Help again

  • Joined: 23 Oct 2007
  • Posts: 49

Here are the new problems. The computer runs very slowly and I can almost never connect to the internet. Here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:37 PM, on 02/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Windows\system32\JupitCo.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\Windows\System32\WScript.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = login.live.com/login.srf?wa=wsignin1.0&.....p;id=64855
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nar] C:\WINDOWS\nar.vbs
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: NetOp Helper ver. 7.50 (2002343) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5639 bytes

Thanks in advance

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...


Temporarily disable all protective software before running the program from the following instructions.


Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.

  • Joined: 23 Oct 2007
  • Posts: 49

Hello, I did as described, with one note. First, the scan was made with the internet cable unplugged; second, during ComboFix's analysis a message appeared saying "Allow ComboFix again to start windows" or similar, but the computer was frozen, so I restarted it, after which I was given this log file:

ComboFix 08-10-02.04 - Administrator 2008-10-03 9:41:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.19 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Legacy_PASSWORD


((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-10-03 09:53 . 2008-10-03 09:54 88 -rahs---- C:\Autorun.inf
2008-10-02 08:13 . 2008-10-03 09:54 7,474 -rahs---- C:\nar.vbs
2008-10-01 14:36 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-10-01 14:35 . 2008-10-01 14:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-01 14:01 . 2008-10-01 14:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 13:52 . 2008-10-01 13:52 <DIR> d-------- C:\HiJack
2008-09-23 10:58 . 2008-09-23 10:58 7,474 -rahs---- C:\WINDOWS\Nar.vbs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 07:53 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-02 06:22 --------- d-----w C:\Program Files\Honorarci
2008-10-01 06:38 --------- d-----w C:\Program Files\Virmani
2008-09-25 06:41 --------- d-----w C:\Program Files\Prevoz
2008-09-25 06:41 --------- d-----w C:\Program Files\Hrana
2008-09-18 09:30 --------- d-----w C:\Program Files\Pozaren pridones
2008-09-16 06:22 --------- d-----w C:\Program Files\Provizija
2008-09-09 06:18 --------- d-----w C:\Program Files\Cistacki
2007-10-15 07:23 137,488 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-09-12 10:31 7,510 ----a-w C:\Program Files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ctfmon.exe"="C:\Windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"Realtime Monitor"="C:\Program Files\CA\eTrust\InoculateIT\realmon.exe" [2001-07-19 374584]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"nar"="C:\WINDOWS\nar.vbs" [2008-09-23 7474]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" [2002-03-14 C:\WINDOWS\system32\JupitCo.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\Windows\Cpqdiag\CpqDfwAg.exe" [2001-11-19 212992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 ClntMgmt;Compaq Client Management Driver;C:\Windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\Windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
R2 cpqdiag;Compaq Diagnostics Driver;C:\Windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
R2 cpqWebDmi;Compaq DMI Web Agent;C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
R2 LCRMS;Insight Manager LC Remote Management;C:\Program Files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
R2 LogWatch;Event Log Watch;C:\Windows\LogWatNT.exe [2000-06-08 50176]
R2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
R3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);C:\Windows\system32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]
S1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);C:\Windows\system32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
S2 JUPITER;USB SECURITY DEVICE;C:\Windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05704a3e-7336-11dd-b00b-00080214b5d4}]
\Shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32d9936-e374-11dc-af87-00080214b5d4}]
\Shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1202979132&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19

O16 -: Microsoft XML Parser for Java - file://C:\Windows\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
C:\WINDOWS\Downloaded Program Files\Ctrls.INF
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-03 09:53:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\explorer.exe
-> ?:\Windows\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\compaq\ACLIENT\AClient.exe
C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NMSSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\COMPAQ\COMPAQ~2\Cpqdmi.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2008-10-03 9:57:53 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-10-03 07:57:42

Pre-Run: 28,908,941,312 bytes free
Post-Run: 28,929,933,312 bytes free

127




At the same time I am also sending a new HijackThis log file, made under the same conditions:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:02 AM, on 03/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Windows\system32\JupitCo.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\System32\WScript.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = login.live.com/login.srf?wa=wsignin1.0&.....p;id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nar] C:\WINDOWS\nar.vbs
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: NetOp Helper ver. 7.50 (2002343) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5812 bytes


Thanks

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\nar.vbs
C:\WINDOWS\Nar.vbs

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nar"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05704a3e-7336-11dd-b00b-00080214b5d4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32d9936-e374-11dc-af87-00080214b5d4}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.

  • Joined: 23 Oct 2007
  • Posts: 49

Hello, here is the new log file from ComboFix and HijackThis:

ComboFix 08-10-02.04 - Administrator 2008-10-06 10:09:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.12 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-02 08:13 . 2008-10-06 10:08 7,474 -rahs---- C:\nar.vbs
2008-10-01 14:36 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-10-01 14:35 . 2008-10-01 14:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-01 14:01 . 2008-10-01 14:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 13:52 . 2008-10-01 13:52 <DIR> d-------- C:\HiJack
2008-09-23 10:58 . 2008-09-23 10:58 7,474 -rahs---- C:\WINDOWS\Nar.vbs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 08:02 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-02 06:22 --------- d-----w C:\Program Files\Honorarci
2008-10-01 06:38 --------- d-----w C:\Program Files\Virmani
2008-09-25 06:41 --------- d-----w C:\Program Files\Prevoz
2008-09-25 06:41 --------- d-----w C:\Program Files\Hrana
2008-09-18 09:30 --------- d-----w C:\Program Files\Pozaren pridones
2008-09-16 06:22 --------- d-----w C:\Program Files\Provizija
2008-09-09 06:18 --------- d-----w C:\Program Files\Cistacki
2007-10-15 07:23 137,488 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-09-12 10:31 7,510 ----a-w C:\Program Files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ctfmon.exe"="C:\Windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"Realtime Monitor"="C:\Program Files\CA\eTrust\InoculateIT\realmon.exe" [2001-07-19 374584]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"nar"="C:\WINDOWS\nar.vbs" [2008-09-23 7474]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" [2002-03-14 C:\WINDOWS\system32\JupitCo.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\Windows\Cpqdiag\CpqDfwAg.exe" [2001-11-19 212992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 ClntMgmt;Compaq Client Management Driver;C:\Windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\Windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
R2 cpqdiag;Compaq Diagnostics Driver;C:\Windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
R2 cpqWebDmi;Compaq DMI Web Agent;C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
R2 LCRMS;Insight Manager LC Remote Management;C:\Program Files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
R2 LogWatch;Event Log Watch;C:\Windows\LogWatNT.exe [2000-06-08 50176]
R2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
R3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);C:\Windows\system32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]
S1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);C:\Windows\system32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
S2 JUPITER;USB SECURITY DEVICE;C:\Windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32d9936-e374-11dc-af87-00080214b5d4}]
\Shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1202979132&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19

O16 -: Microsoft XML Parser for Java - file://C:\Windows\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
C:\WINDOWS\Downloaded Program Files\Ctrls.INF
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-06 10:13:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-06 10:17:18
ComboFix-quarantined-files.txt 2008-10-06 08:17:06
ComboFix2.txt 2008-10-03 07:57:58

Pre-Run: 28,946,558,976 bytes free
Post-Run: 28,935,561,216 bytes free

99






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:55 AM, on 06/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\JupitCo.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = login.live.com/login.srf?wa=wsignin1.0&.....p;id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nar] C:\WINDOWS\nar.vbs
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: NetOp Helper ver. 7.50 (2002343) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5643 bytes

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The previous instructions were not followed correctly - the procedure needs to be repeated.

So, you need to copy everything that is inside the Code box (everything that is green)


Open Notepad and copy the following text:

File::
C:\nar.vbs
C:\WINDOWS\Nar.vbs

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nar"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32d9936-e374-11dc-af87-00080214b5d4}]


Save the file from Notepad to the Desktop as "CFScript"


Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.


Btw, two USB flash drives have been plugged into this computer - both are infected.
If one of them is at hand, you can plug it in before you start the procedure above (just plug it in, nothing more. Do not open it!).
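Added example (not part of the post, not ComboFix's own code): a dry-run reader for a CFScript like the one above, so a helper can see exactly which files, registry values and registry keys the script removes before it is dragged onto ComboFix. It assumes only the two directives used in the post, File:: and Registry:: with standard REGEDIT4 syntax ("name"=- deletes a value, [-Key] deletes a whole key), and reports everything else as a warning; the sample script is the one from the post.

```python
"""Dry-run reader for a ComboFix CFScript (added example, not ComboFix code).

Only the two directives the post uses are handled: File:: (paths to delete)
and Registry:: (REGEDIT4-style lines, where "name"=- deletes a value and
[-Key] deletes a whole key). Anything else is reported as a warning so a
helper can review what the script removes before it is run.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the script the user was asked to save as CFScript.
SAMPLE_CFSCRIPT = r"""File::
C:\nar.vbs
C:\WINDOWS\Nar.vbs

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nar"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32d9936-e374-11dc-af87-00080214b5d4}]
"""

_SECTION = re.compile(r"^(\w+)::$")              # File:: / Registry::
_KEY = re.compile(r"^\[(-?)(HK[^\]]+)\]$")       # [Key] or [-Key]
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')         # "name"=data


@dataclass
class Plan:
    files: list = field(default_factory=list)          # files to delete
    delete_keys: list = field(default_factory=list)    # whole keys to delete
    delete_values: list = field(default_factory=list)  # (key, value name) pairs
    warnings: list = field(default_factory=list)       # lines not understood


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line and collect what each directive removes."""
    plan, section, key = Plan(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        m = _SECTION.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "registry":
            if (m := _KEY.match(line)):
                if m.group(1) == "-":          # [-Key]: delete the whole key
                    plan.delete_keys.append(m.group(2))
                    key = None                 # values cannot follow a deleted key
                else:                          # [Key]: following values apply here
                    key = m.group(2)
            elif (m := _VALUE.match(line)) and key and m.group(2) == "-":
                plan.delete_values.append((key, m.group(1)))   # "name"=-
            else:
                plan.warnings.append(f"line {lineno}: unsupported registry line: {line}")
        else:
            plan.warnings.append(f"line {lineno}: outside File::/Registry::: {line}")
    return plan


def describe(plan: Plan) -> str:
    """Human-readable summary for a reviewer to check before running the script."""
    out = [f"delete file: {p}" for p in plan.files]
    out += [f"delete value '{name}' under {key}" for key, name in plan.delete_values]
    out += [f"delete key: {key}" for key in plan.delete_keys]
    out += [f"WARNING {w}" for w in plan.warnings]
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(parse_cfscript(SAMPLE_CFSCRIPT)))
```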

  • Joined: 23 Oct 2007
  • Posts: 49

Hello, the computer was already working quite well after the first cleaning. Now, after the new cleaning of the computer and, at the same time, of one USB flash drive (only one was ever plugged in, not two), I am sending the new log file

ComboFix 08-10-02.04 - Administrator 2008-10-07 8:21:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.54 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\nar.vbs
C:\WINDOWS\Nar.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\nar.vbs
C:\WINDOWS\Nar.vbs

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-01 14:36 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-10-01 14:35 . 2008-10-01 14:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-01 14:01 . 2008-10-01 14:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-01 13:52 . 2008-10-01 13:52 <DIR> d-------- C:\HiJack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 05:39 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-02 06:22 --------- d-----w C:\Program Files\Honorarci
2008-10-01 06:38 --------- d-----w C:\Program Files\Virmani
2008-09-25 06:41 --------- d-----w C:\Program Files\Prevoz
2008-09-25 06:41 --------- d-----w C:\Program Files\Hrana
2008-09-18 09:30 --------- d-----w C:\Program Files\Pozaren pridones
2008-09-16 06:22 --------- d-----w C:\Program Files\Provizija
2008-09-09 06:18 --------- d-----w C:\Program Files\Cistacki
2007-10-15 07:23 137,488 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-09-12 10:31 7,510 ----a-w C:\Program Files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ctfmon.exe"="C:\Windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"Realtime Monitor"="C:\Program Files\CA\eTrust\InoculateIT\realmon.exe" [2001-07-19 374584]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" [2002-03-14 C:\WINDOWS\system32\JupitCo.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\Windows\Cpqdiag\CpqDfwAg.exe" [2001-11-19 212992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 ClntMgmt;Compaq Client Management Driver;C:\Windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\Windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
R2 cpqdiag;Compaq Diagnostics Driver;C:\Windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
R2 cpqWebDmi;Compaq DMI Web Agent;C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
R2 LCRMS;Insight Manager LC Remote Management;C:\Program Files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
R2 LogWatch;Event Log Watch;C:\Windows\LogWatNT.exe [2000-06-08 50176]
R2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
R3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);C:\Windows\system32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]
S1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);C:\Windows\system32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
S2 JUPITER;USB SECURITY DEVICE;C:\Windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-07 08:24:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-07 8:27:47
ComboFix-quarantined-files.txt 2008-10-07 06:27:40
ComboFix2.txt 2008-10-06 08:17:21
ComboFix3.txt 2008-10-03 07:57:58

Pre-Run: 28,946,083,840 bytes free
Post-Run: 28,935,069,696 bytes free

88


and the HiJack log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:03 AM, on 07/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Windows\system32\JupitCo.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = login.live.com/login.srf?wa=wsignin1.0&rpsn.....x&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{072C66EF-0460-4309-9059-F40C9E4AC1E9}: NameServer = 195.26.152.19
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: NetOp Helper ver. 7.50 (2002343) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5767 bytes



I think we have managed to finish the job, thank you very much
Regards


  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Also do the following:
Click START and then RUN
In the text entry line type Combofix /u and click OK


Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
the VundoFix Backups folder, if it exists
the C:\Deckard folder, if it exists
the C:\OtMoveIt folder, if it exists

Reset the computer's clock settings
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore


That's all.

  • Joined: 23 Oct 2007
  • Posts: 49

Thanks, Doctor
