Moj log kostolac

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Logfile of HijackThis v1.99.1
Scan saved at 12:34:50, on 3.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Domain Tools\ProjectWhois\ProjectWhois.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\AdministratoriNET\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=021408 serial=DR12WNG-0249275-TMV lang=EN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ProjectWhois.lnk = C:\Program Files\Domain Tools\ProjectWhois\ProjectWhois.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - [Link mogu videti samo ulogovani korisnici]\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [Link mogu videti samo ulogovani korisnici]\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [Link mogu videti samo ulogovani korisnici]\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [Link mogu videti samo ulogovani korisnici]\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{078F2A67-650C-42AB-8E0B-39812A506184}: NameServer = 10.88.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{078F2A67-650C-42AB-8E0B-39812A506184}: NameServer = 10.88.0.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{078F2A67-650C-42AB-8E0B-39812A506184}: NameServer = 10.88.0.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Acunetix WVS Scheduler v5 (AcuWVSSchedulerv5) - Acunetix Ltd. - C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Skini ComboFix sa jedne od sledecih adresa na Desktop:
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

ComboFix 08-02.03.1 - AdministratoriNET 2008-02-03 14:13:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.271 [GMT 1:00]
Running from: C:\Documents and Settings\AdministratoriNET\Desktop\New Folder (2)\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\install.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 15:07 . 2008-02-02 15:07 <DIR> d-------- C:\Program Files\Acunetix
2008-02-02 15:06 . 2008-02-02 15:07 810 --a------ C:\WINDOWS\WVS_InstDBLogFile.csv
2008-02-02 15:06 . 2008-02-02 15:06 16 --a------ C:\WINDOWS\system32\ptlx55.dat.{5728B11F-B697-47AA-9C1B-8ECB545B5193}
2008-01-26 23:17 . 2008-01-26 23:17 <DIR> d-------- C:\Program Files\FLV Player
2008-01-26 19:45 . 2008-01-26 19:45 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-01-26 19:45 . 2008-01-26 20:04 <DIR> d-------- C:\Program Files\AAA Photo Album
2008-01-19 18:41 . 2008-01-19 18:42 <DIR> d-------- C:\wamp
2008-01-15 07:06 . 2008-01-15 07:06 <DIR> d-------- C:\Documents and Settings\AdministratoriNET\Application Data\Corel
2008-01-15 07:06 . 2008-01-15 07:12 394 --a------ C:\WINDOWS\capture.ini
2008-01-15 07:05 . 2008-01-15 07:05 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-01-15 07:04 . 2008-01-15 07:04 <DIR> d-------- C:\Program Files\Corel
2008-01-14 21:25 . 2008-01-14 21:26 <DIR> d-------- C:\Program Files\WebShot
2008-01-06 13:59 . 2008-01-06 13:59 <DIR> d-a------ C:\txt_report
2008-01-06 13:19 . 2008-01-06 13:19 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-01-06 13:19 . 2008-01-06 13:19 <DIR> d-------- C:\Documents and Settings\AdministratoriNET\Application Data\IDMComp
2008-01-06 11:42 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-01-06 11:42 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-01-05 23:15 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-01-05 23:15 . 2004-08-03 23:10 274,304 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-01-05 23:15 . 2004-08-03 23:10 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2008-01-05 23:15 . 2004-08-03 23:10 18,944 --a--c--- C:\WINDOWS\system32\dllcache\bthusb.sys
2008-01-05 22:35 . 2008-01-05 22:35 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2008-01-05 22:33 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-01-05 22:33 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-01-05 22:33 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-01-05 22:33 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-01-05 22:33 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-01-05 22:33 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-01-05 22:32 . 2008-01-05 22:32 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-05 22:30 . 2008-01-05 22:35 248,866 --a------ C:\WINDOWS\hplj1010.his
2008-01-05 22:30 . 2008-01-05 22:35 17,968 --a------ C:\WINDOWS\hplj1010.ini
2008-01-05 22:27 . 2008-01-05 22:27 <DIR> d-------- C:\Program Files\Common Files\SWF Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 07:32 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\Skype
2008-02-02 07:09 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\skypePM
2008-01-30 23:45 --------- d-----w C:\Program Files\Trillian
2008-01-15 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 06:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 15:32 --------- d-----w C:\Program Files\BitComet
2008-01-05 21:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-02 20:43 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-02 20:41 --------- d-----w C:\Program Files\Skype
2008-01-02 20:41 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-02 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-30 21:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-12-30 21:11 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\Autodesk
2007-12-30 20:42 --------- d-----w C:\Program Files\UltraISO
2007-12-30 20:42 --------- d-----w C:\Program Files\Common Files\EZB Systems
2007-12-24 05:52 --------- d-----w C:\Program Files\Mv2Player
2007-12-24 00:25 --------- d-----w C:\Program Files\XviD
2007-12-24 00:25 --------- d-----w C:\Program Files\DivX
2007-12-24 00:24 --------- d-----w C:\Program Files\Microsoft Calculator Plus
2007-12-16 14:21 --------- d-----w C:\Program Files\Domain Tools
2007-12-16 13:38 --------- d-----w C:\Program Files\Lavalys
2007-12-16 13:36 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\Lavasoft
2007-12-16 12:56 --------- d-----w C:\Program Files\MSN Messenger
2007-12-16 12:53 --------- d-----w C:\Program Files\Google
2007-12-16 12:49 --------- d-----w C:\Program Files\DU Meter
2007-12-16 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-12-16 12:46 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 12:46 --------- d-----w C:\Program Files\Ahead
2007-12-16 12:44 --------- d-----w C:\Program Files\Microsoft
2007-12-16 12:39 --------- d-----w C:\Program Files\ESET
2007-12-16 12:17 502,368 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-12-16 12:17 270,336 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-12-07 16:03 1913656]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 04:10 114688]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-28 23:01 544768 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-23 06:28 14202368 C:\WINDOWS\RTHDCPL.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-16 13:17 917504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 19:28 1469952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 02:07 110592 C:\WINDOWS\system32\bthprops.cpl]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39 729088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]

