jak usunąć amvo.exe

[filipnba]

Witam. Nie mam pojęcia jak usunąć amvo.exe. Prosiłbym bardzo, aby ktoś sprawdził tego loga. Z góry dziękuje.

Log z ComboFix

Kod: Zaznacz wszystko

ComboFix 08-04-04.1 - user 2008-04-06 12:02:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1621 [GMT 2:00]
Running from: C:\Documents and Settings\user\Pulpit\z firefoxa\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-03-06 to 2008-04-06  )))))))))))))))))))))))))))))))
.

2008-04-05 20:52 . 2008-04-05 20:53   <DIR>   d--------   C:\Milionerzy
2008-04-05 20:51 . 2008-04-05 20:51   103,463   -r-hs----   C:\m9j.com
2008-04-05 14:59 . 2008-04-05 14:59   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-04-05 14:32 . 2008-04-05 14:32   <DIR>   d--------   C:\Program Files\MoorHunt
2008-04-04 18:58 . 2008-04-04 18:58   <DIR>   d--------   C:\Program Files\K-Lite Codec Pack
2008-04-04 18:34 . 2008-04-04 18:34   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-04 18:34 . 2008-04-04 18:34   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Tibia
2008-04-04 18:21 . 2008-04-04 18:22   <DIR>   d--------   C:\Program Files\Tibia
2008-04-03 20:23 . 2008-04-03 20:22   102,407   -r-hs----   C:\gy.cmd
2008-04-02 20:53 . 2008-04-02 20:53   <DIR>   d--------   C:\Program Files\Microsoft.NET
2008-04-02 20:53 . 2003-06-19 01:31   17,920   --a------   C:\WINDOWS\system32\mdimon.dll
2008-04-02 20:53 . 2008-04-02 20:53   421   --a------   C:\WINDOWS\ODBC.INI
2008-04-02 20:52 . 2008-04-02 20:52   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-04-02 19:33 . 2008-04-02 19:33   22,328   --a------   C:\Documents and Settings\user\Dane aplikacji\PnkBstrK.sys
2008-04-02 19:33 . 2008-04-02 19:33   319   --a------   C:\WINDOWS\game.ini
2008-04-02 18:26 . 2008-04-02 18:26   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-04-02 18:26 . 2008-04-05 08:57   107,832   --a------   C:\WINDOWS\system32\PnkBstrB.exe
2008-04-02 18:26 . 2008-04-02 21:56   66,872   --a------   C:\WINDOWS\system32\PnkBstrA.exe
2008-04-02 18:26 . 2008-04-05 08:57   22,328   --a------   C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-02 18:20 . 2008-04-02 18:20   <DIR>   d--------   C:\Documents and Settings\LocalService\Dane aplikacji\Xfire
2008-04-02 18:17 . 2008-04-02 18:17   <DIR>   d--------   C:\Documents and Settings\NetworkService\Dane aplikacji\Xfire
2008-04-02 18:16 . 2008-04-05 08:56   <DIR>   d--------   C:\Program Files\Xfire
2008-04-02 18:16 . 2008-04-05 09:18   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Xfire
2008-04-02 17:45 . 2008-04-02 19:26   <DIR>   d--------   C:\Program Files\Activision
2008-04-02 17:44 . 2008-04-02 17:44   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2008-04-02 17:42 . 2008-04-02 17:42   <DIR>   d--------   C:\Program Files\DAEMON Tools Lite
2008-04-02 17:40 . 2008-04-02 17:40   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\DAEMON Tools
2008-04-02 17:40 . 2008-04-02 17:40   717,296   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2008-04-02 16:36 . 2008-04-02 16:36   103,810   -r-hs----   C:\qwc.exe
2008-04-02 16:32 . 2008-04-02 21:20   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-04-01 22:55 . 2008-04-01 22:55   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Gadu-Gadu
2008-04-01 21:19 . 2008-04-01 21:19   <DIR>   d--------   C:\Program Files\MarBit
2008-04-01 21:02 . 2008-04-01 21:02   <DIR>   d--------   C:\Program Files\Ares
2008-04-01 20:44 . 2008-04-01 20:44   1,158   --a------   C:\WINDOWS\mozver.dat
2008-04-01 20:32 . 2008-04-01 20:32   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-04-01 20:32 . 2008-04-01 20:33   <DIR>   d--------   C:\Documents and Settings\user\Gadu-Gadu
2008-04-01 20:30 . 2008-04-01 20:31   103,084   -r-hs----   C:\6l6w8.com
2008-04-01 20:29 . 2008-04-01 20:29   0   --a------   C:\WINDOWS\nsreg.dat
2008-04-01 20:17 . 2008-04-01 20:17   <DIR>   d--------   C:\Program Files\Alwil Software
2008-04-01 20:07 . 2004-08-03 23:01   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-01 20:07 . 2004-08-03 23:01   25,856   --a--c---   C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-01 20:07 . 2008-04-01 20:07   800   --a------   C:\WINDOWS\hpinfo.lnk
2008-04-01 20:07 . 2008-04-01 20:07   740   --a------   C:\WINDOWS\reg.prm
2008-04-01 20:06 . 2008-04-01 20:06   376   --a------   C:\WINDOWS\mozregistry.dat
2008-04-01 20:05 . 2008-04-01 20:07   <DIR>   d--------   C:\Program Files\hp deskjet 656c series
2008-04-01 20:05 . 2008-04-01 20:06   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2008-04-01 20:04 . 2008-04-01 20:04   <DIR>   d--------   C:\Program Files\SAGEM
2008-04-01 20:04 . 2005-11-04 16:55   126,976   --a------   C:\WINDOWS\system32\coclassfast.dll
2008-04-01 20:02 . 2008-04-04 18:57   69   --a------   C:\WINDOWS\NeroDigital.ini
2008-04-01 14:12 . 2008-04-01 14:12   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-04-01 14:11 . 2008-04-01 14:12   <DIR>   d--------   C:\Program Files\CyberLink
2008-04-01 14:10 . 2008-04-02 16:37   <DIR>   d--------   C:\Program Files\Common Files\LightScribe
2008-04-01 14:09 . 2008-04-01 14:09   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Ahead
2008-04-01 14:08 . 2008-04-01 14:08   <DIR>   d--------   C:\Program Files\Nero
2008-04-01 14:08 . 2008-04-01 14:10   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-04-01 14:08 . 2008-04-01 14:08   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-04-01 14:05 . 2008-04-01 14:05   <DIR>   d--------   C:\WINDOWS\system32\Lang
2008-04-01 14:05 . 2008-04-01 14:05   940,794   --a------   C:\WINDOWS\system32\LoopyMusic.wav
2008-04-01 14:05 . 2008-04-01 14:05   146,650   --a------   C:\WINDOWS\system32\BuzzingBee.wav
2008-03-14 01:05 . 2008-03-14 01:05   41,296   --a------   C:\WINDOWS\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 17:33   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-01 12:11   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-04-01 12:00   15,600   ----a-w   C:\WINDOWS\gdrv.sys
2008-04-01 11:57   ---------   d-----w   C:\Program Files\My Company Name
2008-04-01 11:49   315,392   ----a-w   C:\WINDOWS\HideWin.exe
2008-04-01 11:49   ---------   d-----w   C:\Program Files\Realtek
2008-04-01 11:49   ---------   d-----w   C:\Documents and Settings\user\Dane aplikacji\InstallShield
2008-04-01 11:47   ---------   d-----w   C:\Program Files\Intel
2008-04-01 11:39   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-04-01 11:38   ---------   d-----w   C:\Program Files\Usługi online
2008-03-29 17:45   1,146,232   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:35   20,560   ----a-w   C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 17:31   75,856   ----a-w   C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 17:29   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26   26,944   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2008-03-04 10:33   7,680   ----a-w   C:\WINDOWS\system32\ff_vfw.dll
2008-01-10 11:16   159,839   ----a-w   C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 11:15   755,027   ----a-w   C:\WINDOWS\system32\xvidcore.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-07 07:51 8523776]
"nwiz"="nwiz.exe" [2007-12-07 07:51 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-07 07:51 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-12 11:16 196608]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-01 14:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a16cf428-ffee-11dc-81bd-806d6172696f}]
\Shell\AutoRun\command - F:\6l6w8.com
\Shell\explore\Command - F:\6l6w8.com
\Shell\open\Command - F:\6l6w8.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 12:02:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 12:02:57
ComboFix-quarantined-files.txt  2008-04-06 10:02:55
Pre-Run: 80,475,918,336 bajtów wolnych
Post-Run: 80,503,476,224 bajtów wolnych
.
2008-04-02 19:20:53   --- E O F --- 


[huber2t]

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

File::
C:\m9j.com
C:\gy.cmd
C:\qwc.exe
C:\6l6w8.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.
Jeśli wszystko pójdzie dobrze, to po restarcie usuń ręcznie folder C: \Qoobox

[filipnba]

Oto log z combofix:

Kod: Zaznacz wszystko

ComboFix 08-04-04.1 - user 2008-04-11 19:42:51.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1517 [GMT 2:00]
Running from: C:\Documents and Settings\user\Pulpit\z firefoxa\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Pulpit\z firefoxa\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\6l6w8.com
C:\gy.cmd
C:\m9j.com
C:\qwc.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6l6w8.com
C:\gy.cmd
C:\m9j.com
C:\qwc.exe

.
(((((((((((((((((((((((((   Files Created from 2008-03-11 to 2008-04-11  )))))))))))))))))))))))))))))))
.

