - K:\m9j.com
\Shell\explore\Command - K:\m9j.com
\Shell\open\Command - K:\m9j.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{997babb2-c05e-11dc-a537-001731143542}]
\Shell\AutoRun\command - M:\juok3st.bat
\Shell\explore\Command - M:\juok3st.bat
\Shell\open\Command - M:\juok3st.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c42c3b56-711a-11dc-a44c-001731143542}]
\Shell\AutoRun\command - K:\jfvkcsy.bat
\Shell\explore\Command - K:\jfvkcsy.bat
\Shell\open\Command - K:\jfvkcsy.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5949bca-f01b-11dc-a5e7-001731143542}]
\Shell\AutoRun\command - K:\jfvkcsy.bat
\Shell\explore\Command - K:\jfvkcsy.bat
\Shell\open\Command - K:\jfvkcsy.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccb99f78-f5b5-11dc-a5f5-001731143542}]
\Shell\AutoRun\command - K:\EXPLORER.EXE
\Shell\explore\Command - K:\EXPLORER.EXE
\Shell\open\Command - K:\EXPLORER.EXE
*Newly Created Service* - NVR0DEV
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 13:43:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-11 13:45:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-11 11:45:26
Pre-Run: 29,375,426,560 bytes free
Post-Run: 32,111,915,008 bytes free
258 --- E O F --- 2008-04-09 07:22:24
I'd be grateful for any help!
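The MountPoints2 entries in the log are the per-volume autorun handlers that make double-clicking a drive launch a file from its root instead of opening it, which is the "choose a program" symptom described in the post. As an added example (not part of the original post, and not ComboFix's own code), the script below parses that section of a ComboFix log and flags volumes whose open/explore/autorun verbs all point at an executable sitting in a drive root; the sample excerpt is constructed from the entries above.

```python
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's "Reg Loading Points" format, copied from the post above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85ea213e-93b9-11dc-a4bd-001731143542}]
\Shell\AutoRun\command - L:\v.exe
\Shell\explore\Command - L:\v.exe
\Shell\open\Command - L:\v.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c42c3b56-711a-11dc-a44c-001731143542}]
\Shell\AutoRun\command - K:\jfvkcsy.bat
\Shell\explore\Command - K:\jfvkcsy.bat
\Shell\open\Command - K:\jfvkcsy.bat
*Newly Created Service* - NVR0DEV
"""

# Key header; the backslash before "{" is optional because extraction often drops it.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\?\{([0-9a-f-]{36})\}\]$", re.I)
# "\Shell\<verb>\command - <target>" lines under that key.
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)
# A script or executable placed directly in a drive root, e.g. K:\jfvkcsy.bat.
ROOT_EXE_RE = re.compile(r"^[A-Z]:\\[^\\/:*?\"<>|]+\.(exe|com|bat|cmd|pif|scr|vbs)$", re.I)


def parse_mountpoints(log_text):
    """Return {volume_guid: {verb: target}} for every MountPoints2 key in the log."""
    entries = defaultdict(dict)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        if line.startswith("["):
            current = None  # some other registry key begins; stop attributing verbs
            continue
        verb = VERB_RE.match(line)
        if verb and current:
            entries[current][verb.group(1).lower()] = verb.group(2)
    return dict(entries)


def hijacked_volumes(entries):
    """Volumes whose autorun, explore and open verbs all run the same drive-root file."""
    flagged = []
    for guid, verbs in entries.items():
        targets = {verbs.get(v) for v in ("autorun", "explore", "open")}
        if len(targets) == 1 and ROOT_EXE_RE.match(next(iter(targets)) or ""):
            flagged.append((guid, targets.pop()))
    return sorted(flagged)


if __name__ == "__main__":
    for guid, target in hijacked_volumes(parse_mountpoints(SAMPLE_LOG)):
        print(f"volume {{{guid}}}: drive verbs redirected to {target}")
```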