Posted: 25 May 2012 04:51
offline
- hipnotik
- New MyCity citizen
- Joined: 25 May 2012
- Posts: 6
Written: 25 May 2012 4:34
Hello!
The computer is infected with a USB virus, whose full name (according to NOD32) is:
C:\configuration\configuration.exe » AUTOIT » script.au3 - Win32/Spy.KeyLogger.NHI trojan
Two processes named lsass.exe appeared in the process list. One was a W7 component, the other was obviously the virus.
Steps I have taken so far:
1. Opened "msconfig" -> "Startup" and deleted the unknown entry "configuration"
2. Opened "Start" -> "All programs" -> "Startup" and deleted the entry "configuration"
3. Opened "C:\configuration" and deleted the file "configuration.exe"
After the actions listed above, the unknown process no longer appears in the list of all processes (Task Manager), but the suspicion remains that it may not have been fully cleaned, so I am asking you for additional help and a way to check.
Also, please explain whether the directories "configuration" and "OptionalComponents" were created by the virus or whether they are directories created by the OS. Those directories can only be accessed if the option "Hide protected operating system files and folders" is disabled.
After I deleted the file "configuration.exe" from the directory "C:\configuration", that directory is still there, empty, while the directory "C:\OptionalComponents" contains a subdirectory "2D2E2D" with the following files:
br.dll
nam.dll
nfie.dll
sys.dll
Please point out if I have done something wrong, and how can I be sure that the virus has been cleaned?
Thanks and best regards!
Update: 25 May 2012 4:51
I forgot to mention that the first time NOD32 showed the virus warning, I clicked the "Delete" option several times, so it is possible that NOD32 deleted some more infected files from the "configuration" and "OptionalComponents" directories.
I would be grateful if you could explain whether it is possible that NOD32 deleted some files it should not have deleted, files necessary for the correct operation of the OS, since, if it did delete them, they were located in sensitive system directories.
Thanks,
Regards
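The duplicated lsass.exe described above is a classic process-name masquerade, and the way to tell the two apart is the image path: the real one lives in the system directory, the impostor does not. The following audit is an added example (not code from the thread, MyCity or any tool named here); the process snapshot is constructed, and the impostor path under AppData\Local\Temp is an assumed placeholder, not the location reported in the thread.

```python
import ntpath  # Windows path semantics regardless of the host OS
from collections import Counter

# Windows processes that run only from the system directory; the first three also run only once.
# lsass.exe is the name the thread saw twice; the others are taken from the DDS "Running Processes" list.
SINGLETONS = {"lsass.exe", "wininit.exe", "lsm.exe"}
SYSTEM_ONLY = SINGLETONS | {"svchost.exe", "taskhost.exe", "dwm.exe", "conhost.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def audit_processes(processes):
    """processes: list of (pid, image_path). Returns a list of (pid, image_path, reason) findings.

    Two checks: a protected name running from outside System32, and a singleton name
    appearing more than once. Both instances of a duplicated singleton are reported;
    the path check is what singles out the impostor among them.
    """
    findings = []
    names = Counter(ntpath.basename(p).lower() for _, p in processes)
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        if name not in SYSTEM_ONLY:
            continue
        if ntpath.normcase(ntpath.dirname(path)) != SYSTEM_DIR:
            findings.append((pid, path, "system process name running outside %s" % SYSTEM_DIR))
        if name in SINGLETONS and names[name] > 1:
            findings.append((pid, path, "%s should exist exactly once, saw %d" % (name, names[name])))
    return findings


def suspicious_pids(processes):
    """PIDs with at least one finding, sorted for stable comparison."""
    return sorted({pid for pid, _, _ in audit_processes(processes)})


# Constructed snapshot: the real lsass.exe plus an impostor with the same name from a
# user-writable folder (the impostor path is an assumed placeholder).
SNAPSHOT = [
    (472, r"C:\Windows\system32\wininit.exe"),
    (560, r"C:\Windows\system32\lsass.exe"),
    (596, r"C:\Windows\system32\lsm.exe"),
    (712, r"C:\Windows\system32\svchost.exe"),
    (1380, r"C:\Windows\system32\svchost.exe"),
    (2844, r"C:\Users\-.-\AppData\Local\Temp\lsass.exe"),
    (3012, r"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"),
]

if __name__ == "__main__":
    for pid, path, reason in audit_processes(SNAPSHOT):
        print(pid, path, "->", reason)
```

Several svchost.exe instances are normal and produce no finding; only a protected name outside System32 or a duplicated singleton does.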
Posted: 25 May 2012 06:19
rip
- argus
- Anti Malware Fighter Rank 2
- Joined: 27 Apr 2008
- Posts: 9160
- Where you live: Prokuplje
Hello
You need to follow these instructions and send us the appropriate logs, which one of my colleagues will review and then decide on the next steps.
Posted: 25 May 2012 08:02
offline
- hipnotik
- New MyCity citizen
- Joined: 25 May 2012
- Posts: 6
Thanks for the instructions. Below is the DDS report. The other required files are attached.
DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by -.- at 7:49:06 on 2012-05-25
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.385.1033.18.3327.2290 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Launchy\Launchy.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Stickies\stickies.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\-.-\appdata\roaming\micros~1\windows\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\users\-.-\appdata\roaming\micros~1\windows\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7A322CA9-611F-4ACF-A316-0E461B6AEEC5} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\-.-\appdata\roaming\mozilla\firefox\profiles\txzrma9c.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\programdata\nexoneu\ngm\npNxGameeu.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\-.-\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-9-8 176128]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-7-29 96920]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-9-8 8606208]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-9-8 248832]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-6-7 211984]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-7-29 136632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-27 129976]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
.
=============== Created Last 30 ================
.
2012-05-25 03:15:56 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e38805f-3f76-4e31-8a76-c2cb656b8e77}\offreg.dll
2012-05-25 03:05:20 -------- d-----w- c:\users\-.-\appdata\roaming\Malwarebytes
2012-05-25 03:05:02 -------- d-----w- c:\programdata\Malwarebytes
2012-05-24 01:24:05 -------- d-sh--r- C:\configuration
2012-05-24 01:24:04 -------- d-sh--r- C:\OptionalComponents
2012-05-11 05:16:58 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e38805f-3f76-4e31-8a76-c2cb656b8e77}\mpengine.dll
2012-05-11 05:13:53 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 05:13:51 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-11 05:13:50 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-11 05:13:49 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-11 05:13:49 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-11 05:13:46 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 05:13:45 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 05:13:45 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 05:13:33 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 05:13:32 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-05 13:59:30 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-05 13:59:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-05 13:59:29 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-05-05 13:59:29 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-05 13:54:05 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-05-05 13:54:04 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-05 13:54:04 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-05-05 13:54:04 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-05 13:54:00 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-05-05 13:53:58 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-05-05 13:53:58 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-05 13:53:58 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-05 13:53:56 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-05-05 13:53:56 478720 ----a-w- c:\windows\system32\timedate.cpl
.
==================== Find3M ====================
.
2012-05-25 03:14:53 78848 ----a-w- c:\windows\KMSEmulator.exe
2012-05-05 02:22:08 271200 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-05-05 02:22:08 271200 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-05-05 02:10:04 138160 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-05-05 02:09:50 271200 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-04-13 19:58:53 53248 ----a-w- c:\windows\system32\unrar.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 7:49:49,32 ===============
Posted: 25 May 2012 09:48
rip
- argus
- Anti Malware Fighter Rank 2
- Joined: 27 Apr 2008
- Posts: 9160
- Where you live: Prokuplje
Download the OTM program to the Desktop.
Double-click OTM.exe to run it.
Into the (left) window of the program (below Paste Instructions for Items to be Moved) copy everything inside the Code box:
:files
C:\configuration
C:\OptionalComponents
:Commands
[purity]
[emptytemp]
[EMPTYJAVA]
[Reboot]
Click MoveIt!
When the process finishes, the right window of the program (below Results) will contain text that needs to be copied into a post on the forum.
If the following prompt appears:
Confirm ::The system requires a reboot to finish removing files.
Do you want to reboot now?
click Yes so that the computer restarts and the process is completed.
After the system restarts, the logfile will open automatically in Notepad.
Copy the contents of that log into a post on the forum.
---------------------------------------
Download the MCShield program for protecting USB memory devices.
You can download the program from THIS link.
After installing the program, plug in your USB memory devices and they will be scanned.
At the end of the scan you will get a report that the device is clean or a notice about the removed malware.
Copy the contents of the log to the forum.
The log location is Start > All Programs > MCShield > Logs > All scans
Posted: 25 May 2012 14:10
offline
- hipnotik
- New MyCity citizen
- Joined: 25 May 2012
- Posts: 6
Written: 25 May 2012 14:04
Thanks for the quick reply.
I downloaded the program you mentioned, ran it and completed the process, but before rebooting the computer I unfortunately forgot to copy the text from the "Results" box. After the computer restarted, Notepad did not open automatically.
But I can say that I checked and the following unknown things are gone:
- the (viral) "lsass.exe" process that started automatically with Windows
- the directories "configuration" and "OptionalComponents" on drive C:
- the "configuration" entry in "msconfig" -> "Startup"
- the "configuration" entry in "Start" -> "All programs" -> "Startup"
The virus has probably been cleaned, but I will attach additional logs if necessary; I just ask you to tell me which ones to generate and with which program.
I would also ask you to briefly explain:
- is it possible that the virus infected other files on the computer?
-
Thanks,
Regards
Update: 25 May 2012 14:08
On drive "C:" I found a directory "_OTM", created by the "OTM" program, which contains a certain log.
I have copied it here and hope this is the text that needed to be copied before the reboot mentioned above.
All processes killed
========== FILES ==========
C:\configuration folder moved successfully.
C:\OptionalComponents\2D2E2D folder moved successfully.
C:\OptionalComponents folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: -.-
->Temp folder emptied: 52274997 bytes
->Temporary Internet Files folder emptied: 1023578 bytes
->Java cache emptied: 8311949 bytes
->FireFox cache emptied: 175148956 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 57368 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 1938448 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 228,00 mb
[EMPTYJAVA]
User: -.-
->Java cache emptied: 0 bytes
User: All Users
User: Default
User: Default User
User: Public
Total Java Files Cleaned = 0,00 mb
OTM by OldTimer - Version 3.1.19.0 log created on 05252012_134835
Thanks,
Regards
Update: 25 May 2012 14:10
Also, I would like to know what to do with the mentioned "_OTM" directory once the virus has been cleaned - can I freely delete it?
Thanks,
Regards
Posted: 25 May 2012 14:19
rip
- argus
- Anti Malware Fighter Rank 2
- Joined: 27 Apr 2008
- Posts: 9160
- Where you live: Prokuplje
Quote: I would also ask you to briefly explain:
- is it possible that the virus infected other files on the computer?
That is not a virus, it is a worm that spreads via USB memory devices, and it has not infected other files.
You need to do one more step, which is to scan the flash memory; I have already given you the instructions for MCShield.
When we are finished I will give you instructions on how to remove OTM.
Posted: 25 May 2012 14:32
offline
- hipnotik
- New MyCity citizen
- Joined: 25 May 2012
- Posts: 6
Thanks for the reply.
Here are the contents of the MCShield log:
>>> MCShield AllScans.txt <<<
>>> MCShield v 2.0.3.11 <<<
25.5.2012. 14:05:47 > Drive C: - scan started (no label ~37 GB, NTFS HDD )...
=> The drive is clean.
25.5.2012. 14:05:47 > Drive D: - scan started (Local Disk ~233 GB, NTFS HDD )...
=> The drive is clean.
>>> MCShield v 2.0.3.11 <<<
25.5.2012. 14:13:35 > Drive H: - scan started (no label ~7824 MB, FAT32 flash drive )...
---> Note: traces of file replicators have been found!
---> Executing generic S&D routine...
>>> H:\20120227 - dobro jutro hrvatska.exe - Malware > Deleted. (12.05.25. 14.13 20120227 - dobro jutro hrvatska.exe.525036; MD5: 1628b5236d9d41b760e5e477eb50700b)
>>> H:\,.exe - Malware > Deleted. (12.05.25. 14.13 ,.exe.878395; MD5: 1628b5236d9d41b760e5e477eb50700b)
>>> H:\vedranovi podaci - backup.exe - Malware > Deleted. (12.05.25. 14.13 vedranovi podaci - backup.exe.533498; MD5: 1628b5236d9d41b760e5e477eb50700b)
> Resetting attributes: H:\20120227 - dobro jutro hrvatska < Successful.
> Resetting attributes: H:\, < Successful.
> Resetting attributes: H:\vedranovi podaci - backup < Successful.
=> Malicious files : 3/3 deleted.
=> Hidden folders : 3/3 unhidden.
____________________________________________
::::: Scan duration: 2s ::::::::::::::::::::
____________________________________________
>>> MCShield v 2.0.3.11 <<<
25.5.2012. 14:20:06 > Drive H: - scan started (no label ~7824 MB, FAT32 flash drive )...
=> The drive is clean.
>>> MCShield v 2.0.3.11 <<<
25.5.2012. 14:20:17 > Drive H: - scan started (no label ~7824 MB, FAT32 flash drive )...
=> The drive is clean.
Thanks,
Regards
Posted: 25 May 2012 14:45
rip
- argus
- Anti Malware Fighter Rank 2
- Joined: 27 Apr 2008
- Posts: 9160
- Where you live: Prokuplje
OK, now you have had a chance to see for yourself how the MCShield program works. When you plugged in the flash drive, it scanned the device, deleted 3 malicious files and removed the hidden attributes, which returned the folders to their original state, so they are now visible.
Let this program always start with Windows and you will not have problems with this kind of infection. It does not interfere with the antivirus program at all; rather, it complements it and increases protection.
Run OTM and click the CleanUp tab.
That would be all, regards.
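The MCShield log above shows the pattern this worm leaves on a flash drive: each folder is set hidden and a byte-identical executable with the folder's name plus ".exe" is dropped beside it (all three deletions carry the same MD5). The following detection and cleanup plan is an added example, not code from MCShield or the thread; the drive listing and the worm body are constructed so that the script runs offline, and the cleanup plan only describes actions rather than touching a disk.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Entry:
    """One directory entry from a (constructed) listing of the drive root."""
    path: str               # e.g. "H:\\vedranovi podaci - backup.exe"
    is_dir: bool
    hidden: bool = False
    system: bool = False
    content: bytes = b""    # file body, used only for the replica check


def stem(path):
    """Drop the last extension: 'H:\\a - b.exe' -> 'H:\\a - b', 'H:\\,.exe' -> 'H:\\,'."""
    base, dot, ext = path.rpartition(".")
    return base if dot and "\\" not in ext and "/" not in ext else path


def find_replicator_pairs(entries):
    """Return (exe_path, folder_path) for every .exe whose stem names a hidden folder."""
    dirs = {e.path.lower(): e for e in entries if e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir or not e.path.lower().endswith(".exe"):
            continue
        folder = dirs.get(stem(e.path).lower())
        if folder is not None and folder.hidden:
            hits.append((e.path, folder.path))
    return hits


def find_replicas(entries):
    """Group .exe files by MD5; differently named but byte-identical copies are the replicator signature."""
    by_hash = {}
    for e in entries:
        if not e.is_dir and e.path.lower().endswith(".exe"):
            by_hash.setdefault(hashlib.md5(e.content).hexdigest(), []).append(e.path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def plan_cleanup(entries):
    """Actions in the order the log shows: delete the impostor .exe, then unhide its folder."""
    actions = []
    for exe, folder in find_replicator_pairs(entries):
        actions.append(("delete", exe))
        actions.append(("unhide", folder))
    return actions


WORM_BODY = b"constructed stand-in for the worm binary"  # not the real sample
SAMPLE = [  # constructed listing modelled on the folder names in the MCShield log
    Entry("H:\\20120227 - dobro jutro hrvatska", True, hidden=True, system=True),
    Entry("H:\\20120227 - dobro jutro hrvatska.exe", False, content=WORM_BODY),
    Entry("H:\\,", True, hidden=True, system=True),
    Entry("H:\\,.exe", False, content=WORM_BODY),
    Entry("H:\\vedranovi podaci - backup", True, hidden=True, system=True),
    Entry("H:\\vedranovi podaci - backup.exe", False, content=WORM_BODY),
    Entry("H:\\photos", True),                                                  # normal visible folder
    Entry("H:\\setup.exe", False, content=b"legitimate installer (constructed)"),  # lone exe, no folder
]

if __name__ == "__main__":
    for action, target in plan_cleanup(SAMPLE):
        print(action, target)
```

A visible folder with a same-named .exe, or a lone executable such as setup.exe, produces no finding; only the hidden-folder pairing does, and the MD5 grouping independently confirms that the three executables are one file under three names.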
Posted: 25 May 2012 15:12
offline
- hipnotik
- New MyCity citizen
- Joined: 25 May 2012
- Posts: 6
Thank you for the explanation.
If you have time, I would ask you for just one more brief explanation:
- After running the OTM program and choosing the "CleanUp" option, an empty directory named "autorun.inf" appeared on drive "C:". I am wondering whether this is the worm, or whether that directory was created by one of the programs to prevent the worm from creating malicious files/directories with the same name?
Thank you from the bottom of my heart for your time and help.
Posted: 25 May 2012 17:48
rip
- argus
- Anti Malware Fighter Rank 2
- Joined: 27 Apr 2008
- Posts: 9160
- Where you live: Prokuplje
autorun.inf can, by its function, be either legitimate or malicious. You have the MCShield program, so don't worry; it will decide what to do with it.
If it is not too much trouble, take a screenshot of the root of partition C:\ and post the picture so I can see it. I figure it is in the root of C:\