2008-04-10 15:10 . 2008-04-10 15:34   <DIR>   d--------   C:\Program Files\Tibia7.6
2008-04-08 17:46 . 2008-04-08 17:46   <DIR>   d--------   C:\Program Files\City Interactive
2008-04-08 15:50 . 2008-04-11 16:46   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Hamachi
2008-04-08 15:49 . 2008-04-08 15:50   <DIR>   d--------   C:\Program Files\Hamachi
2008-04-08 15:49 . 2008-04-08 15:49   25,280   --a------   C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-06 16:17 . 2008-04-06 16:17   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Media Player Classic
2008-04-06 15:04 . 2008-04-06 16:57   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\skypePM
2008-04-06 15:04 . 2008-04-06 15:04   32   --a------   C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-04-06 15:03 . 2008-04-06 15:03   <DIR>   d--------   C:\Program Files\Skype
2008-04-06 15:03 . 2008-04-06 15:03   <DIR>   d--------   C:\Program Files\Common Files\Skype
2008-04-06 15:03 . 2008-04-06 16:59   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Skype
2008-04-06 15:03 . 2008-04-06 15:03   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-04-05 20:52 . 2008-04-05 20:53   <DIR>   d--------   C:\Milionerzy
2008-04-05 14:59 . 2008-04-05 14:59   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-04-05 14:32 . 2008-04-05 14:32   <DIR>   d--------   C:\Program Files\MoorHunt
2008-04-04 23:31 . 2008-04-04 23:31   41,296   --a------   C:\WINDOWS\system32\xfcodec.dll
2008-04-04 18:58 . 2008-04-04 18:58   <DIR>   d--------   C:\Program Files\K-Lite Codec Pack
2008-04-04 18:34 . 2008-04-04 18:34   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-04 18:34 . 2008-04-04 18:34   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Tibia
2008-04-04 18:21 . 2008-04-09 16:28   <DIR>   d--------   C:\Program Files\Tibia
2008-04-02 20:53 . 2008-04-02 20:53   <DIR>   d--------   C:\Program Files\Microsoft.NET
2008-04-02 20:53 . 2003-06-19 01:31   17,920   --a------   C:\WINDOWS\system32\mdimon.dll
2008-04-02 20:53 . 2008-04-02 20:53   421   --a------   C:\WINDOWS\ODBC.INI
2008-04-02 20:52 . 2008-04-02 20:52   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-04-02 19:33 . 2008-04-02 19:33   22,328   --a------   C:\Documents and Settings\user\Dane aplikacji\PnkBstrK.sys
2008-04-02 19:33 . 2008-04-02 19:33   319   --a------   C:\WINDOWS\game.ini
2008-04-02 18:26 . 2008-04-02 18:26   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-04-02 18:26 . 2008-04-08 16:45   107,832   --a------   C:\WINDOWS\system32\PnkBstrB.exe
2008-04-02 18:26 . 2008-04-02 21:56   66,872   --a------   C:\WINDOWS\system32\PnkBstrA.exe
2008-04-02 18:26 . 2008-04-08 16:45   22,328   --a------   C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-02 18:20 . 2008-04-02 18:20   <DIR>   d--------   C:\Documents and Settings\LocalService\Dane aplikacji\Xfire
2008-04-02 18:17 . 2008-04-02 18:17   <DIR>   d--------   C:\Documents and Settings\NetworkService\Dane aplikacji\Xfire
2008-04-02 18:16 . 2008-04-09 09:02   <DIR>   d--------   C:\Program Files\Xfire
2008-04-02 18:16 . 2008-04-10 06:34   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Xfire
2008-04-02 17:45 . 2008-04-02 19:26   <DIR>   d--------   C:\Program Files\Activision
2008-04-02 17:44 . 2008-04-02 17:44   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2008-04-02 17:42 . 2008-04-02 17:42   <DIR>   d--------   C:\Program Files\DAEMON Tools Lite
2008-04-02 17:40 . 2008-04-02 17:40   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\DAEMON Tools
2008-04-02 17:40 . 2008-04-02 17:40   717,296   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2008-04-02 16:32 . 2008-04-10 06:34   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-04-01 22:55 . 2008-04-01 22:55   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Gadu-Gadu
2008-04-01 21:19 . 2008-04-01 21:19   <DIR>   d--------   C:\Program Files\MarBit
2008-04-01 21:02 . 2008-04-01 21:02   <DIR>   d--------   C:\Program Files\Ares
2008-04-01 20:44 . 2008-04-01 20:44   1,158   --a------   C:\WINDOWS\mozver.dat
2008-04-01 20:32 . 2008-04-01 20:32   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-04-01 20:32 . 2008-04-01 20:33   <DIR>   d--------   C:\Documents and Settings\user\Gadu-Gadu
2008-04-01 20:29 . 2008-04-01 20:29   0   --a------   C:\WINDOWS\nsreg.dat
2008-04-01 20:17 . 2008-04-01 20:17   <DIR>   d--------   C:\Program Files\Alwil Software
2008-04-01 20:07 . 2004-08-03 23:01   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-01 20:07 . 2004-08-03 23:01   25,856   --a--c---   C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-01 20:07 . 2008-04-01 20:07   800   --a------   C:\WINDOWS\hpinfo.lnk
2008-04-01 20:07 . 2008-04-01 20:07   740   --a------   C:\WINDOWS\reg.prm
2008-04-01 20:06 . 2008-04-01 20:06   376   --a------   C:\WINDOWS\mozregistry.dat
2008-04-01 20:05 . 2008-04-01 20:07   <DIR>   d--------   C:\Program Files\hp deskjet 656c series
2008-04-01 20:05 . 2008-04-01 20:06   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2008-04-01 20:04 . 2008-04-01 20:04   <DIR>   d--------   C:\Program Files\SAGEM
2008-04-01 20:04 . 2005-11-04 16:55   126,976   --a------   C:\WINDOWS\system32\coclassfast.dll
2008-04-01 20:02 . 2008-04-11 19:18   69   --a------   C:\WINDOWS\NeroDigital.ini
2008-04-01 14:12 . 2008-04-01 14:12   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-04-01 14:11 . 2008-04-01 14:12   <DIR>   d--------   C:\Program Files\CyberLink
2008-04-01 14:10 . 2008-04-02 16:37   <DIR>   d--------   C:\Program Files\Common Files\LightScribe
2008-04-01 14:09 . 2008-04-01 14:09   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Ahead
2008-04-01 14:08 . 2008-04-01 14:08   <DIR>   d--------   C:\Program Files\Nero
2008-04-01 14:08 . 2008-04-01 14:10   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-04-01 14:08 . 2008-04-01 14:08   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-04-01 14:05 . 2008-04-01 14:05   <DIR>   d--------   C:\WINDOWS\system32\Lang
2008-04-01 14:05 . 2008-04-01 14:05   940,794   --a------   C:\WINDOWS\system32\LoopyMusic.wav
2008-04-01 14:05 . 2008-04-01 14:05   146,650   --a------   C:\WINDOWS\system32\BuzzingBee.wav

