Amvo.exe - second time already... please help

I wrote here about one computer: viewtopic.php?f=16&t=254490

and now I've infected the second one.

I removed amvo.exe with HijackThis, and the ComboFix log is:

ComboFix 08-07-02.5 - fred 2008-07-05 21:13:08.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.166 [GMT 2:00]

Running from: C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

C:\WINDOWS\system32\amvo.exe

C:\WINDOWS\system32\amvo0.dll

C:\WINDOWS\system32\amvo1.dll

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))

.

2008-07-04 16:19 . 2008-07-04 16:19 112,824 -r-hs---- C:\00hoeav.com

2008-07-03 22:03 . 2008-07-03 22:03 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav

2008-07-03 22:03 . 2008-07-03 22:03 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav

2008-07-03 22:03 . 2008-07-03 22:03 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav

2008-07-03 22:03 . 2008-07-03 22:03 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav

2008-07-03 19:18 . 2008-07-04 00:14 114,611 -r-hs---- C:\xmnm2.cmd

2008-07-02 18:56 . 2008-06-27 13:00 110,443 -r-hs---- C:\r.cmd

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 19:18 26,277,920 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-05 19:05 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\Skype

2008-07-05 19:04 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\skypePM

2008-07-05 19:04 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\OpenOffice.org2

2008-07-04 14:43 311,672 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-02 17:31 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-06-18 16:25 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\AVG7

2008-06-18 16:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg7

2008-04-28 12:26 57,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp

2008-04-22 23:11 96,768 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp

2008-04-18 17:38 83,968 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp

2008-04-15 17:42 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp

2008-04-13 18:17 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-04-10 11:19 118,784 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp

2008-04-05 23:33 176,128 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp

2008-02-11 16:22 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-16 13:39 21760296]

"Gadu-Gadu"="D:\programy\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]

"SpybotSD TeaTimer"="D:\programy\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="D:\programy\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 13:42 579584]

"Adobe Reader Speed Launcher"="D:\Programy\adobeReader\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"HP Software Update"="D:\programy\hp\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25 29744]

"RRT-Auto"="C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\RRT.exe" [2008-06-19 19:18 139776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 16:25 219136]

C:\Documents and Settings\fred.FRED-AFE357FAED\Menu Start\Programy\Autostart\

OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

HP Digital Imaging Monitor.lnk - D:\programy\hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

Microsoft Office.lnk - D:\programy\MS Word\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Grisoft\AVG7\avginet.exe"=

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"=

"C:\Program Files\Grisoft\AVG7\avgcc.exe"=

"C:\Program Files\Grisoft\AVG7\avgemc.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqtra08.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqste08.exe"=

"D:\programy\hp\Digital Imaging\bin\hpofxm08.exe"=

"D:\programy\hp\Digital Imaging\bin\hposfx08.exe"=

"D:\programy\hp\Digital Imaging\bin\hposid01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqscnvw.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqkygrp.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqCopy.exe"=

"D:\programy\hp\Digital Imaging\bin\hpfccopy.exe"=

"D:\programy\hp\Digital Imaging\bin\hpzwiz01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpoews01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqnrs08.exe"=

"C:\Program Files\Bonjour\mDNSResponder.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

R3 Smcpwr2n;Sterownik karty SMC EtherPower II 10/100 Ethernet Adapter ;C:\WINDOWS\system32\DRIVERS\smcpwr2n.sys [2001-08-17 22:12]

S3 GoogleDesktopManager-022208-143751;Menedżer Google Desktop 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e52fa35-d8a0-11dc-975f-00e02945a733}]

\Shell\AutoRun\command - H:\xmnm2.cmd

\Shell\explore\Command - H:\xmnm2.cmd

\Shell\open\Command - H:\xmnm2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49fd2c33-206c-11dd-83c9-00e02945a733}]

\Shell\AutoRun\command - G:\t.com

\Shell\explore\Command - G:\t.com

\Shell\open\Command - G:\t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{697d9ec6-e0a9-11dc-93c8-00e02945a733}]

\Shell\AutoRun\command - G:\xmnm2.cmd

\Shell\explore\Command - G:\xmnm2.cmd

\Shell\open\Command - G:\xmnm2.cmd

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-05 21:17:42

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-07-05 21:20:56

ComboFix-quarantined-files.txt 2008-07-05 19:20:37

ComboFix2.txt 2008-07-03 22:10:06

Pre-Run: 601,063,424 bajtów wolnych

Post-Run: 585,510,912 bajtów wolnych


Clean the pendrive with Flash Disinfector

Paste into Notepad:

File::

C:\xmnm2.cmd

C:\r.cmd

C:\00hoeav.com

H:\xmnm2.cmd

G:\t.com

G:\xmnm2.cmd


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File -> Save as... -> CFScript

Drag the CFScript.txt file onto ComboFix.exe


A log will be generated during the removal. Post it on the forum.

After the restart, delete the C:\Qoobox folder.

That is not the whole script!!

