cudotworca

Trojan, Amvo.exe?


Hello

I finally decided to paste the logs, because I can't unhide hidden files, system files and so on. It's possible this trojan is also causing lag, which I don't need...

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:35:26, on 2009-04-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
E:\CFosSpeed\cFosSpeed.exe
D:\WINDOWS\win32up.exe
D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe
C:\ActiveSync\wcescomm.exe
D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe
C:\ACTIVE~1\rapimgr.exe
E:\Cashext\Cashext.exe
E:\CFosSpeed\spd.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\PSIService.exe
D:\spm\spmdib.exe
D:\WINDOWS\system32\Tablet.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\WINDOWS\system32\Tablet.exe
E:\Firefox 3\firefox.exe
C:\ActiveSync\WCESMgr.exe
D:\Program Files\Winamp\winamp.exe
C:\Konnekt\konnekt.exe
C:\Logi\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [cFosSpeed] E:\CFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Windows Updates] D:\WINDOWS\win32up.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [Paseczek] E:\Paseczek\Paseczek.exe
O4 - HKCU\..\Run: [Konnekt_3313f61f] "C:\Konnekt\konnekt.exe" /autostart -profile=?
O4 - HKCU\..\Run: [sansaDispatch] D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Catcher] D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe
O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cashext (2).lnk = E:\Cashext\Cashext.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ACTIVE~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ACTIVE~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ACTIVE~1\INetRepl.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - E:\CFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\system32\PSIService.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - D:\spm\spmdib.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\system32\Tablet.exe

--
End of file - 5432 bytes

Silent Runners log:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Paseczek" = "E:\Paseczek\Paseczek.exe" ["Codeton Software"]
"Konnekt_3313f61f" = ""C:\Konnekt\konnekt.exe" /autostart -profile=?" ["Stamina"]
"SansaDispatch" = "D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe" ["SanDisk Corporation"]
"H/PC Connection Agent" = ""C:\ActiveSync\wcescomm.exe"" [MS]
"Catcher" = "D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe" [null data]
"amva" = "D:\WINDOWS\system32\amvo.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"cFosSpeed" = "E:\CFosSpeed\cFosSpeed.exe" ["cFos Software GmbH"]
"Windows Updates" = "D:\WINDOWS\win32up.exe" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AdobeCS4ServiceManager" = ""D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
-> {HKLM...CLSID} = "BitComet Helper"
\InProcServer32\(Default) = "C:\BitComet\tools\BitCometBHO_1.2.1.2.dll" ["BitComet"]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "D:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "E:\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
-> {HKLM...CLSID} = "GMail Drive"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
-> {HKLM...CLSID} = "GMailFS Property Sheet"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
-> {HKLM...CLSID} = "GMailFS Drop Handler"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
-> {HKLM...CLSID} = "GMailFS Context Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Urządzenie przenośne"
\InProcServer32\(Default) = "C:\ACTIVE~1\Wcesview.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "E:\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "E:\MagicISO\misosh.dll" ["MagicISO, Inc."]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "E:\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "E:\MagicISO\misosh.dll" ["MagicISO, Inc."]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "E:\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}\(Default) = "{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}"
-> {HKLM...CLSID} = "Adobe Drive CS4"
\InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll" ["Adobe Systems Incorporated"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS4ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS4"
"InvokeProgID" = "Adobe.adobebridgeCS4"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS4\shell\launch\command\(Default) = "C:\Adobe Photoshop CS4\Adobe Bridge CS4\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

BridgeCS4NonVolumeHandler\
"Provider" = "Adobe Bridge CS4"
"ProgID" = "Adobe.adobebridgeMTP_1"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = "{1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}"
-> {HKLM...CLSID} = "Adobe Bridge CS4"
\LocalServer32\(Default) = "C:\Adobe Photoshop CS4\Adobe Bridge CS4\bridgeproxy.exe -m" ["Adobe Systems, Inc."]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""D:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""D:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "cudotworca" & "All Users" startup folders:
------------------------------------------------------------

D:\Documents and Settings\cudotworca\Menu Start\Programy\Autostart
"Cashext (2)" -> shortcut to: "E:\Cashext\Cashext.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\ACTIVE~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\ACTIVE~1\INetRepl.dll" [MS]

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
"ButtonText" = "BitComet"
"Script" = "res://C:\BitComet\tools\BitCometBHO_1.2.1.2.dll/206" ["BitComet"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
cFosSpeed System Service, cFosSpeedS, ""E:\CFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
Java Quick Starter, JavaQuickStarterService, ""D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
LexBce Server, LexBceS, "D:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
ProtexisLicensing, ProtexisLicensing, "D:\WINDOWS\system32\PSIService.exe" [null data]
SPM License Server, spmd, "D:\spm\spmdib.exe" ["mental images GmbH"]
TabletService, TabletService, "D:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


---------- (launch time: 2009-04-28 17:43:46)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 270 seconds.
---------- (total run time: 316 seconds)

 


ComboFix log:

"cudotworca" - 2009-04-30 13:54:46 - ComboFix 07-07-04.4 - Dodatek Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\DOCUME~1\ALLUSE~1\DANEAP~1.\TEMP


((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 )))))))))))))))))))))))))))))))


2009-04-30 13:54 51,200 --a------ D:\WINDOWS\nircmd.exe
2009-04-06 17:29 <DIR> d-------- D:\DOCUME~1\CUDOTW~1\DANEAP~1\com.onair.adobe.flump.F72717AFE33D104747EFA2864DDFAA9D568C67C7.1
2009-03-23 19:11 <DIR> d-------- D:\Program Files\Blue Point Studios
2009-03-17 16:51 4,296,704 -ra------ D:\WINDOWS\unasetup.exe
2009-03-15 19:11 420,240 --a------ D:\WINDOWS\system32\mpg4c32.dll
2009-03-15 19:11 309,616 --a------ D:\WINDOWS\system32\wmv8dmod.dll
2009-03-08 18:10 <DIR> d-------- D:\DOCUME~1\CUDOTW~1\DANEAP~1\HLSW


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-04-30 11:41:22 -------- d-----w D:\DOCUME~1\CUDOTW~1\DANEAP~1\WTablet
2009-04-30 11:40:59 54,784 --sh--w D:\WINDOWS\system32\amvo0.dll
2009-04-28 14:49:49 79,386 ----a-w D:\WINDOWS\system32\perfc015.dat
2009-04-28 14:49:49 457,230 ----a-w D:\WINDOWS\system32\perfh015.dat
2009-03-26 15:22:37 -------- d--h--w D:\Program Files\InstallShield Installation Information
2009-03-09 03:19:08 410,984 -c--a-w D:\WINDOWS\system32\deploytk.dll
2009-03-05 14:25:45 73,216 ----a-w D:\WINDOWS\ST6UNST.EXE
2009-03-05 14:25:45 249,856 ------w D:\WINDOWS\Setup1.exe
2008-03-08 15:46:29 88 -csh--r D:\WINDOWS\system32\CEDE404B3D.sys
2008-12-22 09:13:26 900 -csha-w D:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38 63128 --a------ D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2008-01-25 12:06 496952 --a------ C:\BitComet\tools\BitCometBHO_1.2.1.2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-03-09 05:18 35840 --a------ D:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-03-09 05:18 73728 --a------ D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cFosSpeed"="E:\CFosSpeed\cFosSpeed.exe" [2008-02-14 18:27]
"AdobeCS4ServiceManager"="D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 08:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Paseczek"="E:\Paseczek\Paseczek.exe" [2008-03-07 23:21]
"Konnekt_3313f61f"="C:\Konnekt\konnekt.exe" [2005-05-24 23:41]
"SansaDispatch"="D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-04-02 22:31]
"H/PC Connection Agent"="C:\ActiveSync\wcescomm.exe" [2006-11-13 16:57]
"Catcher"="D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe" [2008-12-28 01:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"E:\Adobe Lightroom\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeBridge]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
D:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
D:\Program Files\VDOTool\TBPanel.exe /A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
D:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"D:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]
D:\Program Files\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"D:\Program Files\Winamp\winampa.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a49180-392f-11dd-891b-001c250fd028}]
AutoRun\command- I:\2ifetri.cmd
explore\Command- I:\2ifetri.cmd
open\Command- I:\2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908f9836-003b-11de-8aa3-001c250fd028}]
AutoRun\command- I:\2ifetri.cmd
explore\Command- I:\2ifetri.cmd
open\Command- I:\2ifetri.cmd


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 13:56:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe?latform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?%25

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"D:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\""

Completion time: 2009-04-30 13:56:32

--- E O F ---


I don't see in the log that you used Flash Disinfector; why didn't you?

Paste into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a49180-392f-11dd-891b-001c250fd028}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908f9836-003b-11de-8aa3-001c250fd028}]

Save it as fix.reg and run it.

Finally, block access to the mountpoints2 key:

http://www.searchengines.pl/Infekcje-z-pen...ych-t94761.html (point 3 in the prevention section).

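The reply above does by hand what a small triage script can do for a whole log: find the mountpoints2 keys whose cached autorun verbs still point at a script on the removable drive, find the loaders for the binary the thread identified (amvo.exe), and write the matching REGEDIT4 deletion file. The script below is an added example for this thread, not code from the helper, from ComboFix or from any other tool. The sample excerpt is constructed in the shape of ComboFix's "Reg Loading Points" section from entries in the logs above (the "amva" Run value is copied over from the HijackThis/Silent Runners listing and the Steam entry is a benign control); the watchlist, the Finding class and all function names are this example's own.

```python
"""Triage a ComboFix-style "Reg Loading Points" excerpt and render a fix.reg (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, assembled from entries in this thread's logs.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Paseczek"="E:\Paseczek\Paseczek.exe" [2008-03-07 23:21]
"Catcher"="D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe" [2008-12-28 01:00]
"amva"="D:\WINDOWS\system32\amvo.exe" [null data]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
D:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"D:\Program Files\Steam\Steam.exe" -silent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a49180-392f-11dd-891b-001c250fd028}]
AutoRun\command- I:\2ifetri.cmd
explore\Command- I:\2ifetri.cmd
open\Command- I:\2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908f9836-003b-11de-8aa3-001c250fd028}]
AutoRun\command- I:\2ifetri.cmd
explore\Command- I:\2ifetri.cmd
open\Command- I:\2ifetri.cmd
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
CMD_RE = re.compile(r"^(AutoRun|open|explore)\\command-\s*(.+)$", re.IGNORECASE)

# Binaries this thread identified as the infection (constructed watchlist; extend per case).
WATCHLIST = {"amvo.exe", "amvo0.dll"}


@dataclass
class Finding:
    key: str
    reason: str
    value: Optional[str] = None  # set when only one value, not the whole key, should go


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split the excerpt into ([HKEY_...] key, non-empty body lines) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    key, body = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            if key is not None:
                blocks.append((key, body))
            key, body = m.group(1), []
        elif key is not None and line.strip():
            body.append(line.strip())
    if key is not None:
        blocks.append((key, body))
    return blocks


def basename(command: str) -> str:
    """Lower-cased file name of the launched binary (quotes and trailing arguments dropped)."""
    return command.replace('"', "").strip().split("\\")[-1].split(" ")[0].lower()


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, body in parse_blocks(text):
        lk = key.lower()
        if "\\mountpoints2\\" in lk:
            # Cached autorun.inf verbs for a removable volume: any command here re-runs
            # when the drive is opened, so the whole key is removed.
            cmds = sorted({m.group(2) for m in map(CMD_RE.match, body) if m})
            if cmds:
                findings.append(Finding(key, f"autorun verbs run {cmds}"))
        elif lk.endswith("\\currentversion\\run"):
            for line in body:
                m = VALUE_RE.match(line)
                if m and basename(m.group(2)) in WATCHLIST:
                    findings.append(Finding(key, f"Run value launches {basename(m.group(2))}", m.group(1)))
        elif "\\msconfig\\startupreg\\" in lk:
            # msconfig keeps the path of a disabled entry: a hit means the loader was
            # only disabled, not removed.
            if any(basename(line) in WATCHLIST for line in body):
                findings.append(Finding(key, "disabled startup entry still points at a watchlist binary"))
    return findings


def build_fix_reg(findings: List[Finding]) -> str:
    """Render REGEDIT4 text: [-key] deletes a key, "name"=- deletes a single value."""
    lines = ["REGEDIT4", ""]
    seen = set()
    for f in findings:
        if f.value is None:
            if f.key not in seen:
                seen.add(f.key)
                lines += [f"[-{f.key}]", ""]
        else:
            lines += [f"[{f.key}]", f'"{f.value}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.key}\n    {f.reason}")
    print(build_fix_reg(found))
```

The output for the sample is the helper's three `[-...]` lines plus an `"amva"=-` value deletion under the HKCU Run key. As with the original fix.reg, the file only removes the launch points; the amvo.exe/amvo0.dll files themselves and the autorun script on the flash drive still need to be dealt with separately, and importing a generated .reg file should always be preceded by reading it.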

I used Flash Disinfector, and after that operation nothing about amvo.exe popped up any more; I could show hidden files and everything worked better. I don't know why that isn't visible in the logs.

Now I've done what you wrote, fixed the registry and set the permissions. Should I post any more logs?

Thanks for the help.