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 17:33   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-01 12:11   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-04-01 12:00   15,600   ----a-w   C:\WINDOWS\gdrv.sys
2008-04-01 11:57   ---------   d-----w   C:\Program Files\My Company Name
2008-04-01 11:49   315,392   ----a-w   C:\WINDOWS\HideWin.exe
2008-04-01 11:49   ---------   d-----w   C:\Program Files\Realtek
2008-04-01 11:49   ---------   d-----w   C:\Documents and Settings\user\Dane aplikacji\InstallShield
2008-04-01 11:47   ---------   d-----w   C:\Program Files\Intel
2008-04-01 11:39   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-04-01 11:38   ---------   d-----w   C:\Program Files\Usługi online
2008-03-29 17:45   1,146,232   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:35   20,560   ----a-w   C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 17:31   75,856   ----a-w   C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 17:29   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26   26,944   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2008-03-20 08:09   1,845,504   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-04 10:33   7,680   ----a-w   C:\WINDOWS\system32\ff_vfw.dll
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05   662,016   ----a-w   C:\WINDOWS\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-07 07:51 8523776]
"nwiz"="nwiz.exe" [2007-12-07 07:51 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-07 07:51 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-12 11:16 196608]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\City Interactive\\Americas Secret Operations - Close Conflict\\System\\cqc.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-01 14:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 19:43:34
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 19:43:46
ComboFix-quarantined-files.txt  2008-04-11 17:43:44
Pre-Run: 77,218,828,288 bajtów wolnych
Post-Run: 77,208,231,936 bajtów wolnych
.
2008-04-10 04:34:18   --- E O F --- 

[huber2t]

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

Driver::
VIDC.YV12


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.
Jeśli wszystko pójdzie dobrze, to po restarcie usuń ręcznie folder C: \Qoobox

[filipnba]

Oto log:

Kod: Zaznacz wszystko

ComboFix 08-04-04.1 - user 2008-04-12 11:27:03.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1615 [GMT 2:00]
Running from: C:\Documents and Settings\user\Pulpit\z firefoxa\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Pulpit\z firefoxa\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-03-12 to 2008-04-12  )))))))))))))))))))))))))))))))
.

2008-04-10 15:10 . 2008-04-10 15:34   <DIR>   d--------   C:\Program Files\Tibia7.6
2008-04-08 17:46 . 2008-04-08 17:46   <DIR>   d--------   C:\Program Files\City Interactive
2008-04-08 15:50 . 2008-04-11 16:46   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Hamachi
2008-04-08 15:49 . 2008-04-08 15:50   <DIR>   d--------   C:\Program Files\Hamachi
2008-04-08 15:49 . 2008-04-08 15:49   25,280   --a------   C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-06 16:17 . 2008-04-06 16:17   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Media Player Classic
2008-04-06 15:04 . 2008-04-06 16:57   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\skypePM
2008-04-06 15:04 . 2008-04-06 15:04   32   --a------   C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-04-06 15:03 . 2008-04-06 15:03   <DIR>   d--------   C:\Program Files\Skype
2008-04-06 15:03 . 2008-04-06 15:03   <DIR>   d--------   C:\Program Files\Common Files\Skype
2008-04-06 15:03 . 2008-04-06 16:59   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Skype
2008-04-06 15:03 . 2008-04-06 15:03   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-04-05 20:52 . 2008-04-05 20:53   <DIR>   d--------   C:\Milionerzy
2008-04-05 14:59 . 2008-04-05 14:59   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-04-05 14:32 . 2008-04-05 14:32   <DIR>   d--------   C:\Program Files\MoorHunt
2008-04-04 23:31 . 2008-04-04 23:31   41,296   --a------   C:\WINDOWS\system32\xfcodec.dll
2008-04-04 18:58 . 2008-04-04 18:58   <DIR>   d--------   C:\Program Files\K-Lite Codec Pack
2008-04-04 18:34 . 2008-04-04 18:34   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-04 18:34 . 2008-04-04 18:34   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Tibia
2008-04-04 18:21 . 2008-04-09 16:28   <DIR>   d--------   C:\Program Files\Tibia
2008-04-02 20:53 . 2008-04-02 20:53   <DIR>   d--------   C:\Program Files\Microsoft.NET
2008-04-02 20:53 . 2003-06-19 01:31   17,920   --a------   C:\WINDOWS\system32\mdimon.dll
2008-04-02 20:53 . 2008-04-02 20:53   421   --a------   C:\WINDOWS\ODBC.INI
2008-04-02 20:52 . 2008-04-02 20:52   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-04-02 19:33 . 2008-04-02 19:33   22,328   --a------   C:\Documents and Settings\user\Dane aplikacji\PnkBstrK.sys
2008-04-02 19:33 . 2008-04-02 19:33   319   --a------   C:\WINDOWS\game.ini
2008-04-02 18:26 . 2008-04-02 18:26   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-04-02 18:26 . 2008-04-08 16:45   107,832   --a------   C:\WINDOWS\system32\PnkBstrB.exe
2008-04-02 18:26 . 2008-04-02 21:56   66,872   --a------   C:\WINDOWS\system32\PnkBstrA.exe
2008-04-02 18:26 . 2008-04-08 16:45   22,328   --a------   C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-02 18:20 . 2008-04-02 18:20   <DIR>   d--------   C:\Documents and Settings\LocalService\Dane aplikacji\Xfire
2008-04-02 18:17 . 2008-04-02 18:17   <DIR>   d--------   C:\Documents and Settings\NetworkService\Dane aplikacji\Xfire
2008-04-02 18:16 . 2008-04-09 09:02   <DIR>   d--------   C:\Program Files\Xfire
2008-04-02 18:16 . 2008-04-10 06:34   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Xfire
2008-04-02 17:45 . 2008-04-02 19:26   <DIR>   d--------   C:\Program Files\Activision
2008-04-02 17:44 . 2008-04-02 17:44   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2008-04-02 17:42 . 2008-04-02 17:42   <DIR>   d--------   C:\Program Files\DAEMON Tools Lite
2008-04-02 17:40 . 2008-04-02 17:40   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\DAEMON Tools
2008-04-02 17:40 . 2008-04-02 17:40   717,296   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2008-04-02 16:32 . 2008-04-10 06:34   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-04-01 22:55 . 2008-04-01 22:55   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Gadu-Gadu
2008-04-01 21:19 . 2008-04-01 21:19   <DIR>   d--------   C:\Program Files\MarBit
2008-04-01 21:02 . 2008-04-01 21:02   <DIR>   d--------   C:\Program Files\Ares
2008-04-01 20:44 . 2008-04-01 20:44   1,158   --a------   C:\WINDOWS\mozver.dat
2008-04-01 20:32 . 2008-04-01 20:32   <DIR>   d--------   C:\Program Files\Gadu-Gadu
2008-04-01 20:32 . 2008-04-01 20:33   <DIR>   d--------   C:\Documents and Settings\user\Gadu-Gadu
2008-04-01 20:29 . 2008-04-01 20:29   0   --a------   C:\WINDOWS\nsreg.dat
2008-04-01 20:17 . 2008-04-01 20:17   <DIR>   d--------   C:\Program Files\Alwil Software
2008-04-01 20:07 . 2004-08-03 23:01   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-01 20:07 . 2004-08-03 23:01   25,856   --a--c---   C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-01 20:07 . 2008-04-01 20:07   800   --a------   C:\WINDOWS\hpinfo.lnk
2008-04-01 20:07 . 2008-04-01 20:07   740   --a------   C:\WINDOWS\reg.prm
2008-04-01 20:06 . 2008-04-01 20:06   376   --a------   C:\WINDOWS\mozregistry.dat
2008-04-01 20:05 . 2008-04-01 20:07   <DIR>   d--------   C:\Program Files\hp deskjet 656c series
2008-04-01 20:05 . 2008-04-01 20:06   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2008-04-01 20:04 . 2008-04-01 20:04   <DIR>   d--------   C:\Program Files\SAGEM
2008-04-01 20:04 . 2005-11-04 16:55   126,976   --a------   C:\WINDOWS\system32\coclassfast.dll
2008-04-01 20:02 . 2008-04-11 19:18   69   --a------   C:\WINDOWS\NeroDigital.ini
2008-04-01 14:12 . 2008-04-01 14:12   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-04-01 14:11 . 2008-04-01 14:12   <DIR>   d--------   C:\Program Files\CyberLink
2008-04-01 14:10 . 2008-04-02 16:37   <DIR>   d--------   C:\Program Files\Common Files\LightScribe
2008-04-01 14:09 . 2008-04-01 14:09   <DIR>   d--------   C:\Documents and Settings\user\Dane aplikacji\Ahead
2008-04-01 14:08 . 2008-04-01 14:08   <DIR>   d--------   C:\Program Files\Nero
2008-04-01 14:08 . 2008-04-01 14:10   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-04-01 14:08 . 2008-04-01 14:08   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-04-01 14:05 . 2008-04-01 14:05   <DIR>   d--------   C:\WINDOWS\system32\Lang
2008-04-01 14:05 . 2008-04-01 14:05   940,794   --a------   C:\WINDOWS\system32\LoopyMusic.wav
2008-04-01 14:05 . 2008-04-01 14:05   146,650   --a------   C:\WINDOWS\system32\BuzzingBee.wav

