Hello everyone.
Like many users of this forum I am fighting the Amvo trojan along with a few other unwanted pieces of "cloaked malware". It's terrible. I have the problem with it too.
A scan with Prevx CSI turned up 6 of these wonders. I followed the removal procedure I found online. Unfortunately I got stuck after obtaining the log file from ComboFix. I would very much appreciate advice from someone experienced in analysing such files. I have read that you help other users with similar problems. Please help me with my case; it seems more complicated because of the number of infections. Here is the content of the ComboFix log file.
I look forward to your reply
Monia
***************************************
ComboFix 08-07-01.5 - Pracownik 2008-07-03 9:21:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.139 [GMT 2:00]
Running from: G:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.
2008-07-03 09:18 . 2008-07-03 09:18
2008-07-03 09:07 . 2008-07-03 09:07
2008-07-03 09:07 . 2008-07-03 09:07
2008-07-03 09:07 . 2008-07-03 09:07 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-07-02 15:09 . 2008-07-03 09:11
2008-07-02 15:09 . 2008-07-02 15:09
2008-07-02 15:09 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-02 15:09 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-02 15:09 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-02 15:09 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-02 11:07 . 2008-07-02 11:06 113,731 -r-hs---- C:\xmnm2.cmd
2008-07-02 09:54 . 2008-06-27 08:48 112,070 -r-hs---- C:\r.cmd
2008-06-26 14:52 . 2008-07-03 09:20
2008-06-18 12:07 . 1996-12-02 18:44 251,664 --a------ C:\WINDOWS\system32\msrd2x35.dll
2008-06-18 12:06 . 1997-01-13 00:00 37,136 --a------ C:\WINDOWS\system32\Msjint35.dll
2008-06-18 12:06 . 1996-12-02 18:44 24,336 --a------ C:\WINDOWS\system32\msjter35.dll
2008-06-12 09:27 . 2008-06-12 09:27
2008-06-12 09:27 . 1995-07-21 10:58 26,624 --a------ C:\WINDOWS\system\SV3D32.DLL
2008-06-12 09:27 . 2008-06-25 13:24 56 --a------ C:\WINDOWS\SCI.INI
2008-06-11 08:49 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:49 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 13:10 --------- d-----w C:\Documents and Settings\Pracownik\Dane aplikacji\U3
2008-05-20 13:37 --------- d-----w C:\Program Files\EIZO
2008-05-12 13:08 --------- d-----w C:\Documents and Settings\Pracownik\Dane aplikacji\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 07:20 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 13:20 503808]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"ScreenManager Pro for LCD"="C:\Program Files\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe" [2007-08-30 05:47 10937640]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusOverride”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\ESI Software\PAM-STAMP\2005.0\Binary\SolverManager\solvermanager.exe"=
"C:\flexlm\pam_lmd.exe"=
"C:\flexlm\lmgrd.exe"=
"C:\Program Files\Dassault Systemes\B09D20\intel_a\code\bin\orbixd.exe"=
"C:\Program Files\Dassault Systemes\B09D20\intel_a\code\bin\CNEXT.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-07-03 09:07]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []
R2 FLEXlm Service 1;FLEXlm Service 1;C:\flexlm\lmgrd.exe [2005-02-18 13:17]
R2 PamSolverManager21;PamSolver Manager v2.1;"C:\Program Files\ESI Software\PAM-STAMP\2005.0\Binary\SolverManager\solvermanager.exe" [2005-01-06 16:40]
S2 BBDemon;Backbone Service;C:\Program Files\Dassault Systemes\B09D20\intel_a\code\bin\CATSysDemon.exe [2002-04-17 21:35]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{34a4c784-ae16-11dc-8077-0040f479c839}]
\Shell\Auto\command - H:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{40d69e7e-f135-11da-bee7-0040f479c839}]
\Shell\AutoRun\command - jdwx.exe
\Shell\explore\Command - jdwx.exe
\Shell\open\Command - jdwx.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{75f30f06-575d-11db-bf42-0040f479c839}]
\Shell\AutoRun\command - H:\r.cmd
\Shell\explore\Command - H:\r.cmd
\Shell\open\Command - H:\r.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{a6fc5fde-7eac-11db-bf62-0040f479c839}]
\Shell\AutoRun\command - H:\r.cmd
\Shell\explore\Command - H:\r.cmd
\Shell\open\Command - H:\r.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ade4f0d0-46ec-11db-bf32-0040f479c839}]
\Shell\AutoRun\command - H:\jdwx.exe
\Shell\explore\Command - H:\jdwx.exe
\Shell\open\Command - H:\jdwx.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b7002e76-2184-11dd-80d3-0040f479c839}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
*Newly Created Service* - CATCHME
*Newly Created Service* - CSISCANNER
*Newly Created Service* - PXARK
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-IS CfgWiz - C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe
HKLM-Run-URLLSTCK.exe - C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 09:28:31
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
- C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-07-03 9:34:36
ComboFix-quarantined-files.txt 2008-07-03 07:34:31
Pre-Run: 1,559,891,968 bajtów wolnych
Post-Run: 6,129,762,304 bajtów wolnych
133 --- E O F --- 2008-06-20 13:05:35
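The most telling part of the log above is the MountPoints2 section: every removable drive this machine has seen carries autorun handlers pointing at files such as H:\r.cmd, jdwx.exe or RunDLL32 ShellExec_RunDLL Cn911.exe, which is how Amvo-style worms re-infect a cleaned PC the moment the USB stick is plugged back in. The script below is an added example (not part of Monia's post, not ComboFix code) that parses exactly those lines from the log and flags the GUIDs whose commands look like removable-media malware. The sample input is the MountPoints2 block copied from the post; the benign allowlist (bare EXPLORER.EXE) and the heuristics themselves are my assumptions about what an analyst would look for.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the MountPoints2 block quoted from the ComboFix log in the post
# (GUIDs and commands copied verbatim; the surrounding code is an added example).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{34a4c784-ae16-11dc-8077-0040f479c839}]
\Shell\Auto\command - H:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{40d69e7e-f135-11da-bee7-0040f479c839}]
\Shell\AutoRun\command - jdwx.exe
\Shell\explore\Command - jdwx.exe
\Shell\open\Command - jdwx.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{75f30f06-575d-11db-bf42-0040f479c839}]
\Shell\AutoRun\command - H:\r.cmd
\Shell\explore\Command - H:\r.cmd
\Shell\open\Command - H:\r.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{a6fc5fde-7eac-11db-bf62-0040f479c839}]
\Shell\AutoRun\command - H:\r.cmd
\Shell\explore\Command - H:\r.cmd
\Shell\open\Command - H:\r.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ade4f0d0-46ec-11db-bf32-0040f479c839}]
\Shell\AutoRun\command - H:\jdwx.exe
\Shell\explore\Command - H:\jdwx.exe
\Shell\open\Command - H:\jdwx.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b7002e76-2184-11dd-80d3-0040f479c839}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
"""

# ComboFix prints the key header with the GUID in braces (the backslash before it is optional here,
# since the post's copy of the log lost it), then one "\Shell\<verb>\command - <target>" line per verb.
KEY_RE = re.compile(r"^\[.*mountpoints2\\?\{([0-9a-f-]+)\}\]$", re.IGNORECASE)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.IGNORECASE)

# Windows itself writes a bare EXPLORER.EXE for drives browsed in Explorer; treated as benign (assumption).
BENIGN_COMMANDS = {"explorer.exe"}


def parse_mountpoints2(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the per-verb command lines under the MountPoints2 GUID they belong to."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, [])
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current].append((cmd.group(1).lower(), cmd.group(2).strip()))
    return entries


def suspicious_reasons(command: str) -> List[str]:
    """Return why an autorun command looks like removable-media malware; empty list means nothing found."""
    low = command.strip().lower()
    if low in BENIGN_COMMANDS:
        return []
    reasons: List[str] = []
    # RunDLL32 + ShellExec_RunDLL is a legitimate Windows launcher abused to start a file on the drive.
    if "shellexec_rundll" in low:
        reasons.append("uses RunDLL32 ShellExec_RunDLL to launch a file from the drive")
    # Batch scripts as autorun handlers (r.cmd, xmnm2.cmd in the log) are a common worm pattern.
    if low.endswith((".cmd", ".bat")):
        reasons.append("autorun target is a batch script")
    tokens = low.split()
    first = tokens[0] if tokens else ""
    # A bare file name is resolved against the root of the removable drive itself.
    if ":" not in first and "\\" not in first and first.endswith((".exe", ".cmd", ".bat")):
        reasons.append("relative path resolved on the removable drive")
    # An explicit drive letter other than the system drive (assumed C:) pointing at an executable.
    drive = re.match(r"^([a-z]):\\", low)
    if drive and drive.group(1) != "c":
        reasons.append(f"executable launched from drive {drive.group(1).upper()}:")
    return reasons


def flag_autorun_entries(log: str) -> Dict[str, List[str]]:
    """Map each GUID to the distinct reasons across all its verbs; GUIDs with no findings are omitted."""
    flagged: Dict[str, List[str]] = {}
    for guid, cmds in parse_mountpoints2(log).items():
        reasons: List[str] = []
        for _verb, command in cmds:
            for r in suspicious_reasons(command):
                if r not in reasons:
                    reasons.append(r)
        if reasons:
            flagged[guid] = reasons
    return flagged


if __name__ == "__main__":
    for guid, reasons in flag_autorun_entries(SAMPLE_LOG).items():
        print(f"{guid}: {'; '.join(reasons)}")
```

Run against the block above it flags five of the six GUIDs and leaves the EXPLORER.EXE one alone. The practical lesson for the cleanup is that deleting amvo.exe and the autorun.inf files (the "Other Deletions" section) is not enough on its own: these MountPoints2 keys and the r.cmd / xmnm2.cmd droppers on the drives need to go as well, and every USB stick that has touched the machine should be checked for its own autorun.inf before being plugged in again.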