Problem with a Rootkit

Locked topic, by Goran Mijailovic
Stefan 93



27.11.2008 at 23:33
With AVG Anti-Virus Pro I found some rootkit and I can't remove it!!! I tried Rustbfix, Rootchk, Gmer and Malwarebytes Anti-Malware Pro, which are mentioned in that sticky thread, and none of them detected anything.
I had also turned off System Restore while AVG was removing it; the only thing I didn't do was go into Safe Mode, because I don't think it can search for rootkits only, and during the week I can't wait for it to scan everything.
What should I do???!!!

Miroslav Jeftić


27.11.2008 at 23:47
Are you sure it isn't a false alarm, given that the other programs didn't detect anything at all?

28.11.2008 at 11:24
I don't know, possibly. I'm not noticing any problem.

Goran Mijailovic


28.11.2008 at 15:04

If it passes BlackLight, most likely everything is fine. It's quite possible that RootkitRevealer finds items the other tools don't, but you need to read its help carefully.

28.11.2008 at 18:57
In AVG it said "Hidden Drive" for it, and it is located in C:\Windows\system32\drivers.
This didn't find anything for me either, but RootkitRevealer found 328 things!!!
Some things in my user profile, then Cookies and Local Settings/Temp/, then some folder I can't see even though I have viewing hidden items turned on.
What should I do? Next to those items it says: Hidden from Windows API.
And there are some it can't open.

04.12.2008 at 15:33
People, it's urgent! Only AVG finds some file in system32/drivers; it supposedly removes it, and when I restart the computer a new file with a different name appears there, the extension is .SYS. When I go to search for rootkits it says HIDDEN DRIVE.
I went to Run and it finds that file and offers me to choose what to open it with.
Do I have to reinstall the system or is there a chance to get rid of it???????????????????
I tried deleting it with Spybot, that file-shredder application, but it doesn't help.


04.12.2008 at 19:06
Download ComboFix, run it, follow the prompts, don't touch anything while it scans, let it restart the computer if needed, wait for it to generate the log, and post the log here so we can analyze it.

05.12.2008 at 13:07
The first time I scanned, AVG found a trojan in Temp, and ComboFix restarted the computer, so it found something; then I repeated the scan, only with AVG turned off, and this time it didn't restart. Here's the log. AVG still finds that rootkit, but it has a different name every time after this scan with ComboFix.

ComboFix 08-12-04.05 - Stefan 2008-12-05 14:02:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1566 [GMT 1:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))

2008-12-05 14:02 . 2008-12-05 14:02 <DIR> d-------- C:\ComboFix0
2008-12-04 16:46 . 2008-12-04 16:46 <DIR> d-------- c:\windows\system32\drivers\log
2008-12-04 16:45 . 2008-12-04 18:39 <DIR> d-------- C:\Rustbfix
2008-12-03 21:08 . 2008-12-03 21:08 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\LimeWire
2008-12-02 21:30 . 2008-12-02 21:30 <DIR> d-------- c:\windows\system32\Adobe
2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\documents and settings\Stefan\Application Data\ACD Systems
2008-11-30 20:20 . 2008-11-30 20:20 <DIR> d-------- c:\documents and settings\Stefan\Contacts
2008-11-30 15:27 . 2008-11-30 15:27 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2008-11-30 15:27 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2008-11-30 15:27 . 2008-11-30 16:36 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2008-11-30 15:27 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2008-11-30 15:26 . 2008-11-30 15:26 <DIR> d-------- c:\program files\Samsung
2008-11-29 00:44 . 2008-12-05 13:26 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Winamp
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Malwarebytes
2008-11-29 00:44 . 2008-12-04 22:48 <DIR> d-------- c:\documents and settings\Stefan\Application Data\LimeWire
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\InfraRecorder
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Foxit
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Digsby
2008-11-29 00:44 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Activision
2008-11-29 00:41 . 2008-11-29 00:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\AVGTOOLBAR
2008-11-29 00:39 . 2008-11-29 00:39 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Launchy
2008-11-29 00:39 . 2008-12-04 15:33 <DIR> d-------- c:\documents and settings\Stefan
2008-11-28 19:59 . 2008-11-28 19:59 3,207,168 --a------ c:\windows\system32\GZKKPGWXXTAI
2008-11-27 23:38 . 2008-11-27 23:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo
2008-11-27 01:20 . 2008-06-30 17:16 234,640 --a------ c:\windows\system32\drivers\afwcore.sys
2008-11-27 01:19 . 2008-11-27 01:25 <DIR> d-------- c:\windows\system32\Filt
2008-11-27 01:19 . 2008-11-27 01:19 <DIR> d-------- c:\program files\Agnitum
2008-11-27 01:19 . 2008-07-11 15:41 673,920 --a------ c:\windows\system32\drivers\SandBox.sys
2008-11-27 01:19 . 2008-06-30 17:16 30,864 --a------ c:\windows\system32\drivers\afw.sys
2008-11-27 01:19 . 2007-09-07 17:45 49 --a------ c:\windows\transp.gif
2008-11-27 01:18 . 2008-11-27 01:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Agnitum
2008-11-26 01:56 . 2008-11-26 01:56 250 --a------ c:\windows\gmer.ini
2008-11-26 01:52 . 2008-11-26 01:52 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-25 19:43 . 2008-12-04 21:20 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-11-25 19:43 . 2008-11-25 19:47 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-11-25 19:41 . 2008-12-04 21:20 183,112 --a------ c:\windows\system32\PnkBstrB.exe
2008-11-25 19:09 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-11-25 19:09 . 2008-12-02 14:21 376 --a------ c:\windows\ODBC.INI
2008-11-25 19:07 . 2008-11-25 19:07 <DIR> d-------- c:\program files\Microsoft Works
2008-11-25 19:07 . 2008-11-25 19:07 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-11-25 19:07 . 2008-11-25 19:07 <DIR> d-------- c:\program files\Common Files\L&H
2008-11-25 19:06 . 2008-11-25 19:07 <DIR> d-------- c:\windows\SHELLNEW
2008-11-25 19:06 . 2008-11-25 19:06 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-23 13:23 . 2008-11-27 01:13 <DIR> d-------- c:\program files\Total Uninstall 5
2008-11-23 13:23 . 2008-11-23 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Martau
2008-11-23 12:49 . 2008-02-22 12:30 334,792 --a------ c:\windows\system32\_AxShlEx.dll
2008-11-23 12:47 . 2008-11-23 12:47 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-23 12:44 . 2008-11-24 20:40 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-22 17:29 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-22 17:15 . 2008-11-22 17:16 <DIR> d-------- c:\program files\LimeWire
2008-11-22 16:31 . 2008-11-22 23:42 <DIR> d-------- c:\documents and settings\Aleksandra\Contacts
2008-11-22 16:07 . 2008-11-22 16:07 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\Malwarebytes
2008-11-22 13:29 . 2008-11-22 13:29 <DIR> d-------- c:\program files\SR7.Stop
2008-11-22 13:29 . 2008-11-22 13:29 <DIR> d-------- c:\program files\sd4hide
2008-11-21 13:05 . 2008-11-21 13:05 2,188 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-11-21 01:33 . 2008-11-21 01:33 <DIR> d-------- c:\program files\Desktop Perpetuum Mobile
2008-11-20 22:32 . 2008-11-20 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Codemasters
2008-11-20 22:31 . 2008-11-20 22:31 109,080 --a------ c:\windows\system32\OpenAL32.dll
2008-11-20 15:37 . 2008-11-20 15:37 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-11-20 15:30 . 2008-04-26 16:14 42,672 --------- c:\windows\system32\wbsys.dll
2008-11-20 15:24 . 2008-11-20 15:24 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{8CC5CF4A-124E-41BA-B58C-A41F05BE09CC}
2008-11-20 14:36 . 2008-11-20 15:24 <DIR> d-------- c:\program files\Stardock
2008-11-20 14:36 . 2008-11-20 14:36 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}
2008-11-19 23:41 . 2008-11-19 23:41 <DIR> d-------- c:\program files\Acronis
2008-11-19 23:41 . 2008-11-19 23:41 134,272 --a------ c:\windows\system32\drivers\snman380.sys
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Acronis
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\Administrator
2008-11-19 15:37 . 2008-11-19 23:41 <DIR> d-------- c:\program files\Common Files\Acronis
2008-11-19 15:37 . 2008-11-19 15:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acronis
2008-11-19 15:37 . 2008-11-19 23:41 971,168 --a------ c:\windows\system32\drivers\tdrpm140.sys
2008-11-19 15:37 . 2008-11-19 23:41 540,000 --a------ c:\windows\system32\drivers\timntr.sys
2008-11-19 15:37 . 2008-11-19 23:41 44,704 --a------ c:\windows\system32\drivers\tifsfilt.sys
2008-11-18 23:51 . 2008-11-18 23:51 <DIR> d-------- c:\program files\OpenAL
2008-11-18 23:51 . 2008-11-20 22:31 444,952 --a------ c:\windows\system32\wrap_oal.dll
2008-11-18 22:28 . 2008-11-18 22:28 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-18 22:28 . 2004-08-04 02:07 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-18 22:26 . 2008-11-25 19:36 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-18 22:26 . 2008-11-18 22:27 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-18 14:56 . 2008-11-18 14:57 <DIR> d-------- c:\program files\DAMN NFO Viewer
2008-11-17 23:55 . 2008-11-17 23:55 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\Comodo
2008-11-17 23:52 . 2008-11-17 23:52 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\MySpace
2008-11-17 23:46 . 2008-11-17 23:46 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\Launchy
2008-11-17 23:46 . 2008-11-17 23:46 <DIR> d-------- c:\documents and settings\Aleksandra\Application Data\AVGTOOLBAR
2008-11-17 23:46 . 2008-11-22 16:31 <DIR> d-------- c:\documents and settings\Aleksandra
2008-11-17 23:34 . 2008-12-03 20:32 172 --a------ c:\windows\wininit.ini
2008-11-17 22:55 . 2008-11-17 22:55 <DIR> d-------- c:\program files\Common Files\eSellerate
2008-11-17 21:57 . 2008-12-05 13:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-17 21:34 . 2008-12-05 13:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-17 21:34 . 2008-11-17 21:34 <DIR> d-------- c:\program files\AVG
2008-11-17 21:34 . 2008-11-17 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-17 21:34 . 2008-11-17 21:50 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-17 21:34 . 2008-11-17 21:50 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-17 21:34 . 2008-11-17 21:34 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-11-17 21:34 . 2008-11-17 21:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-17 15:52 . 2008-11-17 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-17 14:11 . 2008-12-04 22:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-17 14:11 . 2008-11-17 14:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 14:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 14:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 23:29 . 2008-11-16 23:29 <DIR> d-------- c:\program files\MySpace
2008-11-16 22:57 . 2008-11-16 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Digsby
2008-11-16 22:31 . 2008-11-17 14:18 <DIR> d-------- c:\program files\RegSupreme Pro
2008-11-16 21:38 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-16 21:38 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-16 21:38 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-16 21:31 . 2008-11-16 21:32 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-16 21:31 . 2008-11-16 21:31 <DIR> d-------- c:\program files\ACD Systems
2008-11-16 21:31 . 2008-11-16 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-16 19:45 . 2008-11-16 19:45 <DIR> d-------- c:\program files\Raxco
2008-11-16 19:45 . 2008-11-16 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2008-11-16 19:45 . 2008-08-28 13:16 71,184 --a------ c:\windows\system32\drivers\DefragFS.sys
2008-11-16 17:25 . 2008-11-16 17:26 <DIR> d-------- c:\program files\InfraRecorder
2008-11-16 17:25 . 2008-11-25 21:28 <DIR> d-------- c:\program files\7-Zip
2008-11-16 16:49 . 2008-11-16 16:49 <DIR> d-------- c:\windows\system32\XPSViewer
2008-11-16 16:49 . 2008-11-16 16:49 <DIR> d-------- c:\program files\Reference Assemblies
2008-11-16 16:49 . 2008-11-16 16:49 <DIR> d-------- c:\program files\MSBuild
2008-11-16 16:48 . 2008-11-16 17:10 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-16 16:48 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-11-16 16:48 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-11-16 16:48 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-11-16 16:48 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-11-16 16:48 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-11-16 16:48 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-11-16 16:48 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-11-16 16:45 . 2008-11-16 16:45 <DIR> d-------- c:\program files\MSXML 6.0

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-11-30 14:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-15 22:23 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-11-15 22:23 106,496 ----a-w c:\windows\system32\ATL71.DLL
2008-11-15 22:23 --------- d-----w c:\program files\Nikon
2008-11-15 22:23 --------- d-----w c:\program files\Common Files\Nikon
2008-11-15 22:23 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\Ultima_T15
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\Nikon
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\EnterNHelp
2008-11-15 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\designjet
2008-11-15 22:13 --------- d-----w c:\program files\Logitech
2008-11-15 22:13 --------- d-----w c:\program files\Common Files\Logitech
2008-11-15 22:06 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-15 22:06 --------- d-----w c:\program files\Altiris
2008-11-15 22:00 --------- d-----w c:\program files\My Company Name
2008-11-15 21:57 15,600 ----a-w c:\windows\gdrv.sys
2008-11-15 21:53 --------- d-----w c:\program files\Realtek
2008-11-15 21:51 315,392 ----a-w c:\windows\HideWin.exe
2008-11-15 21:49 --------- d-----w c:\program files\Intel
2008-11-15 21:44 --------- d-----w c:\program files\microsoft frontpage
2008-10-27 09:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 09:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 09:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 09:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 03:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 03:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 03:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-02 09:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 20:12 222,488 ----a-w c:\windows\system32\snapapi.dll
2008-09-09 12:49 230,152 ----a-w c:\windows\system32\PDBoot.exe

((((((((((((((((((((((((((((( snapshot@2008-12-05_13.56.23.50 )))))))))))))))))))))))))))))))))))))))))
- 2008-12-05 12:26:43 72,108 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-05 12:59:16 72,108 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-05 12:26:43 444,358 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-05 12:59:17 444,358 ----a-w c:\windows\system32\perfh009.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-02-19 418632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-07-15 883528]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2008-08-05 435528]

c:\documents and settings\Stefan\Start Menu\Programs\Startup\
digsby.lnk - c:\program files\Digsby\digsby.exe [2008-10-10 137728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-11-16 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"EnableFirewall"= 0 (0x0)

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-11-17 12936]
R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\DRIVERS\snman380.sys [2008-11-19 134272]
R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\DRIVERS\tdrpm140.sys [2008-11-19 971168]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-17 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-17 90632]
R1 SandBox;SandBox;c:\windows\system32\DRIVERS\SandBox.sys [2008-11-27 673920]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-11-27 1238344]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-17 874776]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-17 231704]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-09-09 693512]
R3 AEXPAM;Philips SmartManage Service;c:\windows\system32\Drivers\aexpamdrv.sys [2004-09-01 21824]
R3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2008-11-27 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2008-11-27 234640]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-11-27 33408]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-09-09 906504]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"c:\program files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 98328]
------- Supplementary Scan -------
uInternet Connection Wizard,ShellNext = hxxp://
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\3d4g5rgm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-12-05 14:04:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2008-12-05 14:04:55
ComboFix-quarantined-files.txt 2008-12-05 13:04:53
ComboFix2.txt 2008-12-05 12:56:59

Pre-Run: 29.339.832.320 bytes free
Post-Run: 29,328,990,208 bytes free

260 --- E O F --- 2008-12-02 13:18:59

05.12.2008 at 13:30
You're all surely convinced that these are false alarms, but I went to Run 5-6 times and every time it found that the file exists, whatever it was called, and I can't see it even though I have viewing hidden files turned on.


05.12.2008 at 18:02
With Avira you wouldn't be fooling around like this...


06.12.2008 at 09:36
Download HijackThis, scan and post the log.

06.12.2008 at 12:16
The HijackThis log is clean; kristi1 and those 4 sites from the sticky thread checked it.

06.12.2008 at 12:23
Binary Mind, you didn't say anything about the ComboFix log, is there anything suspicious?


06.12.2008 at 13:07
As far as I can see, there is nothing that would indicate any kind of infection.

06.12.2008 at 20:48
Thanks magna86, kristi1 and binary mind for making the effort to help me; I'm going to reinstall the system anyway, because this definitely exists.
Just to say now at the end: it turned out that AVG Anti-Virus Pro has a better anti-rootkit SCANNER than all the others in the sticky thread, but what good is that when it couldn't delete it. Also RootkitRevealer, as I said at the start of the thread, found a pile of files hidden from the Windows API, which this rootkit was surely hiding.
Just one last thing: what is the Windows API?


06.12.2008 at 21:09
Windows Application Programming Interface. Google it for an explanation. Besides, AVG, however much people praise it, is prone to false positive results during scanning.

06.12.2008 at 21:46
When I went to Run, that file ALWAYS existed! And I couldn't see it in that folder. That should be enough. And there was such a pile of various files in the old user account, which I deleted afterwards.


07.12.2008 at 12:22
Can you list at least some of the names of the files that AVG was detecting as malware/rootkit?

07.12.2008 at 20:07
It's aj5rr16j.SYS now; it's always something similar, it starts with A and then letters like these follow.
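Two things in this thread are worth turning into code a defender can run: the request to post the ComboFix log for analysis, and Stefan's observation that the suspicious driver is an 8-character .SYS name that changes on every reboot. The following is an added example written for this page, not code from any of the posters or from ComboFix itself. It parses the "Files Created" records in the log format shown above, flags system32 files whose base name looks machine-generated, and lists driver files that are new relative to an earlier log. The two name heuristics (digits interleaved with letters; long names with almost no vowels) are assumptions of this example, and a flag is a lead for human review, not a verdict. The sample lines are copied from the posted log, except the last one, which is constructed around the file name Stefan reported (aj5rr16j.SYS) with a made-up size and timestamp.

```python
"""Heuristic triage of ComboFix "Files Created" entries (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix "Files Created" record:
#   <created> . <modified> <size or <DIR>> <attribute flags> <path>
LOG_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_combofix(text: str) -> List[Entry]:
    """Return the file/directory records found in a ComboFix log body."""
    entries = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue                      # banners, section headers, blank lines
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Two cheap signals that a base name was generated rather than chosen.

    1. A digit followed by a letter, i.e. digits interleaved with letters;
       version-style suffixes such as tdrpm140 or avgrkx86 do not match.
    2. A long name (10+ chars) with fewer than 20% vowels.
    Both thresholds are assumptions made for this example.
    """
    s = stem.lower()
    interleaved = re.search(r"\d[a-z]", s) is not None
    letters = [c for c in s if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    sparse_vowels = len(s) >= 10 and vowel_ratio < 0.2
    return interleaved or sparse_vowels


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Files under system32 whose base name looks random (leads, not verdicts)."""
    out = []
    for e in entries:
        if e.is_dir or "\\system32\\" not in e.path.lower():
            continue
        if looks_random(e.name.split(".")[0]):
            out.append(e)
    return out


def driver_churn(old: List[Entry], new: List[Entry]) -> List[str]:
    """Driver files present in the newer log but absent from the older one.

    A driver whose name changes on every reboot shows up here on every run.
    """
    def drivers(es: List[Entry]) -> set:
        return {e.path.lower() for e in es
                if not e.is_dir and "\\system32\\drivers\\" in e.path.lower()}
    return sorted(drivers(new) - drivers(old))


# Sample input: lines 1-6 are copied from the log posted in the thread;
# line 7 is CONSTRUCTED around the reported name aj5rr16j.SYS (size and
# timestamp are made up).
SAMPLE_LOG = """\
2008-11-30 15:27 . 2008-11-30 16:36 5,632 --a------ c:\\windows\\system32\\drivers\\StarOpen.sys
2008-11-28 19:59 . 2008-11-28 19:59 3,207,168 --a------ c:\\windows\\system32\\GZKKPGWXXTAI
2008-11-27 01:20 . 2008-06-30 17:16 234,640 --a------ c:\\windows\\system32\\drivers\\afwcore.sys
2008-11-19 15:37 . 2008-11-19 23:41 971,168 --a------ c:\\windows\\system32\\drivers\\tdrpm140.sys
2008-11-17 21:34 . 2008-11-17 21:34 12,936 --a------ c:\\windows\\system32\\drivers\\avgrkx86.sys
2008-12-05 14:02 . 2008-12-05 14:02 <DIR> d-------- C:\\ComboFix0
2008-12-05 09:00 . 2008-12-05 09:00 40,960 --a------ c:\\windows\\system32\\drivers\\aj5rr16j.SYS
"""

if __name__ == "__main__":
    entries = parse_combofix(SAMPLE_LOG)
    for e in suspicious_entries(entries):
        print(f"REVIEW  {e.path}  ({e.size} bytes, created {e.created})")
```

To use it on a real log, paste the whole ComboFix output into `parse_combofix`; everything that is not a file record is skipped. Run `driver_churn` on two consecutive logs to see exactly which drivers appeared between runs, which is the renaming behaviour the thread is chasing, independent of whether any scanner names the file.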


08.12.2008 at 15:12
OK. Can you attach a link to where you posted the HijackThis log so I can see it? Also give a screenshot of the processes in Task Manager.