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 17:33   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-01 12:11   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-04-01 12:00   15,600   ----a-w   C:\WINDOWS\gdrv.sys
2008-04-01 11:57   ---------   d-----w   C:\Program Files\My Company Name
2008-04-01 11:49   315,392   ----a-w   C:\WINDOWS\HideWin.exe
2008-04-01 11:49   ---------   d-----w   C:\Program Files\Realtek
2008-04-01 11:49   ---------   d-----w   C:\Documents and Settings\user\Dane aplikacji\InstallShield
2008-04-01 11:47   ---------   d-----w   C:\Program Files\Intel
2008-04-01 11:39   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-04-01 11:38   ---------   d-----w   C:\Program Files\Usługi online
2008-03-29 17:45   1,146,232   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:35   20,560   ----a-w   C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 17:31   75,856   ----a-w   C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 17:29   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26   26,944   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2008-03-20 08:09   1,845,504   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-04 10:33   7,680   ----a-w   C:\WINDOWS\system32\ff_vfw.dll
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05   662,016   ----a-w   C:\WINDOWS\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-07 07:51 8523776]
"nwiz"="nwiz.exe" [2007-12-07 07:51 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-07 07:51 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-12 11:16 196608]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\City Interactive\\Americas Secret Operations - Close Conflict\\System\\cqc.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-01 14:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 11:27:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-12 11:27:58
ComboFix-quarantined-files.txt  2008-04-12 09:27:56
ComboFix2.txt  2008-04-11 17:43:47
Pre-Run: 76,071,677,952 bajtów wolnych
Post-Run: 76,071,333,888 bajtów wolnych
.
2008-04-12 08:51:00   --- E O F --- 

[huber2t]

Log jest ok


Usuń ręcznie folder C: \Qoobox
usuń instalkę Combofix z dysku.

[filipnba]

Ok. Wielkie dzięki huber2t.

[masterkick]

Ja w tej samej sprawie, czyli mam problem z amvo.exe.
Nie mam pojęcia jak to usunąć. Proszę o pomoć. Poniżej wklejam kod z Combofix.

Z góry dziękuje i sory jeśli odkopuje stary temat.

Kod: Zaznacz wszystko

ComboFix 08-05-01.3 - michał 2008-05-07 11:59:21.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.471 [GMT 2:00]
Running from: D:\install\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\v.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system\_sv_CMD_
C:\WINDOWS\system\_sv_CMD_\_U_.exe
C:\WINDOWS\system\_sv_CMD_\U.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
C:\WINDOWS\xcopy.exe
D:\Autorun.inf
F:\Autorun.inf
F:\RECYCLER\desktop.ini
F:\RECYCLER\INFO.exe
F:\RECYCLER\U.exe

.
(((((((((((((((((((((((((   Files Created from 2008-04-07 to 2008-05-07  )))))))))))))))))))))))))))))))
.

2008-05-07 11:08 . 2008-05-07 11:08   <DIR>   d--------   C:\Program Files\NeroInstall.bak
2008-05-07 11:06 . 2008-05-07 11:06   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\Nero
2008-05-07 11:03 . 2008-05-07 11:03   <DIR>   d--------   C:\Program Files\Nero
2008-05-07 11:03 . 2008-05-07 11:05   <DIR>   d--------   C:\Program Files\Common Files\Nero
2008-05-07 11:03 . 2008-05-07 11:03   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-05-04 09:50 . 2008-05-04 09:50   104,147   -r-hs----   C:\igxv.cmd
2008-04-29 22:22 . 2008-04-29 22:22   <DIR>   d--------   C:\Program Files\PITy
2008-04-27 16:37 . 2008-04-27 16:37   <DIR>   d--------   C:\WINDOWS\Sun
2008-04-26 14:27 . 2008-04-26 14:27   103,457   -r-hs----   C:\[u]0[/u]n.bat
2008-04-26 14:20 . 2008-04-26 09:06   104,161   -r-hs----   C:\1dg.exe
2008-04-19 18:25 . 2008-04-23 20:38   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\skypePM
2008-04-19 18:25 . 2008-04-19 18:25   32   --a------   C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-04-19 18:23 . 2008-04-19 18:23   <DIR>   d--------   C:\Program Files\Skype
2008-04-19 18:23 . 2008-04-19 18:23   <DIR>   d--------   C:\Program Files\Common Files\Skype
2008-04-19 18:23 . 2008-04-24 01:49   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\Skype
2008-04-19 18:22 . 2008-04-19 18:23   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-04-17 20:43 . 2008-04-17 20:43   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\MozillaControl
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Program Files\Dao 3.5
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Documents and Settings\michał\WINDOWS
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Documents and Settings\michał\WINDOWS
2008-04-17 17:05 . 1999-09-28 18:42   1,050,896   --a------   C:\WINDOWS\system32\MSJET35.DLL
2008-04-17 17:05 . 1999-08-25 11:57   415,504   --a------   C:\WINDOWS\system32\MSREPL35.DLL
2008-04-17 17:05 . 1997-04-17 00:00   368,912   --a------   C:\WINDOWS\system32\VBAR332.DLL
2008-04-17 17:05 . 1999-03-23 09:12   299,520   --a------   C:\WINDOWS\uninst.exe
2008-04-17 17:05 . 1999-05-03 10:32   252,176   --a------   C:\WINDOWS\system32\MSRD2X35.DLL
2008-04-17 17:05 . 1999-05-03 10:32   123,664   --a------   C:\WINDOWS\system32\MSJINT35.DLL
2008-04-17 17:05 . 1999-05-03 10:32   24,848   --a------   C:\WINDOWS\system32\MSJTER35.DLL
2008-04-17 17:05 . 2008-04-17 17:05   0   --a------   C:\WINDOWS\PROTOCOL.INI
2008-04-17 16:40 . 2008-04-17 16:40   <DIR>   d--------   C:\berberis_server
2008-04-17 16:37 . 2008-04-17 16:37   <DIR>   d--------   C:\Program Files\Java
2008-04-17 16:37 . 2008-04-17 16:37   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-04-17 16:37 . 2008-01-08 19:55   <DIR>   d--h-----   C:\Documents and Settings\berberis\Ustawienia lokalne
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   d--------   C:\Documents and Settings\berberis\Ulubione
2008-04-17 16:37 . 2008-01-05 21:44   <DIR>   d--h-----   C:\Documents and Settings\berberis\Szablony
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   d--------   C:\Documents and Settings\berberis\Pulpit
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   d--------   C:\Documents and Settings\berberis\Moje dokumenty
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   dr-------   C:\Documents and Settings\berberis\Menu Start
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   dr-h-----   C:\Documents and Settings\berberis\Dane aplikacji
2008-04-17 16:37 . 2008-04-17 16:37   <DIR>   d--------   C:\Documents and Settings\berberis
2008-04-17 16:37 . 2004-06-03 22:05   61,555   --a------   C:\WINDOWS\system32\jpicpl32.cpl
2008-04-17 16:37 . 2008-05-07 11:35   1,024   --ah-----   C:\Documents and Settings\berberis\ntuser.dat.LOG
2008-04-17 16:36 . 2008-04-17 16:37   <DIR>   d--------   C:\Program Files\CRM_BMS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 09:58   3,478   --sha-r   C:\WINDOWS\pagefile.sys.vbs
2008-05-07 09:58   3,478   --sha-r   C:\pagefile.sys.vbs
2008-04-27 21:20   ---------   d-----w   C:\Documents and Settings\michał\Dane aplikacji\dvdcss
2008-04-24 06:18   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\DVD Shrink
2008-04-23 17:41   ---------   d-----w   C:\Program Files\DVD Region+CSS Free
2008-04-19 23:00   ---------   d-----w   C:\Program Files\SuperDVD Player 5.1
2008-04-02 14:20   ---------   d-----w   C:\Documents and Settings\michal2\Dane aplikacji\PC Suite
2008-03-29 20:27   ---------   d-----w   C:\Documents and Settings\michał\Dane aplikacji\DVD Flick
2008-03-18 17:04   ---------   d-----w   C:\Program Files\Google AdWords Editor
2008-03-17 13:15   ---------   d-----w   C:\Program Files\PowerQuest
2008-03-09 10:17   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-28 15:38   972,072   ----a-w   C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 14:14   972,072   ----a-w   C:\WINDOWS\UNRecode.exe
2008-02-18 14:04   95,600   ----a-w   C:\WINDOWS\system32\NeroCo.dll
.

