AMVO.EXE again


(Adi Superstar) #1

Hello!!!

Like the rest of the citizenry, I have a problem with this bug. I've tried various methods, but UNFORTUNATELY they don't work. I'm VERY much asking for help!!

Below is the LOG from ComboFix

ComboFix 08-05-20.5 - Adi 2008-05-21 20:39:14.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.316 [GMT 2:00]

Running from: C:\Documents and Settings\Adi\Pulpit\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))

.

2008-11-08 20:47 . 2008-11-08 20:47

2008-05-21 20:07 . 2008-05-21 20:07

2008-05-21 20:07 . 2008-05-21 20:07 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys

2008-05-21 20:06 . 2008-11-21 21:28

2008-05-19 16:07 . 2008-01-15 10:04 104,451 -r-hs---- C:\d.com

2008-05-11 00:04 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys

2008-05-11 00:04 . 2004-08-04 00:38 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys

2008-05-10 18:04 . 2008-05-10 18:04 27,224 --a------ C:\WINDOWS\desctemp.dat

2008-05-10 03:15 . 2008-05-10 03:15

2008-05-10 03:14 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll

2008-05-10 03:13 . 2008-05-10 03:38

2008-05-10 03:13 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll

2008-05-10 03:13 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest

2008-05-08 20:46 . 2008-05-08 20:46

2008-05-08 20:42 . 2001-10-26 19:29 74,240 --a--c--- C:\WINDOWS\system32\dllcache\w3ext.dll

2008-05-08 20:41 . 2008-05-08 20:46

2008-05-04 14:05 . 2008-03-01 15:02 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-05-04 14:05 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-05-04 14:05 . 2007-03-08 07:11 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-05-04 14:05 . 2008-03-01 15:02 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-05-04 14:05 . 2008-03-01 15:02 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-05-04 14:05 . 2008-03-01 15:02 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-05-04 14:05 . 2008-03-01 15:02 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-05-04 14:05 . 2008-03-01 15:02 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-05-04 14:05 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-05-03 18:56 . 2008-05-04 15:15

2008-05-01 21:46 . 2007-11-08 20:41

2008-05-01 21:46 . 2008-05-01 21:46

2008-05-01 21:46 . 2008-05-01 21:46

2008-05-01 21:46 . 2007-09-17 13:38 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys

2008-05-01 21:46 . 2007-09-17 13:38 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys

2008-05-01 21:46 . 2007-09-17 13:38 15,872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys

2008-04-24 20:28 . 2008-11-08 20:44

2008-04-21 19:15 . 2008-04-25 22:38

2008-04-21 18:52 . 2008-04-21 18:53

2008-04-21 18:52 . 2008-04-21 19:09

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-21 18:41 --------- d-----w C:\Documents and Settings\Adi\Dane aplikacji\Skype

2008-05-02 08:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-01 10:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\UDL

2008-05-01 10:21 --------- d-----w C:\Program Files\epson

2008-04-22 19:32 --------- d-----w C:\Documents and Settings\Adi\Dane aplikacji\Winamp

2008-04-21 16:49 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-21 16:45 --------- d-----w C:\Program Files\Ashampoo

2008-04-21 16:33 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec

2008-04-21 15:27 --------- d-----w C:\Documents and Settings\Adi\Dane aplikacji\AdobeUM

2008-04-20 12:51 --------- d-----w C:\Program Files\Common Files\Real

2008-04-20 12:50 --------- d-----w C:\Program Files\SubEdit-Player

2008-04-19 16:23 --------- d-----w C:\Program Files\MSXML 6.0

2008-04-19 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-19 15:26 --------- d-----w C:\Program Files\CyberLink

2008-04-19 14:57 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-04-15 10:14 --------- d-----w C:\Documents and Settings\Adi\Dane aplikacji\Ahead

2008-04-13 17:14 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ArcaBit

2008-04-13 17:00 --------- d-----w C:\Documents and Settings\LocalService\Dane aplikacji\ArcaBit

2008-04-13 16:36 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ahead

2008-04-13 16:35 --------- d-----w C:\Program Files\Common Files\Ahead

2008-04-13 16:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Nero

2008-03-30 19:10 --------- d-----w C:\Documents and Settings\Adi\Dane aplikacji\SolidWorks

2008-03-30 14:00 --------- d-----w C:\Program Files\Winamp

2008-03-30 13:44 --------- d-----w C:\Program Files\Java

2008-03-29 22:22 --------- d-----w C:\Program Files\Common Files\Java

2008-03-23 23:30 --------- d-----w C:\Documents and Settings\Adi\Dane aplikacji\Desktop Sidebar

2008-03-22 20:57 --------- d-----w C:\Program Files\Gadu-Gadu

2008-03-22 19:57 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-03-21 12:02 --------- d-----w C:\Documents and Settings\Max\Dane aplikacji\Ahead

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34 128000]

"RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-19 00:05 630784]

"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-04-23 18:19 1189104]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 22:13 486856]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

"Skype"="D:\Program Files Secondo\Skype\Phone\Skype.exe" [2006-07-21 14:16 19953192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nForce Tray Options"="sstray.exe" [2003-08-13 06:25 73728 C:\WINDOWS\system32\sstray.exe]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52 339968]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 15:25 28672]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]

"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31 169312]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54 37376]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]

"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]

"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-10-04 15:44 1082664]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 15:25 28672]

C:\Documents and Settings\Max\Menu Start\Programy\Autostart\

Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Adi\Menu Start\Programy\Autostart\

RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]

Spis treści programu OneNote.onetoc2 [2008-02-05 01:01:58 3656]

TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]

Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]

Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 09:43:14 155648]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:00 40048]

Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:00 734872]

ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-08-25 15:25:56 28672]

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 11:28:16 1200128]

Kalendarz XP.lnk - C:\Program Files\Kalendarz XP\Kalendarz.exe [2008-04-24 20:28:46 882176]

Wyszukiwanie z pulpitu systemu Windows.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"D:\Program Files Secondo\Skype\Phone\Skype.exe"=

"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-05-21 20:07]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2007-02-01 18:50]

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2007-02-01 18:50]

R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []

S2 UMAXPCLS;Sterownik skanera portu drukowania;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 22:58]

S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\drivers\GVTDrv.sys [2008-01-02 23:32]

S3 ps_drv;ps_drv;C:\Documents and Settings\Adi\ps_drv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

\Shell\AutoRun\command - C:\d.com

\Shell\explore\Command - C:\d.com

\Shell\open\Command - C:\d.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\d.com

\Shell\explore\Command - D:\d.com

\Shell\open\Command - D:\d.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]

\Shell\AutoRun\command - L:\Setup.exe

*Newly Created Service* - CSISCANNER

*Newly Created Service* - PXARK

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-21 20:42:40

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

  • C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\explorer.exe

  • C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll

  • C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll

.

Completion time: 2008-05-21 20:43:37

ComboFix-quarantined-files.txt 2008-05-21 18:43:30

ComboFix2.txt 2007-11-08 18:37:08

Pre-Run: 15,968,620,544 bytes free

Post-Run: 15,958,855,680 bytes free

186 --- E O F --- 2008-05-10 01:46:41
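Pulling the indicators out of a log like the one above by hand is tedious, so here is an added example (not part of the original post, and not ComboFix's own code) that reads the deletions, file-list and MountPoints2 sections of a ComboFix log and flags the autorun-worm traces visible in this one: autorun.inf in a drive root, a hidden+system file sitting in a drive root, amvo*.exe/.dll components, and MountPoints2 drive keys whose open/explore verbs have been redirected. Windows caches the shell verbs from a volume's autorun.inf under that key, which is why double-clicking C: or D: re-launched C:\d.com. SAMPLE_LOG is a constructed excerpt assembled from lines that appear in the posted log; the finding names and regular expressions are the example's own.

```python
"""Triage helper for a ComboFix log: flag autorun-worm traces.

Added example for this thread; not code from the original post and not part
of ComboFix.  SAMPLE_LOG is a constructed excerpt assembled from lines that
appear in the posted log.  Finding kinds and regexes are this example's own.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf
2008-05-19 16:07 . 2008-01-15 10:04 104,451 -r-hs---- C:\d.com
2008-05-11 00:04 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\d.com
\Shell\explore\Command - C:\d.com
\Shell\open\Command - C:\d.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\d.com
\Shell\explore\Command - D:\d.com
\Shell\open\Command - D:\d.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
"""

# Drive-letter MountPoints2 key, e.g. [...\mountpoints2\C]; GUID-keyed
# entries for previously attached USB volumes are deliberately not parsed.
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\([a-z])\]$", re.IGNORECASE)
SHELL_RE = re.compile(r"^\\shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
# "Files Created" line: date time . date time size attrs path
FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ [\d,]+ (\S{9}) (\S.*)$")
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)
AMVO_RE = re.compile(r"\\amvo\d*\.(exe|dll)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_mountpoints(lines):
    """Return {drive_letter: {verb: target}} from MountPoints2 lines."""
    drives, current = {}, None
    for line in lines:
        m = MOUNTPOINT_RE.search(line)
        if m:
            current = m.group(1).upper()
            drives.setdefault(current, {})
            continue
        m = SHELL_RE.match(line)
        if m and current:
            drives[current][m.group(1).lower()] = m.group(2).strip()
    return drives


def triage(log_text):
    """Return a list of Finding objects for the worm indicators in the log."""
    findings = []
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    for line in lines:
        if AUTORUN_RE.match(line):
            findings.append(Finding("autorun_inf", line))
        elif AMVO_RE.search(line):
            findings.append(Finding("amvo_component", line))
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # Worm droppers in a drive root carry +h +s (and usually +r).
            if "h" in attrs and "s" in attrs and ROOT_FILE_RE.match(path):
                findings.append(Finding("hidden_system_root_file", path))
    for drive, verbs in sorted(parse_mountpoints(lines).items()):
        # A CD/DVD that only sets AutoRun\command is normal; open/explore
        # overrides mean a double-click on the drive launches the payload.
        if "open" in verbs or "explore" in verbs:
            target = verbs.get("open") or verbs.get("explore")
            findings.append(Finding("hijacked_drive_shell", f"{drive}: -> {target}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

E: is left alone because a disc that only sets \Shell\AutoRun\command is ordinary; C: and D: are flagged because a fixed or removable data drive has no legitimate reason to have its open and explore verbs pointed at a file in its own root.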


(Leon$) #2

Disinfect the USB stick or memory card http://www.softpedia.com/get/Security/S ... Tool.shtml or format it

Flash Disinfector http://www.searchengines.pl/index.php?s ... ntry369724

Open Notepad and paste

Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri ... iemoes.gif

Removal should begin

Then post the ComboFix removal log

:)
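The first step in the reply above, disinfecting the pendrive, is what the linked Flash Disinfector is for. As an added illustration (my code, not the tool's, and not part of the thread), the script below does the equivalent on a directory standing in for the drive root: it parses autorun.inf for the executables it would launch (open=, shellexecute=, shell\...\command=), deletes them together with autorun.inf after clearing the read-only bit, and leaves a directory named autorun.inf in place so the worm cannot write a new file of that name on the next insertion. The assumption that such tools work this way is mine; make_sample_drive() builds a constructed stand-in for a pendrive that mimics the d.com dropper seen in the log.

```python
"""Disinfect an autorun-worm infected drive root.

Added example for this thread; this is my code, not the linked Flash
Disinfector tool's, and the assumption that such tools work by deleting the
autorun.inf plus its payload and leaving an autorun.inf *directory* behind is
mine.  make_sample_drive() builds a constructed stand-in for a pendrive,
mimicking the d.com dropper seen in the posted log.
"""
import os
import re
import stat
import tempfile

# autorun.inf keys that name something to execute.  icon=/label= are ignored.
EXEC_KEY_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def referenced_payloads(inf_path):
    """Return the base names of files an autorun.inf would launch."""
    payloads = set()
    with open(inf_path, "r", errors="replace") as fh:
        for line in fh:
            m = EXEC_KEY_RE.match(line)
            if not m:
                continue
            parts = m.group(2).strip().strip('"').split()
            if parts:  # first token is the program; the rest are arguments
                payloads.add(os.path.basename(parts[0].replace("\\", "/")))
    return payloads


def force_remove(path):
    """Delete a file after clearing the read-only bit (droppers are +r +h +s)."""
    if not os.path.isfile(path):
        return False
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    os.remove(path)
    return True


def find_autorun_inf(root):
    """Case-insensitive lookup: FAT/NTFS treat Autorun.inf and autorun.inf alike."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return os.path.join(root, "autorun.inf")


def disinfect(root):
    """Remove autorun.inf and its payloads, then block re-creation.

    Returns the sorted list of names removed; empty if the drive was clean
    or already immunised (autorun.inf is already a directory)."""
    removed = []
    inf = find_autorun_inf(root)
    if os.path.isfile(inf):
        for name in referenced_payloads(inf):
            if force_remove(os.path.join(root, name)):
                removed.append(name)
        force_remove(inf)
        removed.append(os.path.basename(inf))
    if not os.path.isdir(inf):
        # A directory of the same name makes creating the file "autorun.inf"
        # fail, so the worm cannot drop a fresh one on the next insertion.
        os.mkdir(inf)
        os.chmod(inf, stat.S_IREAD | stat.S_IEXEC)
    return sorted(removed)


def listing(root):
    """{name: 'dir'|'file'} for the drive root, used to check the result."""
    return {n: ("dir" if os.path.isdir(os.path.join(root, n)) else "file")
            for n in sorted(os.listdir(root))}


def make_sample_drive():
    """Constructed fake pendrive: autorun.inf + d.com dropper + a user file."""
    root = tempfile.mkdtemp(prefix="fake_usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=d.com\nshellexecute=d.com\n"
                 "shell\\open\\Command=d.com\nshell\\explore\\Command=d.com\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    with open(os.path.join(root, "d.com"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real binary")
    os.chmod(os.path.join(root, "d.com"), stat.S_IREAD)  # mimic +r
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8 user data that must survive")
    return root


if __name__ == "__main__":
    drive = make_sample_drive()
    print("removed:", disinfect(drive))
    print("left:", listing(drive))
```

The cached verbs under HKCU\...\Explorer\MountPoints2 (the \Shell\open\Command - C:\d.com lines in the log) are the registry side of the same infection and are not touched here; they need to be deleted separately, which is the kind of thing the CFScript step in the reply takes care of.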