Problem z Amvo.exe nie moge usunac

wiedzaradosna · 31 Marzec 2008 12:20

Witam. Bardzo proszę o zlokalizowanie Amvo.exe.

ComboFix 08-03-30.3 - mlogh 2008-03-31 10:07:20.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.130 [GMT 2:00]

Running from: C:\Documents and Settings\mlogh\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

C:\WINDOWS\system32\amvo1.dll

.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))

.

2008-03-31 10:09 . 2008-03-31 10:09 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE

2008-03-31 09:57 . 2008-03-31 09:57

2008-03-31 09:57 . 2008-03-31 09:59

2008-03-31 09:57 . 2008-03-31 09:57 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys

2008-03-31 09:49 . 2008-03-29 19:59 103,421 -r-hs---- C:\rthrw.com

2008-03-30 09:04 . 2008-03-29 19:59 103,421 -r-hs---- C:\jiwsxh39.exe

2008-03-29 09:32 . 2008-03-28 14:14 103,953 -r-hs---- C:\gjn2pjlw.exe

2008-03-08 10:21 . 2008-03-08 10:21

2008-03-08 10:21 . 1998-10-02 20:00 327,168 --a------ C:\WINDOWS\IsUninst.exe

2008-03-08 09:27 . 2008-03-08 09:27

2008-03-01 20:28 . 2008-03-31 09:57

2008-03-01 20:28 . 2008-03-01 20:28

2008-02-26 19:11 . 2008-02-26 19:11

2008-02-23 20:30 . 2008-02-23 20:30

2008-02-20 00:24 . 2008-03-31 10:02 88,768 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck

2008-02-20 00:23 . 2008-03-31 09:50 1,224 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck

2008-02-20 00:12 . 2008-02-23 17:25 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC

2008-02-20 00:11 . 2008-03-31 09:50 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys

2008-02-20 00:10 . 2008-02-20 00:10

2008-02-20 00:08 . 2008-02-20 00:08

2008-02-20 00:07 . 2008-02-20 00:07

2008-02-20 00:05 . 2008-02-20 00:05

2008-02-20 00:05 . 2007-07-12 14:49 178,872 --a------ C:\WINDOWS\system32\drivers\PavProc.sys

2008-02-20 00:05 . 2007-05-23 16:40 38,968 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys

2008-02-19 17:58 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\odhoqhvohgxu.sys

2008-02-19 17:41 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\luyhpymgkpll.sys

2008-02-18 00:52 . 2008-02-18 00:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-02-18 00:52 . 2008-02-18 00:52 1,409 --a------ C:\WINDOWS\QTFont.for

2008-02-16 21:02 . 2008-01-10 14:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll

2008-02-16 21:02 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll

2008-02-16 17:09 . 2008-02-16 17:09

2008-02-11 10:25 . 2008-03-30 18:20

2008-02-10 22:19 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\qpyjkokjpoyq.sys

2008-02-10 21:20 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\hsghbgiddifv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-31 08:02 88,768 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT

2008-03-31 07:57 --------- d-----w C:\Program Files\Windows Desktop Search

2008-03-31 07:56 --------- d-----w C:\Program Files\Gadu-Gadu

2008-03-31 07:50 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG

2008-03-18 15:54 --------- d-----w C:\Documents and Settings\mlogh\Dane aplikacji\U3

2008-03-03 09:12 --------- d-----w C:\Program Files\Elaborate Bytes

2008-03-01 20:39 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-02-19 22:07 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-02-19 22:07 --------- d-----w C:\Program Files\Panda Security

2008-02-17 22:54 --------- d-----w C:\Program Files\MSN Toolbar Suite

2008-02-17 22:53 --------- d-----w C:\Program Files\QuickTime

2008-02-17 22:51 --------- d-----w C:\Program Files\Neostrada TP

2008-02-16 19:02 --------- d-----w C:\Program Files\K-Lite Codec Pack

2008-02-10 20:16 --------- d-----w C:\Program Files\SMAC

2007-12-07 00:48 668,672 ----a-w C:\WINDOWS\system32\wininet.dll

2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{ecdee021-0d17-467f-a1ff-c7a115230949}]

