Task Manager, Start i Run komande

[ 6ej6uc @ 08.03.2009. 14:12 ] @

Evo rezultata

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:17, on 08.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\HiJackThis.exe

O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 3134 bytes

[ Nemanja Živanović @ 08.03.2009. 15:29 ] @

Pre nego sto pocnes skeniranje sa HijackThis preimenuj ga u neki drugi naziv npr. blabla.exe pa ga onda pokreni i iskopiraj ovde izvestaj.

Ova dva sigurno trebas da selektujes i FIX-ujes. Sad cemo da vidimo da li ce u novom logu da se pojavi jos nesto sto se sakrilo.

O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg

_{[Ovu poruku je menjao Nemanja Živanović dana 08.03.2009. u 16:39 GMT+1]}

[ 6ej6uc @ 08.03.2009. 18:09 ] @

Nakon brisanja ta dva i restarta evo LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:51, on 08.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\BlaBlaTrojann.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 2953 bytes

Citat:

5. Ne šarenite poruke

Ne preterujte sa korišćenjem smajlija, interpunkcijskih znakova, UBB kodova (, , , ) i ostalih stvari koje su trenutno dostupne na forumu. Njih treba upotrebiti samo u slučaju kada je potrebno izdvojiti neku misao: na primer, masna slova koja se dobijaju pomoću bold ([ b] i [ /b]) tag-a.

[ Nemanja Živanović @ 08.03.2009. 18:23 ] @

OK. Log je sada cist. Reci mi u cemu je tacno problem? Jel MBAM nije nista pobrisao? I dalje nemas pristup regedit, run, msconfig i sl.?

Ako je odgovor NE. Idemo dalje.

Sledeci korak je skidanje ovog programa:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Kada ga pokrenes idi na File pa Save as. Snimi ga i uploaduj ovde (mozes kao fajl, da ne pretrpavamo temu). Ako mozes, jos bolje, daj screenshot programa (umesto izvestaja).

Mislim da ovde moramo da instaliramo jos neki antimalware program da bismo ocistili ceo racunar, a verovatno i da cistimo racunar iz Safe Mode-a.

_{[Ovu poruku je menjao Nemanja Živanović dana 08.03.2009. u 20:18 GMT+1]}

[ 6ej6uc @ 08.03.2009. 19:48 ] @

Evo sta kaze nakon pokretanja :

Code:
http://img24.imageshack.us/img24/6594/eroreeee.jpg

[ Nemanja Živanović @ 08.03.2009. 21:08 ] @

Ok, nema veze. Sta se desava kada racunar skeniras sa MBAM-om? Jel nadje neki malware? Da li si posle pronalazenja kliknuo na Remove selected? Instaliraj SuperAntiSpyware (SAS):

http://www.superantispyware.co...productid=SUPERANTISPYWAREFREE

Ili ako link ne radi idi stranicu download pa odaberi free verziju:

http://www.superantispyware.com/download.html

Skeniraj sa njim i vidi sta ce on naci...Da li si probao da skeniras sa tvojim Nortonom? Jel on detektuje nesto? Ako mozes okaci logove MBAM-a i Nortona (kao fajlove, da ne gusimo temu).

Sledeci korak je skeniranje racunara sa Dr.Web CureIt! Mozes ga skinuti sa sledece adrese:

ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe ili http://free.drweb.com/

Posle preuzimanja restartuj racunar u Safe Mode (dok se pali racunar pritiskaj F8 pa kada se pojavi meni odaberi Safe Mode - prva stavka). Kada se ucita Safe Mode pokreni Dr.Web CureIt! pokretanjem fajla launch.exe. Kad se upali odaberi Start i potvrdi sa OK. On ce automatski poceti da skenira racunar. Mozes ga pustiti da skenira (podrazumevano je brzo skeniranje) a kada zavrsi sa skeniranjem odaberi kompletno skeniranje - Complete scan i sa desne strane pritisnu dugme Start Scanning (izgleda kao Play dugme). Ako imas vremena mozes da odmah pri prvom pokretanju pustis kompletno skeniranje, da ne cekas brzo da se zavrsi. To ces uraditi tako sto ces pri paljenju programa, kad on krene sa brzim skeniranjem pritisnuti sa desne strane Stop Scanning dugme (izgleda kao Stop dugme), pa onda odabrati kompletno skeniranje.

_{[Ovu poruku je menjao Nemanja Živanović dana 08.03.2009. u 22:19 GMT+1]}

[ Nemanja Živanović @ 09.03.2009. 12:18 ] @

@ziks010

Nemoj pisati nesto sto je vec napisano, cisto da bi rekao nesto. Sva upustva su prosledjena i napisana korisniku u prethodnim odgovorima, sada cekamo da covek odradi to i da napise rezultate.

Pozdrav i bez ljutnje ;)

[ 6ej6uc @ 09.03.2009. 15:15 ] @

Kao prvo uradio sam sve sto treba i jedan problem manje :), sad se otvara sa dupli klik na C ili D particije (pre toga otvarale su samo sa opciju desni klik, open ), ali task manager i RUN komande opet nece... :(

[ Nemanja Živanović @ 09.03.2009. 15:54 ] @

Reci mi prvo, sta si od svega navedenog uradio? Zasto imas instaliran Symantec Endpoint Protection? Jel je to poslovni racunar pa si dobio sa njim ili? Ovo pitam posto retko ko od standardnih korisnika koristi ovo resenje, koje je pre svega namenjeno firmama.

Drugo, da li imas administratorska prava na tom racunaru?

[ 6ej6uc @ 09.03.2009. 16:06 ] @

Nisam uradio jedino ono sa SAFE MODE i Dr.Web... Endpoint imam jer preporucili su mi ga, ali nije kompletan, samo AV i Firewall, nije onaj za firme (onaj od 78 MB) , koristio sam ESET pre njega, a gde da vidim ono dal sam admin na PC?

[ Nemanja Živanović @ 09.03.2009. 16:24 ] @

Ok. Sad mi treba par kratkih i jasnih odgovora:

1. Reci mi sta se desava kad skeniras racunar MBAM-om? Vidim da si postavio sliku u prvom post-u. Jel si posle pronalazenja zarazenih fajlova kliknuo na Remove Selected?

2. Sad bas gledam User Guide za Symantec Endpoint Protection, postoji sansa da ti on blokira pristup RUN-u. Otvori ga i potrazi u njemu Polices i potrazi po njemu da nemas napravljena neka pravili i zabrane. U principu trebao bi da naletis na ovu sliku (imas sliku i u prilogu).

3. Da li je problem nastao pre ili posle instalacije Nortona?

4. Da li si pustio kompletan scan sa Nortonom i MBAM-om?

_{[Ovu poruku je menjao Nemanja Živanović dana 09.03.2009. u 17:34 GMT+1]}

[ 6ej6uc @ 09.03.2009. 16:36 ] @

Naravno da sam kliknuo na Remove Selected nakon skeniranja MBAM-om. A nije problem od Endpointa, zasto sam probao i kad sam ga uninstalirao nije hteo RUN...

Pustio sam kopletan scan sa MBAM i Symantec-om i izbrisao sam sve sta je nasao sa njega...

[ Nemanja Živanović @ 09.03.2009. 16:40 ] @

Ok. Zamolio bih te da ponovo iskopiras svez HijackThis log. Pre nego sto ga pokrenes preimenuj ime fajla (hijackthis.exe) u bilo sta npr. blabla.exe. Pokreni ga i klikni na "Do a system scan and save a logfile".

Jel imas mozda instaliran System Mechanic?

[ 6ej6uc @ 09.03.2009. 16:49 ] @

Nemam System Mechanic instalirano ne.

Evo log file :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:47:51, on 09.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\aMSNPortable\App\aMSN\bin\wish.exe
C:\Program Files\SkyView\SkyView.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\BlaBlaTrojann.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 3528 bytes

[ Nemanja Živanović @ 09.03.2009. 17:06 ] @

U HijackThis-u stikliraj sledece redove i klikni na Fix Checked:

O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe

Posle ovoga restartuj racunar pa uradi ponovo scan sa HijackThis-om i ovi redovi ne bi smeli da se nadju na spisku. Takodje taj novi log okaci ovde.