C:\Documents and Settings\AdministratoriNET\Start Menu\Programs\Startup\
ProjectWhois.lnk - C:\Program Files\Domain Tools\ProjectWhois\ProjectWhois.exe [2006-11-21 02:13:40 147456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAID Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAID Manager.lnk
backup=C:\WINDOWS\pss\RAID Manager.lnkCommon Startup

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-12-10 15:44]
R2 AcuWVSSchedulerv5;Acunetix WVS Scheduler v5;"C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe" [2008-02-01 15:48]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" [2007-09-05 08:59]
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []

*Newly Created Service* - ACUWVSSCHEDULERV5
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-02-03 14:16:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ntos.exe 559104 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-02-03 14:17:05
ComboFix-quarantined-files.txt 2008-02-03 13:16:48

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Otvoriti Notepad i iskopirati sledeci tekst:

Rootkit::
C:\WINDOWS\system32\ntos.exe



Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uradjeno kako si rekao i evo loga posle toga, stim da mi je ovoga puta ComboFix uradio restart kompa a prvi put nije

ComboFix 08-02.03.1 - AdministratoriNET 2008-02-03 21:44:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT 1:00]
Running from: C:\Documents and Settings\AdministratoriNET\Desktop\New Folder (2)\ComboFix.exe
Command switches used :: C:\Documents and Settings\AdministratoriNET\Desktop\New Folder (2)\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ntos.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 17:15 . 2008-02-03 17:25 671 --a------ C:\WINDOWS\mozver.dat
2008-02-02 15:07 . 2008-02-02 15:07 <DIR> d-------- C:\Program Files\Acunetix
2008-02-02 15:06 . 2008-02-02 15:07 810 --a------ C:\WINDOWS\WVS_InstDBLogFile.csv
2008-02-02 15:06 . 2008-02-02 15:06 16 --a------ C:\WINDOWS\system32\ptlx55.dat.{5728B11F-B697-47AA-9C1B-8ECB545B5193}
2008-01-26 23:17 . 2008-01-26 23:17 <DIR> d-------- C:\Program Files\FLV Player
2008-01-26 19:45 . 2008-01-26 19:45 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-01-26 19:45 . 2008-01-26 20:04 <DIR> d-------- C:\Program Files\AAA Photo Album
2008-01-20 19:07 . 2008-02-03 16:16 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2008-01-19 18:41 . 2008-01-19 18:42 <DIR> d-------- C:\wamp
2008-01-15 07:06 . 2008-01-15 07:06 <DIR> d-------- C:\Documents and Settings\AdministratoriNET\Application Data\Corel
2008-01-15 07:06 . 2008-01-15 07:12 394 --a------ C:\WINDOWS\capture.ini
2008-01-15 07:05 . 2008-01-15 07:05 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-01-15 07:04 . 2008-01-15 07:04 <DIR> d-------- C:\Program Files\Corel
2008-01-14 21:25 . 2008-01-14 21:26 <DIR> d-------- C:\Program Files\WebShot
2008-01-06 13:59 . 2008-01-06 13:59 <DIR> d-a------ C:\txt_report
2008-01-06 13:19 . 2008-01-06 13:19 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-01-06 13:19 . 2008-01-06 13:19 <DIR> d-------- C:\Documents and Settings\AdministratoriNET\Application Data\IDMComp
2008-01-06 11:42 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-01-06 11:42 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-01-05 23:15 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-01-05 23:15 . 2004-08-03 23:10 274,304 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-01-05 23:15 . 2004-08-03 23:10 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2008-01-05 23:15 . 2004-08-03 23:10 18,944 --a--c--- C:\WINDOWS\system32\dllcache\bthusb.sys
2008-01-05 22:35 . 2008-01-05 22:35 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2008-01-05 22:33 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-01-05 22:33 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-01-05 22:33 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-01-05 22:33 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-01-05 22:33 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-01-05 22:33 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-01-05 22:32 . 2008-01-05 22:32 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-05 22:30 . 2008-01-05 22:35 248,866 --a------ C:\WINDOWS\hplj1010.his
2008-01-05 22:30 . 2008-01-05 22:35 17,968 --a------ C:\WINDOWS\hplj1010.ini
2008-01-05 22:27 . 2008-01-05 22:27 <DIR> d-------- C:\Program Files\Common Files\SWF Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 20:49 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\skypePM
2008-02-03 20:49 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\Skype
2008-01-30 23:45 --------- d-----w C:\Program Files\Trillian
2008-01-15 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 06:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 15:32 --------- d-----w C:\Program Files\BitComet
2008-01-05 21:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-02 20:43 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-02 20:41 --------- d-----w C:\Program Files\Skype
2008-01-02 20:41 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-02 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-30 21:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-12-30 21:11 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\Autodesk
2007-12-30 20:42 --------- d-----w C:\Program Files\UltraISO
2007-12-30 20:42 --------- d-----w C:\Program Files\Common Files\EZB Systems
2007-12-24 05:52 --------- d-----w C:\Program Files\Mv2Player
2007-12-24 00:25 --------- d-----w C:\Program Files\XviD
2007-12-24 00:25 --------- d-----w C:\Program Files\DivX
2007-12-24 00:24 --------- d-----w C:\Program Files\Microsoft Calculator Plus
2007-12-16 14:21 --------- d-----w C:\Program Files\Domain Tools
2007-12-16 13:38 --------- d-----w C:\Program Files\Lavalys
2007-12-16 13:36 --------- d-----w C:\Documents and Settings\AdministratoriNET\Application Data\Lavasoft
2007-12-16 12:56 --------- d-----w C:\Program Files\MSN Messenger
2007-12-16 12:53 --------- d-----w C:\Program Files\Google
2007-12-16 12:49 --------- d-----w C:\Program Files\DU Meter
2007-12-16 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-12-16 12:46 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 12:46 --------- d-----w C:\Program Files\Ahead
2007-12-16 12:44 --------- d-----w C:\Program Files\Microsoft
2007-12-16 12:39 --------- d-----w C:\Program Files\ESET
2007-12-16 12:17 502,368 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-12-16 12:17 270,336 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-12-07 16:03 1913656]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 04:10 114688]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-28 23:01 544768 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-23 06:28 14202368 C:\WINDOWS\RTHDCPL.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-16 13:17 917504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 19:28 1469952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 02:07 110592 C:\WINDOWS\system32\bthprops.cpl]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39 729088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]

