I have another problem with this virus. The ComboFix log is as follows:
Don't piggyback on someone else's thread.
Paste into Notepad:
File::
C:\oq.cmd
C:\0n.bat
C:\1dg.exe
C:\lkxcqdb.bat
C:\os652192.bin
H:\1dg.exe
H:\uqhqx1.cmd
Driver::
RTCore32
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER). Removal should begin (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log and a scan at http://www.kaspersky.pl/virusscanner.html
HELP, PLEASE. Here is the ComboFix log:
ComboFix 08-04-26.5 - x 2008-04-28 1:08:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1495 [GMT 2:00]
Running from: C:\Documents and Settings\x\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\avi.dll
C:\WINDOWS\system32\DivXsm.exe
C:\WINDOWS\system32\dllcache\spoolsv.exe
C:\WINDOWS\system32\ff_liba52.dll
C:\WINDOWS\system32\ff_libdts.dll
C:\WINDOWS\system32\ff_libfaad2.dll
C:\WINDOWS\system32\ff_libmad.dll
C:\WINDOWS\system32\ff_realaac.dll
C:\WINDOWS\system32\ff_samplerate.dll
C:\WINDOWS\system32\ff_tremor.dll
C:\WINDOWS\system32\ff_unrar.dll
C:\WINDOWS\system32\ff_wmv9.dll
C:\WINDOWS\system32\iconv.dll
C:\WINDOWS\system32\libavcodec.dll
C:\WINDOWS\system32\libmpeg2_ff.dll
C:\WINDOWS\system32\libmplayer.dll
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav
C:\WINDOWS\system32\mkunicode.dll
C:\WINDOWS\system32\mkx.dll
C:\WINDOWS\system32\mkzlib.dll
C:\WINDOWS\system32\mmfinfo.dll
C:\WINDOWS\system32\mp4.dll
C:\WINDOWS\system32\mplvpx.dll
C:\WINDOWS\system32\ogg.dll
C:\WINDOWS\system32\OggDS.dll
C:\WINDOWS\system32\ogm.dll
C:\WINDOWS\system32\ts.dll
C:\WINDOWS\system32\vorbis.dll
C:\WINDOWS\system32\vorbisenc.dll
C:\WINDOWS\system32\WMV9VCM.dll
C:\WINDOWS\system32\xvidcore.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.
2008-04-27 23:09 . 2008-04-27 23:09
2008-04-27 23:09 . 2002-01-10 11:13 7,962,624 --a------ C:\WINDOWS\system32\SVI.dll
2008-04-27 23:08 . 2008-04-27 23:09
2008-04-27 23:08 . 2001-02-01 15:10 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-04-27 23:08 . 2001-02-01 15:10 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-04-27 23:08 . 2001-02-01 15:10 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-04-27 23:08 . 2001-02-01 15:10 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2008-04-27 23:07 . 2008-04-27 23:07
2008-04-27 23:07 . 2001-03-23 18:32 2,981,888 --a------ C:\WINDOWS\system32\iplw7.dll
2008-04-27 23:07 . 2001-03-23 18:31 2,973,696 --a------ C:\WINDOWS\system32\iplA6.dll
2008-04-27 23:07 . 2001-03-23 18:31 2,785,280 --a------ C:\WINDOWS\system32\iplM6.dll
2008-04-27 23:07 . 2001-03-23 18:31 2,686,976 --a------ C:\WINDOWS\system32\iplM5.dll
2008-04-27 23:07 . 2001-03-23 18:31 2,531,328 --a------ C:\WINDOWS\system32\iplP6.dll
2008-04-27 23:07 . 2001-03-23 18:31 2,502,656 --a------ C:\WINDOWS\system32\iplPX.dll
2008-04-27 23:07 . 2001-03-23 18:31 53,248 --a------ C:\WINDOWS\system32\ipl.dll
2008-04-27 23:06 . 2008-04-27 23:06
2008-04-27 23:06 . 2008-04-27 23:06
2008-04-27 21:26 . 2008-04-27 21:26 105,128 -r-hs---- C:\oq.cmd
2008-04-26 12:33 . 2008-04-26 12:33
2008-04-26 12:07 . 2008-03-13 20:13
2008-04-26 12:07 . 2008-04-26 12:08
2008-04-26 00:51 . 2008-04-26 00:52 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-04-26 00:51 . 2008-04-26 00:52 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-04-26 00:51 . 2008-04-26 00:52 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-04-26 00:40 . 2008-04-26 00:40
2008-04-26 00:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-26 00:31 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-26 00:31 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-26 00:15 . 2008-04-26 00:15
2008-04-26 00:11 . 2008-04-26 00:11
2008-04-26 00:11 . 2008-04-26 02:23
2008-04-26 00:10 . 2008-04-26 00:10
2008-04-26 00:04 . 2008-04-26 00:04
2008-04-25 23:56 . 2008-04-25 23:56
2008-04-25 23:54 . 2008-04-25 23:55
2008-04-25 23:48 . 2007-03-29 15:00 17,024 --a------ C:\WINDOWS\system32\drivers\KMWDFilter.SYS
2008-04-25 23:47 . 2008-04-25 23:48
2008-04-25 23:12 . 2008-04-26 11:34 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.dat.LOG
2008-04-25 23:10 . 2008-04-25 23:55
2008-04-25 23:08 . 2008-04-25 23:11
2008-04-25 23:06 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-04-25 23:05 . 2000-05-22 10:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2008-04-25 23:05 . 2006-10-06 08:17 53,248 --------- C:\WINDOWS\Ctregrun.exe
2008-04-25 23:03 . 1999-12-12 19:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-04-25 23:03 . 1999-11-17 19:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-04-25 23:02 . 2008-04-25 23:04
2008-04-25 23:02 . 2008-04-25 23:05
2008-04-25 23:02 . 2008-04-25 23:02
2008-04-25 22:32 . 2008-04-25 22:32
2008-04-25 22:32 . 2008-04-25 22:32
2008-04-25 22:31 . 2008-04-25 22:31
2008-04-25 22:22 . 2008-04-25 22:22
2008-04-25 22:17 . 2008-04-25 22:17
2008-04-25 22:17 . 2008-04-25 22:17 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-25 22:15 . 2008-04-25 22:15
2008-04-25 22:15 . 2008-04-25 22:15
2008-04-25 22:13 . 2008-04-25 22:13
2008-04-25 22:13 . 2008-04-25 22:13
2008-04-25 22:13 . 2008-04-26 00:40
2008-04-25 22:13 . 2008-04-28 00:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-25 22:13 . 2008-04-25 22:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-25 22:12 . 2008-04-25 22:12
2008-04-25 22:12 . 2008-04-25 22:12
2008-04-25 22:12 . 2008-04-25 22:12
2008-04-25 22:12 . 2008-04-25 22:13
2008-04-25 22:11 . 2008-04-25 22:11
2008-04-25 22:11 . 2008-04-25 22:11
2008-04-25 22:05 . 2008-04-25 22:05
2008-04-25 22:04 . 2008-04-21 15:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-04-25 22:04 . 2008-04-21 15:00 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-25 22:04 . 2008-04-21 15:00 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-04-25 22:04 . 2008-04-21 15:00 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-25 22:03 . 2008-04-25 22:03
2008-04-25 21:51 . 2008-04-25 21:55
2008-04-25 21:51 . 2008-04-25 21:59
2008-04-25 21:43 . 2008-04-26 12:00
2008-04-25 21:43 . 2008-04-25 21:43 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-04-25 21:38 . 2008-04-25 21:38
2008-04-25 21:38 . 2008-04-25 21:38
2008-04-25 21:38 . 2008-04-26 12:02
2008-04-25 21:38 . 2008-04-25 21:38
2008-04-25 21:36 . 2008-04-25 21:36
2008-04-25 21:35 . 2008-04-25 21:35
2008-04-25 21:35 . 2008-04-25 21:36
2008-04-25 14:27 . 2008-04-25 14:27
2008-04-25 14:19 . 2008-04-25 14:19
2008-04-25 14:19 . 2005-07-30 21:00 114,688 --a------ C:\WINDOWS\system32\OdiOlDVR.dll
2008-04-25 14:19 . 2005-07-30 21:14 86,016 --a------ C:\WINDOWS\system32\STRDEVAPI.dll
2008-04-25 14:19 . 2006-04-07 17:05 73,728 --a------ C:\WINDOWS\system32\VNUSB.dll
2008-04-25 14:19 . 2003-06-13 17:49 73,728 --a------ C:\WINDOWS\system32\DW90USB.DLL
2008-04-25 14:19 . 2004-06-21 10:14 53,248 --a------ C:\WINDOWS\system32\OdiAPI.dll
2008-04-25 14:19 . 2001-04-09 19:17 39,096 --a------ C:\WINDOWS\system32\drivers\DW90USB.SYS
2008-04-25 14:19 . 2006-04-07 17:06 38,496 --a------ C:\WINDOWS\system32\drivers\VNUSB.sys
2008-04-25 14:16 . 2008-04-25 14:16
2008-04-25 14:14 . 2008-04-25 14:14
2008-04-25 14:13 . 2008-04-25 14:13
2008-04-25 14:13 . 2001-04-04 14:00 245,760 --------- C:\WINDOWS\system32\DECO_32.DLL
2008-04-25 14:12 . 1998-11-13 13:10 307,200 --a------ C:\WINDOWS\IsUn0415.exe
2008-04-25 14:02 . 2008-04-25 14:02
2008-04-25 14:01 . 2008-04-25 14:01
2008-04-25 13:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-25 13:41 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-25 13:37 . 2008-04-25 13:37
2008-04-25 13:37 . 2008-04-25 13:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-04-25 13:37 . 2008-04-25 13:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-04-25 13:37 . 2008-04-25 13:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-04-25 05:11 . 2008-04-25 05:11
2008-04-25 05:02 . 2008-04-25 13:18
2008-04-25 04:53 . 2008-04-25 04:53
2008-04-25 04:53 . 2004-07-14 15:47 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-25 04:53 . 2004-06-29 19:07 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-25 04:46 . 2008-04-25 04:46 98 --a------ C:\WINDOWS\WirelessFTP.INI
2008-04-25 04:34 . 2008-04-25 04:34 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-25 04:33 . 2008-04-25 04:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-25 04:28 . 2008-04-25 04:28
2008-04-25 04:27 . 2008-04-25 04:27 13,682 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-25 04:18 . 2005-08-11 14:33 49,152 --a------ C:\WINDOWS\_detmp.2
2008-04-25 04:18 . 2008-04-25 03:11 36,092 --a------ C:\WINDOWS\_detmp.1
2008-04-25 04:08 . 2008-04-25 04:08
2008-04-25 04:08 . 2008-04-25 04:08
2008-04-25 04:08 . 2008-04-25 04:08
2008-04-25 04:08 . 2008-04-25 04:08
2008-04-25 04:08 . 2008-04-25 04:08
2008-04-25 04:08 . 2008-04-25 04:08 376,832 --a------ C:\WINDOWS\system32\AegisI5Installer.exe
2008-04-25 04:08 . 2008-04-25 04:08 21,361 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 21:11 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-25 21:11 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-25 02:08 --------- d-----w C:\Program Files\Intel
2008-04-25 01:30 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-25 01:30 13,578,240 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-04-24 09:34 --------- d-----w C:\Program Files\directx
2008-04-24 07:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-24 07:31 --------- d-----w C:\Program Files\Usługi online
2008-04-08 09:37 102,499 --sh--r C:\1ce.cmd
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 10:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2006-12-12 09:13 32,768 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\EBLib.dll
2006-07-28 14:25 19,456 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\LPCFilter.sys
2003-03-21 11:37 16,056 ----a-w C:\Program Files\owcstp16.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19 204800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 08:18 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 13:06 73728 C:\WINDOWS\system32\TDispVol.exe]
"nwiz"="nwiz.exe" [2006-02-16 18:34 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-16 18:34 7557120]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-25 03:30 13578240 C:\WINDOWS\RTHDCPL.exe]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 11:17 65536]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 16:31 638976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-25 18:19 888832]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 10:06 143360]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 13:45 28672]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 10:50 413696]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]
"Zooming"="ZoomingHook.exe" [2005-06-06 09:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"CFSServ.exe"="CFSServ.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SPIRun"="SPIRun.dll" [2006-11-29 12:35 8704 C:\WINDOWS\system32\SPIRun.dll]
"KMCONFIG"="C:\Program Files\Mouse Driver\StartAutorun.exe" [2007-03-06 14:51 212992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"msacm.avis"= ff_acm.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\iTunes\iTunes.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Mouse Driver\KMWDSrv.exe [2007-04-05 10:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 21:55]
R3 KMWDFilter;KMWDFilter;C:\WINDOWS\System32\Drivers\KMWDFilter.SYS [2007-03-29 15:00]
R3 t3;SB Xtreme Audio Notebook;C:\WINDOWS\system32\drivers\t3.sys [2007-06-19 07:38]
R3 t3filt;t3filt;C:\WINDOWS\system32\drivers\t3filt.sys [2007-08-20 07:35]
R3 tosrfec;Bluetooth ACPI;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2006-10-23 16:32]
R3 UVCFTR;UVCFTR;C:\WINDOWS\system32\Drivers\UVCFTR_S.SYS [2007-04-16 10:19]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-09-09 10:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a50d1aaa-125b-11dd-a2e8-8082eff50cd2}]
\Shell\AutoRun\command - G:\1ce.cmd
\Shell\explore\Command - G:\1ce.cmd
\Shell\open\Command - G:\1ce.cmd
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 20:12:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-27 22:56:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 01:10:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-28 1:11:21
ComboFix-quarantined-files.txt 2008-04-27 23:11:07
Pre-Run: 37,461,569,536 bajtów wolnych
Post-Run: 38,485,987,328 bajtów wolnych
276 --- E O F --- 2008-04-26 09:35:26
On 29.04.2008, at 1:13, a post by zakus88 was appended
Download ComboFix, but do not run it
Paste into Notepad:
File::
C:\oq.cmd
C:\WINDOWS\_detmp.2
C:\WINDOWS\_detmp.1
C:\1ce.cmd
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
File -> Save as -> CFScript.txt (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, just like here ->
Removal should begin and a log will be produced; post that log on the forum.
Help, here is the ComboFix log
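The log posted above and the CFScript in this reply together show the autorun-worm pattern the thread is dealing with: hidden/system .cmd droppers in drive roots, Autorun.inf in drive roots, and a per-volume MountPoints2 subkey whose AutoRun/explore/open commands point at the dropper on the removable drive. The Python script below is an added example, not part of this thread and not ComboFix's own code; it parses those three indicators out of a ComboFix log (a constructed excerpt of the one above is embedded) and drafts the File::/Registry:: directives that the helper wrote by hand.

```python
import re
from typing import Dict

# Constructed excerpt modelled on the ComboFix log in this thread (not the complete log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.
2008-04-27 23:09 . 2002-01-10 11:13 7,962,624 --a------ C:\WINDOWS\system32\SVI.dll
2008-04-27 21:26 . 2008-04-27 21:26 105,128 -r-hs---- C:\oq.cmd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 21:11 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-25 02:08 --------- d-----w C:\Program Files\Intel
2008-04-08 09:37 102,499 --sh--r C:\1ce.cmd
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a50d1aaa-125b-11dd-a2e8-8082eff50cd2}]
\Shell\AutoRun\command - G:\1ce.cmd
\Shell\explore\Command - G:\1ce.cmd
\Shell\open\Command - G:\1ce.cmd
"""

# Tail of every file entry in the "Files Created" and "Find3M" sections: <attrs> <path>.
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} .*?\s([-a-z]{7,9})\s+([A-Za-z]:\\.*)$")
# A file sitting directly in a drive root, e.g. C:\oq.cmd (no further backslash).
ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
# Per-volume MountPoints2 subkey header and the Shell verb lines ComboFix prints under it
# (the optional backslash tolerates copies where "\{" was eaten by forum formatting).
MP_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\?(\{[0-9a-f-]+\})\]$", re.I)
MP_CMD = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
# Extensions a script/executable dropper hidden in a drive root typically carries.
DROPPER_EXT = (".cmd", ".bat", ".exe", ".com", ".pif", ".scr", ".vbs")

MP_ROOT_KEY = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"


def triage(log_text: str) -> Dict[str, list]:
    """Collect the three autorun-worm indicators from a ComboFix log."""
    findings: Dict[str, list] = {
        "hidden_root_scripts": [],    # hidden/system droppers in a drive root
        "root_autorun_inf": [],       # Autorun.inf in a drive root
        "mountpoints2_commands": [],  # (subkey, verb, command) hijack entries
    }
    current_key = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("["):
            # Any registry key header ends the previous MountPoints2 block.
            m = MP_KEY.match(line)
            current_key = m.group(1) if m else None
            continue
        m = FILE_ENTRY.match(line)
        if m:
            attrs, path = m.groups()
            # ComboFix attribute letters: h = hidden, s = system. A dropper in a
            # drive root with either flag set is the pattern seen in this thread.
            if (ROOT_FILE.match(path) and path.lower().endswith(DROPPER_EXT)
                    and ("h" in attrs or "s" in attrs)):
                findings["hidden_root_scripts"].append(path)
            continue
        if ROOT_FILE.match(line) and line.lower().endswith("\\autorun.inf"):
            findings["root_autorun_inf"].append(line)
            continue
        m = MP_CMD.match(line)
        if m and current_key:
            verb, command = m.groups()
            findings["mountpoints2_commands"].append((current_key, verb, command))
    return findings


def build_cfscript(findings: Dict[str, list]) -> str:
    """Draft the CFScript directives the thread's helper writes by hand.

    File:: lists the droppers, including the targets of the hijacked Shell
    commands (they live on the removable drive); Registry:: with a leading
    '-' deletes the whole MountPoints2 key so the cached AutoRun commands go.
    """
    files = list(findings["hidden_root_scripts"])
    for _key, _verb, command in findings["mountpoints2_commands"]:
        if command not in files:
            files.append(command)
    lines = ["File::"] + files
    if findings["mountpoints2_commands"]:
        lines += ["Registry::", f"[-{MP_ROOT_KEY}]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, items in found.items():
        print(f"{name}: {items}")
    print(build_cfscript(found))
```

The heuristic only catches the drive-root pattern shown in this log; a dropper elsewhere (like the _detmp files the helper also removed) still needs a human eye.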