Slede ce je da skines ovaj program: http://www.dougknox.com/xp/utils/xp_secconsole.zip Kad ga preuzmes otpakuj ga i pokreni xp_secconsole.exe. Kad ga pokrenes sa leve strane odaberi Start Menu and Taskbar pa sa desne stikliraj Remove Run i pritisni Apply. Sada restartuj racunar. Posle restarta ponovo pokreni ovaj program idi pod istu stavku pa bi trebalo da je ostalo stiklirano Remove Run. Ako jeste deselektuj ga pritisni Apply i opet restartuj racunar. Ovo bi trebalo da resi problem.

Molim te idi tacno po ovom uputstvu i nemoj nista da preskaces. Samo tako cemo uspeti da zajedno resimo problem.

[ 6ej6uc @ 09.03.2009. 17:49 ] @

Nista brate opet, nakon selektiranja i FIX Checked i restarta ponovo su te 2 linije u log fajlu :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:55, on 09.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SkyView\SkyView.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\BlaBlaTrojann.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 3401 bytes

[ magna86 @ 09.03.2009. 17:59 ] @

Skini Ovaj Program
Startuj ga i kopiraj ovo dole:

Code:

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | regdiit

Files to delete:
C:\WINDOWS\system32\winxp.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\winjpg.jpg

Klikni na "Execute"

yes..yes...restartovace ti se kompjuter ,(ako se nerestartuje ti ces ga rucno restartovati)
tad ce poceti ciscenje

pa ponovo restartuj kompjuter,pokreni HiJackThis i proveri jel se u logu pojavljuju one linije za koje ti je Nemanja Živanović rekao da ubijes
ili ...bolje kopiraj taj log na forum da ti on proveri valje

[ 6ej6uc @ 09.03.2009. 18:01 ] @

@Nemanja , znas sta sam primetio, ovako, kad obrisem te linije i restartujem racunar nakon ponovo skeniranje sistema sa HJThis nema te linije. ALI, kad probam da startujem TaskManager-a i onda ponovo skeniram sa HJThis te linije se opet javljaju....

[ 6ej6uc @ 09.03.2009. 19:54 ] @

Uradio ono sta je magna rekao evo rezultate :

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\winxp.exe" deleted successfully.
File "C:\WINDOWS\system32\wscript.exe" deleted successfully.
File "C:\WINDOWS\system32\winjpg.jpg" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run|regdiit" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:58, on 09.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\BlaBlaTrojann.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 3225 bytes

za neko vreme pokusacu opet na ovo od @nebojse

Sad prilikom pisanja komande u RUN-u kaze da ne moze da nadje to sto pokusavam .dll...

A od Task Manager-a jos uvek ni traga ni glasa :)

[ Nemanja Živanović @ 09.03.2009. 20:01 ] @

Ok. Posto je Avenger obrisao one fajlove FIX-uj sa HijackThis-om sledeci red:

O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg

Posle toga preuzmi ovu alatku:

http://www.symantec.com/conten...l/threat_writeups/FxBeagle.exe

1. Snimi program na Desktop
2. Zatvori sve tekuce programe
3. Diskonektuj se sa interneta
4. Ugasi System Restore ako je upaljen
5. Pokreni program FxBeagle.exe i pritisni Start.
6. Ako dobijas neke greske ili program ne moze da izvrsi skeniranje restartuj racunar u Safe mode, pa probaj iz njega.

Kada program zavrsi sa skeniranjem dobices neke rezultate. Molim te postavi ih ovde (mozes i kao sliku).

Posle toga idi u Run (Start > Run, ako ne radi Run udji u Command Prompt*) i kucaj gpedit.msc Otvara ti se prozor za editovanje Group Policy-a. Sa leve strane klikni na User configuration pa na Administrative Templates pa na System pa na CTRL+ALT+DEL Options. Kada to poslednje selektujes sa desne strane imas stavku Remove Task Manager. Klikni dva puta na njega (otvara se novi prozor) i oznaci Disabled i potvrdi sa Apply i OK i izadji iz ovog prozora. To bo trebalo da bude to.