C:\Documents and Settings\AdministratoriNET\Start Menu\Programs\Startup\
ProjectWhois.lnk - C:\Program Files\Domain Tools\ProjectWhois\ProjectWhois.exe [2006-11-21 02:13:40 147456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAID Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAID Manager.lnk
backup=C:\WINDOWS\pss\RAID Manager.lnkCommon Startup

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-12-10 15:44]
R2 AcuWVSSchedulerv5;Acunetix WVS Scheduler v5;"C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe" [2008-02-01 15:48]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" [2007-09-05 08:59]
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-02-03 21:49:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-02-03 21:51:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 20:51:14
ComboFix2.txt 2008-02-03 13:17:06

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

U sledecem folderu treba da su dva fajla:
C:\WINDOWS\system32\wsnpoem
Jedan nosi naziv audio.nesto, drugi video.nesto - obrisi ih, to su logovi koje je pravio ntos.exe

Interesuje me drajver D:\Fxdrv.sys
Google kaze da je to neki drajver za FoxxCon maticne ploce, ali sta ce on u rootu D particije? Jesi li to pustao neki tool za tvoju maticnu, a da se taj tool nalazio na D ?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Bobby ne mogu da nadjem taj folder a sto se tice ovog drajvera ne secam se da sam pokretao neki tool

A onaj ntos.exe je bio neki virus ili sta vec ?

Dopuna: 04 Feb 2008 18:34

Obrisao sam ona dva fajla, nosili su eksenziju dll, audio.dll i video.dll i bio je i treci fajl audio.dll.cla

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Posalji mi na uploada taj D:\Fxdrv.sys
Koristi sledecu formu za upload:
[Link mogu videti samo ulogovani korisnici]

Javi kad uradis upload.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nego ja nisam gledao prosli put kada si mi napisao, D mi je DVD jedinica i u njemu mi je neki disk pa je mozda sa njega to procitao. Druga particija mi nosi naziv E
Tako da neznam sta da ti saljem

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Onda je to ipak od instalacije drajvera za maticnu.
Setup je ucitao taj drajver da bi utvrdio model maticne, da bi znao koje drajvere za maticnu da instalira (ukoliko na CD-u dolaze vise drajvera za razlicite maticne).
Ovo je samo pretpostavka, ali mi je to jedino logicno.

Sto se tice ntos.exe, to je rootkit/trojanac, tj. trojanac koji moze da sakrije samog sebe.
Ne bih znao vise o njemu (osim da sam ga i sam jednom zakacio slucajnim klikom na jedan EXE iz paketa virusa koji sam dobio od drugara).

Daj mi novi HJT i ComboFix log, da vidim sta smo do sada postigli.