[bobby] Problem with hidden files and USB devices - virus?

  • Joined: 09 Jun 2004
  • Posts: 137
  • Location: Beograd

I've reinstalled the system n times and the same thing always happens. I don't know what I pick up, but two things happen:
First, all hidden folders and files are invisible. When I tick "Show hidden files and folders" in Folder Options, nothing changes. If I tick "Do not show..." and Apply, it doesn't react, i.e. the next time I open Folder Options "Show hidden..." is ticked again.
Second, when I plug in a flash drive, a camera or an MP3 player, Avast (I use the latest version, 4.8) raises an alarm that a virus is present at G:\Autorun.exe, even though Autorun.exe shouldn't exist on the camera, the flash drive or the player. This happens if I double-click G:\ (removable device) in My Computer. If I right-click, a menu opens in which Open appears twice. The first one on the list is in bold and has the same effect as a double-click; the second is a few rows lower, and if I click it Windows opens the G: window perfectly normally. I scan, clean, everything is fine for a while, and then again...
The OS is Win XP + SP2.
When I'm online I visit, literally, five addresses including MC. Nothing in the way of risky websites.
As I said, I use Avast 4.8.
Basically, apart from the hassle with USB devices and the fact that I can't see hidden content, the system works without problems. Everything functions. It's just that it annoys me TERRIBLY that this happens, and regularly! I reinstall the system, everything's fine, it breaks, I reinstall... What's going on? When I scan the system Avast reports some Trojan, deletes all the infected files and supposedly cleans the system. After a while, the same thing again. I mean, is it possible that I regularly pick up a virus on MC, Gmail, Facebook???
What interests me most is whether this can be solved some other way than by reinstalling the system... It's starting to wear me down...

Thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 02:08:46, on 20.05.2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Downloads\Software\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://E:\content\drivers\swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BA9810A-F703-49B4-8C8F-AC78E15003E8}: NameServer = 85.222.160.152 217.26.64.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BA9810A-F703-49B4-8C8F-AC78E15003E8}: NameServer = 85.222.160.152 217.26.64.131
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe" -s DefaultInstance (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe" -s DefaultInstance (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Hello,

Go ahead and also do the following:

Rename the HijackThis program so that the name doesn't resemble the original at all. Rename it to, say, pera.exe.
Then make a new log, which you'll post here.

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you should copy here.

  • Joined: 09 Jun 2004
  • Posts: 137
  • Location: Beograd

Logfile of HijackThis v1.99.1
Scan saved at 14:46:10, on 26.05.2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Opera\Opera.exe
D:\ZA REZANJE\instalacije\nije_to_sto_mislite.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://E:\content\drivers\swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe" -s DefaultInstance (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe" -s DefaultInstance (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ComboFix 08-05-25.4 - stanislav 2008-05-26 14:52:31.1 - NTFSx86
Running from: C:\Documents and Settings\stanislav\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-26 13:22 . 2008-05-26 13:23 <DIR> d-------- C:\Program Files\Opera
2008-05-26 03:39 . 2008-05-26 03:42 <DIR> d-------- C:\Documents and Settings\stanislav\Application Data\DBDesigner4
2008-05-26 03:38 . 2008-05-26 03:38 <DIR> d-------- C:\Program Files\Common Files\fabFORCE
2008-05-26 03:37 . 2008-05-26 03:38 <DIR> d-------- C:\Program Files\fabFORCE
2008-05-25 15:31 . 2008-05-25 15:31 <DIR> d-------- C:\Program Files\Quest Software
2008-05-25 01:52 . 2008-04-14 12:57 462,848 --a------ C:\WINDOWS\system32\Firebird2Control.cpl
2008-05-25 01:52 . 2008-04-14 12:52 450,560 --a------ C:\WINDOWS\system32\GDS32.DLL
2008-05-24 19:01 . 2008-05-24 19:01 <DIR> d-------- C:\Program Files\FlameRobin
2008-05-18 23:40 . 2008-05-18 23:40 <DIR> d--h----- C:\New Folder (2)
2008-05-18 23:40 . 2008-05-18 23:40 <DIR> d--h----- C:\New Folder
2008-05-09 17:15 . 2008-05-10 16:35 <DIR> d-------- C:\Program Files\Platypus Free Trial
2008-05-09 14:12 . 2008-05-09 14:12 <DIR> d-------- C:\Documents and Settings\stanislav\Application Data\AdobeUM
2008-05-07 11:31 . 2008-05-07 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Contrast
2008-05-07 11:30 . 2008-05-07 11:30 <DIR> d-------- C:\Program Files\Contrast
2008-05-04 19:56 . 2008-05-04 20:00 <DIR> d-------- C:\WINDOWS\system32\Spider-Man 3 (Black Suit) dir
2008-04-27 03:30 . 2008-05-04 20:00 <DIR> d-------- C:\WINDOWS\system32\Spider-Man 3 (Sandman) dir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 12:58 --------- d-----w C:\Documents and Settings\stanislav\Application Data\Free Download Manager
2008-05-21 18:23 3,001 --sha-w C:\Documents and Settings\stanislav\ppUser.dat
2008-05-18 11:11 --------- d-----w C:\Program Files\CDlyse
2008-05-17 10:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-25 16:42 --------- d-----w C:\Program Files\DirectX Buster
2008-04-25 14:36 --------- d-----w C:\Program Files\Firebird
2008-04-24 08:48 --------- d-----w C:\Documents and Settings\stanislav\Application Data\Contrast
2008-04-22 16:15 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-04-22 16:15 --------- d-----w C:\Program Files\Easy CD-DA Extractor 5.0
2008-04-21 17:25 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2005-08-27 15:26 1,581,056 ----a-w C:\Program Files\SAFlashPlayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-03-12 03:18 14336]
"WhenUSave"="C:\Program Files\Save\Save.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 07:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 07:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"PCTVRemote"="C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 20:12 61440]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-03-12 03:18 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Free Download Manager\\fdm.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 16:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24ac38a1-1d18-11dd-a820-806d6172696f}]
\Shell\Auto\command - Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{599a90f0-ef0e-11dc-85fe-806d6172696f}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{929f8f0c-ccfc-11dc-8591-806d6172696f}]
\Shell\Auto\command - H:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{971d0cf3-e20c-11dc-85d0-806d6172696f}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\\msencobe.dll,InstallM

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-26 14:58:37
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 15:06:07
ComboFix-quarantined-files.txt 2008-05-26 13:05:26

Pre-Run: 1,625,968,640 bytes free
Post-Run: 2,300,395,520 bytes free

105

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Sorry for the slightly late reply. There's nothing in the logs that would point with certainty to a USB infection, so it forced me to think a bit harder.

Download the Flash_Disinfector program.

the program is started by double-clicking Flash_Disinfector.exe
when the notification message appears, plug in the infected USB flash drives (hold the Shift key down while doing so to avoid autoplay)
click OK and wait for the process to finish
when the Done !! message appears, click OK.

Download FixPolicies.exe and save it to the Desktop.

Double-click FixPolicies.exe.
In the window that opens, click the Install button on the bottom toolbar.
The program will create a new folder named FixPolicies.
Enter the new folder and double-click the following file inside it: Fix_Policies.cmd
A black window will open for a moment and then close.
Restart the computer so the changes take effect.

Open Notepad and copy the following text into it:

Folder::
C:\Program Files\Save\

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24ac38a1-1d18-11dd-a820-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{599a90f0-ef0e-11dc-85fe-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{929f8f0c-ccfc-11dc-8591-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{971d0cf3-e20c-11dc-85d0-806d6172696f}]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
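The four MountPoints2 blocks in the ComboFix log above are the mechanism behind the USB symptoms described in the first post: Explorer caches the verbs it parses from a volume's autorun.inf under HKCU\...\Explorer\MountPoints2\{volume-guid}\Shell\<verb>\command, a cached custom "Auto" or "open" verb accounts for the second, bold "Open" in the context menu, and the cache outlives the device, which is why the CFScript deletes the keys rather than relying on a format of the stick. The following Python script is an added example from the editor, not code from either participant and not part of ComboFix: it parses those blocks out of a ComboFix log, applies a removal heuristic of my own (any "open"/"Auto" verb, any relative ".\" path, any command that launches Autorun.exe from the volume), and emits the same "Registry::" removal lines as the CFScript above. The sample input is the four blocks copied from the log plus one constructed block (the all-zero GUID) carrying only a plain AutoRun verb, which the heuristic reports for review rather than removal.

```python
r"""Triage the MountPoints2 blocks that ComboFix prints and emit the matching
CFScript 'Registry::' removals.

Background: Explorer caches the verbs parsed from a volume's autorun.inf under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{guid}\Shell\<verb>\command
and keeps them after the device is unplugged or reformatted.
"""
import re
from typing import Dict, List, Tuple

# One ComboFix key line, e.g. [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# One ComboFix verb line, e.g. \Shell\open\Command - rundll32.exe .\\x.dll,Y
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.*)$", re.I)

# Sample input: the four blocks copied from the ComboFix log in this thread, plus one
# CONSTRUCTED block (all-zero GUID) that only carries an AutoRun verb pointing at a
# setup program, the shape a legitimate installation disc leaves behind.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24ac38a1-1d18-11dd-a820-806d6172696f}]
\Shell\Auto\command - Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{599a90f0-ef0e-11dc-85fe-806d6172696f}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{929f8f0c-ccfc-11dc-8591-806d6172696f}]
\Shell\Auto\command - H:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{971d0cf3-e20c-11dc-85d0-806d6172696f}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\\msencobe.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\setup.exe
"""


def parse_mountpoints(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {verb (lower-case): command}} for every MountPoints2 block."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            entries[current][verb.group("verb").lower()] = verb.group("cmd").strip()
    return entries


def suspicious_reasons(verbs: Dict[str, str]) -> List[str]:
    """Editor's heuristic (not ComboFix's): why a cached autorun entry should be removed."""
    reasons: List[str] = []
    # A cached 'open' or custom 'Auto' verb replaces what double-click and the
    # context menu's default "Open" do; that is the doubled, bold "Open" item.
    for verb in ("open", "auto"):
        if verb in verbs:
            reasons.append(f"'{verb}' verb rewires double-click/Open to: {verbs[verb]}")
    for verb, cmd in verbs.items():
        # A relative path runs whatever currently sits in the volume root.
        if re.search(r"(^|\s)\.\\", cmd):
            reasons.append(f"'{verb}' uses a relative path: {cmd}")
        # Sticks, cameras and players do not ship an Autorun.exe of their own.
        if re.search(r"(^|[\s\\])autorun\.exe$", cmd, re.I):
            reasons.append(f"'{verb}' launches Autorun.exe from the volume: {cmd}")
    return reasons


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """(key, 'remove' | 'review', reasons) for every MountPoints2 block in a ComboFix log."""
    result: List[Tuple[str, str, List[str]]] = []
    for key, verbs in parse_mountpoints(text).items():
        reasons = suspicious_reasons(verbs)
        result.append((key, "remove" if reasons else "review", reasons))
    return result


def make_cfscript(text: str) -> str:
    """CFScript 'Registry::' section deleting every 'remove' key, using the [-KEY] syntax."""
    lines = ["Registry::"]
    lines += [f"[-{key}]" for key, verdict, _ in triage(text) if verdict == "remove"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, verdict, reasons in triage(SAMPLE_LOG):
        print(verdict.upper(), key.rsplit("\\", 1)[1])
        for reason in reasons:
            print("    ", reason)
    print(make_cfscript(SAMPLE_LOG))
```

Run against a real ComboFix.txt, the script prints one verdict per cached volume with the reasons, and the "Registry::" block it emits is what you would paste into CFScript; the "review" verdict is there precisely so that a disc's ordinary AutoRun entry is not deleted blindly.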

  • Joined: 09 Jun 2004
  • Posts: 137
  • Location: Beograd

You're a legend, you even posted an animated GIF!!!

When I've done all this I'll post the log! Thanks!

Update: 30 May 2008 4:55

ComboFix 08-05-25.4 - stanislav 2008-05-29 16:03:37.2 - NTFSx86
Running from: C:\Documents and Settings\stanislav\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\stanislav\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 01:33 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-28 01:30 . 2008-05-28 01:33 <DIR> d-------- C:\Program Files\Java
2008-05-28 01:30 . 2008-05-28 01:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-26 13:22 . 2008-05-26 13:23 <DIR> d-------- C:\Program Files\Opera
2008-05-26 03:38 . 2008-05-26 16:38 <DIR> d-------- C:\Program Files\Common Files\fabFORCE
2008-05-25 15:31 . 2008-05-25 15:31 <DIR> d-------- C:\Program Files\Quest Software
2008-05-25 01:52 . 2008-04-14 12:57 462,848 --a------ C:\WINDOWS\system32\Firebird2Control.cpl
2008-05-25 01:52 . 2008-04-14 12:52 450,560 --a------ C:\WINDOWS\system32\GDS32.DLL
2008-05-24 19:01 . 2008-05-24 19:01 <DIR> d-------- C:\Program Files\FlameRobin
2008-05-18 23:40 . 2008-05-18 23:40 <DIR> d--h----- C:\New Folder (2)
2008-05-18 23:40 . 2008-05-18 23:40 <DIR> d--h----- C:\New Folder
2008-05-09 17:15 . 2008-05-10 16:35 <DIR> d-------- C:\Program Files\Platypus Free Trial
2008-05-09 14:12 . 2008-05-09 14:12 <DIR> d-------- C:\Documents and Settings\stanislav\Application Data\AdobeUM
2008-05-07 11:31 . 2008-05-07 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Contrast
2008-05-07 11:30 . 2008-05-07 11:30 <DIR> d-------- C:\Program Files\Contrast
2008-05-04 19:56 . 2008-05-04 20:00 <DIR> d-------- C:\WINDOWS\system32\Spider-Man 3 (Black Suit) dir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 02:31 --------- d-----w C:\Documents and Settings\stanislav\Application Data\Free Download Manager
2008-05-21 18:23 3,001 --sha-w C:\Documents and Settings\stanislav\ppUser.dat
2008-05-18 11:11 --------- d-----w C:\Program Files\CDlyse
2008-05-17 10:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-25 16:42 --------- d-----w C:\Program Files\DirectX Buster
2008-04-25 14:36 --------- d-----w C:\Program Files\Firebird
2008-04-24 08:48 --------- d-----w C:\Documents and Settings\stanislav\Application Data\Contrast
2008-04-22 16:15 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-04-22 16:15 --------- d-----w C:\Program Files\Easy CD-DA Extractor 5.0
2008-04-21 17:25 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2005-08-27 15:26 1,581,056 ----a-w C:\Program Files\SAFlashPlayer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-26_15.04.37,36 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 10:30:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 13:29:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-09-24 21:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-21 23:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-24 21:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-21 23:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-24 22:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 00:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-05-29 13:30:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-03-12 03:18 14336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 07:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 07:16 741376 C:\WINDOWS\system32\nwiz.exe]
"PCTVRemote"="C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-28 20:12 61440]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-03-12 03:18 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Free Download Manager\\fdm.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-29 16:08:19
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 16:14:26
ComboFix-quarantined-files.txt 2008-05-29 14:13:58
ComboFix2.txt 2008-05-26 13:06:17

Pre-Run: 2,370,895,872 bytes free
Post-Run: 2,384,773,120 bytes free

102

So, I don't know what happened, but hidden files are visible! Everything behaves quite normally! The only thing I noticed is that hidden folders with characteristic names appear on both partitions. I don't know whether they're related to FixPolicies, Flash_Disinfector or ComboFix, or to XP; it just seems odd to me that they also appear on the D partition, which isn't the system one. If I try to delete them, they're regenerated every time I open a window in Windows Explorer...

As for the USB stick, I formatted it...

Thanks to the skies for the help, and if it's not asking too much, just explain what I should do about these "suspicious" hidden folders. Could they cause me problems?
Oh, and one more thing!

Update: 30 May 2008 5:00

So, one more thing! As you can see in the picture of the C partition, one of the files is ntldr!!! How the hell did it get there??? Is that THE ntldr? Am I screwed if I delete it?

Once again, thaaanks!!!

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

  • Joined: 09 Jun 2004
  • Posts: 137
  • Location: Beograd

There, this time I reacted right away! Three days was my middle name.
Anyway, thanks for the explanations. When I repeated the scan, that line wasn't there:

Is that a problem, or am I just lucky because I'll have less work?
I wasn't sure whether I should have posted the log, so I attached it so the message wouldn't be a kilometre long.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

It looks like one of the tools deleted it automatically.

As far as I'm concerned, this is a solved case.
Are there any other symptoms?

  • Joined: 09 Jun 2004
  • Posts: 137
  • Location: Beograd

Nicht! Everything runs like clockwork!

So, after X reinstalls... Finally!
Thanks a lot! I hope I'll return the favour one day by being able to help someone...

Cheers!