Tek kad sve ovo zavrsis restartuj racunar, nemoj nikako pre ili izmedju ovih procesa!

Javi ako je negde zapelo i gde tacno...

*U Command Prompt se ulazi na sledeci nacin: Start -> All programs -> Accessories -> Command Prompt

_{[Ovu poruku je menjao Nemanja Živanović dana 09.03.2009. u 21:15 GMT+1]}

[ 6ej6uc @ 09.03.2009. 21:06 ] @

Sve od gore napisano sam probao, isto, nema nista, sve je isto :(

Sad nema one linije, ali se ne pokrece nista preko RUN, nema ni TM-a...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:04, on 09.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\BlaBlaTrojann.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 3213 bytes

[ Nemanja Živanović @ 09.03.2009. 22:32 ] @

Ajde probaj opet ovo, posto sada nema one linije u HijackThis-u:

Skines ovaj program: http://www.dougknox.com/xp/utils/xp_secconsole.zip Kad ga preuzmes otpakuj ga i pokreni xp_secconsole.exe. Kad ga pokrenes sa leve strane odaberi Start Menu and Taskbar pa sa desne stikliraj Remove Run i pritisni Apply. Sada restartuj racunar. Posle restarta ponovo pokreni ovaj program idi pod istu stavku pa bi trebalo da je ostalo stiklirano Remove Run. Ako jeste deselektuj ga pritisni Apply i opet restartuj racunar. Ovo bi trebalo da resi problem.

[ valjan @ 10.03.2009. 10:15 ] @

Imao sam takvu situaciju na nekoliko racunara u firmi, kombinacija koja je meni pomogla je ComboFix + MBAM + Spybot Search & Destroy + HiJackThis + Sysinternals-ovi Process Explorer i AutoRuns, uz rucno brisanje ili menjanje odredjenih kljuceva u registryju, kao i rucno gasenje nekih servisa. Naravno, na kraju sledi detaljan scan nekim AV programom. Cest je problem da malware promeni prava pristupa na fajlovima (najcesce na cmd.exe postave samo "everyone" i njemu zabrane svaki pristup) i registry kljucevima, i onda su ovi alati nemocni dok im rucno "ne otkljucas" pristup tim fajlovima i registry kljucevima (uglavnom moras da preuzmes vlasnistvo nad tim fajlom, ako ne znas kako se to radi javi pa da ti posaljem uputstvo).

Takodje se malware cesto maskira kao sistemski servis, ali ja jos nijednom nisam naisao na tako maskirani malware koji nije imao bar neku slovnu ili gramaticku gresku u opisu servisa pa ih veoma lako otkrijem, pa ako bas dobro znas engleski, procesljaj spisak pokrenutih servisa (probaj da li funkcionise desni klik na My Computer > Manage > Services and Applications > Services, pa sortiraj po statusu) i disable-uj i zaustavi sve one koji imaju na bilo koji nacin deformisan opis ("hijeroglifi" umesto teksta, skracen tekst - vidljivo je da nedostaje jedan deo, pogresno ispisane reci - npr. netwark umesto network, itd.).

Koliko vidim iz tvojih izvestaja, tebi je jos uvek stalno aktivan

C:\Documents and Settings\Kolev Gjoke\My Documents\MY_DOWNLOADS\BlaBlaTrojann.exe

Posto ne mozes da pokrenes Task Manager, probaj sa Sysinternalsovim ProcesExplorerom http://live.sysinternals.com/procexp.exe pa nadji na spisku & ubi doticnog trojanca (desni klik i Kill), i onda pokusaj sa onim izmenama u HJT-u koje su ti predlagali. Proveri i ostale procese, pa ako ti neki deluje sumnjivo klikni desnim na njega i odaberi "Search Online" opciju - ako neki od linkova kaze da postoji mogucnost da se radi o virusu, slobodno i njega kill-uj.