------- Sigcheck -------

2004-08-04 00:44  693248  7d46293106e58ca7878509ccc4071f2f   C:\WINDOWS\system32\wininet.dll
2004-08-04 00:44  693248  7d46293106e58ca7878509ccc4071f2f   C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-04 00:44  975872  196c130d31317fe53de984220b5e13b9   C:\WINDOWS\explorer.exe
2004-08-04 00:44  975872  196c130d31317fe53de984220b5e13b9   C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 18:52 1409024]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 13:05 212992]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 23:15 593920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 14:07 761946]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 13:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 13:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 13:17 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 12:23 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-08-16 12:21 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 12:20 53248]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 02:06 304664]
"AcerOrbicamRibbon"="C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-28 19:43 754712]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 22:12 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 22:10 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 14:46 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 15:51 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 16:58 65536]
"MSRegInfo"="C:\WINDOWS\pagefile.sys.vbs" [2008-05-07 11:58 3478]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 09:29 237568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05 32881]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\michaˆ\Menu Start\Programy\Autostart\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
Thoosje Vista Sidebar.lnk - C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe [2007-10-22 02:28:57 524288]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]
Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 09:43:14 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\phonevoip\\X-Lite\\x-lite.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2006-06-20 11:04]
R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-10-02 11:39]
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-08-16 19:42]
R2 BerbService;Berberis;C:\Program Files\CRM_BMS\berberis_server\berberis_service\bin\BerbServices.exe [2006-04-20 11:22]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d1e0be3-e45b-11dc-9e58-0016d4b2e546}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f27d245c-eae6-11dc-9e66-0016d4b2e546}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

*Newly Created Service* - CATCHME
*Newly Created Service* - NERO_BACKITUP_SCHEDULER_3
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 12:00:27
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 12:01:10
ComboFix-quarantined-files.txt  2008-05-07 10:01:06
ComboFix2.txt  2008-01-08 17:55:48

Pre-Run: 10,026,889,216 bajtów wolnych
Post-Run: 10,756,857,856 bajtów wolnych

180


[huber2t]

masterkick
Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

File::
C:\igxv.cmd
C:\0n.bat
C:\1dg.exe
C:\WINDOWS\pagefile.sys.vbs
C:\pagefile.sys.vbs

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

[masterkick]

Wielkie dzięki za szybką odpowiedź.

Zrobiłem jak kazałeś. Poniżej log:

Kod: Zaznacz wszystko

ComboFix 08-05-01.3 - michał 2008-05-07 18:08:52.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.348 [GMT 2:00]
Running from: C:\Documents and Settings\michał\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\michał\Pulpit\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\[u]0[/u]n.bat
C:\1dg.exe
C:\igxv.cmd
C:\pagefile.sys.vbs
C:\WINDOWS\pagefile.sys.vbs
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\[u]0[/u]n.bat
C:\1dg.exe
C:\igxv.cmd
C:\pagefile.sys.vbs
C:\WINDOWS\pagefile.sys.vbs

.
(((((((((((((((((((((((((   Files Created from 2008-04-07 to 2008-05-07  )))))))))))))))))))))))))))))))
.

2008-05-07 12:24 . 2008-05-07 15:12   69   --a------   C:\WINDOWS\NeroDigital.ini
2008-05-07 12:10 . 2008-05-07 12:10   <DIR>   d--------   C:\Documents and Settings\michab
2008-05-07 11:08 . 2008-05-07 11:08   <DIR>   d--------   C:\Program Files\NeroInstall.bak
2008-05-07 11:06 . 2008-05-07 11:06   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\Nero
2008-05-07 11:03 . 2008-05-07 11:03   <DIR>   d--------   C:\Program Files\Nero
2008-05-07 11:03 . 2008-05-07 11:05   <DIR>   d--------   C:\Program Files\Common Files\Nero
2008-05-07 11:03 . 2008-05-07 11:03   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-04-29 22:22 . 2008-04-29 22:22   <DIR>   d--------   C:\Program Files\PITy
2008-04-27 16:37 . 2008-04-27 16:37   <DIR>   d--------   C:\WINDOWS\Sun
2008-04-19 18:25 . 2008-04-23 20:38   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\skypePM
2008-04-19 18:25 . 2008-04-19 18:25   32   --a------   C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-04-19 18:23 . 2008-04-19 18:23   <DIR>   d--------   C:\Program Files\Skype
2008-04-19 18:23 . 2008-04-19 18:23   <DIR>   d--------   C:\Program Files\Common Files\Skype
2008-04-19 18:23 . 2008-04-24 01:49   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\Skype
2008-04-19 18:22 . 2008-04-19 18:23   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-04-17 20:43 . 2008-04-17 20:43   <DIR>   d--------   C:\Documents and Settings\michał\Dane aplikacji\MozillaControl
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Program Files\Dao 3.5
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Documents and Settings\michał\WINDOWS
2008-04-17 17:05 . 2008-04-17 17:05   <DIR>   d--------   C:\Documents and Settings\michał\WINDOWS
2008-04-17 17:05 . 1999-09-28 18:42   1,050,896   --a------   C:\WINDOWS\system32\MSJET35.DLL
2008-04-17 17:05 . 1999-08-25 11:57   415,504   --a------   C:\WINDOWS\system32\MSREPL35.DLL
2008-04-17 17:05 . 1997-04-17 00:00   368,912   --a------   C:\WINDOWS\system32\VBAR332.DLL
2008-04-17 17:05 . 1999-03-23 09:12   299,520   --a------   C:\WINDOWS\uninst.exe
2008-04-17 17:05 . 1999-05-03 10:32   252,176   --a------   C:\WINDOWS\system32\MSRD2X35.DLL
2008-04-17 17:05 . 1999-05-03 10:32   123,664   --a------   C:\WINDOWS\system32\MSJINT35.DLL
2008-04-17 17:05 . 1999-05-03 10:32   24,848   --a------   C:\WINDOWS\system32\MSJTER35.DLL
2008-04-17 17:05 . 2008-04-17 17:05   0   --a------   C:\WINDOWS\PROTOCOL.INI
2008-04-17 16:40 . 2008-04-17 16:40   <DIR>   d--------   C:\berberis_server
2008-04-17 16:37 . 2008-04-17 16:37   <DIR>   d--------   C:\Program Files\Java
2008-04-17 16:37 . 2008-04-17 16:37   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-04-17 16:37 . 2008-01-08 19:55   <DIR>   d--h-----   C:\Documents and Settings\berberis\Ustawienia lokalne
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   d--------   C:\Documents and Settings\berberis\Ulubione
2008-04-17 16:37 . 2008-01-05 21:44   <DIR>   d--h-----   C:\Documents and Settings\berberis\Szablony
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   d--------   C:\Documents and Settings\berberis\Pulpit
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   d--------   C:\Documents and Settings\berberis\Moje dokumenty
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   dr-------   C:\Documents and Settings\berberis\Menu Start
2008-04-17 16:37 . 2008-01-05 22:15   <DIR>   dr-h-----   C:\Documents and Settings\berberis\Dane aplikacji
2008-04-17 16:37 . 2008-04-17 16:37   <DIR>   d--------   C:\Documents and Settings\berberis
2008-04-17 16:37 . 2004-06-03 22:05   61,555   --a------   C:\WINDOWS\system32\jpicpl32.cpl
2008-04-17 16:37 . 2008-05-07 11:35   1,024   --ah-----   C:\Documents and Settings\berberis\ntuser.dat.LOG
2008-04-17 16:36 . 2008-04-17 16:37   <DIR>   d--------   C:\Program Files\CRM_BMS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 13:15   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\DVD Shrink
2008-04-27 21:20   ---------   d-----w   C:\Documents and Settings\michał\Dane aplikacji\dvdcss
2008-04-23 17:41   ---------   d-----w   C:\Program Files\DVD Region+CSS Free
2008-04-19 23:00   ---------   d-----w   C:\Program Files\SuperDVD Player 5.1
2008-04-02 14:20   ---------   d-----w   C:\Documents and Settings\michal2\Dane aplikacji\PC Suite
2008-03-29 20:27   ---------   d-----w   C:\Documents and Settings\michał\Dane aplikacji\DVD Flick
2008-03-18 17:04   ---------   d-----w   C:\Program Files\Google AdWords Editor
2008-03-17 13:15   ---------   d-----w   C:\Program Files\PowerQuest
2008-03-09 10:17   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-28 15:38   972,072   ----a-w   C:\WINDOWS\UNNeroMediaHome.exe
2008-02-26 14:14   972,072   ----a-w   C:\WINDOWS\UNRecode.exe
2008-02-18 14:04   95,600   ----a-w   C:\WINDOWS\system32\NeroCo.dll
.

------- Sigcheck -------

2004-08-04 00:44  693248  7d46293106e58ca7878509ccc4071f2f   C:\WINDOWS\system32\wininet.dll
2004-08-04 00:44  693248  7d46293106e58ca7878509ccc4071f2f   C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-04 00:44  975872  196c130d31317fe53de984220b5e13b9   C:\WINDOWS\explorer.exe
2004-08-04 00:44  975872  196c130d31317fe53de984220b5e13b9   C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 18:52 1409024]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 23:15 593920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 14:07 761946]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 13:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 13:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 13:17 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 12:23 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-08-16 12:21 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 12:20 53248]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 02:06 304664]
"AcerOrbicamRibbon"="C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-28 19:43 754712]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 22:12 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 22:10 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 14:46 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 15:51 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 16:58 65536]
"MSRegInfo"="C:\WINDOWS\pagefile.sys.vbs" [ ]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 09:29 237568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05 32881]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\michaˆ\Menu Start\Programy\Autostart\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
Thoosje Vista Sidebar.lnk - C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe [2007-10-22 02:28:57 524288]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]
Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 09:43:14 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\phonevoip\\X-Lite\\x-lite.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2006-06-20 11:04]
R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-10-02 11:39]
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-08-16 19:42]
R2 BerbService;Berberis;C:\Program Files\CRM_BMS\berberis_server\berberis_service\bin\BerbServices.exe [2006-04-20 11:22]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]

*Newly Created Service* - CATCHME
*Newly Created Service* - NERO_BACKITUP_SCHEDULER_3
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 18:09:58
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 18:10:40
ComboFix-quarantined-files.txt  2008-05-07 16:10:36
ComboFix2.txt  2008-05-07 10:01:10
ComboFix3.txt  2008-01-08 17:55:48

Pre-Run: 6,302,416,896 bajtów wolnych
Post-Run: 6,292,758,528 bajtów wolnych

165


I jak?

[huber2t]

Log wyglada na czysty

Usuń ręcznie folder C: \Qoobox

Usuń instalkę Combofix z dysku.

Wykonaj optymalizację autostartu

Wykonaj optymalizację link zostal usuniety!

Wyłącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj komputer tym (uruchom przez IE) http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

Włącz przywracanie systemu na wszystkich dyskach. Instrukcja

[pykoo]

witam ja tez mam problem z amvo mimo ze tydzin temu robilem gruntowny format musial sie on zagniezdic na dysku d
oto lgo z combofix'a

i jeszcze pytanie czemu wszystkim karzesz pobierac combofix'a skoro kazdy daje z niego logi czy jest on jednorazowego uzytku??
musze pobrac go jeszcze raz a tego co pobralem 10 minut temu do zrobienia log mam usunac??

Kod: Zaznacz wszystko

ComboFix 08-05-08.1 - pykoo 2008-05-09 17:31:32.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.204 [GMT 2:00]
Running from: C:\Documents and Settings\pykoo\Pulpit\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-04-09 to 2008-05-09  )))))))))))))))))))))))))))))))
.

