delirus
(6znakow)
31 January 2008 22:41
#1
Avast is screaming at me about a virus: C:\xn1i9x.com and c:\windows\system32\amvo0.dll, parasite name: win32:AutoRun-PD(Wrm)
I think I removed some of it with SpyBot, and here is the ComboFix log:
```
ComboFix 08-02.01.1 - Karolina 2008-01-31 23:29:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.133 [GMT 1:00]
Running from: C:\Documents and Settings\Karolina\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-30 18:24 . 2008-01-31 22:39
2008-01-28 10:17 . 2008-01-30 03:16
2008-01-28 10:17 . 2008-01-28 10:17    32         --a------    C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-01-28 10:16 . 2008-01-31 22:40
2008-01-28 10:16 . 2008-01-31 22:40
2008-01-28 10:15 . 2008-01-31 22:40
2008-01-27 19:25 . 2008-02-01 23:30    54,156     --ah-----    C:\WINDOWS\QTFont.qfn
2008-01-27 19:25 . 2008-02-01 23:30    1,409      --a------    C:\WINDOWS\QTFont.for
2008-01-21 17:42 . 2008-02-01 23:30
2008-01-21 17:42 . 2008-01-21 17:42
2008-01-21 17:42 . 2008-01-17 14:45
2008-01-21 17:42 . 2008-01-17 15:37
2008-01-21 17:42 . 2008-01-21 17:42
2008-01-21 17:42 . 2008-01-17 15:37
2008-01-21 17:42 . 2008-01-21 17:42
2008-01-21 14:13 . 2008-01-21 14:13
2008-01-21 14:13 . 2008-01-21 14:14
2008-01-21 14:12 . 2008-01-21 14:13
2008-01-21 14:11 . 1999-11-10 12:05    86,016     --a------    C:\WINDOWS\unvise32qt.exe
2008-01-21 14:07 . 2008-01-21 14:11
2008-01-21 14:07 . 2008-01-21 14:11
2008-01-21 14:06 . 2008-01-21 14:11
2008-01-20 23:33 . 2008-01-20 23:33    292        --a------    C:\WINDOWS\vtmb.ini
2008-01-20 22:37 . 2008-01-20 23:15
2008-01-20 22:33 . 2004-08-03 23:01    25,856     --a------    C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-20 22:33 . 2004-08-03 23:01    25,856     --a--c---    C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-20 22:32 . 2004-08-03 23:08    31,616     --a------    C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-20 22:32 . 2004-08-03 23:08    31,616     --a--c---    C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-20 12:22 . 2008-01-21 17:32    45         --a------    C:\TEST.XML
2008-01-20 11:07 . 2008-01-25 22:56
2008-01-20 11:07 . 2000-01-31 06:02    317,952    --a------    C:\WINDOWS\system32\Roboex32.dll
2008-01-20 11:07 . 2000-01-31 06:02    60,928     --a------    C:\WINDOWS\system32\DC265ser.ocx
2008-01-20 11:07 . 2000-01-31 06:02    59,904     --a------    C:\WINDOWS\system32\DC265ifr.ocx
2008-01-20 11:07 . 2000-01-31 06:02    58,368     --a------    C:\WINDOWS\system32\DC265usb.ocx
2008-01-20 11:07 . 2000-01-31 06:02    54,784     --a------    C:\WINDOWS\system32\Inetwh32.dll
2008-01-20 11:07 . 2000-01-31 06:02    47,104     --a------    C:\WINDOWS\system32\Wh2Robo.dll
2008-01-19 23:59 . 2008-01-29 01:44
2008-01-19 23:59 . 2008-01-29 16:41
2008-01-19 23:44 . 2008-01-19 23:44
2008-01-19 23:41 . 2008-01-19 23:41
2008-01-19 23:41 . 2008-01-19 23:44
2008-01-19 23:38 . 2008-01-17 14:43    211        --ahs----    C:\BOOT.BKK
2008-01-19 23:35 . 2008-01-19 23:35
2008-01-19 21:10 . 2008-01-30 16:57
2008-01-19 19:14 . 2008-01-16 07:54    104,863    -r-hs----    C:\juok3st.bat
2008-01-19 18:33 . 2008-01-19 18:34
2008-01-19 18:33 . 2008-01-19 18:33    5          --a------    C:\WINDOWS\system32\SndDrv32b.ini
2008-01-19 18:32 . 2008-01-31 22:27
2008-01-19 17:56 . 2008-01-19 18:24
2008-01-19 14:04 . 2008-01-19 14:05
2008-01-19 13:52 . 2008-01-19 13:52
2008-01-19 13:52 . 2008-01-19 13:52
2008-01-19 13:52 . 2008-01-19 13:52
2008-01-19 13:51 . 2008-01-19 13:51
2008-01-19 13:51 . 2008-01-19 13:52
2008-01-19 13:51 . 2007-02-22 10:15    90,624     --a------    C:\WINDOWS\system32\nmwcdcls.dll
2008-01-19 13:50 . 2008-01-19 13:50
2008-01-19 13:31 . 2008-01-19 13:32
2008-01-19 12:23 . 2008-01-19 12:50    600        --a------    C:\WINDOWS\Rtcw.INI
2008-01-19 10:36 . 2008-01-19 10:37
2008-01-19 10:36 . 1995-04-26 23:15    322,384    --a------    C:\WINDOWS\system\MFC250.DLL
2008-01-19 10:36 . 1997-06-04 16:29    271,248    --a------    C:\WINDOWS\ISUN16.EXE
2008-01-19 10:36 . 1995-04-26 22:33    146,976    --a------    C:\WINDOWS\system\MFCOLEUI.DLL
2008-01-19 10:36 . 1995-04-26 23:20    125,856    --a------    C:\WINDOWS\system\MFCO250.DLL
2008-01-19 10:36 . 1995-07-13 17:43    26,768     --a------    C:\WINDOWS\system\CTL3D.DLL
2008-01-19 10:36 . 2008-01-26 02:21    786        --a------    C:\WINDOWS\YDPDICT.INI
2008-01-19 10:35 . 2008-01-19 10:35
2008-01-18 16:20 . 2008-01-18 16:20
2008-01-18 16:20 . 2008-01-18 16:20    61         --a------    C:\WINDOWS\TEXTware.ini
2008-01-18 16:19 . 2008-01-18 16:19
2008-01-18 16:19 . 2008-01-18 16:19
2008-01-18 16:18 . 2008-01-18 16:18
2008-01-17 20:11 . 2008-01-17 20:11
2008-01-17 20:03 . 2008-01-26 11:10    69         --a------    C:\WINDOWS\NeroDigital.ini
2008-01-17 19:31 . 2005-09-01 11:03    127,488    ---------    C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-17 19:31 . 2005-09-01 11:03    5,888      ---------    C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-17 19:28 . 2008-01-17 19:28
2008-01-17 19:28 . 2006-03-23 17:15    33,536     ---------    C:\WINDOWS\system32\drivers\InCDrm.sys
2008-01-17 19:22 . 2006-03-24 11:12    59,278     ---------    C:\WINDOWS\NuNinst.cfg
2008-01-17 19:21 . 2006-03-07 16:27    3,067,904  ---------    C:\WINDOWS\NuNinst.exe
2008-01-17 19:21 . 2004-09-13 07:17    2,146,304  ---------    C:\WINDOWS\UNNMP.exe
2008-01-17 19:21 . 2006-03-23 17:15    102,016    ---------    C:\WINDOWS\system32\drivers\InCDfs.sys
2008-01-17 19:21 . 2004-10-15 11:02    52,536     ---------    C:\WINDOWS\UNNMP.cfg
2008-01-17 19:21 . 2006-03-23 17:15    29,440     ---------    C:\WINDOWS\system32\drivers\InCDpass.sys
2008-01-17 19:21 . 2006-03-23 17:00    8,704      ---------    C:\WINDOWS\system32\drivers\InCDrec.sys
2008-01-17 19:18 . 2001-07-09 10:50    155,648    --a------    C:\WINDOWS\system32\NeroCheck.exe
2008-01-17 19:16 . 2008-01-17 19:16
2008-01-17 19:16 . 2005-12-09 15:02    3,051,520  ---------    C:\WINDOWS\UNNeroVision.exe
2008-01-17 19:16 . 2004-07-26 16:16    1,568,768  ---------    C:\WINDOWS\system32\ImagX7.dll
2008-01-17 19:16 . 2004-07-26 16:16    476,320    ---------    C:\WINDOWS\system32\ImagXpr7.dll
2008-01-17 19:16 . 2004-07-26 16:16    471,040    ---------    C:\WINDOWS\system32\ImagXRA7.dll
2008-01-17 19:16 . 2004-07-09 09:43    364,544    ---------    C:\WINDOWS\system32\TwnLib4.dll
2008-01-17 19:16 . 2004-07-26 16:16    262,144    ---------    C:\WINDOWS\system32\ImagXR7.dll
2008-01-17 19:16 . 2006-01-30 14:09    156,471    ---------    C:\WINDOWS\UNNeroVision.cfg
2008-01-17 19:16 . 2001-03-08 19:30    24,064     ---------    C:\WINDOWS\system32\msxml3a.dll
2008-01-17 19:15 . 2008-01-17 19:17
2008-01-17 19:15 . 2008-01-17 19:32
2008-01-17 19:15 . 2000-06-26 10:45    106,496    --a------    C:\WINDOWS\system32\TwnLib20.dll
2008-01-17 19:15 . 2001-06-26 08:15    38,912     ---------    C:\WINDOWS\system32\picn20.dll
2008-01-17 19:14 . 2008-01-17 19:45
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 15:59    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-01-21 13:03    155,995      ----a-w    C:\WINDOWS\java\Packages\63DVVTRH.ZIP
2008-01-20 21:37    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-01-17 14:57    ---------    d-----w    C:\Program Files\Alwil Software
2008-01-17 14:47    ---------    d-----w    C:\Program Files\SiS VGA Utilities V3.82
2008-01-17 14:38    315,392      ----a-w    C:\WINDOWS\HideWin.exe
2008-01-17 14:38    ---------    d-----w    C:\Program Files\Realtek
2008-01-17 13:54    ---------    d--h--w    C:\Program Files\Uninstall Information
2008-01-17 13:49    ---------    d-----w    C:\Program Files\microsoft frontpage
2008-01-17 13:48    ---------    d-----w    C:\Program Files\Usługi online
2007-12-04 14:56    93,264       ----a-w    C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55    94,544       ----a-w    C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53    23,152       ----a-w    C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51    42,912       ----a-w    C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49    26,624       ----a-w    C:\WINDOWS\system32\drivers\aavmker4.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"WITaj!"="C:\Program Files\Witaj 2000\WIT2000.exe" [2003-04-14 17:30 872960]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"SiSPower"="SiSPower.dll" [2007-08-03 16:07 53248 C:\WINDOWS\system32\SiSPower.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-21 14:11 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

C:\Documents and Settings\Karolina\Menu Start\Programy\Autostart\
WIT2000.lnk - C:\Program Files\Witaj 2000\WIT2000.EXE [2008-01-19 18:33:01 872960]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c8dfed0-c7b8-11dc-b1fb-00a0d1c85f28}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98bc55d4-c50c-11dc-b1d8-00a0d1c85f28}]
\Shell\AutoRun\command - F:\juok3st.bat
\Shell\explore\Command - F:\juok3st.bat
\Shell\open\Command - F:\juok3st.bat
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 16:16:03 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 23:32:25
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-01 23:34:33 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-01 22:34:23
.
2008-01-19 16:58:05    --- E O F ---
```
Gutek
(Gutek)
31 January 2008 23:55
#2
delirus
(6znakow)
1 February 2008 00:25
#3
Gutek
(Gutek)
2 February 2008 21:44
#4
Paste into Notepad:
File::
C:\juok3st.bat
F:\xn1i9x.com
C:\WINDOWS\Tasks\1-Click Maintenance.job
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo.
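As an added example (not part of the thread and not Gutek's or ComboFix's code), here is the detection side of what the CFScript above removes: a small parser over the "Reg Loading Points" section of a ComboFix log that flags every MountPoints2 volume whose AutoRun, open and explore verbs were all redirected to one file, the AutoRun-worm pattern visible in the log. The sample input is constructed from the two MountPoints2 blocks and one Run key quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the MountPoints2 blocks from the log above, one key
# per line, plus an unrelated Run key to show that it is ignored.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c8dfed0-c7b8-11dc-b1fb-00a0d1c85f28}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98bc55d4-c50c-11dc-b1d8-00a0d1c85f28}]
\Shell\AutoRun\command - F:\juok3st.bat
\Shell\explore\Command - F:\juok3st.bat
\Shell\open\Command - F:\juok3st.bat
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<target>.+)$",
                     re.IGNORECASE)
HIJACK_VERBS = {"autorun", "open", "explore"}  # the verbs the worm rewrites

def parse_mountpoints(text):
    """Return {volume_guid: {verb: target}} for MountPoints2 keys in the dump."""
    found = defaultdict(dict)
    current = None  # GUID of the MountPoints2 key we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:  # a new [HKEY_...] header; only MountPoints2 volumes matter
            k = key.group("key").lower()
            guid = GUID_RE.search(k)
            current = guid.group(0) if ("mountpoints2" in k and guid) else None
            continue
        verb = VERB_RE.match(line)
        if verb and current:
            found[current][verb.group("verb").lower()] = verb.group("target").strip()
    return dict(found)

def hijacked_volumes(text):
    """Volumes whose AutoRun, open and explore verbs all launch the same file."""
    result = {}
    for guid, verbs in parse_mountpoints(text).items():
        if HIJACK_VERBS <= set(verbs):
            targets = {verbs[v] for v in HIJACK_VERBS}
            if len(targets) == 1:
                result[guid] = targets.pop()
    return result

if __name__ == "__main__":
    for guid, target in hijacked_volumes(SAMPLE).items():
        print(f"{guid}: every shell verb runs {target}")
```

A clean machine yields an empty result; the two GUIDs here map to the same F: drive files the CFScript deletes, which is why the whole mountpoints2 key is dropped with the `[-...]` line.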