Split off from another topic (2)

offline
  • Joined: 01 Dec 2008
  • Posts: 6

Hello,

I have the same problem as blagojer.
So on every disk and stick a RECYCLER folder and an autorun.inf appear.
Both are, of course, hidden or protected system files.
Inside the RECYCLER folder there is sometimes a trash-can icon with this name:
S-1-5-21-823518204-842925246-682003330-1003
and inside it there is sometimes also a file called klass.
I had a problem with RaVMon.exe and Autorun.inf before and fixed those, and now I have this new crap and I don't know where I picked it up.
The problem is big: I have it at work on 2 computers, and all 13 of us workers have it at home on our computers and on our sticks as well.
The easiest thing would be to reinstall Windows, but when I delete it on one disk it comes back and shows up on the other, so I'm not sure whether that would help...

Please save my life, I haven't been able to get rid of this for 2 weeks now; I delete those files and autorun.inf reappears after 4 seconds, and the other one too.
I've tried countless anti-this and anti-that, antiviruses and all sorts, and I just can't get rid of it.

Thanks in advance, please help

Regards

Here are the logs:

ComboFix 08-11-30.02 - COVER 2008-12-01 17:36:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.962 [GMT 1:00]
Running from: c:\documents and settings\COVER\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 414093 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\COVER\Application Data\addons.dat
c:\windows\system32\bitcometres.dll
D:\install.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 16:54 . 2008-12-01 17:06 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-01 16:54 . 2008-12-01 16:54 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-01 16:53 . 2008-12-01 16:53 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-01 16:53 . 2008-12-01 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-01 16:53 . 2008-12-01 17:46 4,515,872 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-01 16:53 . 2008-12-01 17:46 352,288 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-01 16:53 . 2008-12-01 17:46 38,456 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-01 16:53 . 2008-12-01 17:46 2,284 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-01 16:51 . 2008-12-01 16:51 <DIR> d-------- c:\program files\Kaspersky Internet Security
2008-11-30 18:34 . 2008-11-30 18:34 <DIR> d-------- c:\program files\USB Disk Security
2008-11-29 22:49 . 2008-11-29 22:49 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-29 22:49 . 2008-11-29 22:49 1,409 --a------ c:\windows\QTFont.for
2008-11-28 08:39 . 2008-11-28 08:39 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-24 12:31 . 2008-11-24 12:31 <DIR> d-------- c:\program files\Canon
2008-11-23 18:57 . 2008-11-23 18:58 <DIR> d-------- c:\program files\Error Repair Professional
2008-11-23 18:22 . 2008-11-23 18:22 <DIR> d-------- c:\program files\Webteh
2008-11-22 18:43 . 2008-11-22 18:43 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 18:27 . 2008-11-23 19:07 <DIR> d-------- c:\documents and settings\COVER\Application Data\BSplayer PRO
2008-11-22 07:33 . 2008-11-22 07:33 3,524 --a------ c:\windows\system32\tmp.reg
2008-11-22 07:27 . 2007-09-06 00:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-22 07:27 . 2006-04-27 17:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-22 07:27 . 2003-06-05 21:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-22 07:27 . 2004-07-31 18:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-22 07:14 . 2008-11-22 07:14 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 18:34 . 2008-11-22 02:00 <DIR> d-------- C:\!KillBox
2008-11-21 15:36 . 2008-11-21 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-20 22:16 . 2008-11-20 22:25 <DIR> d-------- c:\documents and settings\COVER\Application Data\GetRight Pro
2008-11-20 21:11 . 2005-09-23 07:29 626,688 --a------ c:\windows\system32\msvcr80.dll
2008-11-19 20:20 . 2008-11-19 20:20 <DIR> d-------- c:\documents and settings\COVER\Application Data\NASA
2008-11-19 20:18 . 2008-11-19 20:18 <DIR> d-------- c:\program files\NASA
2008-11-19 18:33 . 2007-06-29 09:59 108,552 -ra------ c:\windows\system32\drivers\s716mdm.sys
2008-11-19 18:33 . 2007-06-29 09:59 15,112 -ra------ c:\windows\system32\drivers\s716mdfl.sys
2008-11-19 18:33 . 2007-06-29 09:59 12,424 -ra------ c:\windows\system32\drivers\s716cmnt.sys
2008-11-19 18:33 . 2007-06-29 09:59 12,424 -ra------ c:\windows\system32\drivers\s716cm.sys
2008-11-19 18:30 . 2007-06-29 09:59 83,208 -ra------ c:\windows\system32\drivers\s716bus.sys
2008-11-19 18:30 . 2007-06-29 09:59 12,424 -ra------ c:\windows\system32\drivers\s716whnt.sys
2008-11-19 18:30 . 2007-06-29 09:59 12,424 -ra------ c:\windows\system32\drivers\s716wh.sys
2008-11-19 16:46 . 2008-11-29 12:01 183,112 --a------ c:\windows\system32\PnkBstrB.exe
2008-11-19 16:46 . 2008-11-29 12:01 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-11-19 16:46 . 2008-11-23 23:34 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-11-19 16:23 . 2008-11-19 16:23 <DIR> d-------- c:\program files\DAEMON Tools
2008-11-18 16:39 . 2008-11-18 16:39 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-15 11:26 . 2008-11-15 11:26 4 --a------ C:\timestmp.tmp
2008-11-10 13:34 . 2008-11-10 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2008-11-08 17:52 . 2008-11-08 17:52 220,331 --a------ c:\windows\ProgDVB Uninstaller.exe
2008-11-08 17:31 . 2008-11-08 17:55 <DIR> d-------- c:\program files\ProgDVB
2008-11-08 16:47 . 2008-11-08 16:47 <DIR> d-------- c:\program files\DVBViewerTE
2008-11-08 16:44 . 2008-11-08 16:44 <DIR> d-------- c:\program files\TechniSat DVB
2008-11-08 16:44 . 2004-03-10 23:37 368,912 --a------ c:\windows\system32\vbar332.dll
2008-11-08 16:44 . 2004-05-02 20:30 118,784 --a------ c:\windows\system32\SkyDll.dll
2008-11-08 16:44 . 2004-05-02 20:30 118,784 --a------ c:\windows\system32\Sky2PCUI.dll
2008-11-08 16:44 . 2004-04-13 13:15 102,400 --a------ c:\windows\system32\libbz2.dll
2008-11-08 16:27 . 2008-11-08 16:27 <DIR> d-------- c:\program files\DVBViewer TE2
2008-11-06 23:37 . 2008-11-06 23:37 <DIR> d--hs---- c:\windows\ftpcache
2008-11-02 23:42 . 2008-11-02 23:42 <DIR> d-------- c:\windows\Easy Rapidshare Points
2008-11-02 19:58 . 2008-11-02 19:58 <DIR> d-------- c:\program files\MSBuild
2008-11-02 19:55 . 2008-11-06 20:02 <DIR> d-------- c:\windows\system32\XPSViewer
2008-11-02 19:55 . 2008-11-02 19:55 <DIR> d-------- c:\program files\Reference Assemblies
2008-11-02 19:54 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-11-02 17:57 . 2008-11-02 17:57 <DIR> d-------- c:\program files\Rar Repair Tool
2008-11-02 12:47 . 2008-11-02 12:47 <DIR> d-------- c:\windows\system32\xlive
2008-11-01 18:55 . 2008-11-01 18:55 <DIR> d-------- c:\program files\Common Files\DirectX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 16:47 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-12-01 16:47 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-12-01 16:15 --------- d-----w c:\program files\Firefox 3
2008-12-01 15:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 15:08 --------- d-----w c:\documents and settings\COVER\Application Data\uTorrent
2008-11-28 07:04 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-26 09:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 11:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-22 18:01 --------- d-----w c:\program files\Lisica 2.0.16
2008-11-21 16:02 --------- d-----w c:\program files\videofixer
2008-11-21 16:00 --------- d-----w c:\program files\All Media Fixer
2008-11-21 15:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-20 14:53 --------- d-----w c:\program files\XoftSpySE
2008-11-19 06:19 --------- d-----w c:\program files\TeamViewer3
2008-11-17 15:00 --------- d-----w c:\program files\ESET
2008-11-17 05:16 --------- d-----w c:\program files\BitComet
2008-11-15 17:55 --------- d-----w c:\documents and settings\COVER\Application Data\LimeWire
2008-10-30 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-30 11:21 --------- d-----w c:\program files\JLC's Software
2008-10-30 11:21 --------- d-----w c:\documents and settings\COVER\Application Data\JLC's Software
2008-10-29 00:43 3,264 ----a-w C:\drmHeader.bin
2008-10-26 17:55 --------- d-----w c:\documents and settings\COVER\Application Data\Canon
2008-10-24 13:47 --------- d-----w c:\program files\Word Translator
2008-10-22 10:21 --------- d-----w c:\program files\Alcohol Soft
2008-10-22 07:43 --------- d-----w c:\documents and settings\COVER\Application Data\Nero
2008-10-22 07:42 --------- d-----w c:\program files\Nero 9
2008-10-22 07:42 --------- d-----w c:\program files\Common Files\Nero
2008-10-21 23:29 --------- d-----w c:\program files\Common Files\Ahead
2008-10-21 23:29 --------- d-----w c:\program files\Ahead
2008-10-18 15:21 --------- d-----w c:\documents and settings\All Users\Application Data\Codemasters
2008-10-17 00:46 --------- d-----w c:\program files\FastStone Image Viewer
2008-10-17 00:38 --------- d-----w c:\program files\Electronic Arts
2008-10-14 22:31 --------- d-----w c:\documents and settings\COVER\Application Data\Touchstone
2008-10-14 22:09 --------- d-----w c:\program files\AGEIA Technologies
2008-10-14 13:34 --------- d-----w c:\documents and settings\COVER\Application Data\CyberLink
2008-10-13 10:28 --------- d-----w c:\documents and settings\COVER\Application Data\Disney Interactive Studios
2008-10-09 22:58 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-09 11:33 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-10-09 11:33 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-10-09 11:33 --------- d-----w c:\program files\OpenAL
2008-10-09 11:01 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-10-09 10:57 --------- d-----w c:\program files\ATI Technologies
2008-10-09 10:55 --------- d-----w c:\program files\Common Files\ATI Technologies
2008-10-09 00:43 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 00:41 --------- d-----w c:\program files\Common Files\Control Panels
2008-10-09 00:40 --------- d-----w c:\documents and settings\All Users\Application Data\ALM
2008-10-09 00:14 --------- d-----w c:\program files\Bonjour
2008-10-09 00:09 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-08 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-10-07 10:55 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-07 10:55 --------- d-----w c:\documents and settings\COVER\Application Data\DAEMON Tools
2008-10-06 11:00 --------- d-----w c:\program files\++HideAnyWindow
2008-10-06 10:01 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-06 09:58 --------- d-----w c:\program files\Logitech
2008-10-06 07:01 --------- d-----w c:\program files\AVI MPEG RM WMV Splitter
2008-10-05 20:01 --------- d-----w c:\program files\wLite
2008-10-03 22:51 3,969,144 ----a-w c:\documents and settings\COVER\$TEMP.dat
2008-10-01 07:04 --------- d-----w c:\program files\++OpenVideoCapture
2008-09-15 14:04 921,632 ----a-w C:\PA7302.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCApp"="c:\program files\gigabyte\RCApp\U7000RCApp.exe" [2007-04-24 625152]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-06 185896]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-08-16 798720]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

c:\documents and settings\COVER\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-02-13 493832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Server4PC.lnk - c:\program files\TechniSat DVB\bin\Server4PC.exe [2008-11-08 430080]
TMMonitor.lnk - c:\program files\MSI\ArcSoft\TotalMedia\TMMonitor.exe [2008-09-21 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^COVER^Start Menu^Programs^Startup^BitComet Acceleration Patch.lnk]
backup=c:\windows\pss\BitComet Acceleration Patch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^COVER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^COVER^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\COVER\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 11:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 19:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent 1.8\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\GAMES\\GAMES INSTALL\\PES 2009\\pes2009.exe"=
"d:\\GAMES\\GAMES INSTALL\\FAR CRY 2\\bin\\FarCry2.exe"=
"d:\\GAMES\\GAMES INSTALL\\FAR CRY 2\\bin\\FC2Launcher.exe"=
"d:\\GAMES\\GAMES INSTALL\\FAR CRY 2\\bin\\FC2Editor.exe"=
"d:\\GAMES\\GAMES INSTALL\\COD 5\\CoDWaWmp.exe"=
"d:\\GAMES\\GAMES INSTALL\\COD 5\\CoDWaW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10589:TCP"= 10589:TCP:BitComet 10589 TCP
"10589:UDP"= 10589:UDP:BitComet 10589 UDP
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R2 TeamViewer;TeamViewer 3;"c:\program files\TeamViewer3\TeamViewer_Host.exe" -service [2008-02-19 176128]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-10-09 93696]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-10-06 628760]
R3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2006-05-08 13056]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-02 31504]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\DRIVERS\SkyNET.SYS [2008-09-04 451816]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2001-08-23 3584]
S3 PAC7302;i-Look 317;c:\windows\system32\DRIVERS\PAC7302.SYS [2008-09-15 457856]
S3 RKH;RKH;c:\docume~1\COVER\LOCALS~1\Temp\RKH.exe []
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\DRIVERS\s716bus.sys [2008-11-19 83208]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s716mdfl.sys [2008-11-19 15112]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s716mdm.sys [2008-11-19 108552]
S3 vmfilter323;323 filter service, Normal;c:\windows\system32\drivers\vmfilter323.sys []
S3 ZSMC326;CANYON USB PC Camera;c:\windows\system32\Drivers\usbvm323.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c80fed2-7996-11dd-b0e2-001d7da7023a}]
\Shell\AutoRun\command - h:\wd_windows_tools\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{07AD01B9-2286-596D-9CC7-916F9933591B}]
c:\program files\windowssecurity\security.exe s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81GH8C654712}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\klass.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-03-05 11:13]

2008-11-17 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-03-05 11:13]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\COVER\Application Data\Mozilla\Firefox\Profiles\t7il0la5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.24sata.hr/
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npDivxPlayerPlugin.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npnul32.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin7.dll
FF -: plugin - c:\program files\Firefox 3\plugins\NPSWF32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-01 17:48:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7768-)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\TeamViewer3\TeamViewer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-12-01 17:53:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 16:53:24

Pre-Run: 1.897.598.976 bytes free
Post-Run: 2,621,812,736 bytes free



USB_blocker by bobby

Started at 1.12.2008 17:56:29

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
D: 7e7c5a46-6351-11dd-a1c4-806d6172696f
C: 7e7c5a47-6351-11dd-a1c4-806d6172696f
E: 7e7c5a48-6351-11dd-a1c4-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 1.12.2008 17:56:44

Scanning for connected USB Mass storage...
========================================
I: 5e56880a-634d-11dd-b0d2-001d7da7023a
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
========================================


New device connected at 1.12.2008 17:58:30

Scanning for connected USB Mass storage...
========================================
H: 9ab154a4-6346-11dd-b0d1-001d7da7023a
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

autorun.inf found on H:
Error renaming file H:\autorun.inf

desktop.ini found on H:
Sanitizing Shell Menu...
No key for GUID: 9ab154a4-6346-11dd-b0d1-001d7da7023a
========================================


New device connected at 1.12.2008 17:59:24

Scanning for connected USB Mass storage...
========================================
H: d0aa45fc-804a-11dd-b0e7-001d7da7023a
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
Sanitized d0aa45fc-804a-11dd-b0e7-001d7da7023a
========================================
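
The ComboFix log above shows the three registry persistence points that matter for this infection: an Explorer MountPoints2 entry caching a volume's AutoRun command, and two Active Setup "Installed Components" stubs, one of which runs klass.exe straight out of c:\recycler. Here is an added example (not ComboFix's code and not the forum's USB_blocker) that pulls those out of a "Reg Loading Points" dump and renders them in the CFScript `Registry::` syntax ComboFix accepts. The sample log is constructed from the lines posted above; the function names and the heuristics (hex-only GUID check, stub location check) are this example's own assumptions.

```python
"""Triage ComboFix 'Reg Loading Points' output for removable-media worm persistence.
Added example for this thread; not part of ComboFix or the forum's tools."""
import re
import sys

HEX_GUID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
REG_KEY = re.compile(r"^\[(HK[^\]]+)\]$", re.I)
MOUNTPOINTS2 = re.compile(r"\\mountpoints2\\(\{[^}]*\})$", re.I)
ACTIVE_SETUP = re.compile(r"\\active setup\\installed components\\(\{[^}]*\})$", re.I)
# Active Setup stubs shipped by Windows live under the Windows directory (or are
# regsvr32/rundll32 invocations); a stub in RECYCLER, TEMP or a random Program
# Files subfolder deserves a look. Heuristic, not a whitelist.
BAD_DIRS = re.compile(r"\\(recycler|recycled|temp)\\", re.I)
WINDIR = re.compile(r"^\"?(c:\\windows\\|%systemroot%\\|regsvr32|rundll32)", re.I)


def triage_reg_points(log_text):
    """One finding per MountPoints2 AutoRun handler or Active Setup stub, with the
    reasons it was flagged (an empty reasons list means 'listed for review only')."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = REG_KEY.match(line.strip())
        if not m:
            continue
        key = m.group(1)
        # ComboFix prints the key, then its value/command on the following line.
        body = next((l.strip() for l in lines[i + 1:i + 3] if l.strip()), "")
        asm = ACTIVE_SETUP.search(key)
        if MOUNTPOINTS2.search(key):
            # Explorer caches a volume's autorun.inf command here, keyed by volume GUID;
            # it keeps firing on double-click even after autorun.inf itself is gone.
            cmd = body.split(" - ", 1)[1] if " - " in body else body
            findings.append({"key": key, "kind": "mountpoints2", "command": cmd,
                             "reasons": ["cached AutoRun command for a removable volume"]})
        elif asm:
            reasons = []
            if not HEX_GUID.match(asm.group(1)):
                reasons.append("GUID contains non-hex characters (forged)")
            if BAD_DIRS.search(body):
                reasons.append("stub runs from RECYCLER/TEMP")
            elif not WINDIR.match(body):
                reasons.append("stub not under the Windows directory")
            findings.append({"key": key, "kind": "active-setup", "command": body,
                             "reasons": reasons})
    return findings


def to_cfscript(findings):
    """Render flagged keys as a ComboFix CFScript 'Registry::' block ([-KEY] deletes)."""
    flagged = [f for f in findings if f["reasons"]]
    return "Registry::\n" + "\n".join(f"[-{f['key']}]" for f in flagged) + "\n"


# Constructed sample: the three entries from the ComboFix log posted in this thread,
# plus one ordinary Run key to show that unrelated keys are ignored.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c80fed2-7996-11dd-b0e2-001d7da7023a}]
\Shell\AutoRun\command - h:\wd_windows_tools\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{07AD01B9-2286-596D-9CC7-916F9933591B}]
c:\program files\windowssecurity\security.exe s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81GH8C654712}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\klass.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = triage_reg_points(text)
    for f in found:
        print(f["kind"], f["key"], "->", f["command"], "|", "; ".join(f["reasons"]) or "review")
    print(to_cfscript(found))
```

Run it as `python triage.py ComboFix.txt` against a saved log; with no argument it runs on the embedded sample, and the `Registry::` block it prints is the same three deletions the moderator hands out later in this thread. The forged-GUID check is worth keeping: a real CLSID is hex throughout, and `AAX5-81GH` in the third key cannot be one.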

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Don't get me wrong, but you are already the second one in the last half hour, and maybe the tenth this week, who hasn't followed the rules for opening a topic in the Ambulanta.

Every day I wonder why those topics are marked in red with "Important:" in front of them:
http://www.mycity.rs/Ambulanta/

1. You should not have run ComboFix without our supervision.
2. Less important, but you must not post in other people's topics; you have to open your own. One topic = one case = one AMF team member handles that case.

I'll look at the logs now to see whether any traces of the infection remain, and then whether there is anything left of the material we need for analysis...

Update: 01 Dec 2008 18:39

The second device you scanned with USB_blocker is infected, and USB_blocker failed to clean that USB device, most likely because the infection is already active.

Tell me which device that was and how it is formatted (FAT32 or NTFS).

Update: 01 Dec 2008 19:06

I think I know why USB_blocker failed to do its job.
Disable USB Guard and try again.

Also, in the ComboFix log I see USB devices that are infected which you haven't tried to clean with USB_blocker. Do you perhaps not have those devices at hand?

offline
  • Joined: 01 Dec 2008
  • Posts: 6

I apologize to the moderators; honestly, I didn't read the rules because I was happy, hoping I had found someone willing to help solve my problems.
I apologize for posting in the wrong topic.
The stick is a Sony USM4GR 4GB formatted as FAT32.
I don't have them at hand; which ones are they?
Thanks

Here is a new log, and look at what my Task Manager looks like, why?

Regards

Many thanks

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Click on the far right edge of the Task Manager; that should return it to its normal form.

You gave me the old USB_blocker log (the one with (1) in brackets is the old log). I need a new log, but disable USB Guard so that USB_blocker manages to do its job.

Look, every device has its own identification number. In the ComboFix log I see three devices (3 different identifiers), and in the USB_blocker log I see a different 3 devices.

offline
  • Joined: 01 Dec 2008
  • Posts: 6

Here, I managed to get Task Manager back to normal (I don't know how it got like that).
Thanks

here is the new log:


USB_blocker by bobby

Started at 1.12.2008 20:53:33

Scanning for connected USB Mass storage...
========================================
I: 5e56880a-634d-11dd-b0d2-001d7da7023a
========================================
Scanning for other storage...
========================================
D: 7e7c5a46-6351-11dd-a1c4-806d6172696f
C: 7e7c5a47-6351-11dd-a1c4-806d6172696f
E: 7e7c5a48-6351-11dd-a1c4-806d6172696f
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 1.12.2008 20:55:14

Scanning for connected USB Mass storage...
========================================
H: 9ab154a4-6346-11dd-b0d1-001d7da7023a
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

desktop.ini found on H:
File H:\Portable.Everest.4.60.1562.Beta.g3n\Portable.Everest.4.60.1562.Beta.g3n\desktop.ini renamed successfully
Sanitizing Shell Menu...
No key for GUID: 9ab154a4-6346-11dd-b0d1-001d7da7023a
========================================


New device connected at 1.12.2008 20:56:46

Scanning for connected USB Mass storage...
========================================
H: d0aa45fc-804a-11dd-b0e7-001d7da7023a
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: d0aa45fc-804a-11dd-b0e7-001d7da7023a
========================================


Regards

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c80fed2-7996-11dd-b0e2-001d7da7023a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{07AD01B9-2286-596D-9CC7-916F9933591B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81GH8C654712}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

offline
  • Joined: 01 Dec 2008
  • Posts: 6

Here it is, finally...

Regards

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I would say the infection is now removed.

Uninstall ComboFix following these instructions:

Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if required
Hide system/hidden files/folders, if required
Reset System Restore


Keep using USB_blocker if you continue to use the USB stick on several computers.
The folder that could not be deleted before should now be deletable manually.

offline
  • Joined: 01 Dec 2008
  • Posts: 6

Many thanks...
but that RECYCLER folder appears again on all my disks (does it have to?),
inside that folder there is a trash-can icon with some strange name, and everything I delete on the computer gets thrown into that folder, into the trash icon.
Should I run ComboFix again (which I deleted), or what? Fortunately, the autorun is gone.

Thanks in advance

here are the screenshots

Regards

Update: 03 Dec 2008 1:31

and yes... I delete that whole RECYCLER folder (only possible with Unlocker) but after a few seconds or minutes it comes back; does it have to be there, does it have anything to do with the trash icon on the desktop?

Regards

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

That folder has to be there. It is the folder you see on the desktop as the Recycle Bin. Every partition has one such folder.
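
Tying the opening post's symptoms (a RECYCLER folder with an SID-named subfolder and a "klass" file on every disk and stick, plus autorun.inf) to the moderator's closing point that RECYCLER itself is legitimate: on an NTFS volume Windows XP keeps the Recycle Bin in RECYCLER\<user SID>\ and only ever writes INFO2, desktop.ini and deleted files renamed to D<drive letter><n>.<ext> there (FAT volumes use a flat RECYCLED folder instead). An executable under its own name inside that folder, or an autorun.inf whose open=, shellexecute= or shell\...\command lines point into RECYCLER, is the worm, not the bin. The following added example (the thread's USB_blocker is a different tool, and none of this is its code) checks a volume root for both. The sample volume is constructed in a temporary directory from the paths in the ComboFix log; the function names are this example's own assumptions.

```python
"""Check a volume root for the autorun.inf + RECYCLER\\<SID>\\ dropper pattern.
Added example for this thread; not the forum's USB_blocker and not Windows code."""
import re
import sys
import tempfile
from pathlib import Path

# [autorun] keys that make Explorer run a program (besides shell\<verb>\command).
LAUNCH_KEYS = {"open", "shellexecute"}
USER_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.I)
# The only names Windows XP itself writes into RECYCLER\<SID>\: the INFO2 index,
# desktop.ini, and deleted files renamed to D<drive letter><n>.<ext> (e.g. Dc1.exe).
BIN_OWN_NAMES = re.compile(r"^(INFO2|desktop\.ini|D[A-Z]\d+(\.[^.]*)?)$", re.I)


def parse_autorun(text):
    """Return (key, target) pairs from [autorun] that launch something.
    Line-based on purpose: worms pad autorun.inf with binary junk that breaks
    strict INI parsers, while Windows itself skips over the junk."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def foreign_recycler_files(root):
    """Files under RECYCLER\\<SID>\\ that the Recycle Bin did not put there."""
    root, found = Path(root), []
    for bin_dir in root.iterdir():
        if not (bin_dir.is_dir() and bin_dir.name.upper() == "RECYCLER"):
            continue
        for sid_dir in bin_dir.iterdir():
            if not (sid_dir.is_dir() and USER_SID.match(sid_dir.name)):
                continue
            for f in sid_dir.iterdir():
                if f.is_file() and not BIN_OWN_NAMES.match(f.name):
                    found.append(f.relative_to(root).as_posix())
    return sorted(found)


def scan_volume(root):
    """Run both checks on one volume root; 'suspicious' is the verdict."""
    root = Path(root)
    result = {"autorun_targets": [], "foreign_recycler_files": foreign_recycler_files(root)}
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            result["autorun_targets"] = parse_autorun(entry.read_bytes().decode("latin-1"))
    result["suspicious"] = bool(result["foreign_recycler_files"]) or any(
        "recycler" in target.lower() for _, target in result["autorun_targets"])
    return result


# Constructed sample mirroring the paths in the thread's ComboFix log.
SID = "S-1-5-21-1482476501-1644491937-682003330-1013"
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "\x01\x02\xfe junk the worm inserts to trip naive parsers\r\n"
    f"open=RECYCLER\\{SID}\\klass.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    f"shell\\open\\command=RECYCLER\\{SID}\\klass.exe\r\n"
    f"shellexecute=RECYCLER\\{SID}\\klass.exe\r\n"
    "[other]\r\n"
    "open=ignored_outside_autorun_section.exe\r\n"
)


def build_sample_volume(infected=True):
    """Create a throwaway volume in a temp dir and return its root (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    sid_dir = root / "RECYCLER" / SID
    sid_dir.mkdir(parents=True)
    (sid_dir / "INFO2").write_bytes(b"\x05\x00\x00\x00")   # legitimate bin index
    (sid_dir / "desktop.ini").write_text("[.ShellClassInfo]\r\n")
    (sid_dir / "Dc1.exe").write_bytes(b"MZ")               # a genuinely deleted .exe
    if infected:
        (sid_dir / "klass.exe").write_bytes(b"MZ")         # the dropper
        (root / "autorun.inf").write_bytes(SAMPLE_AUTORUN.encode("latin-1"))
    return root


if __name__ == "__main__":
    for vol in sys.argv[1:] or [build_sample_volume()]:
        print(vol, scan_volume(vol))
```

Point it at a real drive letter (`python volcheck.py H:\`) on the affected machine; with no argument it builds and scans the sample. The Dc1.exe in the sample is deliberately there so the check shows that a deleted executable sitting in the bin under its renamed Dc<n> name is not reported, while klass.exe under its own name is.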