2008-05-05 18:06 . 2008-05-05 18:06   <DIR>   d--------   C:\DESKJET
2008-05-05 18:04 . 2008-05-05 18:04   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-05-05 16:56 . 2004-08-03 23:01   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-05 16:56 . 2004-08-03 23:01   25,856   --a--c---   C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-02 17:24 . 2008-05-02 17:24   <DIR>   d--------   C:\Logs
2008-05-02 16:46 . 2008-05-02 16:46   <DIR>   d--------   C:\Documents and Settings\pykoo\Dane aplikacji\Ahead
2008-05-02 14:53 . 2008-05-02 14:53   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2008-05-01 22:41 . 2008-05-01 22:42   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
2008-05-01 22:12 . 2008-05-01 22:54   <DIR>   d--------   C:\Program Files\Norton Ghost
2008-05-01 22:11 . 2008-05-01 22:11   <DIR>   d--------   C:\Program Files\Symantec
2008-05-01 22:11 . 2008-05-01 22:55   <DIR>   d--------   C:\Program Files\Common Files\Symantec Shared
2008-05-01 22:11 . 2008-05-01 22:36   <DIR>   d--------   C:\Documents and Settings\pykoo\Dane aplikacji\Symantec
2008-05-01 22:11 . 2008-05-01 22:54   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-05-01 22:05 . 2008-05-02 16:58   <DIR>   d--------   C:\Program Files\FlashGet
2008-05-01 22:05 . 2004-08-03 23:14   359,040   --a------   C:\WINDOWS\system32\drivers\tcpip.sys.flg
2008-05-01 21:21 . 2008-05-01 21:21   <DIR>   d--------   C:\Program Files\IrfanView
2008-05-01 20:53 . 2008-05-01 20:53   <DIR>   d--------   C:\Program Files\LightSurf
2008-05-01 20:51 . 1998-10-29 16:45   306,688   --a------   C:\WINDOWS\IsUninst.exe
2008-05-01 20:17 . 2008-05-01 20:18   <DIR>   d--------   C:\Program Files\KonnektPlus
2008-05-01 20:15 . 2008-05-01 20:15   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
2008-05-01 19:52 . 2008-05-01 19:52   <DIR>   d--------   C:\WINDOWS\nview
2008-05-01 19:52 . 2007-12-05 01:41   356,352   --a------   C:\WINDOWS\system32\nvudisp.exe
2008-05-01 19:52 . 2008-05-01 19:53   163,353   --a------   C:\WINDOWS\system32\nvapps.xml
2008-05-01 19:52 . 2007-12-05 01:41   17,737   --a------   C:\WINDOWS\system32\nvdisp.nvu
2008-05-01 19:51 . 2008-05-01 19:51   <DIR>   d--------   C:\NVIDIA
2008-05-01 19:51 . 2007-12-05 02:53   356,352   --a------   C:\WINDOWS\system32\NVUNINST.EXE
2008-05-01 19:48 . 2008-05-01 19:48   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-05-01 19:48 . 2008-05-01 19:48   <DIR>   d--------   C:\Program Files\Ahead
2008-05-01 19:48 . 2001-07-06 14:41   569,344   --a------   C:\WINDOWS\system32\imagr5.dll
2008-05-01 19:48 . 2001-07-06 12:44   544,768   --a------   C:\WINDOWS\system32\imagx5.dll
2008-05-01 19:48 . 2001-07-06 18:24   283,920   --a------   C:\WINDOWS\system32\ImagXpr5.dll
2008-05-01 19:48 . 2001-07-09 11:50   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2008-05-01 19:48 . 2000-06-26 11:45   106,496   --a------   C:\WINDOWS\system32\TwnLib20.dll
2008-05-01 19:48 . 2001-06-26 08:15   38,912   --a------   C:\WINDOWS\system32\picn20.dll
2008-05-01 19:48 . 2008-05-01 19:48   1,024   --ah-----   C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-05-01 19:45 . 2008-05-01 19:45   2,301   --a------   C:\WINDOWS\mozver.dat
2008-05-01 19:41 . 2008-05-01 19:42   <DIR>   d--------   C:\Program Files\DivX
2008-05-01 19:36 . 2008-05-01 19:36   <DIR>   d--------   C:\Program Files\AC3Filter
2008-05-01 19:36 . 2007-08-18 09:54   380,928   --a------   C:\WINDOWS\system32\ac3filter.acm
2008-05-01 19:30 . 2008-05-01 19:30   <DIR>   d--------   C:\Program Files\Xvid
2008-05-01 19:30 . 2007-06-28 18:52   765,952   --a------   C:\WINDOWS\system32\xvidcore.dll
2008-05-01 19:30 . 2007-06-28 18:54   180,224   --a------   C:\WINDOWS\system32\xvidvfw.dll
2008-05-01 19:30 . 2007-06-28 18:55   77,824   --a------   C:\WINDOWS\system32\xvid.ax
2008-05-01 18:55 . 2008-05-01 18:56   <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-05-01 18:05 . 2008-05-01 23:01   1,224   --a------   C:\WINDOWS\bestplayer.ini
2008-05-01 18:05 . 2008-05-01 23:01   57   --a------   C:\WINDOWS\bestplayer.bpp
2008-05-01 18:05 . 2008-05-01 23:01   0   --a------   C:\WINDOWS\bestplayer.bbt
2008-05-01 17:55 . 2008-05-01 17:55   <DIR>   d--------   C:\Program Files\Alcohol Soft
2008-05-01 17:47 . 2008-05-01 17:47   <DIR>   d--------   C:\Program Files\DAEMON Tools
2008-05-01 17:47 . 2008-05-01 20:10   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\stamina
2008-05-01 17:45 . 2008-05-01 17:53   639,224   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2008-05-01 17:43 . 2008-05-01 17:43   <DIR>   d--------   C:\Program Files\eMule
2008-05-01 17:42 . 2008-05-01 17:42   <DIR>   d--------   C:\Program Files\foobar2000
2008-05-01 17:42 . 2008-05-07 18:05   <DIR>   d--------   C:\Documents and Settings\pykoo\Dane aplikacji\foobar2000
2008-05-01 17:37 . 2008-05-01 17:37   0   --a------   C:\WINDOWS\nsreg.dat
2008-05-01 17:36 . 2008-05-01 17:37   <DIR>   d--------   C:\Program Files\BitComet
2008-05-01 17:02 . 2008-05-01 19:04   14   --a------   C:\WINDOWS\system32\getfile.dat
2008-05-01 15:54 . 2003-06-19 01:31   17,920   --a------   C:\WINDOWS\system32\mdimon.dll
2008-05-01 15:54 . 2008-05-01 15:54   421   --a------   C:\WINDOWS\ODBC.INI
2008-05-01 15:53 . 2008-05-01 15:53   <DIR>   d--------   C:\Program Files\Microsoft.NET
2008-05-01 15:52 . 2008-05-01 15:53   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-05-01 15:52 . 2008-05-01 15:52   <DIR>   d--------   C:\Program Files\Microsoft Works
2008-05-01 15:29 . 2008-05-01 16:13   <DIR>   d--h-----   C:\Program Files\InstallShield Installation Information
2008-05-01 15:29 . 2008-05-01 15:29   <DIR>   d--------   C:\Program Files\Analog Devices
2008-05-01 15:28 . 2008-05-01 22:11   <DIR>   d--------   C:\Program Files\Common Files\InstallShield
2008-05-01 15:17 . 2000-03-29 08:17   5,824   --a------   C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-01 15:17 . 2008-05-01 16:44   3,366   --a------   C:\WINDOWS\Ascd_tmp.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 14:58   ---------   d-----w   C:\Program Files\Opera
2008-05-01 14:16   ---------   d-----w   C:\Program Files\Neostrada TP
2008-05-01 14:13   ---------   d-----w   C:\Program Files\Thomson
2008-05-01 12:52   ---------   d-----w   C:\Program Files\Softwin
2008-05-01 12:52   ---------   d-----w   C:\Program Files\Common Files\Softwin
2008-05-01 12:30   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-05-01 12:28   ---------   d-----w   C:\Program Files\Usługi online
2008-03-31 21:25   831,488   ----a-w   C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25   161,096   ----a-w   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30   9,464   ------w   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-21 20:30   9,336   ------w   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-21 20:30   43,528   ------w   C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-03-21 20:30   129,784   ------w   C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30   120,056   ------w   C:\WINDOWS\system32\pxcpyi64.exe
2008-03-21 20:30   118,520   ------w   C:\WINDOWS\system32\pxinsi64.exe
2008-03-21 11:13   102,536   --sh--r   C:\v.com
2003-07-17 02:26   448,640   ----a-w   C:\WINDOWS\inf\EL2K_N64.sys
2003-07-17 02:22   147,328   ----a-w   C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 07:47   147,328   ----a-w   C:\WINDOWS\inf\EL2K_2K.sys
.

------- Sigcheck -------

2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c   C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14  359040  6a603809f598332dbedd535bdbce313e   C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\WINDOWS\TBPanel.exe" [2004-02-11 08:49 2015232]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2005-10-11 11:28 360448]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:53 90112]
"BDNewsAgent"="C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe" [2005-06-09 10:28 9728]
"BDSwitchAgent"="C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe" [2005-04-06 13:09 33280]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 22:09 157592]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\KonnektPlus\\konnekt.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27308:TCP"= 27308:TCP:BitComet 27308 TCP
"27308:UDP"= 27308:UDP:BitComet 27308 UDP

R2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys [2005-07-28 15:42]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 17:32:37
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-09 17:33:08
ComboFix-quarantined-files.txt  2008-05-09 15:33:05

Pre-Run: 7,882,547,200 bajtów wolnych
Post-Run: 7,906,623,488 bajtów wolnych

161


[/code]

[huber2t]

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

File::
C:\v.com


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

[pykoo]

oto i log po przeprowadzeniu podanego przez ciebie procesu

Kod: Zaznacz wszystko

ComboFix 08-05-08.1 - pykoo 2008-05-09 17:53:40.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.199 [GMT 2:00]
Running from: C:\Documents and Settings\pykoo\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\pykoo\Pulpit\CFScript.txt
 * Created a new restore point
 * Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\v.com
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\v.com

.
(((((((((((((((((((((((((   Files Created from 2008-04-09 to 2008-05-09  )))))))))))))))))))))))))))))))
.

2008-05-05 18:06 . 2008-05-05 18:06   <DIR>   d--------   C:\DESKJET
2008-05-05 18:04 . 2008-05-05 18:04   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-05-05 16:56 . 2004-08-03 23:01   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-05 16:56 . 2004-08-03 23:01   25,856   --a--c---   C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-02 17:24 . 2008-05-02 17:24   <DIR>   d--------   C:\Logs
2008-05-02 16:46 . 2008-05-02 16:46   <DIR>   d--------   C:\Documents and Settings\pykoo\Dane aplikacji\Ahead
2008-05-02 14:53 . 2008-05-02 14:53   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2008-05-01 22:41 . 2008-05-01 22:42   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
2008-05-01 22:12 . 2008-05-01 22:54   <DIR>   d--------   C:\Program Files\Norton Ghost
2008-05-01 22:11 . 2008-05-01 22:11   <DIR>   d--------   C:\Program Files\Symantec
2008-05-01 22:11 . 2008-05-01 22:55   <DIR>   d--------   C:\Program Files\Common Files\Symantec Shared
2008-05-01 22:11 . 2008-05-01 22:36   <DIR>   d--------   C:\Documents and Settings\pykoo\Dane aplikacji\Symantec
2008-05-01 22:11 . 2008-05-01 22:54   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-05-01 22:05 . 2008-05-02 16:58   <DIR>   d--------   C:\Program Files\FlashGet
2008-05-01 22:05 . 2004-08-03 23:14   359,040   --a------   C:\WINDOWS\system32\drivers\tcpip.sys.flg
2008-05-01 21:21 . 2008-05-01 21:21   <DIR>   d--------   C:\Program Files\IrfanView
2008-05-01 20:53 . 2008-05-01 20:53   <DIR>   d--------   C:\Program Files\LightSurf
2008-05-01 20:51 . 1998-10-29 16:45   306,688   --a------   C:\WINDOWS\IsUninst.exe
2008-05-01 20:17 . 2008-05-01 20:18   <DIR>   d--------   C:\Program Files\KonnektPlus
2008-05-01 20:15 . 2008-05-01 20:15   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
2008-05-01 19:52 . 2008-05-01 19:52   <DIR>   d--------   C:\WINDOWS\nview
2008-05-01 19:52 . 2007-12-05 01:41   356,352   --a------   C:\WINDOWS\system32\nvudisp.exe
2008-05-01 19:52 . 2008-05-01 19:53   163,353   --a------   C:\WINDOWS\system32\nvapps.xml
2008-05-01 19:52 . 2007-12-05 01:41   17,737   --a------   C:\WINDOWS\system32\nvdisp.nvu
2008-05-01 19:51 . 2008-05-01 19:51   <DIR>   d--------   C:\NVIDIA
2008-05-01 19:51 . 2007-12-05 02:53   356,352   --a------   C:\WINDOWS\system32\NVUNINST.EXE
2008-05-01 19:48 . 2008-05-01 19:48   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-05-01 19:48 . 2008-05-01 19:48   <DIR>   d--------   C:\Program Files\Ahead
2008-05-01 19:48 . 2001-07-06 14:41   569,344   --a------   C:\WINDOWS\system32\imagr5.dll
2008-05-01 19:48 . 2001-07-06 12:44   544,768   --a------   C:\WINDOWS\system32\imagx5.dll
2008-05-01 19:48 . 2001-07-06 18:24   283,920   --a------   C:\WINDOWS\system32\ImagXpr5.dll
2008-05-01 19:48 . 2001-07-09 11:50   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2008-05-01 19:48 . 2000-06-26 11:45   106,496   --a------   C:\WINDOWS\system32\TwnLib20.dll
2008-05-01 19:48 . 2001-06-26 08:15   38,912   --a------   C:\WINDOWS\system32\picn20.dll
2008-05-01 19:48 . 2008-05-01 19:48   1,024   --ah-----   C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-05-01 19:45 . 2008-05-01 19:45   2,301   --a------   C:\WINDOWS\mozver.dat
2008-05-01 19:41 . 2008-05-01 19:42   <DIR>   d--------   C:\Program Files\DivX
2008-05-01 19:36 . 2008-05-01 19:36   <DIR>   d--------   C:\Program Files\AC3Filter
2008-05-01 19:36 . 2007-08-18 09:54   380,928   --a------   C:\WINDOWS\system32\ac3filter.acm
2008-05-01 19:30 . 2008-05-01 19:30   <DIR>   d--------   C:\Program Files\Xvid
2008-05-01 19:30 . 2007-06-28 18:52   765,952   --a------   C:\WINDOWS\system32\xvidcore.dll
2008-05-01 19:30 . 2007-06-28 18:54   180,224   --a------   C:\WINDOWS\system32\xvidvfw.dll
2008-05-01 19:30 . 2007-06-28 18:55   77,824   --a------   C:\WINDOWS\system32\xvid.ax
2008-05-01 18:55 . 2008-05-01 18:56   <DIR>   d--------   C:\Program Files\Common Files\Adobe
2008-05-01 18:05 . 2008-05-01 23:01   1,224   --a------   C:\WINDOWS\bestplayer.ini
2008-05-01 18:05 . 2008-05-01 23:01   57   --a------   C:\WINDOWS\bestplayer.bpp
2008-05-01 18:05 . 2008-05-01 23:01   0   --a------   C:\WINDOWS\bestplayer.bbt
2008-05-01 17:55 . 2008-05-01 17:55   <DIR>   d--------   C:\Program Files\Alcohol Soft
2008-05-01 17:47 . 2008-05-01 17:47   <DIR>   d--------   C:\Program Files\DAEMON Tools
2008-05-01 17:47 . 2008-05-01 20:10   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\stamina
2008-05-01 17:45 . 2008-05-01 17:53   639,224   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2008-05-01 17:43 . 2008-05-01 17:43   <DIR>   d--------   C:\Program Files\eMule
2008-05-01 17:42 . 2008-05-01 17:42   <DIR>   d--------   C:\Program Files\foobar2000
2008-05-01 17:42 . 2008-05-07 18:05   <DIR>   d--------   C:\Documents and Settings\pykoo\Dane aplikacji\foobar2000
2008-05-01 17:37 . 2008-05-01 17:37   0   --a------   C:\WINDOWS\nsreg.dat
2008-05-01 17:36 . 2008-05-01 17:37   <DIR>   d--------   C:\Program Files\BitComet
2008-05-01 17:02 . 2008-05-01 19:04   14   --a------   C:\WINDOWS\system32\getfile.dat
2008-05-01 15:54 . 2003-06-19 01:31   17,920   --a------   C:\WINDOWS\system32\mdimon.dll
2008-05-01 15:54 . 2008-05-01 15:54   421   --a------   C:\WINDOWS\ODBC.INI
2008-05-01 15:53 . 2008-05-01 15:53   <DIR>   d--------   C:\Program Files\Microsoft.NET
2008-05-01 15:52 . 2008-05-01 15:53   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-05-01 15:52 . 2008-05-01 15:52   <DIR>   d--------   C:\Program Files\Microsoft Works
2008-05-01 15:29 . 2008-05-01 16:13   <DIR>   d--h-----   C:\Program Files\InstallShield Installation Information
2008-05-01 15:29 . 2008-05-01 15:29   <DIR>   d--------   C:\Program Files\Analog Devices
2008-05-01 15:28 . 2008-05-01 22:11   <DIR>   d--------   C:\Program Files\Common Files\InstallShield
2008-05-01 15:17 . 2000-03-29 08:17   5,824   --a------   C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-01 15:17 . 2008-05-01 16:44   3,366   --a------   C:\WINDOWS\Ascd_tmp.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 14:58   ---------   d-----w   C:\Program Files\Opera
2008-05-01 14:16   ---------   d-----w   C:\Program Files\Neostrada TP
2008-05-01 14:13   ---------   d-----w   C:\Program Files\Thomson
2008-05-01 12:52   ---------   d-----w   C:\Program Files\Softwin
2008-05-01 12:52   ---------   d-----w   C:\Program Files\Common Files\Softwin
2008-05-01 12:30   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-05-01 12:28   ---------   d-----w   C:\Program Files\Usługi online
2008-03-31 21:25   831,488   ----a-w   C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25   161,096   ----a-w   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30   9,464   ------w   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-21 20:30   9,336   ------w   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-21 20:30   43,528   ------w   C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-03-21 20:30   129,784   ------w   C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30   120,056   ------w   C:\WINDOWS\system32\pxcpyi64.exe
2008-03-21 20:30   118,520   ------w   C:\WINDOWS\system32\pxinsi64.exe
2003-07-17 02:26   448,640   ----a-w   C:\WINDOWS\inf\EL2K_N64.sys
2003-07-17 02:22   147,328   ----a-w   C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 07:47   147,328   ----a-w   C:\WINDOWS\inf\EL2K_2K.sys
.

------- Sigcheck -------

2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c   C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14  359040  6a603809f598332dbedd535bdbce313e   C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\WINDOWS\TBPanel.exe" [2004-02-11 08:49 2015232]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2005-10-11 11:28 360448]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:53 90112]
"BDNewsAgent"="C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe" [2005-06-09 10:28 9728]
"BDSwitchAgent"="C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe" [2005-04-06 13:09 33280]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 22:09 157592]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\KonnektPlus\\konnekt.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27308:TCP"= 27308:TCP:BitComet 27308 TCP
"27308:UDP"= 27308:UDP:BitComet 27308 UDP

R2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys [2005-07-28 15:42]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 17:54:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-09 17:54:58
ComboFix-quarantined-files.txt  2008-05-09 15:54:54
ComboFix2.txt  2008-05-09 15:33:09

Pre-Run: 7,891,132,416 bajtów wolnych
Post-Run: 7,883,915,264 bajtów wolnych

161

[huber2t]

Log wyglada na czysty

Usuń ręcznie folder C: \Qoobox,usuń instalkę Combofix z dysku

Wyłącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj komputer tym (uruchom przez IE) http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

Włącz przywracanie systemu.