amvo.exe error -> ComboFix, and what next?


(skołowany) #1

Hello, I'm asking for help because I have a problem with a trojan disguising itself as the application amvo.exe. I don't know what to do next; after I downloaded ComboFix I got a log and put it on wklej.org. I've been reading about similar situations and can't make anything of it, because I'm not on very familiar terms with computers, hehe. I'd also ask for reasonably easy and accessible guidance on freeing my PC from this filth that has taken up residence in it.

Here is my log: http://www.wklej.org/id/9d18f1bfd6


(Leon$) #2

Turn off System Restore on all drives

clean the pendrive http://www.softpedia.com/get/Security/Security-Related/PRT-Perlovga-Removal-Tool.shtml

open Notepad and paste

save as plik.reg >> All files >> merge into the registry >> restart

[image]

a file with this icon will be created

[image]

double-click it, confirm that you want to add it to the registry, then restart

post a Deckard's System Scanner (DSS) log for checking http://www.searchengines.pl/index.php?showtopic=86306st=0p=392369entry392369

:slight_smile:


(skołowany) #3

Many thanks for the interest and help!!

1. main.txt:

Deckard's System Scanner v20071014.68
Run by Hubert on 2008-03-09 21:54:05
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-03-09 20:54:08 UTC - RP1 - Punkt kontrolny systemu

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 478 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-09 21:55:29
Platform: Windows XP Dodatek Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Keyhook.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Norton SystemWorks\Speed Disk\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Hubert\Pulpit\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-SD IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: apitrap.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\Navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\system32\slserv.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Speed Disk\NOPDB.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

End of file - 6946 bytes

-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
S3 QDFSDRV - c:\windows\system32\drivers\qdfsdrv.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Speed Disk service - c:\progra~1\norton~1\speedd~1\nopdb.exe

-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------
2008-03-09 21:45:48 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-29 20:51:00 518 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Skanuj komputer.job

-- Files created between 2008-02-09 and 2008-03-09 -----------------------------
2008-03-09 21:42:14 296 --a------ C:\plik.reg
2008-03-09 19:18:13 71680 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-03-09 19:18:13 107489 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-03-09 17:57:06 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-09 17:57:06 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-09 17:57:06 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-09 17:57:06 73728 --a------ C:\WINDOWS\system32\fdsv.exe
2008-02-17 13:08:04 0 d-------- C:\Program Files\AIMP2

-- Find3M Report ---------------------------------------------------------------
2008-03-09 21:54:47 0 d-------- C:\Documents and Settings\Hubert\Dane aplikacji\Skype
2008-03-09 21:45:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-02 14:28:35 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-24 18:38:23 0 d-------- C:\Program Files\Warblade
2008-02-23 12:52:41 0 d-------- C:\Program Files\NAPI-PROJEKT
2008-02-17 11:57:45 1279 --a------ C:\WINDOWS\mozver.dat
2008-02-05 11:19:43 0 d-------- C:\Program Files\Microsoft.NET
2008-02-05 11:18:43 0 d-------- C:\Program Files\Common Files
2008-02-05 11:18:37 0 d-------- C:\Program Files\Microsoft Works
2008-02-05 11:11:53 0 d-------- C:\Program Files\AbiSuite2
2008-02-03 13:24:51 0 d-------- C:\Program Files\microsoft frontpage
2008-02-01 12:56:45 0 d-------- C:\Program Files\Invention Pilot
2008-02-01 12:21:51 0 d-------- C:\Program Files\Rekenwonder Software
2008-01-30 22:48:40 0 d-------- C:\Program Files\WordToPDF
2008-01-30 22:34:57 0 d-------- C:\Documents and Settings\Hubert\Dane aplikacji\WordToPDF
2008-01-24 20:40:08 0 d-------- C:\Program Files\PWN
2008-01-24 17:44:01 0 d-------- C:\Program Files\Gadu-Gadu
2008-01-19 00:01:23 0 d-------- C:\Documents and Settings\Hubert\Dane aplikacji\Apple Computer
2008-01-17 17:26:50 0 d-------- C:\Documents and Settings\Hubert\Dane aplikacji\AdobeUM
2008-01-17 17:26:41 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-16 16:36:17 0 d-------- C:\Documents and Settings\Hubert\Dane aplikacji\Adobe
2008-01-15 14:46:03 0 d-------- C:\Program Files\Skype
2008-01-14 22:47:53 0 d-------- C:\Program Files\QuickTime
2008-01-12 21:22:41 0 d-------- C:\Documents and Settings\Hubert\Dane aplikacji\OpenOffice.org2
2008-01-05 19:41:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-05 19:38:25 32 --ahs---- C:\WINDOWS\system32\{E06F6178-1BE3-4D59-A693-B8D97A0DE96D}.dat
2008-01-05 19:38:25 32 --ahs---- C:\WINDOWS\{644A2FBC-2FBC-4E2A-B09C-968B3FEC417B}.dat
2008-01-05 19:38:01 32 --ahs---- C:\WINDOWS\system32\{F194FEB8-A001-4448-BFF8-7D08993874D1}.dat
2008-01-05 19:38:01 32 --ahs---- C:\WINDOWS\{794D01D3-254F-42D8-9D57-24F6D9419E7D}.dat
2008-01-05 19:37:15 32 --ahs---- C:\WINDOWS\system32\{165D2A65-6D28-435E-9410-E07818B16955}.dat
2008-01-05 19:37:15 32 --ahs---- C:\WINDOWS\{32933DBC-1B8D-4644-8AC0-79556C10EA16}.dat
2008-01-05 19:35:43 32 --ahs---- C:\WINDOWS\system32\{9FF394FD-5F42-41E2-B28D-31C6A89107DF}.dat
2008-01-05 19:35:43 32 --ahs---- C:\WINDOWS\system32\{68E19A99-5B16-47F4-8CC1-329F4C6AC84E}.dat
2008-01-05 19:35:43 32 --ahs---- C:\WINDOWS\system32\{078D3026-72DC-4C21-964C-E77DA5F53377}.dat
2008-01-05 19:35:43 32 --ahs---- C:\WINDOWS\{78C6DE58-B596-4EE9-B05D-DA977AF77ED5}.dat
2008-01-05 19:35:43 32 --ahs---- C:\WINDOWS\{5FB5FAE4-B996-48C5-920C-5A7EFDC6F4FE}.dat
2008-01-05 19:35:43 32 --ahs---- C:\WINDOWS\{5C6CFBFB-F0A1-45F9-B45D-D27D857F3147}.dat
2008-01-05 19:34:00 32 --ahs---- C:\WINDOWS\system32\{1ACA7DC9-B113-4B0A-8FB2-9FC769FEE18C}.dat
2008-01-05 19:34:00 32 --ahs---- C:\WINDOWS\{7C90715E-EB50-42C9-8808-70B3A2160159}.dat
2008-01-05 19:33:51 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-05 19:15:20 62 --ahs---- C:\Documents and Settings\Hubert\Dane aplikacji\desktop.ini
2008-01-05 18:45:38 356068 --a------ C:\WINDOWS\system32\perfh015.dat
2008-01-05 18:45:38 49910 --a------ C:\WINDOWS\system32\perfc015.dat
2008-01-05 18:30:27 0 -rahs---- C:\MSDOS.SYS
2008-01-05 18:30:27 0 -rahs---- C:\IO.SYS
2008-01-05 18:30:27 0 --a------ C:\CONFIG.SYS
2008-01-05 18:30:27 0 --a------ C:\AUTOEXEC.BAT
2008-01-05 18:26:06 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-12-10 19:20]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-12-10 19:21]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SoundMan"="SOUNDMAN.EXE" [2003-04-15 08:15 C:\WINDOWS\SOUNDMAN.EXE]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-02-27 03:06]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:55]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-03-02 11:55]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

C:\Documents and Settings\Hubert\Menu Start\Programy\Autostart\
Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [2008-01-05 19:36:15]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2008-01-05 21:55:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=apitrap.dll

-- Hosts -----------------------------------------------------------------------
127.0.0.1 007guard.com
127.0.0.1 http://www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 http://www.008k.com
127.0.0.1 00hq.com
127.0.0.1 http://www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 http://www.032439.com
7898 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-03-09 21:56:57 ------------

2. extra.txt:

So that's how it looks; I don't know what to do with this thing next and I'd be very grateful for further guidance on the matter. Regards
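As an added example (not the poster's log and not code from DSS, ComboFix or any other tool in this thread), a small Python triage script over constructed lines in the DSS "Files created" / "Find3M" format. It flags hidden+system code files created under system32, the attribute pattern the log above shows for amvo.exe and amvo0.dll, and groups files written in the same second, which is how a dropper's executable and its companion DLL usually appear; legitimate hidden+system files such as C:\MSDOS.SYS or the 32-byte {GUID}.dat files are left alone. The attribute column layout (d/r/a/h/s in the first five positions) is inferred from the log and is an assumption.

```python
"""Triage DSS-style file entries: flag hidden+system code files dropped into
system32 and group files that were written in the same second."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the format Deckard's System Scanner prints; it is not
# the poster's full log. Attribute column (assumed): d r a h s then four more
# flags; '-' where a flag is clear.
SAMPLE_LOG = """\
-- Files created between 2008-02-09 and 2008-03-09 -----------------------------
2008-03-09 21:42:14 296 --a------ C:\\plik.reg
2008-03-09 19:18:13 71680 -r-hs---- C:\\WINDOWS\\system32\\amvo0.dll
2008-03-09 19:18:13 107489 -r-hs---- C:\\WINDOWS\\system32\\amvo.exe
2008-03-09 17:57:06 68096 --a------ C:\\WINDOWS\\system32\\zip.exe
2008-02-17 13:08:04 0 d-------- C:\\Program Files\\AIMP2
-- Find3M Report ---------------------------------------------------------------
2008-01-05 19:38:25 32 --ahs---- C:\\WINDOWS\\system32\\{E06F6178-1BE3-4D59-A693-B8D97A0DE96D}.dat
2008-01-05 18:45:38 356068 --a------ C:\\WINDOWS\\system32\\perfh015.dat
2008-01-05 18:30:27 0 -rahs---- C:\\MSDOS.SYS
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) "
    r"(?P<attr>[d-][r-][a-][h-][s-].{4}) "
    r"(?P<path>.+)$"
)

# Extensions that load as code. A hidden+system file with one of these in
# system32 is the pattern the log shows for amvo.exe / amvo0.dll.
CODE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Entry:
    created: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_and_system(self) -> bool:
        return self.attrs[3] == "h" and self.attrs[4] == "s"


def parse_entries(text: str) -> list[Entry]:
    """Parse every file/directory line; section headers and prose are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"]),
            attrs=m["attr"],
            path=m["path"],
        ))
    return entries


def flag_suspicious(entries: list[Entry]) -> list[Entry]:
    """Hidden+system code files under system32. Boot files like C:\\MSDOS.SYS
    are hidden+system too but sit in the drive root, and the {GUID}.dat files
    are not code, so neither is flagged."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        if (not e.is_dir and e.hidden_and_system
                and low.startswith(SYSTEM32) and low.endswith(CODE_EXT)):
            flagged.append(e)
    return flagged


def dropped_together(entries: list[Entry]) -> dict[datetime, list[str]]:
    """Group files by exact creation second. A dropper typically writes its
    executable and companion DLL in one go, so clusters of two or more files
    are worth reviewing as a unit."""
    groups: dict[datetime, list[str]] = defaultdict(list)
    for e in entries:
        if not e.is_dir:
            groups[e.created].append(e.path)
    return {ts: paths for ts, paths in groups.items() if len(paths) >= 2}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for e in flag_suspicious(ents):
        print(f"SUSPECT {e.created} {e.attrs} {e.size:>7} {e.path}")
    for ts, paths in dropped_together(ents).items():
        print(f"written together at {ts}: {', '.join(paths)}")
```

Run against a real DSS main.txt by reading the file into `parse_entries` instead of `SAMPLE_LOG`; the flags are a starting point for review, not a verdict.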


(Gutek) #4

Change in the rules for posting logs on the forum - viewtopic.php?f=16&t=213350

Use Pocket Killbox. Tick the Delete on Reboot option and in the Full Path of File to Delete field paste the path

C:\WINDOWS\system32\amvo0.dll

C:\WINDOWS\system32\amvo.exe and press the red X. The program will ask to restart the computer … so restart.