Virus

#1 nipu_ro
I have a virus that shows up in Task Manager as the processes kyw41f.exe and wuaucldt.exe (it is not Automatic Updates; I have disabled that).
I find both files in windows/temp and in documents and settings/user/local settings, and I can delete them, but they reappear after a restart.
I scanned with BitDefender and NOD32; both found the virus but did not remove it.
BitDefender manages to block it, but that is all.
The strange thing is that they only appear in Task Manager when I connect to the internet.
I also tried Malwarebytes, with no result. It found them but did not fix the problem.
I have also noticed that I can no longer open the antivirus vendors' pages.
What else should I try?
Thanks.

#2 tommy-slot
Try Avira AntiVir Personal Free if you want.

#3 nipu_ro
Quote (tommy-slot @ May 19 2010, 23:46):

Try Avira AntiVir Personal Free if you want.

I also scanned with Avira, but it finds a great many files infected with Win32/Virut 5. They are files like explorer.exe from Windows.

#4 Mister Sinister
Also try ComboFix. Download it from bleepingcomputer. Make sure you install the console when it asks you to.

#5 nipu_ro
Quote (s|n|ster @ May 20 2010, 13:08):

Also try ComboFix. Download it from bleepingcomputer. Make sure you install the console when it asks you to.

I tried; when I install it I get the error "You may be infected with a file patching virus Virut" and it closes.

#6 napstar77
Hi nipu,

Install HijackThis and post the log here.

HijackThis - Download - CHIP

#7 nipu_ro
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:17:20 PM, on 5/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\VRT27.tmp
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\hj\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{632D1533-107B-4DB2-B624-7791A21AC967}: NameServer = 82.76.253.115 82.76.253.125
O17 - HKLM\System\CS1\Services\Tcpip\..\{632D1533-107B-4DB2-B624-7791A21AC967}: NameServer = 82.76.253.115 82.76.253.125
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4692 bytes

#8 napstar77
Delete this:

C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe

it is Trojan.Agent/Gen-Virut[WinLogo]

C:\WINDOWS\TEMP\VRT27.tmp - unknown

O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe - unknown

O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM') - unknown

O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'Default user') - unknown

Do you recognise the following IPs? As far as I can see they belong to RDS ...

'82.76.253.115 82.76.253.125'
----------------------------------------------------------------------------------
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe infected, don't delete it yet

Submit the file at this address and check the result; you could also post it here.
http://www.virustota...h/index_en.html





#9 nipu_ro
Quote (napstar77 @ May 21 2010, 16:25):

Delete this:

C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe

it is Trojan.Agent/Gen-Virut[WinLogo]
C:\WINDOWS\TEMP\VRT27.tmp - unknown

O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe - unknown
O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM') - unknown

O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'Default user') - unknown
Do you recognise the following IPs? As far as I can see they belong to RDS ...

'82.76.253.115 82.76.253.125'
----------------------------------------------------------------------------------
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe infected, don't delete it yet

Submit the file at this address and check the result; you could also post it here.
http://www.virustota...h/index_en.html

I can't get onto that site. I deleted the files, except winlogo.exe, which I can't find. (I also used to get an error about winlogo when I turned the computer on, but it no longer appears.)

#10 napstar77
Well, to delete them you select the files in HijackThis and click clean / remove from there.

Keep us posted on how the PC behaves.

Reset Internet Explorer: Start > Run > inetcpl.cpl > Advanced > RESET

See whether you can submit the file here:
Anubis - Register for a Free Account

#11 Guest_Diazzz_*
For beginners the best antivirus is Avira; it was my first antivirus and still is, and I haven't caught any viruses.. (I know how to stay out of trouble; in the end, the best antivirus is you yourself.)


#12 (BadBoy)
Avira also deletes the files. Better get Avast 4.6 so your PC runs fine; plus, if you put viruses in quarantine it doesn't delete the file.

#13 Guest_ADRIAN1988_*

Quote (napstar77):

Well, to delete them you select the files in HijackThis and click clean / remove from there.

Keep us posted on how the PC behaves.

Reset Internet Explorer: Start > Run > inetcpl.cpl > Advanced > RESET

See whether you can submit the file here:
Anubis - Register for a Free Account

Hi, I installed HijackThis today, but it seems complicated to me. If you can help me with some advice, I really don't know what else to do with it :( thanks a lot

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
D:\muzika\dnb , dubstep ,\HiJackThis.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

O4 - HKCU\..\Run: [HijackThis startup scan] D:\muzika\dnb , dubstep ,\HijackThis.exe /startupscan
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 3042 bytes

#15 Sensini
W32.Virut Removal Tool Free Download - Softpedia

You had Virut, didn't you? Try this tool.

#16 napstar77

Quote ((BadBoy)):

Avira also deletes the files. Better get Avast 4.6 so your PC runs fine; plus, if you put viruses in quarantine it doesn't delete the file.


Well, I've never used Avira in particular, but the great majority of scanners on the market offer several options for how to handle a file moved to quarantine (you choose yourself whether it is deleted or only moved to quarantine), and let you control the heuristic protection in detail (which files are scanned, which signatures are included or excluded, etc.).

@ Adrian1988.

Do you know which virus has invaded your PC? How does it manifest itself?...

The HijackThis log shows all processes running within normal parameters.

To start with, I'd recommend a full scan with Malwarebytes and a full scan with Kaspersky Online Scan.

Stay with this topic until we give you the green light.

#17 queenofthedamned
Hi, can you help me too? I saw that nipu_ro had some suspicious .exe files, so I also looked in Task Manager to see if I could find anything, and I found these:

winlogon.exe
wuauclt.exe

But nipu_ro has winlogo.exe and wuaucldt.exe.
Are they by any chance the same thing, or what? I want to mention that wuauclt was showing when I turned the PC on a few minutes ago, but now it no longer shows; anyway, I ran a HijackThis scan while it was running.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:05:09 PM, on 8/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Kituri\HiJackThis204.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{935FA4C2-662C-4433-9990-A18EFF3D92B0}: NameServer = 89.40.196.2,89.40.196.3
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - E:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6030 bytes

And here is a screenshot of the .exe files in Task Manager.
http://img72.imagesh...15/45015256.jpg

#18 Sensini
winlogon.exe and wuauclt.exe are Windows processes.
winlogon is a process Windows uses for user authentication. The exe is in system32.
wuauclt is short for Windows Update AutoUpdate Client, from which you can deduce what it is used for. The exe is also in system32.

Does your PC show any sign of infection?

#19 queenofthedamned

Quote (Sensini):

winlogon.exe and wuauclt.exe are Windows processes.
winlogon is a process Windows uses for user authentication. The exe is in system32.
wuauclt is short for Windows Update AutoUpdate Client, from which you can deduce what it is used for. The exe is also in system32.

Does your PC show any sign of infection?


No, it shows no sign, nothing, it runs very well. It's just that I saw nipu_ro had winlogo.exe and wuaucldt.exe, and since I have winlogon.exe and wuauclt.exe I thought it was the same thing, which is why I asked.

#20 Mfoch

Quote (Sensini):

winlogon.exe and wuauclt.exe are Windows processes.
winlogon is a process Windows uses for user authentication. The exe is in system32.
wuauclt is short for Windows Update AutoUpdate Client, from which you can deduce what it is used for. The exe is also in system32.

Does your PC show any sign of infection?


2 winlogon = keylogger. If you have 2 winlogon.exe in Task Manager you're fucked up, and if you try to close the wrong winlogon you're fucked up again .. so

Go to Run, cmd, type netstat -ano; go to Task Manager, View, Select Columns, enable PID; now go back to cmd. The LISTENING ones are OK; of the ESTABLISHED ones, some are not good, so you look at the PID in cmd and look it up in Task Manager; if it's a known program you leave it, like Messenger or Firefox. The ESTABLISHED ones are all the ones connected to the internet, so they may be connected to another computer .. if you find an ESTABLISHED one there with the PID of a winlogon, run quickly to Task Manager and check, and close it. Anyway, it's the same as defusing a bomb: if you get the wrong wire, in this case the wrong process, you're fucked up ;) . OK, I hope I helped even if some time has passed.

Useful programs: Microsoft Security Essentials - Microsoft Windows, Anti-keylogger :: Professional anti spyware

#21 napstar77

Quote (Mfoch):

2 winlogon = keylogger. If you have 2 winlogon.exe in Task Manager you're fucked up, and if you try to close the wrong winlogon you're fucked up again .. so

Go to Run, cmd, type netstat -ano; go to Task Manager, View, Select Columns, enable PID; now go back to cmd. The LISTENING ones are OK; of the ESTABLISHED ones, some are not good, so you look at the PID in cmd and look it up in Task Manager; if it's a known program you leave it, like Messenger or Firefox. The ESTABLISHED ones are all the ones connected to the internet, so they may be connected to another computer .. if you find an ESTABLISHED one there with the PID of a winlogon, run quickly to Task Manager and check, and close it. Anyway, it's the same as defusing a bomb: if you get the wrong wire, in this case the wrong process, you're fucked up ;) . OK, I hope I helped even if some time has passed.

Useful programs: Microsoft Security Essentials - Microsoft Windows, Anti-keylogger :: Professional anti spyware


Don't stress the guy out :) nowhere does he say it runs twice.

winlogon.exe runs within normal parameters; the process name itself describes its function, the process responsible for log-in / log-out in Windows:

C:\WINDOWS\system32\winlogon.exe

If you find it under a different folder, then yes, it may be a disguised process = trojan.

Same story with wuauclt.exe: it runs within normal parameters, a process responsible for Windows Update:

C:\WINDOWS\system32\wuauclt.exe
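
The two checks described in the last posts, Mfoch's (match the PID of every ESTABLISHED connection in `netstat -ano` to the process that owns it) and napstar77's (a process carrying a Windows binary name is only trustworthy if it runs from C:\WINDOWS\system32), combine into one review. The Python below is an added example, not from the thread or any tool it names: it parses a `netstat -ano` listing and a PID/name/path table, joins them on PID and gives a verdict per established connection. Both inputs are constructed samples in the shape of the real outputs (198.51.100.x is documentation address space), the list of protected binary names is an illustrative assumption, and the caller supplies the names that are expected to talk to the network, like firefox.exe or Messenger.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumption: Windows binaries whose name a trojan might borrow. A copy of one
# of them running from anywhere but system32 is treated as disguised.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "wuauclt.exe"}
SYSTEM_DIR = "c:\\windows\\system32"

# Constructed sample in the layout of `netstat -ano` on Windows XP; not a real capture.
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1043       198.51.100.7:80        ESTABLISHED     1204
  TCP    192.168.1.5:1051       198.51.100.40:80       ESTABLISHED     1032
  TCP    192.168.1.5:1077       198.51.100.23:6667     ESTABLISHED     1700
  TCP    192.168.1.5:1090       198.51.100.99:443      ESTABLISHED     2012
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed process table (PID, image name, full path): the PID and name Task
# Manager shows once the PID column is enabled, plus the path that
# `wmic process get ProcessId,Name,ExecutablePath` reports. Two winlogon.exe
# entries model the case Mfoch describes.
PROCESS_SAMPLE = r"""pid,name,path
4,System,
648,winlogon.exe,C:\WINDOWS\system32\winlogon.exe
948,svchost.exe,C:\WINDOWS\system32\svchost.exe
1032,wuauclt.exe,C:\WINDOWS\system32\wuauclt.exe
1204,firefox.exe,C:\Program Files\Mozilla Firefox\firefox.exe
1700,winlogon.exe,C:\Documents and Settings\user\Local Settings\Temp\winlogon.exe
"""


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # banner, header or blank line
        conns.append({"proto": proto, "local": local, "remote": remote, "state": state, "pid": int(pid)})
    return conns


def parse_processes(text):
    """Map PID -> {'pid', 'name', 'path'} from the CSV process table."""
    return {int(row["pid"]): row for row in csv.DictReader(io.StringIO(text.strip()))}


def review(netstat_text, process_text, allowed_networking=frozenset()):
    """Join each ESTABLISHED connection to its owning process and classify it."""
    procs = parse_processes(process_text)
    allowed = {n.lower() for n in allowed_networking}
    report = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] != "ESTABLISHED":
            continue
        proc = procs.get(conn["pid"])
        if proc is None:
            # Traffic from a PID missing in the process table: the table is
            # stale or the process is short-lived; capture both again at once.
            report.append((conn["pid"], "<unknown>", conn["remote"], "pid not in process list"))
            continue
        name = proc["name"].lower()
        parent = str(PureWindowsPath(proc["path"]).parent).lower()
        if name in SYSTEM_BINARIES and parent != SYSTEM_DIR:
            verdict = "system binary name running from wrong folder"
        elif name in SYSTEM_BINARIES:
            verdict = "system binary with outbound connection, verify"
        elif name in allowed:
            verdict = "ok"
        else:
            verdict = "not in expected-networking list"
        report.append((conn["pid"], name, conn["remote"], verdict))
    return report


if __name__ == "__main__":
    for pid, name, remote, verdict in review(NETSTAT_SAMPLE, PROCESS_SAMPLE, {"firefox.exe"}):
        print(f"PID {pid:>5}  {name:<14} -> {remote:<20} {verdict}")
```

On the sample the legitimate winlogon.exe (PID 648) has no connection and never appears in the report, while the second winlogon.exe (PID 1700), running from a Temp folder and talking to port 6667, is the one flagged. That is the distinction napstar77 makes: it is the path, not the presence of the name, that decides. wuauclt.exe legitimately connects to Windows Update, so a system binary in the correct folder is only marked for verification, not as malicious.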