Jos ako uspes da pokrenes AutoRuns sa http://live.sysinternals.com/autoruns.exe (mada i on cesto bude blokiran) idi odmah na "Image Hijacks" jezicak i obrisi sve osim "Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe", a onda mozes da bacis pogled i na Services jezicak pa pogledaj vidis li nesto sumnjivo (svi koji imaju cudan description, nemaju publishera ili je neobicno ime, path im je neki podfolder ispod c:\windows\system32\ i sl. pa probaj da ga disableujes tako sto odstikliras kucicu na pocetku reda.

[ 6ej6uc @ 10.03.2009. 15:00 ] @

Nece nikako, najbolje format i cao :), worm je : VBS/AutoRun.BX.worm

Hvala svima na pomocu.

[ valjan @ 10.03.2009. 15:56 ] @

Ako vec znas da se radi o VBS/AutoRun.BX.worm, sta te sprecava da mu rucno uklonis njegove fajlove? Imas detaljan opis na

http://vil.nai.com/vil/content/v_144151.htm

pa samo odradis kontra proces i obrises najpre registry kljuceve koje on dodaje, a zatim i fajlove koje je kreirao. Ako ti treba pomoc, javi...

_{[Ovu poruku je menjao Nemanja Živanović dana 31.03.2009. u 12:03 GMT+1]}

[ 6ej6uc @ 10.03.2009. 18:59 ] @

@valjan ajd da probam jos sa tebe :), ovaj link nosi me da download-ujem McAfee ?
Ako ne, daj reci kako si mislio rucno da uklonim registre ?

[ Nemanja Živanović @ 10.03.2009. 20:12 ] @

Pogledaj da li imas neke od sledecih fajlova na racunaru:

c:\WINDOWS\system32\amvo.exe
c:\WINDOWS\system32\amvo0.dll
c:\xn1i9x.com
c:\2ifetri.cmd
c:\x.com
c:\3wcxx91.cmd
c:\awda2.exe

Ako nemas uzmi ovaj program (http://www.hotlinkfiles.com/files/2368685_wrlsp/ScanTool.rar), pokreni ga, pritisni Scan i postavi rezultate ovde.

[ valjan @ 10.03.2009. 20:25 ] @

Evo sta kaze na onom linku:

Citat:

It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if a systems which use the removable drive are set to Autorun.

* This worm adds the following files and registry entries to load itself on startup.

Files:
c:\WINDOWS\system32\amvo.exe
c:\WINDOWS\system32\amvo0.dll

Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
amva = C:\WINDOWS\System32\amvo.exe

* This worm changes the following registry values in attempt to change the windows explorer view settings

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0

* This worm also attempts to create an autorun.inf file on the root any accessible disk volumes.

[Drive]:\autorun.inf

* The autorun.inf will reference one of the following files that will also be written to the root of the volume.

(Additional filenames may be found in other variants of this worm)
[Drive]:\xn1i9x.com
[Drive]:\2ifetri.cmd
[Drive]:\x.com
[Drive]:\3wcxx91.cmd
[Drive]:\awda2.exe

E sad, bilo bi pozeljno da probas da pokrenes http://live.sysinternals.com/procexp.exe i ako uspes da ga otvoris idi na View > Select Columns pa stikliraj Image Path.

Onda u koloni Image Path probaj da pronadjes c:\WINDOWS\system32\amvo.exe i/ili c:\WINDOWS\system32\amvo0.dll, pa klikni desnim dugmetom na te stavke i odaberi Kill Process. Takodje, ako negde u toj koloni vidis smss.exe a da nije u c:\windows\system32 folderu, likvidiraj ga odmah, a isto vazi i za fajlove pobrojane pri kraju citata.