Paste into Notepad:

File::

G:\t.com

H:\t.com

C:\t.com

D:\t.com

H:\xmnm2.cmd

G:\xmnm2.cmd

C:\xmnm2.cmd

D:\xmnm2.cmd

C:\00hoeav.com

H:\00hoeav.com

G:\00hoeav.com

D:\00hoeav.com

C:\r.cmd

D:\r.cmd

H:\r.cmd

G:\r.cmd


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{697d9ec6-e0a9-11dc-93c8-00e02945a733}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49fd2c33-206c-11dd-83c9-00e02945a733}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e52fa35-d8a0-11dc-975f-00e02945a733}]

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe


The removal should start (and a log will be generated). Post the log that is generated during the removal.

If it goes well: after the restart, manually delete the C:\Qoobox folder.

EDIT:

Format the pendrive :)

(how do I format the pendrive - just normally with right-click etc., or with some program?)

log after performing the above steps:

ComboFix 08-07-02.5 - fred 2008-07-05 22:20:36.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.139 [GMT 2:00]

Running from: C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\00hoeav.com

C:\r.cmd

C:\t.com

C:\xmnm2.cmd

D:\00hoeav.com

D:\r.cmd

D:\t.com

D:\xmnm2.cmd

G:\00hoeav.com

G:\r.cmd

G:\t.com

G:\xmnm2.cmd

H:\00hoeav.com

H:\r.cmd

H:\t.com

H:\xmnm2.cmd

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\00hoeav.com

C:\r.cmd

C:\xmnm2.cmd

D:\00hoeav.com

D:\r.cmd

D:\xmnm2.cmd

.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))

.

2008-07-03 22:03 . 2008-07-03 22:03 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav

2008-07-03 22:03 . 2008-07-03 22:03 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav

2008-07-03 22:03 . 2008-07-03 22:03 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav

2008-07-03 22:03 . 2008-07-03 22:03 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 20:25 26,292,256 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-05 19:56 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\Skype

2008-07-05 19:34 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\OpenOffice.org2

2008-07-05 19:32 2,657,148 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-07-05 19:04 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\skypePM

2008-07-04 14:43 311,672 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-02 17:31 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-06-18 16:25 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\AVG7

2008-06-18 16:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg7

2008-04-28 12:26 57,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp

2008-04-22 23:11 96,768 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp

2008-04-18 17:38 83,968 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp

2008-04-15 17:42 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp

2008-04-13 18:17 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-04-10 11:19 118,784 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp

2008-04-05 23:33 176,128 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp

2008-02-11 16:22 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((( snapshot@2008-07-05_21.20.00,34 )))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 19:02:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat

2008-07-05 19:32:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-16 13:39 21760296]

"Gadu-Gadu"="D:\programy\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]

"SpybotSD TeaTimer"="D:\programy\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="D:\programy\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 13:42 579584]

"Adobe Reader Speed Launcher"="D:\Programy\adobeReader\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"HP Software Update"="D:\programy\hp\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25 29744]

"RRT-Auto"="C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\RRT.exe" [2008-06-19 19:18 139776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 16:25 219136]

C:\Documents and Settings\fred.FRED-AFE357FAED\Menu Start\Programy\Autostart\

OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

HP Digital Imaging Monitor.lnk - D:\programy\hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

Microsoft Office.lnk - D:\programy\MS Word\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Grisoft\AVG7\avginet.exe"=

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"=

"C:\Program Files\Grisoft\AVG7\avgcc.exe"=

"C:\Program Files\Grisoft\AVG7\avgemc.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqtra08.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqste08.exe"=

"D:\programy\hp\Digital Imaging\bin\hpofxm08.exe"=

"D:\programy\hp\Digital Imaging\bin\hposfx08.exe"=

"D:\programy\hp\Digital Imaging\bin\hposid01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqscnvw.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqkygrp.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqCopy.exe"=

"D:\programy\hp\Digital Imaging\bin\hpfccopy.exe"=

"D:\programy\hp\Digital Imaging\bin\hpzwiz01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpoews01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqnrs08.exe"=

"C:\Program Files\Bonjour\mDNSResponder.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

R3 Smcpwr2n;Sterownik karty SMC EtherPower II 10/100 Ethernet Adapter ;C:\WINDOWS\system32\DRIVERS\smcpwr2n.sys [2001-08-17 22:12]

S3 GoogleDesktopManager-022208-143751;Menedżer Google Desktop 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-05 22:25:26

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

Completion time: 2008-07-05 22:30:02

ComboFix-quarantined-files.txt 2008-07-05 20:28:56

ComboFix2.txt 2008-07-05 19:20:59

ComboFix3.txt 2008-07-03 22:10:06

Pre-Run: 571,396,096 bajtów wolnych

Post-Run: 551,407,616 bajtów wolnych


Paste into Notepad:

File::

C:\WINDOWS\Internet Logs\xDB8.tmp

C:\WINDOWS\Internet Logs\xDB7.tmp

C:\WINDOWS\Internet Logs\xDB6.tmp

C:\WINDOWS\Internet Logs\xDB5.tmp

C:\WINDOWS\Internet Logs\xDB4.tmp

C:\WINDOWS\Internet Logs\xDB3.tmp

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe


The removal should start (and a log will be generated). Post the log that is generated during the removal.