2007-12-04 14:53 1502232 --a------ C:\Program Files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{ECDEE021-0D17-467F-A1FF-C7A115230949}”= “C:\Program Files\free-downloads.net\tbfree.dll” [2007-12-04 14:53 1502232]

[HKEY_CLASSES_ROOT\clsid{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

“{ECDEE021-0D17-467F-A1FF-C7A115230949}”= C:\Program Files\free-downloads.net\tbfree.dll [2007-12-04 14:53 1502232]

[HKEY_CLASSES_ROOT\clsid{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“TOSCDSPD”=“C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [2005-04-12 12:04 65536]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-05-10 16:36 2111176]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2005-12-11 21:05 344064]

“RTHDCPL”=“RTHDCPL.EXE” [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

“AGRSMMSG”=“AGRSMMSG.exe” [2006-03-18 08:22 89541 C:\WINDOWS\agrsmmsg.exe]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-04-07 16:48 761946]

“Toshiba Hotkey Utility”=“C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” [2006-08-01 10:57 1773568]

“TPSMain”=“TPSMain.exe” [2005-08-04 14:16 266240 C:\WINDOWS\system32\TPSMain.exe]

“NDSTray.exe”=“NDSTray.exe” []

“SmoothView”=“C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe” [2005-05-13 11:03 118784]

“PadTouch”=“C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe” [2005-12-22 15:34 1077329]

“DDWMon”=“C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe” [2006-04-28 11:49 262144]

“SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38 866816]

“AAWTray”=“C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe” []

“UnlockerAssistant”=“C:\Program Files\Unlocker\UnlockerAssistant.exe” []

“APVXDWIN”=“C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe” [2007-11-23 15:33 406832]

“SCANINICIO”=“C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe” [2007-07-11 15:17 27952]

“PrevxCSI”=“C:\Program Files\PrevxCSI\prevxcsi.exe” [2008-03-31 09:57 110080]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 12:00 15360]

C:\Documents and Settings\mlogh\Menu Start\Programy\Autostart\

Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 14:06:14 59080]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

“{56F9679E-7826-4C84-81F3-532071A8BCC5}”= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\eMule\emule.exe”=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-03-31 09:57]

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-09-28 14:05]

R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 09:33]

R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-11-14 18:48]

R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 11:39]

R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-10-25 09:50]

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-11-09 17:07]

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 16:40]

R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 09:33]

R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 09:33]

R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 08:44]

R2 CSIScanner;CSIScanner;“C:\Program Files\PrevxCSI\PrevxCSI.exe” /service []

R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 14:49]

R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys [2006-06-28 11:50]

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 21:42]

R3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2008-03-31 09:50]

R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-11-19 14:01]

R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 16:21]

R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 14:27]

R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys [2006-03-02 19:49]

S3 39e2fede-9758-4702-9930-b6a8cbfd1bf5;39e2fede-9758-4702-9930-b6a8cbfd1bf5;D:\Player\cds300.dll []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{2e0fcee4-c142-11dc-96b8-0016369620ab}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b02eb486-a35f-11dc-9692-0016369620ab}]

\Shell\AutoRun\command - E:\1weicxa.com

\Shell\explore\Command - E:\1weicxa.com

\Shell\open\Command - E:\1weicxa.com

*Newly Created Service* - CSISCANNER

*Newly Created Service* - PXARK

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-31 10:09:59

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-03-31 10:11:33

ComboFix-quarantined-files.txt 2008-03-31 08:11:22

Pre-Run: 2,635,558,912 bajtów wolnych

Post-Run: 2,625,060,864 bajtów wolnych

.

2008-03-12 11:14:16 — E O F —

Gutek · 31 Marzec 2008 18:57

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350

Wklej do Notatnika:

File::

C:\rthrw.com

C:\jiwsxh39.exe

C:\gjn2pjlw.exe

E:\1weicxa.com


Folder::

C:\Program Files\free-downloads.net


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{ECDEE021-0D17-467F-A1FF-C7A115230949}"=-

[-HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{ECDEE021-0D17-467F-A1FF-C7A115230949}"=-

[-HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NDSTray.exe"=-

"AAWTray"=-

"UnlockerAssistant"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo