I have a problem with amvo.exe


(Koar) #1

I probably transferred it to my computer via an external storage device. I scanned the computer. Then the ComboFix program generated this file:

ComboFix 08-04-13.3 - Arek 2008-04-14 16:16:54.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.94 [GMT 2:00]

Running from: C:\Documents and Settings\Arek\Pulpit\ComboFix.exe

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\newdotnet

C:\Program Files\newdotnet\nncore.dll

C:\Program Files\newdotnet\nnrun.exe

C:\WINDOWS\hosts

C:\WINDOWS\system32\ban_list.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NNSERV

-------\Service_NNServ

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))

.

2008-04-13 23:41 . 2008-03-01 15:02 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-04-13 23:41 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-04-13 23:41 . 2007-07-01 05:36 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-04-13 23:41 . 2008-03-01 15:02 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-04-13 23:41 . 2008-03-01 15:02 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-04-13 23:41 . 2008-03-01 15:02 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-04-13 23:41 . 2008-03-01 15:02 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-04-13 23:41 . 2008-03-01 15:02 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-04-13 23:41 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-04-13 23:40 . 2008-04-13 23:42

2008-04-11 00:06 . 2008-04-11 01:29

2008-04-10 18:23 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-04-10 18:10 . 2008-04-10 18:10

2008-04-10 18:10 . 2008-04-10 18:10

2008-04-10 17:56 . 2008-04-14 15:43

2008-04-10 17:56 . 2008-04-13 23:45 1,374 --a------ C:\WINDOWS\imsins.BAK

2008-04-10 17:46 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-04-10 17:46 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-04-10 17:46 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-04-10 17:46 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-04-09 19:26 . 2008-04-09 19:26

2008-04-09 17:55 . 2008-04-09 17:55

2008-04-09 17:55 . 2008-04-09 17:57

2008-04-09 17:54 . 2008-04-09 17:54

2008-04-09 16:00 . 2008-04-09 16:37

2008-04-09 16:00 . 2008-04-09 18:59

2008-04-07 20:59 . 2008-04-08 12:08 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db

2008-03-31 19:18 . 2008-03-31 19:18 164 --a------ C:\WINDOWS\wininit.ini

2008-03-27 20:01 . 2008-04-05 19:22 45,056 --a------ C:\WINDOWS\system32\UTSCSI.EXE

2008-03-14 16:00 . 2003-06-23 02:44 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll

2008-03-14 16:00 . 2003-08-29 01:55 423,424 --a------ C:\WINDOWS\system32\WMAVDS32.ax

2008-03-14 16:00 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-11 00:17 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\Skype

2008-04-09 16:00 --------- d-----w C:\Program Files\Norton Security Scan

2008-04-09 15:44 --------- d-----w C:\Program Files\hp deskjet 3820 series

2008-04-09 13:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 13:40 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-03-31 17:17 --------- d-----w C:\Program Files\GG Skin Manager

2008-03-31 17:17 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\Ashampoo Photo Commander 4

2008-03-29 11:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-03-09 19:39 --------- d-----w C:\Program Files\Common Files\ACD Systems

2008-03-09 14:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ashampoo

2008-02-28 13:51 20,496 -c--a-w C:\Documents and Settings\Arek\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-02-18 18:06 --------- d-----w C:\Program Files\ACD Systems

2008-02-16 12:57 --------- d-----w C:\Program Files\Common Files\Adobe

2005-11-28 17:37 37 -c--a-w C:\Documents and Settings\Arek\getfile.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

"amva"="C:\WINDOWS\system32\amvo.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2002-08-02 13:00 46592 C:\WINDOWS\SOUNDMAN.EXE]

"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-03-07 14:16 184408]

"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2008-01-16 16:45 495616]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 11:20 188416]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:44 110592 C:\WINDOWS\system32\bthprops.cpl]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\Arek\Menu Start\Programy\Autostart\

Diskeeper 9 Professional Edition Registration.lnk - C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe [2005-01-04 13:24:12 3674112]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= sockspy.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\WINDOWS\system32\dplaysvr.exe"=

"C:\Program Files\Offroad\OffRoadNormal.exe"=

"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52]

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]

S3 KS-959;MA-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-22 10:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0de589f0-0e9d-11da-b188-000d88323ea0}]

\Shell\AutoRun\command - F:\mgjpcfdg.cmd

\Shell\explore\Command - F:\mgjpcfdg.cmd

\Shell\open\Command - F:\mgjpcfdg.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{11007530-df20-11dc-b67d-0008f420b922}]

\Shell\AutoRun\command - F:\cayfq2.cmd

\Shell\explore\Command - F:\cayfq2.cmd

\Shell\open\Command - F:\cayfq2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5efe00e0-2f18-11dc-b52b-0008f420b922}]

\Shell\AutoRun\command - F:\m9j.com

\Shell\explore\Command - F:\m9j.com

\Shell\open\Command - F:\m9j.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5efe00e1-2f18-11dc-b52b-0008f420b922}]

\Shell\AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d8d61810-fce1-11dc-b6b7-0008f420b922}]

\Shell\AutoRun\command - F:\kxax.cmd

\Shell\explore\Command - F:\kxax.cmd

\Shell\open\Command - F:\kxax.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d8d61811-fce1-11dc-b6b7-0008f420b922}]

\Shell\AutoRun\command - G:\USBNB.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-04-09 16:01:00 C:\WINDOWS\Tasks\Norton Security Scan.job"

  • C:\Program Files\Norton Security Scan\Nss.exe

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-14 16:22:54

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe

  • C:\Program Files\NetLimiter\nl_lsp.dll

  • C:\WINDOWS\system32\nl_msgc.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\UTSCSI.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Completion time: 2008-04-14 16:28:30 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-14 14:28:16

Pre-Run: 3,491,033,088 bajtów wolnych

Post-Run: 3,421,888,512 bajtów wolnych

.

2008-04-14 13:46:15 --- E O F ---

Please help.


(Gutek) #2

Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

Paste into Notepad:

File::

F:\mgjpcfdg.cmd

F:\cayfq2.cmd

F:\m9j.com

F:\kxax.cmd


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amva"=-

>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

- as in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be produced).

After the restart, manually delete the folder C:\Qoobox.

After that, post a new log from Combo.
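The log in post #1 and the CFScript in post #2 together describe one workflow: spot the removable-media autorun leftovers in the 'Reg Loading Points' section, spot the Run value whose file ComboFix could not read, and write the File::/Registry:: script. As an added example that is not part of either post, the Python below parses a constructed subset of the posted log lines, flags those two kinds of entries, and renders the script in the shape Gutek gives; all function names are mine.

```python
import re
# Constructed sample: a subset of the ComboFix 'Reg Loading Points' lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"amva"="C:\WINDOWS\system32\amvo.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0de589f0-0e9d-11da-b188-000d88323ea0}]
\Shell\AutoRun\command - F:\mgjpcfdg.cmd
\Shell\open\Command - F:\mgjpcfdg.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5efe00e1-2f18-11dc-b52b-0008f420b922}]
\Shell\AutoRun\command - G:\USBNB.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(.*)\]$')  # "name"="path" [date size]
MOUNTPOINT_CMD_RE = re.compile(r"^\\Shell\\\w+\\[Cc]ommand - (.+)$")
DRIVE_ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")       # X:\file, nothing deeper

def parse_loading_points(log: str) -> dict:
    """Group the value lines of the 'Reg Loading Points' dump under their registry key."""
    keys, current = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            keys.setdefault(current, []).append(line)
    return keys

def removable_autorun_targets(keys: dict) -> list:
    """MountPoints2 commands that run a file from a drive root: the autorun cache of an infected stick."""
    cmds = [m.group(1) for key, lines in keys.items() if "mountpoints2" in key.lower()
            for line in lines if (m := MOUNTPOINT_CMD_RE.match(line))]
    return list(dict.fromkeys(c for c in cmds if DRIVE_ROOT_FILE_RE.match(c)))  # de-dup, keep order

def run_values_without_file_info(keys: dict) -> list:
    """Run values printed with empty '[]' (file unreadable at scan time): a lead to verify, not a verdict."""
    return [(key, m.group(1), m.group(2)) for key, lines in keys.items()
            if key.lower().endswith(r"\run") for line in lines
            if (m := RUN_VALUE_RE.match(line)) and m.group(3) == ""]

def build_cfscript(files: list, reg_values: list) -> str:
    """Render File:: / Registry:: blocks in the shape used in the reply (reg_values: (key, name) pairs)."""
    reg = [s for key, name in reg_values for s in (f"[{key}]", f'"{name}"=-')]
    return "\n".join(["File::", *files, "", "Registry::", *reg]) + "\n"
```

Note that the "avast!" entry is flagged alongside "amva" because both lack file metadata; the reply removes only "amva", which is why the script takes the analyst's confirmed list rather than the raw hits.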