If it goes well: after the restart, manually delete the C:\Qoobox folder.

As for formatting, just do a normal format, i.e. right-click etc...

LAST LOG:

ComboFix 08-07-02.5 - fred 2008-07-05 22:56:05.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.218 [GMT 2:00]

Running from: C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\Internet Logs\xDB3.tmp

C:\WINDOWS\Internet Logs\xDB4.tmp

C:\WINDOWS\Internet Logs\xDB5.tmp

C:\WINDOWS\Internet Logs\xDB6.tmp

C:\WINDOWS\Internet Logs\xDB7.tmp

C:\WINDOWS\Internet Logs\xDB8.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\Internet Logs\xDB3.tmp

C:\WINDOWS\Internet Logs\xDB4.tmp

C:\WINDOWS\Internet Logs\xDB5.tmp

C:\WINDOWS\Internet Logs\xDB6.tmp

C:\WINDOWS\Internet Logs\xDB7.tmp

C:\WINDOWS\Internet Logs\xDB8.tmp

.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))

.

2008-07-03 22:03 . 2008-07-03 22:03 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav

2008-07-03 22:03 . 2008-07-03 22:03 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav

2008-07-03 22:03 . 2008-07-03 22:03 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav

2008-07-03 22:03 . 2008-07-03 22:03 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-05 21:01 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\Skype

2008-07-05 20:34 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\OpenOffice.org2

2008-07-05 20:30 26,296,352 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-05 19:32 2,657,148 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-07-05 19:04 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\skypePM

2008-07-04 14:43 311,672 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-02 17:31 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-06-18 16:25 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\AVG7

2008-06-18 16:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg7

2008-04-13 18:17 691,545 ----a-w C:\WINDOWS\unins000.exe

2008-02-11 16:22 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-16 13:39 21760296]

"Gadu-Gadu"="D:\programy\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]

"SpybotSD TeaTimer"="D:\programy\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="D:\programy\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 13:42 579584]

"Adobe Reader Speed Launcher"="D:\Programy\adobeReader\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"HP Software Update"="D:\programy\hp\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25 29744]

"RRT-Auto"="C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\RRT.exe" [2008-06-19 19:18 139776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 16:25 219136]

C:\Documents and Settings\fred.FRED-AFE357FAED\Menu Start\Programy\Autostart\

OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

HP Digital Imaging Monitor.lnk - D:\programy\hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

Microsoft Office.lnk - D:\programy\MS Word\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Grisoft\AVG7\avginet.exe"=

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"=

"C:\Program Files\Grisoft\AVG7\avgcc.exe"=

"C:\Program Files\Grisoft\AVG7\avgemc.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqtra08.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqste08.exe"=

"D:\programy\hp\Digital Imaging\bin\hpofxm08.exe"=

"D:\programy\hp\Digital Imaging\bin\hposfx08.exe"=

"D:\programy\hp\Digital Imaging\bin\hposid01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqscnvw.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqkygrp.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqCopy.exe"=

"D:\programy\hp\Digital Imaging\bin\hpfccopy.exe"=

"D:\programy\hp\Digital Imaging\bin\hpzwiz01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpoews01.exe"=

"D:\programy\hp\Digital Imaging\bin\hpqnrs08.exe"=

"C:\Program Files\Bonjour\mDNSResponder.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

R3 Smcpwr2n;Sterownik karty SMC EtherPower II 10/100 Ethernet Adapter ;C:\WINDOWS\system32\DRIVERS\smcpwr2n.sys [2001-08-17 22:12]

S3 GoogleDesktopManager-022208-143751;Menedżer Google Desktop 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-05 23:00:54

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

Completion time: 2008-07-05 23:04:53

ComboFix-quarantined-files.txt 2008-07-05 21:03:46

ComboFix2.txt 2008-07-05 20:30:05

Pre-Run: 590,606,336 bajtów wolnych

Post-Run: 565,907,456 bajtów wolnych


On 05.07.2008 at 23:31 a post was appended by mem

IS IT OK NOW? Or do I still have to remove something?

The log looks clean

do a startup optimization

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Disable and re-enable System Restore on all drives: http://support.microsoft.com/kb/310405/pl

scan the My Computer area with http://www.kaspersky.pl/virusscanner.html and show the report (open the page in IE)

:)

the report from Kaspersky, which scanned my computer for 3 hours...

http://wklejto.pl/5069

should be OK

:)

So it's CLEAN!

thanks for the help!

one computer fixed.

I'll still run Dr.WEB CureIt! on the other one.

Change of the rules for posting logs on the forum - viewtopic.php?f=16&t=253052