[ Stefan 93 @ 27.11.2008. 23:33 ] @
AVG Anti-Virus Pro found some rootkit and I can't remove it!!! I tried Rustbfix, Rootchk, Gmer and Malwarebytes Anti-Malware Pro, the ones mentioned in that sticky thread, and none of them detected anything.
I also turned System Restore off while AVG was removing it; the only thing I didn't do was go into Safe Mode, because I don't think it can search for rootkits only, and during the week I can't wait for it to scan everything.
What should I do???!!!
[ Miroslav Jeftić @ 27.11.2008. 23:47 ] @
Are you sure it isn't a false alarm, given that the other programs didn't detect anything?
[ Stefan 93 @ 28.11.2008. 11:24 ] @
I don't know, possibly. I'm not noticing any problem.
[ Goran Mijailovic @ 28.11.2008. 15:04 ] @
Try:

If BlackLight comes up clean, most likely everything is fine. It's quite possible that RootkitRevealer finds entries the other tools don't, but you need to read its help carefully.
[ Stefan 93 @ 28.11.2008. 18:57 ] @
In AVG it said Hidden Drive for it, and it's located in C:\Windows\system32\drivers.
This one didn't find anything either, but RootkitRevealer found 328 things!!!
Some things in my user profile, then Cookies and Local Settings/Temp/, then some folder I can't see even though I have showing hidden files turned on.
What should I do? Next to those items it says: Hidden From Windows API.
And there are some it can't open.
[ Stefan 93 @ 04.12.2008. 15:33 ] @
People, it's urgent! Only AVG finds some file in system32/drivers; it supposedly removes it, and when I restart the computer a new file with a different name appears there, the extension is .SYS. When I go to scan for rootkits it says HIDDEN DRIVE.
I went to Run and it finds that file and offers me to choose what to open it with.
Do I have to wipe the system or is there a chance of getting rid of it???????????????????
I tried to delete it with Spybot, that application for deleting, but it's no use.
[ Binary Mind @ 04.12.2008. 19:06 ] @
Download ComboFix, run it, follow the prompts, don't touch anything while it scans, let it restart the computer if necessary, wait for it to generate the log, and post the log here so we can analyze it.
[ Stefan 93 @ 05.12.2008. 13:07 ] @
The first time I scanned, AVG found a trojan in Temp and ComboFix restarted the computer, so it found something; then I repeated the scan, only with AVG turned off, and this time it didn't restart. Here's the log. AVG still finds that rootkit, but it has a different name every time after this scan with ComboFix.

ComboFix 08-12-04.05 - Stefan 2008-12-05 14:02:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1566 [GMT 1:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 14:02 . 2008-12-05 14:02 <DIR> d-------- C:\ComboFix0
2008-12-04 16:46 . 2008-12-04 16:46 <DIR> d-------- c:\windows\system32\drivers\log
2008-12-04 16:45 . 2008-12-04 18:39 <DIR> d-------- C:\Rustbfix
2008-12-03 21:08 . 2008-12-03 21:08 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\LimeWire
2008-12-02 21:30 . 2008-12-02 21:30 <DIR> d-------- c:\windows\system32\Adobe
2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\documents and settings\Stefan\Application Data\ACD Systems
2008-11-30 20:20 . 2008-11-30 20:20 <DIR> d-------- c:\documents and settings\Stefan\Contacts
2008-11-30 15:27 . 2008-11-30 15:27 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2008-11-30 15:27 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2008-11-30 15:27 . 2008-11-30 16:36 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2008-11-30 15:27 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2008-11-30 15:26 . 2008-11-30 15:26 <DIR> d-------- c:\program files\Samsung
2008-11-29 00:44 . 2008-12-05 13:26 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Winamp
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Malwarebytes
2008-11-29 00:44 . 2008-12-04 22:48 <DIR> d-------- c:\documents and settings\Stefan\Application Data\LimeWire
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\InfraRecorder
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Foxit
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Digsby
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Activision
2008-11-29 00:41 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\AVGTOOLBAR
2008-11-29 00:39 . 2008-11-29 00:39 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Launchy
2008-11-29 00:39 . 2008-12-04 15:33 <DIR> d-------- c:\documents and settings\Stefan
2008-11-28 19:59 . 2008-11-28 19:59 3,207,168 --a------ c:\windows\system32\GZKKPGWXXTAI
2008-11-27 23:38 . 2008-11-27 23:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo
2008-11-27 01:20 . 2008-06-30 17:16 234,640 --a------ c:\windows\system32\drivers\afwcore.sys
2008-11-27 01:19 . 2008-11-27 01:25 <DIR> d-------- c:\windows\system32\Filt
2008-11-27 01:19 . 2008-11-27 01:19 <DIR> d-------- c:\program files\Agnitum
2008-11-27 01:19 . 2008-07-11 15:41 673,920 --a------ c:\windows\system32\drivers\SandBox.sys
2008-11-27 01:19 . 2008-06-30 17:16 30,864 --a------ c:\windows\system32\drivers\afw.sys
2008-11-27 01:19 . 2007-09-07 17:45 49 --a------ c:\windows\transp.gif
2008-11-27 01:18 . 2008-11-27 01:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Agnitum
2008-11-26 01:56 . 2008-11-26 01:56 250 --a------ c:\windows\gmer.ini
2008-11-26 01:52 . 2008-11-26 01:52 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-25 19:43 . 2008-12-04 21:20 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-11-25 19:43 . 2008-11-25 19:47 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-11-25 19:41 . 2008-12-04 21:20 183,112 --a------ c:\windows\system32\PnkBstrB.exe
2008-11-25 19:09 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-11-25 19:09 . 2008-12-02 14:21 376 --a------ c:\windows\ODBC.INI
2008-11-25 19:07 . 2008-11-25 19:07 <DIR> d-------- c:\program files\Microsoft Works
2008-11-25 19:07 . 2008-11-25 19:07 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-11-25 19:07 . 2008-11-25 19:07 <DIR> d-------- c:\program files\Common Files\L&H
2008-11-25 19:06 . 2008-11-25 19:07 <DIR> d-------- c:\windows\SHELLNEW
2008-11-25 19:06 . 2008-11-25 19:06 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-23 13:23 . 2008-11-27 01:13 <DIR> d-------- c:\program files\Total Uninstall 5
2008-11-23 13:23 . 2008-11-23 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Martau
2008-11-23 12:49 . 2008-02-22 12:30 334,792 --a------ c:\windows\system32\_AxShlEx.dll
2008-11-23 12:47 . 2008-11-23 12:47 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-23 12:44 . 2008-11-24 20:40 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-22 17:29 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-22 17:15 . 2008-11-22 17:16 <DIR> d-------- c:\program files\LimeWire
2008-11-22 16:31 . 2008-11-22 23:42 <DIR> d-------- c:\documents and settings\Aleksandra\Contacts
2008-11-22 16:07 . 2008-11-22 16:07 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\Malwarebytes
2008-11-22 13:29 . 2008-11-22 13:29 <DIR> d-------- c:\program files\SR7.Stop
2008-11-22 13:29 . 2008-11-22 13:29 <DIR> d-------- c:\program files\sd4hide
2008-11-21 13:05 . 2008-11-21 13:05 2,188 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-11-21 01:33 . 2008-11-21 01:33 <DIR> d-------- c:\program files\Desktop Perpetuum Mobile
2008-11-20 22:32 . 2008-11-20 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Codemasters
2008-11-20 22:31 . 2008-11-20 22:31 109,080 --a------ c:\windows\system32\OpenAL32.dll
2008-11-20 15:37 . 2008-11-20 15:37 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-11-20 15:30 . 2008-04-26 16:14 42,672 --------- c:\windows\system32\wbsys.dll
2008-11-20 15:24 . 2008-11-20 15:24 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{8CC5CF4A-124E-41BA-B58C-A41F05BE09CC}
2008-11-20 14:36 . 2008-11-20 15:24 <DIR> d-------- c:\program files\Stardock
2008-11-20 14:36 . 2008-11-20 14:36 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}
2008-11-19 23:41 . 2008-11-19 23:41 <DIR> d-------- c:\program files\Acronis
2008-11-19 23:41 . 2008-11-19 23:41 134,272 --a------ c:\windows\system32\drivers\snman380.sys
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Acronis
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\Administrator
2008-11-19 15:37 . 2008-11-19 23:41 <DIR> d-------- c:\program files\Common Files\Acronis
2008-11-19 15:37 . 2008-11-19 15:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acronis
2008-11-19 15:37 . 2008-11-19 23:41 971,168 --a------ c:\windows\system32\drivers\tdrpm140.sys
2008-11-19 15:37 . 2008-11-19 23:41 540,000 --a------ c:\windows\system32\drivers\timntr.sys
2008-11-19 15:37 . 2008-11-19 23:41 44,704 --a------ c:\windows\system32\drivers\tifsfilt.sys
2008-11-18 23:51 . 2008-11-18 23:51 <DIR> d-------- c:\program files\OpenAL
2008-11-18 23:51 . 2008-11-20 22:31 444,952 --a------ c:\windows\system32\wrap_oal.dll
2008-11-18 22:28 . 2008-11-18 22:28 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-18 22:28 . 2004-08-04 02:07 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-18 22:26 . 2008-11-25 19:36 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-18 22:26 . 2008-11-18 22:27 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-18 14:56 . 2008-11-18 14:57 <DIR> d-------- c:\program files\DAMN NFO Viewer
2008-11-17 23:55 . 2008-11-17 23:55 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\Comodo
2008-11-17 23:52 . 2008-11-17 23:52 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\MySpace
2008-11-17 23:46 . 2008-11-17 23:46 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\Launchy
2008-11-17 23:46 . 2008-11-17 23:46 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\AVGTOOLBAR
2008-11-17 23:46 . 2008-11-22 16:31 <DIR> d-------- c:\documents and settings\Aleksandra
2008-11-17 23:34 . 2008-12-03 20:32 172 --a------ c:\windows\wininit.ini
2008-11-17 22:55 . 2008-11-17 22:55 <DIR> d-------- c:\program files\Common Files\eSellerate
2008-11-17 21:57 . 2008-12-05 13:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-17 21:34 . 2008-12-05 13:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-17 21:34 . 2008-11-17 21:34 <DIR> d-------- c:\program files\AVG
2008-11-17 21:34 . 2008-11-17 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-17 21:34 . 2008-11-17 21:50 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-17 21:34 . 2008-11-17 21:50 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-17 21:34 . 2008-11-17 21:34 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-11-17 21:34 . 2008-11-17 21:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-17 15:52 . 2008-11-17 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-17 14:11 . 2008-12-04 22:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-17 14:11 . 2008-11-17 14:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 14:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 14:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 23:29 . 2008-11-16 23:29 <DIR> d-------- c:\program files\MySpace
2008-11-16 22:57 . 2008-11-16 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Digsby
2008-11-16 22:31 . 2008-11-17 14:18 <DIR> d-------- c:\program files\RegSupreme Pro
2008-11-16 21:38 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-16 21:38 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-16 21:38 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-16 21:31 . 2008-11-16 21:32 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-16 21:31 . 2008-11-16 21:31 <DIR> d-------- c:\program files\ACD Systems
2008-11-16 21:31 . 2008-11-16 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-16 19:45 . 2008-11-16 19:45 <DIR> d-------- c:\program files\Raxco
2008-11-16 19:45 . 2008-11-16 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2008-11-16 19:45 . 2008-08-28 13:16 71,184 --a------ c:\windows\system32\drivers\DefragFS.sys
2008-11-16 17:25 . 2008-11-16 17:26 <DIR> d-------- c:\program files\InfraRecorder
2008-11-16 17:25 . 2008-11-25 21:28 <DIR> d-------- c:\program files\7-Zip
2008-11-16 16:49 . 2008-11-16 16:49 <DIR> d-------- c:\windows\system32\XPSViewer
2008-11-16 16:49 . 2008-11-16 16:49 <DIR> d-------- c:\program files\Reference Assemblies
2008-11-16 16:49 . 2008-11-16 16:49 <DIR> d-------- c:\program files\MSBuild
2008-11-16 16:48 . 2008-11-16 17:10 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-16 16:48 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-11-16 16:48 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-11-16 16:48 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-11-16 16:48 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-11-16 16:48 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-11-16 16:48 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-11-16 16:48 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-11-16 16:45 . 2008-11-16 16:45 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 14:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-15 22:23 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-11-15 22:23 106,496 ----a-w c:\windows\system32\ATL71.DLL
2008-11-15 22:23 --------- d-----w c:\program files\Nikon
2008-11-15 22:23 --------- d-----w c:\program files\Common Files\Nikon
2008-11-15 22:23 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\Ultima_T15
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\Nikon
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\EnterNHelp
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\designjet
2008-11-15 22:13 --------- d-----w c:\program files\Logitech
2008-11-15 22:13 --------- d-----w c:\program files\Common Files\Logitech
2008-11-15 22:06 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-15 22:06 --------- d-----w c:\program files\Altiris
2008-11-15 22:00 --------- d-----w c:\program files\My Company Name
2008-11-15 21:57 15,600 ----a-w c:\windows\gdrv.sys
2008-11-15 21:53 --------- d-----w c:\program files\Realtek
2008-11-15 21:51 315,392 ----a-w c:\windows\HideWin.exe
2008-11-15 21:49 --------- d-----w c:\program files\Intel
2008-11-15 21:44 --------- d-----w c:\program files\microsoft frontpage
2008-10-27 09:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 09:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 09:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 09:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 03:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 03:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 03:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-02 09:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 20:12 222,488 ----a-w c:\windows\system32\snapapi.dll
2008-09-09 12:49 230,152 ----a-w c:\windows\system32\PDBoot.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_13.56.23.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-05 12:26:43 72,108 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-05 12:59:16 72,108 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-05 12:26:43 444,358 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-05 12:59:17 444,358 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-02-19 418632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-07-15 883528]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2008-08-05 435528]

c:\documents and settings\Stefan\Start Menu\Programs\Startup\
digsby.lnk - c:\program files\Digsby\digsby.exe [2008-10-10 137728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-11-16 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Igrice\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-11-17 12936]
R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\DRIVERS\snman380.sys [2008-11-19 134272]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\DRIVERS\tdrpm140.sys [2008-11-19 971168]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-17 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-17 90632]
R1 SandBox;SandBox;c:\windows\system32\DRIVERS\SandBox.sys [2008-11-27 673920]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-11-27 1238344]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-17 874776]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-17 231704]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-09-09 693512]
R3 AEXPAM;Philips SmartManage Service;c:\windows\system32\Drivers\aexpamdrv.sys [2004-09-01 21824]
R3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2008-11-27 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2008-11-27 234640]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-11-27 33408]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-09-09 906504]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"c:\program files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 98328]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.freegamepick.com/?game_title=AdventureMatch
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\3d4g5rgm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yustart.com/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 14:04:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-05 14:04:55
ComboFix-quarantined-files.txt 2008-12-05 13:04:53
ComboFix2.txt 2008-12-05 12:56:59

Pre-Run: 29.339.832.320 bytes free
Post-Run: 29,328,990,208 bytes free

260 --- E O F --- 2008-12-02 13:18:59
[ Stefan 93 @ 05.12.2008. 13:30 ] @
You're all surely convinced these are false alarms, but 5-6 times I went to Run and every time it found that the file exists, whatever it was called, and I can't see it even though I have showing hidden files turned on.
[ C.R.E.A.M. @ 05.12.2008. 18:02 ] @
With Avira you wouldn't be fooling around like this...
[ Binary Mind @ 06.12.2008. 09:36 ] @
Download HijackThis, scan and post the log.
[ Stefan 93 @ 06.12.2008. 12:16 ] @
The HijackThis log is clean; kristi1 and those 4 sites from the sticky thread checked it.
[ Stefan 93 @ 06.12.2008. 12:23 ] @
Binary Mind, you didn't say anything about the ComboFix log, is there anything suspicious?
[ Binary Mind @ 06.12.2008. 13:07 ] @
As far as I can see there's nothing that would indicate any kind of infection.
[ Stefan 93 @ 06.12.2008. 20:48 ] @
Thanks magna86, kristi1, Binary Mind for taking the trouble to help me; I'll wipe the system anyway, because this definitely exists.
Just to say now at the end, it turned out that AVG Anti-Virus Pro has a better anti-rootkit SCANNER than all the others from the sticky thread, but what good is that when it couldn't delete it. Also, RootkitRevealer, as I said at the start of the thread, found a pile of files hidden from the Windows API, which this rootkit was surely hiding.
Just one last thing, what is the Windows API?
[ Binary Mind @ 06.12.2008. 21:09 ] @
Windows Application Programming Interface. Google it for an explanation. By the way, however much people praise it, AVG is prone to false positive results during scanning.
[ Stefan 93 @ 06.12.2008. 21:46 ] @
When I went to Run, that file ALWAYS existed! And I couldn't see it in that folder. That should be enough. And there were all sorts of piles of files in the old user profile too, which I deleted afterwards.
[ Binary Mind @ 07.12.2008. 12:22 ] @
Can you list at least some of the file names that AVG was identifying as malware/rootkit?
[ Stefan 93 @ 07.12.2008. 20:07 ] @
It's aj5rr16j.SYS now; it's always something similar, it starts with A and then some letters like these follow.
[ Binary Mind @ 08.12.2008. 15:12 ] @
OK. Can you post the link where you uploaded the HijackThis log so I can see it? Also give a screenshot of the processes in Task Manager.
[ Stefan 93 @ 08.12.2008. 18:58 ] @
Screenshot of the processes: http://www.sxc.hu/browse.phtml?f=download&id=1118775
Here's the log; it hasn't been checked since then, so maybe something has been picked up in the meantime:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:57, on 8.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freegamepick.com/?game_title=AdventureMatch
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: digsby.lnk = C:\Program Files\Digsby\digsby.exe
O4 - Global Startup: Launchy.lnk = C:\Qoobox\Quarantine\C\Program Files\Launchy\Launchy.exe.vir
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5572 bytes
[ Binary Mind @ 09.12.2008. 16:16 ] @
Nothing suspicious in HijackThis. The link you posted for the screenshot asks me for some username and password. I'd ask you to upload it here and paste the image into the thread so everyone can see it... (the [img]...[/img] thing).
[ Goran Mijailovic @ 09.12.2008. 17:10 ] @
Quote:
Nothing suspicious in HijackThis

Well, there isn't, because it's a rootkit.
Besides, I clearly said:
Quote:
If BlackLight comes up clean, most likely everything is fine. It's quite possible that RootkitRevealer finds entries the other tools don't, but you need to read its help carefully.

For example:
Quote:
Hidden from Windows API.
These discrepancies are the ones exhibited by most rootkits; however, if you haven't checked the Hide NTFS metadata files option you should expect to see a number of such entries on any NTFS volume, since NTFS hides its metadata files, such as $MFT and $Secure, from the Windows API. The metadata files present on NTFS volumes vary by version of NTFS and the NTFS features that have been enabled on the volume. There are also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide data they store in NTFS alternate data streams. If you are running such a virus scanner you'll see a Hidden from Windows API discrepancy for an alternate data stream on every NTFS file. RootkitRevealer does not support output filters because rootkits can take advantage of any filtering. Finally, if a file is deleted during a scan you may also see this discrepancy.
etc., etc.
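The mechanism behind those "Hidden from Windows API" entries is a cross-view comparison: the scanner lists the volume once through the Windows API and once by parsing the raw NTFS structures, and reports every name that appears in only one view. The script below is an added illustration of that comparison, not Sysinternals' code; both listings are constructed sample data (the planted driver name is taken from the thread, not a claim about anyone's machine), and the NTFS metadata list and the second discrepancy label are assumptions.

```python
"""Cross-view comparison, the technique behind RootkitRevealer's "Hidden from
Windows API" discrepancies, as an added illustration (not Sysinternals' code).
One listing of the volume comes through the Windows API, the other from a raw
parse of the on-disk NTFS structures; anything present in one view and absent
from the other is a discrepancy. Both listings below are constructed sample
data, not output of a real scan."""

# NTFS metadata files that the file system itself hides from the Windows API.
# Assumption: the common set on an NTFS 3.x volume; the real set varies with
# NTFS version and enabled features.
NTFS_METADATA = {
    "$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef", "$Bitmap",
    "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend",
}

# Constructed: what a directory walk through the Windows API returns.
API_VIEW = {
    r"C:\WINDOWS\system32\drivers\afw.sys",
    r"C:\WINDOWS\system32\drivers\avgrkx86.sys",
    r"C:\Documents and Settings\Stefan\Cookies\index.dat",
    r"C:\Documents and Settings\Stefan\Local Settings\Temp\~DF1234.tmp",
}

# Constructed: what the raw NTFS parse returns for the same volume.
RAW_VIEW = {
    r"C:\$MFT",
    r"C:\$Secure",
    r"C:\$Extend",
    r"C:\WINDOWS\system32\drivers\afw.sys",
    r"C:\WINDOWS\system32\drivers\avgrkx86.sys",
    r"C:\WINDOWS\system32\drivers\aj5rr16j.sys",  # planted: on disk, absent from the API view
    r"C:\Documents and Settings\Stefan\Cookies\index.dat",
    # ~DF1234.tmp is missing here: deleted between the two passes (a benign cause)
}

HIDDEN = "Hidden from Windows API"
GONE = "Visible in Windows API but not in raw NTFS view"  # simplified label (assumption)


def is_ntfs_metadata(path):
    """True for $-files in the volume root, which NTFS hides by design."""
    parts = path.split("\\")
    return len(parts) >= 2 and parts[1] in NTFS_METADATA


def cross_view_scan(api_view, raw_view, hide_ntfs_metadata=True):
    """Return (path, discrepancy) pairs; optionally suppress NTFS metadata noise."""
    findings = []
    for path in sorted(raw_view - api_view):
        if hide_ntfs_metadata and is_ntfs_metadata(path):
            continue
        findings.append((path, HIDDEN))
    for path in sorted(api_view - raw_view):
        findings.append((path, GONE))
    return findings


def high_priority(findings):
    """A kernel driver hidden from the API is what matters; cookie/temp churn is usually noise."""
    return [p for p, kind in findings
            if kind == HIDDEN and p.lower().endswith(".sys")
            and "\\system32\\drivers\\" in p.lower()]


if __name__ == "__main__":
    for path, kind in cross_view_scan(API_VIEW, RAW_VIEW, hide_ntfs_metadata=False):
        print(f"{kind:50} {path}")
    print("high priority:", high_priority(cross_view_scan(API_VIEW, RAW_VIEW)))
```

Running it with the metadata filter off reproduces the noise the help text warns about ($MFT, $Secure and $Extend all show as hidden); with the filter on, only the planted driver and the file that vanished between passes remain, and only the driver survives the priority filter.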
[ Goran Mijailovic @ 09.12.2008. 17:17 ] @
By the way, it's interesting that plain msconfig sees the registry path from which the rootkit starts, unlike many specialized tools; you just need to know what to disable.
[ Stefan 93 @ 09.12.2008. 23:27 ] @
[ Goran Mijailovic @ 10.12.2008. 16:46 ] @
?

You think the rootkit is visible here?
[ Stefan 93 @ 10.12.2008. 22:52 ] @
The simplest solution: I just wipe the system and it's as if that rootkit never existed, if it ever did. I have all the installers anyway.
[ Binary Mind @ 11.12.2008. 10:25 ] @
Sorry for not replying earlier. I was busy yesterday. Digsby is most likely the culprit, and this is not any kind of rootkit, because if it were I would know... There are trojans that behave like this, creating random .sys files with 8 characters that can be letters and digits. There are no trojans here, and there is definitely no rootkit either.
[ Stefan 93 @ 11.12.2008. 10:28 ] @
Why would Digsby be the culprit? I have been using it for half a year and of course no driver from it has ever shown up there; it is a chat program, of course it doesn't put things in system32.
[ Binary Mind @ 11.12.2008. 13:28 ] @
It is the only item I know of among those present that some security tools always flag as malware. Everything else is clean, though it is possible that some Windows system files are the culprits, e.g. wmiprvse.exe if it is not where it belongs (C:\WINDOWS\System32\Wbem). wuauclt.exe can also be disguised malware if it is not on its own path, i.e. C:\Windows\System32, etc. The same goes for all Windows system files. If they are not on their default paths, they are disguised malware... Try to determine whether that is the problem. You can also install a firewall and see whether some suspicious file tries to reach the internet. That is one of the methods that can be used to find potential vermin.
[ Stefan 93 @ 11.12.2008. 13:47 ] @
I had Comodo FW Pro the whole time, then Outpost FW Pro, until magna86 was making the ComboFix scripts, and no suspicious file ever tried to get out to the internet. It is something else.
[ drvlada75 @ 11.12.2008. 14:45 ] @
Try cleaning it with Malwarebytes Anti-Malware!
[ Stefan 93 @ 11.12.2008. 14:50 ] @
Just read the whole thread, drvlada!
[ Goticni @ 11.12.2008. 17:25 ] @
I could give you a few tips, but they may be harder than wiping the system. It depends on how important the system itself is to you and how much of it you can restore without something else suffering. Although, from the logs you have posted it seems your machine is not running as a server ;)

If none of this has worked, say so and we will throw in some more methods :)
[ drvlada75 @ 11.12.2008. 19:19 ] @
I only mentioned Malwarebytes because they may have expanded the database; maybe your problem is covered in the latest definitions!
Regards!
[ zadrugarka @ 11.12.2008. 21:14 ] @
Could I get a comment, please?
MBAM is left "speechless"
and with S&D I am currently getting a blue screen...
the fight goes on

Malwarebytes' Anti-Malware 1.31
Database version: 1482
Windows 5.1.2600 Service Pack 2

11.12.2008 17:55:40
mbam-log-2008-12-11 (17-55-33).txt

Scan type: Quick Scan
Objects scanned: 111897
Time elapsed: 33 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winva82 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winva82 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winva82 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\Winva82.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> No action taken.

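An added example, not part of the thread and not Malwarebytes' own code: a small parser for the detection lines in a Malwarebytes 1.x log, which then sorts the hits by persistence mechanism. The embedded log excerpt is constructed from the entries zadrugarka posted (backslashes restored, one entry per line); the English section headers are assumed and the parser does not depend on them. It makes two things visible that the raw list hides: the three `Services\winva82` keys are one service, since `CurrentControlSet` is a link to one of the numbered control sets, and it is backed by the flagged `Winva82.sys` driver; and `WinCtrl32.dll` is registered under `Winlogon\Notify`, which makes winlogon.exe load it at every logon. It also counts how many items were left at "No action taken", the point magna86 makes in the reply below.

```python
"""Parse Malwarebytes 1.x detection lines and group them by persistence mechanism.

Added example; not Malwarebytes' code. The log text is a constructed excerpt
adapted from the log posted in the thread, with the English section headers
assumed (the parser ignores headers and only reads detection lines).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.31
Database version: 1482

Memory Modules Infected:
C:\\WINDOWS\\system32\\WinCtrl32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\winva82 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\winva82 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\winva82 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WinCtrl32 (Trojan.Agent) -> No action taken.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\Winva82.sys (Rootkit.Agent) -> No action taken.
C:\\WINDOWS\\system32\\WinCtrl32.dll (Trojan.Agent) -> No action taken.
"""

# One detection line has the shape "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# A service or kernel-driver registration, in whichever control set it was found.
SERVICE_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.IGNORECASE)
# A Winlogon notification package: a DLL that winlogon.exe loads at logon.
NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\([^\\]+)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return every detection line as a dict with item, family and action."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def classify(items):
    """Group detections by persistence mechanism; count those not yet removed."""
    services = defaultdict(set)  # service name -> control sets it was seen in
    notify, drivers, not_removed = [], [], 0
    for it in items:
        item = it["item"]
        if it["action"].lower().startswith("no action taken"):
            not_removed += 1
        m = SERVICE_RE.search(item)
        if m:
            services[m.group(2).lower()].add(m.group(1))
            continue
        m = NOTIFY_RE.search(item)
        if m:
            notify.append(m.group(1))
            continue
        low = item.lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            drivers.append(item.rsplit("\\", 1)[-1])
    return {
        "services": dict(services),
        "winlogon_notify": notify,
        "drivers": drivers,
        "not_removed": not_removed,
    }


def linked_drivers(report):
    """Pair each flagged service with a flagged .sys whose base name matches it."""
    by_stem = {d.rsplit(".", 1)[0].lower(): d for d in report["drivers"]}
    return {svc: by_stem[svc] for svc in report["services"] if svc in by_stem}


if __name__ == "__main__":
    report = classify(parse_mbam_log(SAMPLE_LOG))
    for svc, sets in report["services"].items():
        print(f"service {svc} in {sorted(sets)} -> driver {linked_drivers(report).get(svc)}")
    print("Winlogon notify DLLs:", report["winlogon_notify"])
    print("items left at 'No action taken':", report["not_removed"])
```

Because the service appears in every control set, removing only the key under `CurrentControlSet` is not enough; a cleanup has to remove the service registration from each control set along with the driver file, or the entry comes back on the next boot.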
[ magna86 @ 11.12.2008. 23:00 ] @
@zadrugarka
you didn't finish the job! you didn't click Remove Selected
Repeat the scan, choose Full Scan, when the process finishes click OK,
click Remove Selected

when it's done, post a fresh MBAM log

[This message was edited by magna86 on 12.12.2008 at 00:15 GMT+1]
[ Stefan 93 @ 17.12.2008. 22:38 ] @
Hi everyone, just to close the thread, so that if anyone ever has a similar problem they can see what happened.
Conclusion: it seems to be something new, and unless these tools get fixed by then, the only way to get rid of it is what I did, simply wiping the system. Or there is another solution, using some very complicated tools (I was only told they exist) for which you will have to find an expert, but that is not really worth it unless you have very important data you cannot move off.
[ Goran Mijailovic @ 18.01.2009. 02:57 ] @
Stefan, the thread has been unlocked.
[ 93 Stefan @ 18.01.2009. 11:57 ] @
Thanks Goxy, so this rootkit that AVG found is a driver for Daemon Tools, more precisely for the virtual drives. It has nothing to do with that adware, which sits in the toolbar and which of course I did not install.
I wiped the system for nothing :'(
I just don't understand how a driver like that changes its name on every restart and why I can't see it? Even the application itself could not find it normally if it is really its own, I suppose. It would have to search the whole folder just to find it. Maybe it is done to get around those various disc protections?