Neizbrisivi virus na fleshci

1

Neizbrisivi virus na fleshci

offline
  • Pridružio: 01 Apr 2005
  • Poruke: 797
  • Gde živiš: Niš

Кад убацим флешку, аваст пријављује вирус у ауторан фајлу, и у рецајклеру. Ауторан покреће неки сис32.егзе из рецајклера, сам се рекреира и тако даље.

Кад обришем све, не помаже. Кад радим формат он заврши за пар секунди и само побрише фајлове, али чисто сумљам да стварно форматира.
Пробао сам све да побришем из линукса, и успео, али кад проблем се и даље јавља.

Има ли искустава са овим? Како да оправим стари буђави флеш од 1ГБ?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Mislim da si već upućen na ovaj link:

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

Koji deo uputstva ti nije bio jasan?

offline
  • Pridružio: 01 Apr 2005
  • Poruke: 797
  • Gde živiš: Niš

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:35:10, on 3.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\POSTGR~1\ENTERP~1\apache\bin\httpd.exe
C:\PROGRA~1\POSTGR~1\ENTERP~1\apache\bin\httpd.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\Program Files\WinFast\WFDTV\DVBTAP.exe
C:\Program Files\Opera 9.5 alpha\opera.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\FreeCommander\FreeCommander.exe
D:\Instalacije\HiJackThis\sasa.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.studnet.lan:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost, 127.0.0.1, studnet.lan;*.local
O1 - Hosts: 194.9.94.120 s3.loopia.se
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1292428093-1220945662-1417001333-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-21-1292428093-1220945662-1417001333-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EnterpriseDB ApachePHP (EnterpriseDBApachePHP) - Apache Software Foundation - C:\PROGRA~1\POSTGR~1\ENTERP~1\apache\bin\httpd.exe
O23 - Service: Google Update Service (gupdate1c93f9134dadc0) (gupdate1c93f9134dadc0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PostgreSQL Server 8.3 (postgresql-8.3) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--
End of file - 8820 bytes

Dopuna: 03 Dec 2008 18:40

И да, није ми јасно ово:


3 - Nakon toga kliknite 2 puta na taj novi folder i u njemu promenite ime fajla HijackThis.exe u recimo TR3.exe.


Зашто?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

umpirsky ::D:\Instalacije\HiJackThis\sasa.exe



И да, није ми јасно ово:

3 - Nakon toga kliknite 2 puta na taj novi folder i u njemu promenite ime fajla HijackThis.exe u recimo TR3.exe.


Зашто?


Razlog zašto naziv foldera u kome se program nalazi i naziv file-a ne treba da upućuju na program HijackThis jeste to što se određeni primerci malware-a ''sakrivaju'' ukoliko detektuju da je pokrenut HijackThis.




Arrow Klikni desnim tasterom miša na avast! ikonicu ( ) u donjem, desnom uglu ekrana i izaberi Program settings....

U prozoru koji se otvori, pod Troubleshooting, čekiraj opciju Disable avast! self-defence i klikni OK.

Takođe, klikni desnim tasterom miša na avast! ikonicu ( ) u donjem, desnom uglu ekrana i izaberi Stop OnAccess Protection.


Napomena: Ne zaboravi da uključiš ove opcije po završetku čišćenja.




Arrow Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • Pridružio: 01 Apr 2005
  • Poruke: 797
  • Gde živiš: Niš

ComboFix 08-12-02.02 - Sale 2008-12-03 19:29:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.500 [GMT 1:00]
Running from: d:\instalacije\HiJackThis\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Dvbpws.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-01 21:12 . 2008-12-01 21:12 <DIR> d-------- c:\program files\psqlODBC
2008-12-01 21:08 . 2008-12-01 21:08 <DIR> d-------- c:\program files\psqlJDBC
2008-12-01 20:58 . 2008-12-01 20:58 <DIR> d-------- c:\documents and settings\postgres
2008-12-01 20:56 . 2008-12-01 21:12 <DIR> d-------- c:\program files\PostgreSQL
2008-11-27 23:20 . 2008-11-27 23:30 411 --a------ c:\windows\asfbinapp.INI
2008-11-26 22:49 . 2008-11-26 22:49 <DIR> d-------- c:\program files\glassfish-v3-prelude
2008-11-26 22:47 . 2008-11-26 22:49 <DIR> d-------- c:\program files\glassfish-v2ur2
2008-11-26 22:41 . 2008-11-26 22:50 <DIR> d-------- c:\program files\NetBeans 6.5
2008-11-26 22:20 . 2008-11-26 22:20 <DIR> d-------- C:\digitalvideoconverter
2008-11-26 21:26 . 2008-11-26 21:26 <DIR> d-------- c:\program files\Digital Video Converter
2008-11-23 19:56 . 2008-11-23 19:56 <DIR> d-------- c:\documents and settings\Sale\j2mewtk
2008-11-08 17:19 . 2003-02-21 04:42 348,160 --a------ c:\windows\system\MSVCR71.dll
2008-11-06 19:12 . 2008-11-06 19:12 <DIR> d-------- c:\program files\Bonjour
2008-11-06 19:11 . 2008-11-06 19:11 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-06 19:05 . 2008-11-06 19:05 <DIR> d-------- c:\program files\Apple Software Update
2008-11-05 20:46 . 2008-11-05 20:46 <DIR> d-------- c:\program files\EasyEclipse Desktop Java 1.3.1.1
2008-11-05 19:31 . 2008-11-05 19:31 <DIR> d-------- c:\program files\PowerQuest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 17:33 --------- d-----w c:\program files\FreeCommander
2008-12-03 16:19 --------- d-----w c:\program files\Mozilla Firefox 3
2008-12-01 20:08 --------- d-----w c:\program files\psqlJDBC
2008-12-01 06:25 --------- d-----w c:\program files\Google
2008-11-26 21:25 --------- d-----w c:\program files\Apache Software Foundation
2008-11-23 13:36 --------- d-----w c:\documents and settings\Sale\Application Data\Skype
2008-11-09 09:25 --------- d-----w c:\program files\Java
2008-11-08 16:06 --------- d-----w c:\program files\Winamp
2008-11-06 18:16 --------- d-----w c:\program files\Safari
2008-11-06 18:12 --------- d-----w c:\program files\QuickTime
2008-11-06 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-05 21:54 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-11-05 18:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-01 13:38 --------- d-----w c:\program files\Opera 9.5 alpha
2008-11-01 13:38 --------- d-----w c:\program files\Maxthon
2008-10-14 19:19 --------- d-----w c:\program files\IZArc
2008-10-11 08:28 --------- d-----w c:\documents and settings\Sale\Application Data\TortoiseSVN
2008-10-11 07:28 --------- d-----w c:\documents and settings\Sale\Application Data\Subversion
2008-10-11 06:39 --------- d-----w c:\program files\TortoiseSVN
2008-10-11 06:39 --------- d-----w c:\program files\Common Files\TortoiseOverlays
2008-10-03 22:25 --------- d-----w c:\program files\SQLyog Community
2008-10-03 21:28 --------- d-----w c:\program files\iolo
2008-10-03 21:04 --------- d-----w c:\program files\Apache Group
2008-10-03 20:59 --------- d-----w c:\program files\Zend
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-02-12 69632]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-02-12 397312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TC UP\\PLUGINS\\Media\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-23 111184]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\VD_FileDisk.sys [2006-01-13 15872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-23 20560]
R2 EnterpriseDBApachePHP;EnterpriseDB ApachePHP;"c:\progra~1\POSTGR~1\ENTERP~1\apache\bin\httpd.exe" -k runservice [2008-12-01 20539]
R2 postgresql-8.3;PostgreSQL Server 8.3;C:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N "postgresql-8.3" -D "C:/Program Files/PostgreSQL/8.3/data" -w []
R3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2008-03-01 9446]
S2 gupdate1c93f9134dadc0;Google Update Service (gupdate1c93f9134dadc0);"c:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-11-05 133104]
S3 VSPerfDrv90;Performance Tools Driver 9.0;\??\c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice [2008-10-03 24635]
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c19f4fe-2e12-11dd-bf9e-001a4d9deb88}]
\Shell\AutoRun\command - I:\tknn6.bat
\Shell\explore\Command - I:\tknn6.bat
\Shell\open\Command - I:\tknn6.bat

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-05 22:53]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Sale\Application Data\Mozilla\Firefox\Profiles\5qvng3nx.default\
FF -: plugin - c:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npnul32.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Mozilla Firefox 3\plugins\npqtplugin7.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npdsplay.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npqtplugin7.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\NPSWF32.dll
FF -: plugin - c:\program files\Opera 9.5 alpha\program\plugins\npwmsdrm.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 19:32:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\postgresql-8.3]
"ImagePath"="C:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N \"postgresql-8.3\" -D \"C:/Program Files/PostgreSQL/8.3/data\" -w"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\postgresql-8.3]
"ImagePath"="C:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N \"postgresql-8.3\" -D \"C:/Program Files/PostgreSQL/8.3/data\" -w"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\wbem\fastprox.dll
.
Completion time: 2008-12-03 19:33:02
ComboFix-quarantined-files.txt 2008-12-03 18:32:54

Pre-Run: 3.018.240.000 bytes free
Post-Run: 4,447,997,952 bytes free

209

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Skini sledeci program - http://amf.mycity.rs/personal/bobby/USB_blocker/usb_blocker.exe
- startuj ga i odaberi opciju Auto block
- ubaci USB stick u komp i sacekaj koji sekund (recimo 5-10 sekundi)
- program je sada uradio analizu sticka (vidi se u donjem delu programa, u logu)
- gore levo klikni duplo na slovo koje oznacava particiju, tj. tvoj USB stick
- dole kraj sata ce se pojaviti poruka da smes da izvadis USB stick iz kompa
- ne gasi program, vec ubaci sledeci USB stick i za njega isto sacekaj par sekundi, i tako redom za sve stickove, MP3 plejere, mobilni
- zapamti kojim redom su ubacivani stickovi

Kada sve to zavrsis, log u donjem delu programa ce sadrzati sve podatke koji su meni potrebni da bih video koji stick je zarazen.
Klikni desnim dugmetom misa na log/izvestaj i odaberi Save log.
Automatski ce se otvoriti Notepad i u njemu izvestaj.
Iskopiraj mi taj izvestaj ovde na forum.

offline
  • Pridružio: 01 Apr 2005
  • Poruke: 797
  • Gde živiš: Niš

USB_blocker by bobby

Started at 4.12.2008 16:03:16

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
C:  66e81f92-e7a9-11dc-a824-806d6172696f
D:  66e81f93-e7a9-11dc-a824-806d6172696f
H:  ebdb1977-ab67-11dd-809c-001a4d9deb88
I:  ebdb1978-ab67-11dd-809c-001a4d9deb88
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



[b]New device connected at[/b] 4.12.2008 16:04:10

Scanning for connected USB Mass storage...
========================================
J:  66e81f91-e7a9-11dc-a824-806d6172696f
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

autorun.inf found on J:
File J:\autorun.inf renamed successfully
Sanitizing Shell Menu...
No key for GUID: 66e81f91-e7a9-11dc-a824-806d6172696f
========================================



П.С. Један је флеш који је инфициран.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Priključi taj USB... Na njemi se nalazi file autorun.inf.blocked. Otvori ga u Notepad-u i iskopiraj ovde sadržaj (ili priloži file uz poruku).

offline
  • Pridružio: 01 Apr 2005
  • Poruke: 797
  • Gde živiš: Niš

Да, исти је као и садржај ауторун фајла, он га је само преименовао.


[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
shell\open\default=1

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Folder RECYCLER sa flash drive-a možeš obrisati.

Ovako... Ovde ne postoji aktivna infekcija. Taj maliciozan file može biti ponovo kreiran samo ako priključiš flash drive na neki drugi inficirani kompjuter - znači, na tvom kompjuteru nema šta da izvrši reinfekciju.

Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore





Neko pitanje?

Ko je trenutno na forumu
 

Ukupno su 1108 korisnika na forumu :: 35 registrovanih, 11 sakrivenih i 1062 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: babaroga, BlekMen, bojank, celik, Chainsaw, dragoljub11987, Fabius, Frunze, Georgius, hologram, JOntra, krkalon, ladro, laurusri, Leonov, Luka Blažević, milanovic, milenko crazy north, milutin134, MiroslavD, nemkea71, procesor, Singidunumac, Sir Budimir, slonic_tonic, Srle993, tmanda323, vladaa012, vladulns, VP6919, yufighter, Yugol33, zillbg, zziko, Čivi