Znajoma poprosiła mnie o usunięcie wirusów z komputera.
Trochę tego było, z większością poradził sobie avast, nie mam jednak pewności czy coś nie zostało, proszę więc o pomoc z interpretacji wyników z ComboFix. Podczas pary combofixa pojawił się monit o zarażonym pliku amvo1.dll, usunąłem go z poziomu Avasta, nie wiem czy zadziałało.
Pozdrawiam.
- Kod: Zaznacz wszystko
ComboFix 08-03-18.1 - Marta 2008-03-20 17:24:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.195 [GMT 1:00]
Running from: C:\Documents and Settings\Marta\Pulpit\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.
2008-03-12 09:35 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-12 09:35 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-09 20:01 . 2008-03-06 10:42 107,849 -r-hs---- C:\v.com
2008-03-05 15:28 . 2008-03-05 15:27 106,249 -r-hs---- C:\ta2.cmd
2008-03-02 12:48 . 2008-03-03 17:47 108,058 -r-hs---- C:\x6.bat
2008-02-26 18:40 . 2008-02-27 10:33 107,489 -r-hs---- C:\u2.cmd
2008-02-21 17:38 . 2008-02-21 17:38 <DIR> d-------- C:\Program Files\Winamp Remote
2008-02-21 17:38 . 2008-02-21 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\OrbNetworks
2008-02-21 17:33 . 2008-02-21 17:39 <DIR> d-------- C:\Program Files\Winamp
2008-02-21 17:33 . 2008-02-21 17:40 <DIR> d-------- C:\Documents and Settings\Marta\Dane aplikacji\Winamp
2008-02-21 17:33 . 2007-03-08 00:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-21 17:33 . 2007-03-08 00:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-21 17:33 . 2007-03-08 00:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-21 14:31 . 2008-03-11 22:16 <DIR> d-------- C:\Program Files\eMule
2008-02-21 14:24 . 2008-02-21 14:24 <DIR> d-------- C:\Documents and Settings\Marta\Dane aplikacji\.ABC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 13:24 --------- d-----w C:\Documents and Settings\Marta\Dane aplikacji\.ABC
2007-01-13 11:03 1,572 ----a-w C:\Documents and Settings\Marta\Dane aplikacji\wklnhst.dat
2005-09-24 06:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 15:36 2111176]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 21:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-22 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-22 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-22 21:17 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 16:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 06:22 794713]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 14:14 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 10:33 163840]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 09:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 09:23 1187840]
"adiras"="adiras.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22 581693]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe [2006-12-25 21:02:24 946247]
HP Photosmart Premier - Szybkie uruchomienie.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 08:39:30 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 07:15:54 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 21:39]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1be5dfb2-df18-11dc-b971-0018de32ac02}]
\Shell\AutoRun\command - F:\d6fagcs8.cmd
\Shell\explore\Command - F:\d6fagcs8.cmd
\Shell\open\Command - F:\d6fagcs8.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c38c73a-87a7-11dc-b927-001641c8fc3c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fc91de8-9e61-11da-b892-0018de32ac02}]
\Shell\AutoRun\command - u2.cmd
\Shell\explore\Command - u2.cmd
\Shell\open\Command - u2.cmd
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 17:27:38
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????W??????`?@?????L?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-20 17:28:06
ComboFix-quarantined-files.txt 2008-03-20 16:27:57
.
2008-03-12 17:09:07 --- E O F ---
