Amvo.exe removal problem

ComboFix 08-04-08.10 - Administrator 2008-04-09 19:21:43.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.791 [GMT 2:00]

Running from: C:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\amvo0.dll

.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))

.

2008-04-09 18:52 . 2008-04-09 18:52

2008-04-09 18:48 . 2008-04-09 18:48 419 --a------ C:\WINDOWS\BRWMARK.INI

2008-04-09 18:48 . 2008-04-09 18:48 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi

2008-04-09 18:48 . 2008-04-09 18:48 30 --a------ C:\WINDOWS\system32\brss01a.ini

2008-04-09 18:48 . 2008-04-09 18:48 27 --a------ C:\WINDOWS\BRPP2KA.INI

2008-04-09 18:36 . 2008-04-09 18:36

2008-04-09 18:35 . 2008-04-09 18:35

2008-04-09 18:35 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini

2008-04-09 18:34 . 2008-04-09 18:34

2008-04-09 18:34 . 2008-04-09 18:34

2008-04-09 18:34 . 2008-04-09 18:34

2008-04-09 18:34 . 2008-04-09 18:34

2008-04-09 18:31 . 2008-04-09 18:31

2008-04-09 18:27 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-04-09 18:27 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-04-09 18:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-04-09 18:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

2008-04-09 16:29 . 2008-04-09 16:29

2008-04-09 16:29 . 2008-04-09 16:29

2008-04-09 16:29 . 2008-04-09 16:29

2008-04-09 16:19 . 2008-04-09 16:19

2008-04-09 16:18 . 2008-04-09 16:18 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-04-09 00:25 . 2004-08-03 23:07 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys

2008-04-09 00:25 . 2004-08-03 22:39 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys

2008-04-09 00:25 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys

2008-04-09 00:25 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys

2008-04-09 00:25 . 2001-08-17 23:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys

2008-04-09 00:25 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys

2008-04-09 00:25 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys

2008-04-09 00:25 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

2008-04-09 00:25 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys

2008-04-09 00:24 . 2004-08-04 00:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys

2008-04-09 00:24 . 2001-08-17 21:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys

2008-04-09 00:24 . 2004-08-03 23:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys

2008-04-09 00:24 . 2001-08-17 23:00 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys

2008-04-09 00:23 . 2001-07-22 05:15 1,685,606 --a--c--- C:\WINDOWS\system32\dllcache\sam.spd

2008-04-09 00:23 . 2008-04-09 16:17 865,792 --a------ C:\WINDOWS\system32\PerfStringBackup.INI

2008-04-09 00:23 . 2001-10-26 19:29 77,824 --a--c--- C:\WINDOWS\system32\dllcache\spcommon.dll

2008-04-09 00:23 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll

2008-04-09 00:23 . 2001-10-26 19:28 61,440 --a--c--- C:\WINDOWS\system32\dllcache\spcplui.dll

2008-04-09 00:23 . 2008-04-08 23:32 4,293 --a------ C:\WINDOWS\ODBCINST.INI

2008-04-09 00:23 . 2008-04-09 00:05 1,355 --a------ C:\WINDOWS\imsins.BAK

2008-04-09 00:23 . 2001-07-22 05:15 888 --a--c--- C:\WINDOWS\system32\dllcache\sam.sdf

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-08 23:29

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 00:22

2008-04-09 00:22 . 2008-04-09 16:42

2008-04-09 00:22 . 2008-04-09 00:02

2008-04-09 00:22 . 2008-04-09 00:06

2008-04-09 00:22 . 2008-04-09 18:52

2008-04-09 00:19 . 2008-04-09 17:20

2008-04-09 00:19 . 2008-04-09 19:17

2008-04-09 00:19 . 2008-04-09 00:19

2008-04-09 00:19 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-09 00:19 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-09 00:19 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-09 00:19 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-09 00:18 . 2008-04-09 16:14

2008-04-09 00:11 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2008-04-09 00:11 . 2008-04-09 00:11 421 --a------ C:\WINDOWS\ODBC.INI

2008-04-09 00:10 . 2008-04-09 00:10

2008-04-09 00:10 . 2008-04-09 00:10

2008-04-09 00:08 . 2008-04-09 00:08

2008-04-09 00:07 . 2008-04-09 00:07

2008-04-09 00:01 . 2008-04-09 00:01

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-09 17:21 1,671,038 ----a-w C:\ComboFix.exe

2008-04-09 16:36 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 16:36 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-04-08 21:54 --------- d-----w C:\Program Files\My Company Name

2008-04-08 21:48 --------- d-----w C:\Program Files\Realtek

2008-04-08 21:45 --------- d-----w C:\Program Files\VIA

2008-04-08 21:43 --------- d-----w C:\Program Files\AMD

2008-04-08 21:32 558,142 ----a-w C:\WINDOWS\java\Packages\YARVB75B.ZIP

2008-04-08 21:32 155,995 ----a-w C:\WINDOWS\java\Packages\MQI1ZZ3F.ZIP

2008-04-08 21:32 --------- d-----w C:\Program Files\microsoft frontpage

2008-04-08 21:29 --------- d-----w C:\Program Files\Usługi online

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-02-10 12:25 15969280 C:\WINDOWS\RTHDCPL.exe]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-11 15:43 7630848]

"nwiz"="nwiz.exe" [2006-08-11 15:43 1519616 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-11 15:43 86016]

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]

"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 18:02 49152]

"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42 933888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2008-04-09 18:36:42 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - v.com

\Shell\explore\Command - v.com

\Shell\open\Command - v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - v.com

\Shell\explore\Command - v.com

\Shell\open\Command - v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\bootcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{041a77e4-0640-11dd-80b2-0017313729fc}]

\Shell\AutoRun\command - H:\INTRO.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{938e5bb0-05b6-11dd-80ae-0017313729fc}]

\Shell\AutoRun\command - G:\v.com

\Shell\explore\Command - G:\v.com

\Shell\open\Command - G:\v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db1a64f2-05c1-11dd-8008-806d6172696f}]

\Shell\AutoRun\command - v.com

\Shell\explore\Command - v.com

\Shell\open\Command - v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db1a64f3-05c1-11dd-8008-806d6172696f}]

\Shell\AutoRun\command - v.com

\Shell\explore\Command - v.com

\Shell\open\Command - v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db1a64f4-05c1-11dd-8008-806d6172696f}]

\Shell\AutoRun\command - v.com

\Shell\explore\Command - v.com

\Shell\open\Command - v.com

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-09 19:22:32

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-09 19:22:51

ComboFix-quarantined-files.txt 2008-04-09 17:22:41

Pre-Run: 12,905,697,280 bajtów wolnych

Post-Run: 12,895,379,456 bajtów wolnych

Change of the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

Paste into Notepad:

File::

H:\INTRO.EXE

G:\v.com


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

- as in this image: 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should begin (and a log will be created).

After the restart, manually delete the folder C:\Qoobox.

After that, post a new log from ComboFix.
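The entries the helper's CFScript targets are the MountPoints2 keys in the log: Explorer caches per-volume autorun.inf handlers there, and a legitimate autorun only sets the AutoRun verb with a full path, whereas the entries above also redirect the `open` and `explore` verbs (so opening the drive in Explorer runs the file even when AutoPlay is off) and point at a bare filename resolved from the volume root. The script below is an added example, not code from either post or from ComboFix; it parses that section of a ComboFix log and flags volumes showing either pattern. The sample log lines are constructed after the ones above, and the thresholds are the assumed heuristics just described.

```python
"""Flag hijacked MountPoints2 autorun handlers in a ComboFix log (added example)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the "Reg Loading Points" section above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - v.com
\Shell\explore\Command - v.com
\Shell\open\Command - v.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\bootcd\wintools\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{938e5bb0-05b6-11dd-80ae-0017313729fc}]
\Shell\AutoRun\command - G:\v.com
\Shell\explore\Command - G:\v.com
\Shell\open\Command - G:\v.com
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"""

# A MountPoints2 subkey: the last path component is the drive letter or volume GUID.
KEY_RE = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
# A verb line as ComboFix prints it:  \Shell\<verb>\command - <command>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_mountpoints(log_text):
    """Return {volume_id: {verb_lower: command}} for every MountPoints2 key in the log."""
    entries = defaultdict(dict)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None          # some other registry key; stop collecting verbs
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1).lower()] = cmd.group(2)
    return dict(entries)


def assess(entries):
    """Apply the two heuristics and return a finding per suspicious volume."""
    findings = []
    for volume, verbs in entries.items():
        reasons = []
        hijacked = sorted(v for v in ("open", "explore") if v in verbs)
        if hijacked:
            reasons.append("Explorer verbs redirected: " + ", ".join(hijacked))
        for verb, command in verbs.items():
            # No drive letter and no path separator: resolved relative to the volume root.
            if not DRIVE_PATH_RE.match(command) and "\\" not in command:
                reasons.append(f"{verb} runs bare filename '{command}' from the volume root")
                break
        if reasons:
            findings.append({"volume": volume, "commands": dict(verbs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess(parse_mountpoints(SAMPLE_LOG)):
        print(finding["volume"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Volumes keyed by GUID rather than a drive letter are removable media that are no longer attached, so the command path (G:\v.com) is the only hint of which device carried the file; the bootcd entry on F: is left alone because it uses only the AutoRun verb with a full path. On a live machine the same two checks can be run against the registry instead of the log.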