Error - amvo.exe


(Mksluka) #1

Please check my ComboFix log:

ComboFix 08-04-14.2 - Luka 2008-04-15 17:00:16.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.577 [GMT 2:00]

Running from: C:\Documents and Settings\Luka\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR

C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR

C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL

C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL

C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL

C:\Program Files\myglobalsearch\bar\Cache\000778C7

C:\Program Files\myglobalsearch\bar\Cache\00077AEA

C:\Program Files\myglobalsearch\bar\Cache\00077C23.bin

C:\Program Files\myglobalsearch\bar\Cache\00077E36.bin

C:\Program Files\myglobalsearch\bar\Cache\0007A2C5.bin

C:\Program Files\myglobalsearch\bar\Cache\files.ini

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

D:\Autorun.inf

E:\Autorun.inf

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))

.

2008-04-12 12:22 . 2008-04-02 11:39 103,182 -r-hs---- C:\mvxm.cmd

2008-04-09 15:42 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-09 15:42 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-04 23:56 . 2008-04-04 23:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-15 15:00 --------- d-----w C:\Documents and Settings\Luka\Dane aplikacji\uTorrent

2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2008-03-18 21:30 --------- d-----w C:\Program Files\Java

2008-02-22 21:24 --------- d-----w C:\Program Files\Opera

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-12 13:49 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-07-16 11:20 35328]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2004-09-23 15:13 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\BearShare\BearShare.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"=

"E:\Half-Life 2\hl2.exe"=

"E:\Call of Duty 2\CoD2MP_s.exe"=

"C:\Program Files\mIRC\mirc.exe"=

"C:\Program Files\NAPI-PROJEKT\napisy.exe"=

"E:\Valve\Steam\Steam.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\counter-strike\hl.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\condition zero\hl.exe"=

"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10044:TCP"= 10044:TCP:BitComet 10044 TCP

"10044:UDP"= 10044:UDP:BitComet 10044 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

S1 atitray;atitray;C:\PROGRA~1\NGOATI~1.6\ATT\atitray.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eb80646-04a9-11dd-9f46-0004757b83db}]

\Shell\Auto\command - auto.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33d3d690-aa66-11db-a468-806d6172696f}]

\Shell\AutoRun\command - C:\mvxm.cmd

\Shell\explore\Command - C:\mvxm.cmd

\Shell\open\Command - C:\mvxm.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9ef8dc5-b643-11dc-9e4a-0004757b83db}]

\Shell\AutoRun\command - J:\mvxm.cmd

\Shell\explore\Command - J:\mvxm.cmd

\Shell\open\Command - J:\mvxm.cmd

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 17:01:18

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-15 17:02:01

ComboFix-quarantined-files.txt 2008-04-15 15:01:45

Pre-Run: 1,946,763,264 bajtów wolnych

Post-Run: 1,937,457,152 bajtów wolnych

Thanks in advance for the help.


(huber2t) #2

Download ComboFix, but don't run it yet

Paste into Notepad:

File::

C:\mvxm.cmd


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File -> Save as -> CFScript.txt (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here -> [animated image: 02f8f1e3c410a4cc.gif]

Removal should start and a log will be produced; post that log on the forum.

If everything goes well, after the restart manually delete the folder C:\Qoobox
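The CFScript above removes the dropper and wipes the whole MountPoints2 key, because that is where an autorun worm stores the per-volume Shell\AutoRun\command entries that relaunch it when a drive is opened. The following Python triage script is an added example, not code from this thread, from ComboFix or from its author: it reads the plain-text sections of a ComboFix log and flags the indicators huber2t reacted to (MountPoints2 autorun commands, a hidden+system file dropped in a drive root, Autorun.inf at drive roots, and Security Center notification flags set to 1). The sample log embedded in the block is constructed from fragments of the first log in this thread; the regular expressions, function names and finding labels are this example's own assumptions about the log layout. It goes slightly beyond the case above: it tolerates the backslash that forum software stripped before the volume GUID, and also checks the FirewallDisableNotify flag.

```python
"""Triage of a ComboFix log (added example; not ComboFix's own code).

The regexes, names and labels below are this example's own assumptions
about the log layout, derived from the logs pasted in this thread.
"""
import re
from dataclasses import dataclass

# Section headers look like "(((( Files Created from ... ))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# MountPoints2 subkey per volume GUID; the backslash before the brace is
# optional because forum software stripped it in the logs above.
MOUNTPOINT_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\?(\{[0-9a-f-]{36}\})\]$", re.I)
# "\Shell\AutoRun\command - J:\mvxm.cmd"
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)
# Security Center flags that silence the "no antivirus / no updates" warnings.
NOTIFY_RE = re.compile(
    r'^"((?:AntiVirus|Updates|Firewall)DisableNotify)"=dword:0*1$', re.I)
# "2008-04-12 12:22 . 2008-04-02 11:39 103,182 -r-hs---- C:\mvxm.cmd"
CREATED_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ [\d,]+ (\S{9}) ([A-Za-z]:\\.*)$")
DRIVE_ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
AUTORUN_INF_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def hijacked_volumes(log_text):
    """Map each MountPoints2 volume GUID to its (verb, command) pairs."""
    volumes, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # any registry key header
            m = MOUNTPOINT_RE.match(line)
            current = m.group(1).lower() if m else None
            if current is not None:
                volumes.setdefault(current, [])
            continue
        m = SHELL_CMD_RE.match(line)
        if m and current is not None:
            volumes[current].append((m.group(1), m.group(2)))
    return {guid: cmds for guid, cmds in volumes.items() if cmds}


def analyze(log_text):
    """Return the indicators found in a ComboFix log, in log order."""
    findings, section = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        if section.startswith("other deletions") and AUTORUN_INF_RE.match(line):
            findings.append(Finding("autorun_inf_at_root", line))
        elif section.startswith("files created"):
            m = CREATED_RE.match(line)
            if m:
                attrs, path = m.groups()
                # hidden + system file dropped directly in a drive root
                if "h" in attrs and "s" in attrs and DRIVE_ROOT_FILE_RE.match(path):
                    findings.append(Finding("hidden_system_root_file", path))
        m = NOTIFY_RE.match(line)
        if m:
            findings.append(Finding("security_center_notify_disabled", m.group(1)))
    for guid, cmds in hijacked_volumes(log_text).items():
        targets = sorted({cmd for _verb, cmd in cmds})
        findings.append(Finding("mountpoints2_autorun", f"{guid} -> {'; '.join(targets)}"))
    return findings


# Constructed sample assembled from fragments of the first log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.
2008-04-12 12:22 . 2008-04-02 11:39 103,182 -r-hs---- C:\mvxm.cmd
2008-04-09 15:42 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eb80646-04a9-11dd-9f46-0004757b83db}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f9ef8dc5-b643-11dc-9e4a-0004757b83db}]
\Shell\AutoRun\command - J:\mvxm.cmd
\Shell\explore\Command - J:\mvxm.cmd
\Shell\open\Command - J:\mvxm.cmd
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```

Run it on a saved ComboFix log by replacing SAMPLE_LOG with the file's contents; each MountPoints2 volume that still carries a Shell command after cleaning is a drive (in this thread, J:) that will reinfect the machine the next time it is plugged in and opened.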


(Mksluka) #3

This is what came out:

ComboFix 08-04-14.2 - Luka 2008-04-15 17:22:51.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.556 [GMT 2:00]

Running from: C:\Documents and Settings\Luka\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Luka\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\mvxm.cmd

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\mvxm.cmd

.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))

.

2008-04-09 15:42 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-09 15:42 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-04 23:56 . 2008-04-04 23:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-15 15:23 --------- d-----w C:\Documents and Settings\Luka\Dane aplikacji\uTorrent

2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2008-03-18 21:30 --------- d-----w C:\Program Files\Java

2008-02-22 21:24 --------- d-----w C:\Program Files\Opera

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-12 13:49 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-07-16 11:20 35328]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2004-09-23 15:13 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\BearShare\BearShare.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"=

"E:\Half-Life 2\hl2.exe"=

"E:\Call of Duty 2\CoD2MP_s.exe"=

"C:\Program Files\mIRC\mirc.exe"=

"C:\Program Files\NAPI-PROJEKT\napisy.exe"=

"E:\Valve\Steam\Steam.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\counter-strike\hl.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\condition zero\hl.exe"=

"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10044:TCP"= 10044:TCP:BitComet 10044 TCP

"10044:UDP"= 10044:UDP:BitComet 10044 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

S1 atitray;atitray;C:\PROGRA~1\NGOATI~1.6\ATT\atitray.sys []

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 17:23:39

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-15 17:24:06

ComboFix-quarantined-files.txt 2008-04-15 15:24:01

ComboFix2.txt 2008-04-15 15:02:02

Pre-Run: 2,125,664,256 bajtów wolnych

Post-Run: 2,124,107,776 bajtów wolnych


(huber2t) #4

The log is clean

Scan the computer with this: http://www.kaspersky.pl/virusscanner.html and post its log on the forum

Manually delete the folder C:\Qoobox

delete the ComboFix installer from the disk.


(Leon$) #5

Disable System Restore on all drives: http://support.microsoft.com/kb/310405/pl

Disinfect the pendrive or memory card with http://www.softpedia.com/get/Security/S … Tool.shtml or format it

Open Notepad and paste

save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

Removal should start

Then post the ComboFix removal log

:slight_smile:


(Mksluka) #6

Log from the antivirus scan:

Nazwa zainfekowanego obiektu Nazwa wirusa Ostatnie działanie

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked pominięty

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temp\Cookies\index.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temp\Historia\History.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\Luka\Cookies\index.dat Object is locked pominięty

C:\Documents and Settings\Luka\NTUSER.DAT Object is locked pominięty

C:\Documents and Settings\Luka\NTUSER.DAT.LOG Object is locked pominięty

C:\Documents and Settings\Luka\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

C:\Documents and Settings\Luka\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

C:\Documents and Settings\Luka\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\Luka\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked pominięty

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked pominięty

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked pominięty

C:\Program Files\Alwil Software\Avast4\DATA\report\Osłona rezydentna.txt Object is locked pominięty

C:\Program Files\mIRC\mirc.exe Zainfekowanych: not-a-virus:Client-IRC.Win32.mIRC.621 pominięty

C:\QooBox\Quarantine\C\autorun.inf.vir Zainfekowanych: Worm.Win32.AutoRun.dgt pominięty

C:\QooBox\Quarantine\C\mvxm.cmd.vir Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg pominięty

C:\QooBox\Quarantine\C\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL.vir Zainfekowanych: not-a-virus:AdTool.Win32.MyWebSearch.i pominięty

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg pominięty

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywf pominięty

C:\QooBox\Quarantine\D\autorun.inf.vir Zainfekowanych: Worm.Win32.AutoRun.dgt pominięty

C:\QooBox\Quarantine\E\autorun.inf.vir Zainfekowanych: Worm.Win32.AutoRun.dgt pominięty

C:\QooBox\Quarantine\F\autorun.inf.vir Zainfekowanych: Worm.Win32.AutoRun.dgt pominięty

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

C:\System Volume Information_restore{A38486E9-AE40-4E19-BA55-D10623D06382}\RP2\A0000005.cmd Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg pominięty

C:\System Volume Information_restore{A38486E9-AE40-4E19-BA55-D10623D06382}\RP2\change.log Object is locked pominięty

C:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty

C:\WINDOWS\SchedLgU.Txt Object is locked pominięty

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked pominięty

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked pominięty

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked pominięty

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked pominięty

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty

C:\WINDOWS\system32\config\default Object is locked pominięty

C:\WINDOWS\system32\config\default.LOG Object is locked pominięty

C:\WINDOWS\system32\config\SAM Object is locked pominięty

C:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty

C:\WINDOWS\system32\config\SECURITY Object is locked pominięty

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty

C:\WINDOWS\system32\config\software Object is locked pominięty

C:\WINDOWS\system32\config\software.LOG Object is locked pominięty

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty

C:\WINDOWS\system32\config\system Object is locked pominięty

C:\WINDOWS\system32\config\system.LOG Object is locked pominięty

C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked pominięty

C:\WINDOWS\system32\drivers\sptd.sys Object is locked pominięty

C:\WINDOWS\system32\drivers\sptd8941.sys Object is locked pominięty

C:\WINDOWS\system32\h323log.txt Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty

C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat Object is locked pominięty

C:\WINDOWS\Temp_avast4_\Webshlock.txt Object is locked pominięty

C:\WINDOWS\WindowsUpdate.log Object is locked pominięty

D:\Moje dokumenty+Instalki programów+\mirc621.exe/stream/data0008 Zainfekowanych: not-a-virus:Client-IRC.Win32.mIRC.621 pominięty

D:\Moje dokumenty+Instalki programów+\mirc621.exe/stream Zainfekowanych: not-a-virus:Client-IRC.Win32.mIRC.621 pominięty

D:\Moje dokumenty+Instalki programów+\mirc621.exe NSIS: zainfekowany - 2 pominięty

D:\mvxm.cmd Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg pominięty

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

D:\System Volume Information_restore{A38486E9-AE40-4E19-BA55-D10623D06382}\RP2\change.log Object is locked pominięty

E:\mvxm.cmd Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg pominięty

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

F:\mvxm.cmd Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg pominięty

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

Proces skanowania został zakończony.


(Mksluka) #7

I did as you wrote. When it finished repairing, the computer restarted itself, and after booting a log appeared, but I didn't manage to copy it and post it on the forum because the computer restarted itself again.


(Mksluka) #8

I did find the log after all; it was on drive C, at the top level:

ComboFix 08-04-14.2 - Luka 2008-04-15 18:55:11.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.569 [GMT 2:00]

Running from: C:\Documents and Settings\Luka\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Luka\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ATITRAY

-------\Service_atitray

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))

.

2008-04-15 17:33 . 2008-04-15 17:33

2008-04-15 17:33 . 2008-04-15 17:33

2008-04-09 15:42 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-09 15:42 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-04 23:56 . 2008-04-04 23:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-15 16:56 --------- d-----w C:\Documents and Settings\Luka\Dane aplikacji\uTorrent

2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2008-03-18 21:30 --------- d-----w C:\Program Files\Java

2008-02-22 21:24 --------- d-----w C:\Program Files\Opera

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

((((((((((((((((((((((((((((( snapshot@2008-04-15_17.01.34,84 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-04-15 13:58:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-04-15 16:55:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE

  • 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

  • 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

  • 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

  • 2008-04-15 16:55:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_620.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-12 13:49 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-07-16 11:20 35328]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2004-09-23 15:13 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\BearShare\BearShare.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"=

"E:\Half-Life 2\hl2.exe"=

"E:\Call of Duty 2\CoD2MP_s.exe"=

"C:\Program Files\mIRC\mirc.exe"=

"C:\Program Files\NAPI-PROJEKT\napisy.exe"=

"E:\Valve\Steam\Steam.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\counter-strike\hl.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\condition zero\hl.exe"=

"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10044:TCP"= 10044:TCP:BitComet 10044 TCP

"10044:UDP"= 10044:UDP:BitComet 10044 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 18:56:12

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2008-04-15 18:57:29 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-15 16:57:24

ComboFix2.txt 2008-04-15 15:24:07

ComboFix3.txt 2008-04-15 15:02:02

Pre-Run: 2,145,062,912 bajtów wolnych

Post-Run: 2,084,339,712 bajtów wolnych


(Leon$) #9

The log looks clean

but a few things need removing according to Kaspersky

1. delete

2. manually delete the folder C:\Qoobox, delete the ComboFix installer from the disk.

3. Disable System Restore on all drives: http://support.microsoft.com/kb/310405/pl

4. delete that installer

5. these files are to be deleted

unless you already did points 2 and 3 after the Kaspersky scan

:slight_smile:


(Mksluka) #10

Everything you wrote, Leon$, I did, except this:

D:\mvxm.cmd Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg

F:\mvxm.cmd Zainfekowanych: Trojan-PSW.Win32.OnLineGames.ywg

I don't have those files on the disk.


(Leon$) #11

From C: that file was removed by Combo, but on D: and F: I don't see it

to be sure

Download and run The Avenger tool. Check the Input script manually option and click the magnifying glass on the right. In the window that opens, paste:

Click Done, then the green light, and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum

:slight_smile:


(Gutek) #12

Follow this Topic and change the thread title to a specific one, otherwise it goes to the TRASH

Regards, Gutek2222

Change of rules for posting logs on the forum - viewtopic.php?f=16&t=213350


(Mksluka) #13

There's no Input script manually option and no magnifying glass.


(Leon$) #14

here's a description; something probably changed in the new version http://www.searchengines.pl/index.php?showtopic=12510&st=0&p=405552entry405552

:slight_smile:


(Mksluka) #15

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "D:\mvxm.cmd" deleted successfully.

File "F:\mvxm.cmd" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


(Leon$) #16

So you didn't find them, but it deleted those files

your system is clean, keep it that way

:slight_smile:


(Mksluka) #17

Thanks a lot :smiley:


(Mail) #18

Post new logs.


(huber2t) #19

Show the ComboFix log


(Mksluka) #20

Here's the log:

ComboFix 08-04-15.1 - Luka 2008-04-16 6:19:37.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.681 [GMT 2:00]

Running from: C:\Documents and Settings\Luka\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

D:\Autorun.inf

E:\Autorun.inf

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))

.

2008-04-15 21:19 . 2008-04-02 11:39 103,182 -r-hs---- C:\mvxm.cmd

2008-04-15 17:33 . 2008-04-15 17:33

2008-04-15 17:33 . 2008-04-15 17:33

2008-04-09 15:42 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-09 15:42 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-04 23:56 . 2008-04-04 23:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-16 04:19 --------- d-----w C:\Documents and Settings\Luka\Dane aplikacji\uTorrent

2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2008-03-18 21:30 --------- d-----w C:\Program Files\Java

2008-02-22 21:24 --------- d-----w C:\Program Files\Opera

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-04-12 13:49 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-07-16 11:20 35328]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2004-09-23 15:13 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\BearShare\BearShare.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"=

"E:\Half-Life 2\hl2.exe"=

"E:\Call of Duty 2\CoD2MP_s.exe"=

"C:\Program Files\NAPI-PROJEKT\napisy.exe"=

"E:\Valve\Steam\Steam.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\counter-strike\hl.exe"=

"E:\Valve\Steam\SteamApps\ukasz82\condition zero\hl.exe"=

"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10044:TCP"= 10044:TCP:BitComet 10044 TCP

"10044:UDP"= 10044:UDP:BitComet 10044 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aa1fe30-acb5-11db-9ab1-0004757b83db}]

\Shell\AutoRun\command - J:\mvxm.cmd

\Shell\explore\Command - J:\mvxm.cmd

\Shell\open\Command - J:\mvxm.cmd

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-16 06:20:35

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-16 6:21:10

ComboFix-quarantined-files.txt 2008-04-16 04:21:00

Pre-Run: 2,088,820,736 bajtów wolnych

Post-Run: 2,080,325,632 bajtów wolnych