Here I wrote about the first computer: viewtopic.php?f=16&t=254490
and now I have infected the second one.
I removed amvo.exe with HijackThis, and the ComboFix log is:
ComboFix 08-07-02.5 - fred 2008-07-05 21:13:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.166 [GMT 2:00]
Running from: C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-04 16:19 . 2008-07-04 16:19 112,824 -r-hs---- C:\00hoeav.com
2008-07-03 22:03 . 2008-07-03 22:03 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-07-03 22:03 . 2008-07-03 22:03 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-07-03 22:03 . 2008-07-03 22:03 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-07-03 22:03 . 2008-07-03 22:03 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-07-03 19:18 . 2008-07-04 00:14 114,611 -r-hs---- C:\xmnm2.cmd
2008-07-02 18:56 . 2008-06-27 13:00 110,443 -r-hs---- C:\r.cmd
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:18 26,277,920 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-05 19:05 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\Skype
2008-07-05 19:04 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\skypePM
2008-07-05 19:04 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\OpenOffice.org2
2008-07-04 14:43 311,672 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-02 17:31 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-18 16:25 --------- d-----w C:\Documents and Settings\fred.FRED-AFE357FAED\Dane aplikacji\AVG7
2008-06-18 16:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg7
2008-04-28 12:26 57,856 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-22 23:11 96,768 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-18 17:38 83,968 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-15 17:42 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-13 18:17 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-10 11:19 118,784 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-05 23:33 176,128 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-11 16:22 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-16 13:39 21760296]
"Gadu-Gadu"="D:\programy\Gadu-Gadu\gg.exe" [2006-11-14 11:12 1849032]
"SpybotSD TeaTimer"="D:\programy\Spybot - Search Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="D:\programy\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 13:42 579584]
"Adobe Reader Speed Launcher"="D:\Programy\adobeReader\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="D:\programy\hp\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25 29744]
"RRT-Auto"="C:\Documents and Settings\fred.FRED-AFE357FAED\Pulpit\RRT.exe" [2008-06-19 19:18 139776]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 16:25 219136]
C:\Documents and Settings\fred.FRED-AFE357FAED\Menu Start\Programy\Autostart\
OpenOffice.org 2.0.3.lnk - C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe [2006-07-02 18:46:50 393216]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - D:\programy\hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
Microsoft Office.lnk - D:\programy\MS Word\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Grisoft\AVG7\avginet.exe"=
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"=
"C:\Program Files\Grisoft\AVG7\avgcc.exe"=
"C:\Program Files\Grisoft\AVG7\avgemc.exe"=
"D:\programy\hp\Digital Imaging\bin\hpqtra08.exe"=
"D:\programy\hp\Digital Imaging\bin\hpqste08.exe"=
"D:\programy\hp\Digital Imaging\bin\hpofxm08.exe"=
"D:\programy\hp\Digital Imaging\bin\hposfx08.exe"=
"D:\programy\hp\Digital Imaging\bin\hposid01.exe"=
"D:\programy\hp\Digital Imaging\bin\hpqscnvw.exe"=
"D:\programy\hp\Digital Imaging\bin\hpqkygrp.exe"=
"D:\programy\hp\Digital Imaging\bin\hpqCopy.exe"=
"D:\programy\hp\Digital Imaging\bin\hpfccopy.exe"=
"D:\programy\hp\Digital Imaging\bin\hpzwiz01.exe"=
"D:\programy\hp\Digital Imaging\bin\hpoews01.exe"=
"D:\programy\hp\Digital Imaging\bin\hpqnrs08.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
R3 Smcpwr2n;Sterownik karty SMC EtherPower II 10/100 Ethernet Adapter ;C:\WINDOWS\system32\DRIVERS\smcpwr2n.sys [2001-08-17 22:12]
S3 GoogleDesktopManager-022208-143751;Menedżer Google Desktop 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-09 15:25]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0e52fa35-d8a0-11dc-975f-00e02945a733}]
\Shell\AutoRun\command - H:\xmnm2.cmd
\Shell\explore\Command - H:\xmnm2.cmd
\Shell\open\Command - H:\xmnm2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{49fd2c33-206c-11dd-83c9-00e02945a733}]
\Shell\AutoRun\command - G:\t.com
\Shell\explore\Command - G:\t.com
\Shell\open\Command - G:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{697d9ec6-e0a9-11dc-93c8-00e02945a733}]
\Shell\AutoRun\command - G:\xmnm2.cmd
\Shell\explore\Command - G:\xmnm2.cmd
\Shell\open\Command - G:\xmnm2.cmd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 21:17:42
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-05 21:20:56
ComboFix-quarantined-files.txt 2008-07-05 19:20:37
ComboFix2.txt 2008-07-03 22:10:06
Pre-Run: 601,063,424 bajtów wolnych
Post-Run: 585,510,912 bajtów wolnych