Ako ne uspes da pokrenes ProcessExplorer, pokusaj fizicki da obrises te fajlove (ako su zakljucani, imaju i MBAM i HiJackThis alate za brisanje takvih fajlova), ali to najverovatnije nece proci bez restarta, tako da ti jos preostaje da pokrenes regedit (C:\Windows\regedit.exe - probaj da ga preimenujes ako nece, ili skini besplatni RegAlyzer koji su razvili autori Spybota sa http://www.spybot-updates.biz/files/regalyz.exe) pa lociraj HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run i iz njega obrisi vrednost amva (koja ukazuje do C:\WINDOWS\System32\amvo.exe), i sve ostale gorepomenute fajlove. Ne bi bilo lose da odradis search u registry-ju na sve .com, .dll i .exe fajlove koji se spominju u gornjem citatu, pa da ih pobrises. Ako neka stavka ne dozvoljava brisanje, onda klikni desnim dugmetom na ime kljuca (otvorena zuta "fascikla" u levom prozoru), odaberi Permissions, klikni na Advanced dugme, pa na jezicak Owner, selektuj Administrators i stikliraj dole kucicu "Replace owner on Subcontainer and objects", klikni na OK, pa kad se zatvori taj prozor klikni na dugme Add i dodaj svoj nalog na spisak i daj mu Full Control prava, klikni na OK i onda pokusaj brisanje one "neposlusne stavke".

Ako uspes da pokrenes i http://live.sysinternals.com/autoruns.exe verovatno ces sve stavke iz citata pronaci i tamo, pa ih obrisi, i kao sto rekoh obavezno poseti jezicak Image Hijacks i obrisi sve osim one jedne stavke sto sam spomenuo u ranijim postovima.

Ako ne uspes da pokrenes bilo sta od pobrojanog, javi se pa da krenemo detaljnije korak po korak.

[ 6ej6uc @ 10.03.2009. 20:49 ] @

Evo rezultate za @nemanja, kasnije cu da probam ono od @valjan :

================= Boot.ini =================
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
================= Process =================
[4] system
[1184] c:\windows\system32\smss.exe
[1312] c:\windows\system32\csrss.exe
[1336] c:\windows\system32\winlogon.exe
[1380] c:\windows\system32\services.exe
[1392] c:\windows\system32\lsass.exe
[1564] c:\windows\system32\svchost.exe
[1660] c:\windows\system32\svchost.exe
[236] c:\windows\system32\svchost.exe
[276] c:\windows\system32\svchost.exe
[376] c:\windows\system32\svchost.exe
[1064] c:\windows\explorer.exe
[1200] c:\windows\system32\spoolsv.exe
[1272] c:\program files\eset\eset smart security\egui.exe
[1824] c:\program files\dyndns updater\dyndns.exe
[1840] c:\windows\system32\ctfmon.exe
[328] c:\program files\bonjour\mdnsresponder.exe
[584] c:\program files\eset\eset smart security\ekrn.exe
[852] c:\program files\java\jre6\bin\jqs.exe
[832] c:\windows\system32\nvsvc32.exe
[616] c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe
[932] c:\windows\system32\alg.exe
[3188] c:\program files\skype\phone\skype.exe
[3200] c:\program files\mozilla firefox\firefox.exe
[3632] c:\documents and settings\kolev gjoke\my documents\amsnportable\app\amsn\bin\wish.exe
[2804] c:\documents and settings\kolev gjoke\desktop\scantool.exe
================= Hidden =================
[4] <--- HIDDEN
================= %PATH% =================
C:\WINDOWS\system32
C:\WINDOWS
C:\WINDOWS\system32\wbem
C:\Program Files\QuickTime\QTSystem
C:\Program Files\Common Files\Adobe\AGL
================= Explorer - File =================
C:\WINDOWS\explorer.exe
================= Explorer - Registry=================
DefaultDomainName=KOLEV-BB31A84F7
DefaultUserName=Kolev Gjoke
LegalNoticeCaption=
LegalNoticeText=
PowerdownAfterShutdown=0
ReportBootOk=1
Shell=Explorer.exe
ShutdownWithoutLogon=0
System=
Userinit=C:\WINDOWS\system32\userinit.exe,
VmApplet=rundll32 shell32,Control_RunDLL "sysdm.cpl"
allocatecdroms=0
allocatedasd=0
allocatefloppies=0
cachedlogonscount=10
scremoveoption=0
UIHost=LogonUI.EXE
Background=0 0 0
DebugServerCommand=no
WinStationsDisabled=0
AltDefaultUserName=Kolev Gjoke
AltDefaultDomainName=KOLEV-BB31A84F7