After the infection, the computer showed all of the system files as infected (*.cmd, msiexec.exe, etc.).
I managed to boot from the Windows disc
and reinstall Windows.
I don't know whether that's the end of it.
I ran ComboFix and here is the log:
ComboFix 09-02-14.01 - ela 2009-02-15 17:54:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.3326.2603 [GMT 1:00]
Uruchomiony z: C:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((( Pliki utworzone od 2009-01-15 do 2009-02-15 )))))))))))))))))))))))))))))))
.
2009-02-15 17:46 . 2009-02-15 17:46 2,921,051 -ra------ C:\ComboFix.exe
2009-02-15 17:13 . 2008-04-15 13:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-15 17:12 . 2008-04-15 13:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-15 17:11 . 2009-02-15 17:11 749 -rah----- c:\windows\WindowsShell.Manifest
2009-02-15 17:11 . 2009-02-15 17:11 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-15 17:11 . 2009-02-15 17:11 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-02-15 17:11 . 2009-02-15 17:11 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-02-15 17:11 . 2009-02-15 17:11 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-02-15 17:10 . 2008-04-15 13:00 188,416 --a--c--- c:\windows\system32\dllcache\accwiz.exe
2009-02-15 17:10 . 2008-04-15 13:00 188,416 --a------ c:\windows\system32\accwiz.exe
2009-02-15 17:10 . 2008-04-15 13:00 17,408 --a--c--- c:\windows\system32\dllcache\mofcomp.exe
2009-02-14 14:57 . 2009-02-14 14:57 250 --a------ c:\windows\gmer.ini
2009-02-12 12:26 . 2009-02-12 12:26
2009-02-12 12:26 . 2009-02-14 12:17 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-12 12:26 . 2009-02-12 12:26 1,409 --a------ c:\windows\QTFont.for
2009-02-12 12:22 . 2009-02-12 13:30
2009-02-05 09:55 . 2009-02-13 16:00
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 11:13 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\avg8
2009-02-13 15:06 --------- d-----w c:\program files\AutoCAD LT 2000i Plk
2009-02-13 15:05 --------- d-----w c:\program files\ArchiCAD 8
2009-02-05 10:23 --------- d-----w c:\documents and settings\ela\Dane aplikacji\AVGTOOLBAR
2009-02-04 08:53 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-04 08:53 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-04 08:53 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-12 10:09 --------- d-----w c:\program files\Google
2009-01-12 10:06 --------- d-----w c:\documents and settings\leon\Dane aplikacji\INTERsoft
2009-01-12 10:04 --------- d-----w c:\documents and settings\leon\Dane aplikacji\AVGTOOLBAR
2009-01-09 12:23 16 ----a-w c:\documents and settings\ela\poww08.dll
2009-01-08 11:54 --------- d-----w c:\documents and settings\ela\Dane aplikacji\INTERsoft
2009-01-08 11:51 --------- d-----w c:\program files\INTERsoft
2009-01-08 11:51 --------- d-----r c:\documents and settings\All Users\Dane aplikacji\INTERsoft
2009-01-08 11:39 --------- d-----w c:\program files\Reference Assemblies
2009-01-08 11:39 --------- d-----w c:\program files\MSBuild
2009-01-06 09:30 --------- d-----w c:\program files\Smart PC Solutions
2009-01-06 09:30 --------- d-----w c:\documents and settings\ela\Dane aplikacji\Smart PC Solutions
2009-01-06 09:02 --------- d-----w c:\program files\AVG
2009-01-05 08:56 --------- d-----w c:\program files\QuickTime
2009-01-05 08:42 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Apple Computer
2009-01-05 08:39 --------- d-----w c:\program files\Graphisoft
2009-01-05 08:37 --------- d-----w c:\program files\Java
2009-01-05 08:37 --------- d-----w c:\program files\Common Files\Java
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-15 171520]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2009-01-05 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 282624]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 c:\windows\RTHDCPL.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 09:53 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 13:50 133104 c:\documents and settings\ela\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 21:51 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-01-12 11:09 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-08-20 08:38 16384512 c:\windows\RTHDCPL.exe
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"d:\ArchiCAD 10\ArchiCAD.exe"=
"c:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Internet Security 2009\Polish\setup.exe"=
"c:\Program Files\AVG\AVG8\avgemc.exe"=
"c:\Program Files\AVG\AVG8\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-06 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-06 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 298264]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [2008-08-29 16384]
--- Inne Usługi/Sterowniki w Pamięci ---
*NewlyCreated* - BITS
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b01333e5-80b4-11dd-aaf7-001fd052b68e}]
\Shell\AutoRun\command - J:\bo1dhu.bat
\Shell\explore\Command - J:\bo1dhu.bat
\Shell\open\Command - J:\bo1dhu.bat
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Zawartość folderu 'Zaplanowane zadania'
2009-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-507921405-1417001333-1004.job
- c:\documents and settings\ela\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2008-09-03 13:50]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1F831FAC-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD LT 2000i Plk\InstFred.ocx
.
.
------- Skojarzenia plików -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 17:55:05
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-02-15 17:55:55
ComboFix-quarantined-files.txt 2009-02-15 16:55:53
Przed: 27,897,749,504 bajtów wolnych
Po: 28,082,098,176 bajtów wolnych
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer