Problem with USB drives


offline
  • Joined: 14 Nov 2003
  • Posts: 323

I have NOD32, version 2.7, and USB Disc Security installed, and until now everything worked fine.
Two days ago I somehow picked up a virus (at least it seems so) via a USB stick.
A Recycled folder always appears, even if I format the USB stick.
Today I restored a ghost image of the system, and again everything on the USB drives is as I described.
NOD32 does not report anything, and neither does USB Disc Security.

Here are the logs:

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/9/2009 3:14:47 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {04025096-a1c9-11dc-93f9-806d6172696f}
D: {04025097-a1c9-11dc-93f9-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 04025096-a1c9-11dc-93f9-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 04025097-a1c9-11dc-93f9-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 6/9/2009 3:14:55 PM

Scanning for connected USB mass storage...
----------------------------------------
I: {010d413c-0b3d-11de-9ea5-5050506f4531}
Added I:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on I:
----------------------------------------
No Autorun.inf files found on I:
No mountpoint found for 010d413c-0b3d-11de-9ea5-5050506f4531
----------------------------------------

----------------------------------------
Desktop.ini found at I:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

Mimics found on drive I:
========================================




And here is the second log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:43 PM, on 6/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ipko Net\Ipko Net\fts.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Ipko Net\Ipko Net\FWPortal.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Eldar\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [%FP%Ipko Net fts.exe] "C:\Program Files\Ipko Net\Ipko Net\fts.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: TurboLaunch.lnk = C:\Documents and Settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe
O8 - Extra context menu item: Download All by FlashGet - D:\PROGRAMS\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\PROGRAMS\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78CC348B-85CD-4D08-BB17-413F835FD2EA}: NameServer = 80.80.160.8 80.80.160.9
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3047 bytes



How do I fix the USB drives so that they are OK?

Thanks in advance.
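The decisive line in the USBNoRisk output above is the desktop.ini under I:\Recycled: it assigns the folder the Recycle Bin's shell CLSID ({645FF040-5081-101B-9F08-00AA002F954E}), so Explorer draws the folder as a Recycle Bin and does not show what is really inside it, which is why USBNoRisk reports a mimic. A folder that comes back after a format is being re-created by something running on the PC, not by the stick itself. The Python script below is an added example written for this thread (it is not code from the post or from USBNoRisk) of the same check: it walks a drive root, flags every desktop.ini whose [.ShellClassInfo] CLSID is a well-known shell folder, lists the executables stored beside it, and checks for autorun.inf at the root. The sample drive is constructed inline with tempfile to mirror the log; the name payload.exe is a placeholder, not a file from the thread.

```python
"""Find folders a USB stick dresses up as shell objects (Recycle Bin mimics).

Added example for this thread, not code from the post or from USBNoRisk.
Explorer renders any folder whose desktop.ini has a [.ShellClassInfo] CLSID
as that shell object, so a "Recycled" folder carrying the Recycle Bin CLSID
looks like a bin and its real contents are not shown. The sample drive
built below is constructed to mirror the log (I:\\Recycled\\desktop.ini);
payload.exe is a placeholder name, not a file from the thread.
"""
import configparser
import os
import tempfile

# Shell-folder CLSIDs worth flagging on removable media. The first is the one
# in the USBNoRisk log; the others are the My Computer and Control Panel
# namespace objects, included as further well-known mimic targets.
MIMIC_CLSIDS = {
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
    "{21EC2020-3AEA-1069-A2DD-08002B30309D}": "Control Panel",
}
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".dll"}


def shell_clsid(ini_path):
    """Return the CLSID a desktop.ini assigns to its folder (upper-case), or None."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        with open(ini_path, "r", encoding="utf-8", errors="ignore") as fh:
            parser.read_file(fh)
    except (OSError, configparser.Error):
        return None
    for section in parser.sections():
        if section.lower() == ".shellclassinfo":
            clsid = parser.get(section, "clsid", fallback=None) or parser.get(section, "clsid2", fallback=None)
            return clsid.strip().upper() if clsid else None
    return None


def find_mimics(drive_root):
    """Walk a drive root and report every folder whose desktop.ini turns it into
    a known shell object, together with the executables stored beside it."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(drive_root):
        ini = next((f for f in filenames if f.lower() == "desktop.ini"), None)
        if ini is None:
            continue
        clsid = shell_clsid(os.path.join(dirpath, ini))
        if clsid not in MIMIC_CLSIDS:
            continue
        execs = sorted(f for f in filenames if os.path.splitext(f)[1].lower() in EXECUTABLE_EXT)
        hits.append({"folder": dirpath, "clsid": clsid, "label": MIMIC_CLSIDS[clsid], "executables": execs})
    return hits


def has_autorun(drive_root):
    """True if the drive root carries an autorun.inf (the other classic USB vector)."""
    return any(name.lower() == "autorun.inf" for name in os.listdir(drive_root))


def build_sample_drive():
    """Constructed stand-in for the I: stick in the log: a Recycled folder wearing
    the Recycle Bin CLSID next to a placeholder payload, plus a harmless folder
    whose desktop.ini only sets an icon and must not be flagged."""
    root = tempfile.mkdtemp(prefix="usb_I_")
    recycled = os.path.join(root, "Recycled")
    os.makedirs(recycled)
    with open(os.path.join(recycled, "desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write("[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    with open(os.path.join(recycled, "payload.exe"), "wb") as fh:
        fh.write(b"MZ")  # two-byte placeholder, not a real binary
    photos = os.path.join(root, "Photos")
    os.makedirs(photos)
    with open(os.path.join(photos, "desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write("[.ShellClassInfo]\nIconFile=camera.ico\nIconIndex=0\n")
    return root


if __name__ == "__main__":
    root = build_sample_drive()
    print("autorun.inf at root:", has_autorun(root))
    for hit in find_mimics(root):
        print(f"MIMIC {hit['folder']} shown as '{hit['label']}' ({hit['clsid']}); executables: {hit['executables']}")
```

Two caveats when reading the output. Windows does not create a Recycled folder on removable media (deletions from a USB stick bypass the bin), so on a stick the folder's existence is already telling; on a fixed FAT partition \Recycled is legitimate and this script would flag it too, which is why it lists the executables beside the desktop.ini instead of deciding on its own (a genuine bin holds INFO2 and renamed deleted files, not programs). The reader also expects 8-bit text; newer Windows versions may write desktop.ini as UTF-16.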

online
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8448
  • Location: Novi Beograd

How about you first do it properly, as the instructions say:

This is wrong:


Right-click the program's icon and choose Rename:


Give it some meaningless name, say GH5.EXE or TR3.EXE, or anything else as long as HijackThis is not mentioned:

offline
  • Joined: 14 Nov 2003
  • Posts: 323

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:49 PM, on 6/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ipko Net\Ipko Net\fts.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Ipko Net\Ipko Net\FWPortal.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Win\lsass.exe
C:\Documents and Settings\Eldar\Desktop\GH5.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [%FP%Ipko Net fts.exe] "C:\Program Files\Ipko Net\Ipko Net\fts.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: TurboLaunch.lnk = C:\Documents and Settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe
O8 - Extra context menu item: Download All by FlashGet - D:\PROGRAMS\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\PROGRAMS\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78CC348B-85CD-4D08-BB17-413F835FD2EA}: NameServer = 80.80.160.8 80.80.160.9
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3014 bytes
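What the renamed-HijackThis log adds is c:\Win\lsass.exe in the running-process list, loaded by the O4 Run value [run32] that was already in the first log. The real lsass.exe lives in %SystemRoot%\system32 and on XP is started by winlogon, never by a Run key, so a Run entry pointing at any file of that name is a tell on its own, and a second copy running from a different directory is another. The Python below is an added example written for this thread (not part of the post or of HijackThis) of that triage over lines copied from the logs above: it parses O4 entries and bare process paths, extracts the image path from quoted or unquoted command lines, and reports core Windows binary names that run from a foreign directory or are wired into an autostart entry.

```python
"""Flag autostart entries and running processes that borrow a core Windows
process name from outside the system directory.

Added example for this thread, not code from the post or from HijackThis.
SAMPLE_LOG is copied (abridged) from the HijackThis logs above; the check
itself is generic and runs over any HijackThis-style text.
"""
import re

# Processes that Windows itself starts from %SystemRoot% or %SystemRoot%\system32.
# Seeing one of these names elsewhere, or wired into a Run key, is a classic
# masquerade (c:\Win\lsass.exe in the log is the instance here).
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}

O4_REG_RE = re.compile(r"^O4 - (?P<source>.+?): \[[^\]]*\]\s*(?P<command>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<source>Startup|Global Startup): .+? = (?P<command>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
IMAGE_RE = re.compile(r".+?\.(?:exe|com|scr|pif|bat|cmd|dll)(?=\s|$)", re.IGNORECASE)

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
c:\Win\lsass.exe
C:\Documents and Settings\Eldar\Desktop\GH5.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: TurboLaunch.lnk = C:\Documents and Settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe
"""


def image_path(command):
    """Pull the executable path out of a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else command[1:]
    m = IMAGE_RE.match(command)
    return m.group(0) if m else command.split()[0]


def parse_entry(line):
    """Return (source, image_path) for O4 lines and bare process paths, else None."""
    line = line.strip()
    for rx in (O4_REG_RE, O4_STARTUP_RE):
        m = rx.match(line)
        if m:
            return m.group("source"), image_path(m.group("command"))
    if PROCESS_RE.match(line):
        return "process", image_path(line)
    return None


def check(source, path, system_root=r"c:\windows"):
    """Return a reason string if the entry looks like a masquerade, else None."""
    directory, _, name = path.lower().rpartition("\\")
    if name not in CORE_SYSTEM_BINARIES:
        return None
    root = system_root.lower()
    if directory not in {root, root + r"\system32", root + r"\syswow64"}:
        return f"{name} running from {directory or '(no directory)'} instead of {root}\\system32"
    if source != "process":
        return f"{name} is started by Windows itself, not via an autostart entry ({source})"
    return None


def triage(lines, system_root=r"c:\windows"):
    """Run check() over every parsable line and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        source, path = parsed
        reason = check(source, path, system_root)
        if reason:
            findings.append({"source": source, "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f['source']}] {f['path']}: {f['reason']}")
```

The system root is a parameter because XP installs may live under C:\WINNT; on the machine in this thread it is C:\WINDOWS, as the process list shows. The check is deliberately path-based: it does not trust the file name, the Run value name ("run32" here) or the lack of an antivirus alert, which is exactly the combination that let this sample sit unnoticed next to NOD32 and USB Disk Security.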

online
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8448
  • Location: Novi Beograd

Download sUBs' ComboFix from one of the following addresses to your Desktop:


Bleeping Computer . . . . . Geeks to Go!
Right-click one of the links and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.




When the download is complete:
close running programs;
disable your security software (instructions);
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists:
click Yes if offered to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so the process continues.
if the Recovery Console is not installed, offer to install it:
accept by clicking Yes and follow the procedure.
present a number of prompts/notifications:
accept by clicking Yes or OK.
restart Windows if needed (possibly more than once);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message field and choose Paste.


Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

offline
  • Joined: 14 Nov 2003
  • Posts: 323

Posted: 09 Jun 2009 19:54

ComboFix 09-06-08.05 - Eldar 06/09/2009 19:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.717 [GMT 2:00]
Running from: c:\documents and settings\Eldar\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\win\lsass.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-09 17:40 . 2009-06-09 17:40 45056 ----a-r- c:\documents and settings\Eldar\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}\ARPPRODUCTICON.exe
2009-06-09 15:13 . 2009-06-09 15:13 -------- d-----w- c:\documents and settings\Eldar\Application Data\Media Player Classic
2009-06-09 13:50 . 2009-06-09 13:50 37888 ----a-w- c:\documents and settings\Eldar\Application Data\Thinstall\GOM Player\400000400003i\srt2smi.exe
2009-06-09 13:50 . 2009-06-09 13:50 37888 ----a-w- c:\documents and settings\Eldar\Application Data\Thinstall\GOM Player\4000002300002i\GrLauncher.exe
2009-06-09 13:50 . 2009-06-09 13:50 -------- d-----w- c:\documents and settings\Eldar\Application Data\Thinstall
2009-06-09 13:49 . 2009-06-09 13:49 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-06-09 13:05 . 2009-06-09 17:46 -------- d-sh--r- C:\Win
2009-06-09 12:42 . 2009-06-09 12:42 -------- d-----w- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 17:46 . 2009-03-07 17:19 -------- d-----w- c:\program files\ESET
2009-06-09 16:14 . 2009-03-07 14:23 96778 ---h--w- c:\documents and settings\Eldar\Application Data\TurboLaunch_IconCache.dat
2004-01-08 02:20 . 2007-05-27 12:00 5035 ----a-w- c:\program files\Eko.Theme
2008-12-17 21:59 . 2009-03-08 07:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-03-08 07:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-03-08 07:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-03-08 07:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-03-08 07:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%FP%Ipko Net fts.exe"="c:\program files\Ipko Net\Ipko Net\fts.exe" [2005-08-11 83608]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-07 950664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-07 155648]
"CAPON"="c:\windows\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2001-02-05 22528]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]

c:\documents and settings\Eldar\Start Menu\Programs\Startup\
TurboLaunch.lnk - c:\documents and settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe [2009-3-7 2007552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/7/2009 7:20 PM 15424]
R2 RapidPort;RapidPort;c:\windows\system32\drivers\CAPLPTN.SYS [3/7/2009 7:45 PM 22912]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download All by FlashGet - d:\programs\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_all.htm
IE: Download using FlashGet - d:\programs\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {78CC348B-85CD-4D08-BB17-413F835FD2EA} = 80.80.160.8 80.80.160.9
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 19:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(668-)
c:\windows\system32\imon.dll
.
Completion time: 2009-06-09 19:50
ComboFix-quarantined-files.txt 2009-06-09 17:50

Pre-Run: 6,236,000,256 bytes free
Post-Run: 6,234,791,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Update: 09 Jun 2009 20:04

This is the log with the USB drive plugged in.

ComboFix 09-06-08.05 - Eldar 06/09/2009 19:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.750 [GMT 2:00]
Running from: c:\documents and settings\Eldar\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-09 17:40 . 2009-06-09 17:40 45056 ----a-r- c:\documents and settings\Eldar\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}\ARPPRODUCTICON.exe
2009-06-09 15:13 . 2009-06-09 15:13 -------- d-----w- c:\documents and settings\Eldar\Application Data\Media Player Classic
2009-06-09 13:50 . 2009-06-09 13:50 37888 ----a-w- c:\documents and settings\Eldar\Application Data\Thinstall\GOM Player\400000400003i\srt2smi.exe
2009-06-09 13:50 . 2009-06-09 13:50 37888 ----a-w- c:\documents and settings\Eldar\Application Data\Thinstall\GOM Player\4000002300002i\GrLauncher.exe
2009-06-09 13:50 . 2009-06-09 13:50 -------- d-----w- c:\documents and settings\Eldar\Application Data\Thinstall
2009-06-09 13:49 . 2009-06-09 13:49 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-06-09 13:05 . 2009-06-09 17:46 -------- d-sh--r- C:\Win
2009-06-09 12:42 . 2009-06-09 12:42 -------- d-----w- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 17:51 . 2009-03-07 17:19 -------- d-----w- c:\program files\ESET
2009-06-09 16:14 . 2009-03-07 14:23 96778 ---h--w- c:\documents and settings\Eldar\Application Data\TurboLaunch_IconCache.dat
2004-01-08 02:20 . 2007-05-27 12:00 5035 ----a-w- c:\program files\Eko.Theme
2008-12-17 21:59 . 2009-03-08 07:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-03-08 07:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-03-08 07:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-03-08 07:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-03-08 07:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%FP%Ipko Net fts.exe"="c:\program files\Ipko Net\Ipko Net\fts.exe" [2005-08-11 83608]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-07 950664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-07 155648]
"CAPON"="c:\windows\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2001-02-05 22528]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]

c:\documents and settings\Eldar\Start Menu\Programs\Startup\
TurboLaunch.lnk - c:\documents and settings\Eldar\Application Data\Mis portables\turbo\portable\TurboLaunch.exe [2009-3-7 2007552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/7/2009 7:20 PM 15424]
R2 RapidPort;RapidPort;c:\windows\system32\drivers\CAPLPTN.SYS [3/7/2009 7:45 PM 22912]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download All by FlashGet - d:\programs\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_all.htm
IE: Download using FlashGet - d:\programs\Misc\Portable Flashget v1.71\Portable FlashGet\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {78CC348B-85CD-4D08-BB17-413F835FD2EA} = 80.80.160.8 80.80.160.9
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(668-)
c:\windows\system32\imon.dll
.
Completion time: 2009-06-09 20:02
ComboFix-quarantined-files.txt 2009-06-09 18:02
ComboFix2.txt 2009-06-09 17:50

Pre-Run: 6,238,007,296 bytes free
Post-Run: 6,231,433,216 bytes free

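Beyond the deleted c:\win\lsass.exe, two things in the ComboFix logs deserve attention: the C:\Win directory carries the system and hidden attributes (d-sh--r-) and was created the same day at the root of the system drive, and the Reg Loading Points section shows Security Center antivirus and update notifications switched off and the Windows Firewall standard profile disabled. The Python below is an added example written for this thread (not code from the post or from ComboFix) that reads an excerpt copied from the log above and reports both: registry values that match a short, hand-written table of settings malware flips to keep Windows quiet, and file-listing entries whose attribute column has system and hidden set.

```python
"""Pick defence-weakening settings and hidden+system items out of a ComboFix log.

Added example for this thread, not code from the post or from ComboFix.
SAMPLE_COMBOFIX is an excerpt copied from the log above; WEAKENED_SETTINGS is
this example's own short list of registry values that malware commonly sets so
Windows stops warning the user.
"""
import re

# (registry key, value name, value) -> meaning. Keys and names are compared
# lower-case; the value is the first token after '=' as ComboFix prints it.
WEAKENED_SETTINGS = {
    (r"hkey_local_machine\software\microsoft\security center", "antivirusdisablenotify", "dword:00000001"):
        "Security Center no longer warns about missing/disabled antivirus",
    (r"hkey_local_machine\software\microsoft\security center", "updatesdisablenotify", "dword:00000001"):
        "Security Center no longer warns about Windows Update status",
    (r"hkey_local_machine\software\microsoft\security center", "firewalldisablenotify", "dword:00000001"):
        "Security Center no longer warns about the firewall",
    (r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile", "enablefirewall", "0"):
        "Windows Firewall disabled for the standard profile",
}

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# 'created . modified size attrs path'; in this log's 8-character attribute
# column the third and fourth characters carry the system and hidden flags
# (d-sh--r- for C:\Win, --sha-w- for KGyGaAvL.sys).
FILE_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.
2009-06-09 17:40 . 2009-06-09 17:40 45056 ----a-r- c:\documents and settings\Eldar\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}\ARPPRODUCTICON.exe
2009-06-09 13:49 . 2009-06-09 13:49 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-06-09 13:05 . 2009-06-09 17:46 -------- d-sh--r- C:\Win
2009-06-09 12:42 . 2009-06-09 12:42 -------- d-----w- c:\program files\Opera

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-07 950664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_registry(lines):
    """Yield (key, name, value) triples from the REGEDIT4-style section."""
    key = None
    for raw in lines:
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            tokens = m.group("value").split()
            yield key, m.group("name").lower(), (tokens[0].lower() if tokens else "")


def weakened_settings(lines):
    """Return the meaning of every registry value that matches the table."""
    return [WEAKENED_SETTINGS[t] for t in parse_registry(lines) if t in WEAKENED_SETTINGS]


def hidden_system_items(lines):
    """Return (path, attrs) for file-listing entries with both system and hidden set."""
    hits = []
    for raw in lines:
        m = FILE_LINE_RE.match(raw.strip())
        if m and m.group("attrs")[2] == "s" and m.group("attrs")[3] == "h":
            hits.append((m.group("path"), m.group("attrs")))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_COMBOFIX.splitlines()
    for meaning in weakened_settings(lines):
        print("WEAKENED:", meaning)
    for path, attrs in hidden_system_items(lines):
        print("HIDDEN+SYSTEM:", attrs, path)
```

Both checks are prompts for review rather than verdicts: a user or a third-party security suite can legitimately set the Security Center notification values, and hidden+system files do occur outside %SystemRoot% (KGyGaAvL.sys under All Users\Application Data is generally identified as Macrovision FLEXnet licensing data, and the Macrovision IDriverT service in the same log fits that). C:\Win is the one that matters here: a hidden, system, read-only directory at the root of the system drive, created that day, holding a file named after a core Windows process, which is exactly what the CFScript in the next post targets.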

online
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8448
  • Location: Novi Beograd

Open Notepad and copy the following text into it:

Folder::
C:\Win


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.

offline
  • Joined: 14 Nov 2003
  • Posts: 323

Posted: 09 Jun 2009 21:33

It looks like we have to stop this....
After installing and running ComboFix, the computer started behaving strangely.
The resolution changed, certain files would not open in the program assigned to them, and when I plug in the USB stick the whole computer freezes, so I had to restore a ghost image of the system.

Can you recommend some protection that you think is OK?

Update: 09 Jun 2009 21:35

My problem is with USB sticks; that is where I pick up the most viruses, and I have to take them to a guy who prints all sorts of things for me, so I catch it from him.
This is something new, which is why USB Disc Security and NOD did not react.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

@Corleone

Sorry for jumping into my colleague's thread, but this is very important.
You are not the first whose system ComboFix has ruined, and right now it matters to us to find out exactly what happened, so that we can gather data on how to fix this bug.
Unfortunately YOU restored the partition image, whereas the solution would have been simply to run System Restore once.

What I want to know is whether things went wrong on a clean run of ComboFix, or when you tried to run ComboFix with the script helen1 gave you in his last message?

offline
  • Joined: 14 Nov 2003
  • Posts: 323

The problem appeared after installing ComboFix.
Namely, I view JPG files with ACDSee. After the installation it would not open them with that program but with Picture and Fax Viewer.
I open Adobe Illustrator files with Illustrator CS3, and after all this it did not recognize those files.
Photoshop files too.
The screen resolution dropped to 800x600 and it gives me trouble when I try to raise the resolution.

I plugged in the USB drive to try it, to see what would happen, and the computer froze.

Before installing ComboFix I disabled NOD32 and turned off USB Disc Security, so there is no question of a conflict between programs, and ComboFix did not report a program conflict either.

So, while my colleague was writing his message, I had already ghosted the system.

I have to find, hopefully with your help, some good antimalware/antispyware type program to try with this, because I think the USB problem will keep recurring, since I often take the USB stick to have some files printed and pick it up there.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

So the mess happened before you posted the first ComboFix log?
