
Virus

21 posts in this topic

# 1   Posted · Report post

I have a virus that shows up in Task Manager as the processes kyw41f.exe and wuaucldt.exe (it is not Automatic Updates, I disabled that).

I find both files in windows/temp and in documents and settings/user/local settings and I can delete them, but they reappear after a restart.

I scanned with BitDefender and NOD32 and both found the virus but did not remove it.

BitDefender manages to block it, but that is all.

The strange thing is that they only appear in Task Manager when I connect to the internet.

I also tried Malwarebytes, with no result. It found them but did not fix the problem.

I noticed that I can no longer open the antivirus vendors' pages either.

What else should I try?

Thank you.


# 2   Posted · Report post

Try Avira AntiVir Personal Free if you want.


# 3   Posted · Report post

> Try Avira AntiVir Personal Free if you want.

I also scanned with Avira, but it finds a very large number of files infected with Win32 Virut 5. They are files like explorer.exe from Windows.


# 4   Posted · Report post

Try ComboFix as well. Download it from bleepingcomputer. Make sure you install the Recovery Console when it asks you to.


# 5   Posted · Report post

> Try ComboFix as well. Download it from bleepingcomputer. Make sure you install the Recovery Console when it asks you to.

I tried, and when I install it I get an error "You may be infected with a file patching virus Virut" and it closes.


# 7   Posted · Report post

```text
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:17:20 PM, on 5/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\VRT27.tmp
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\hj\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{632D1533-107B-4DB2-B624-7791A21AC967}: NameServer = 82.76.253.115 82.76.253.125
O17 - HKLM\System\CS1\Services\Tcpip\..\{632D1533-107B-4DB2-B624-7791A21AC967}: NameServer = 82.76.253.115 82.76.253.125
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4692 bytes
```


# 8   Posted · Report post

Delete these:

C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe

that one is Trojan.Agent/Gen-Virut[WinLogo]

C:\WINDOWS\TEMP\VRT27.tmp - unknown

O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe - unknown

O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM') - unknown

O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'Default user') - unknown

Do you recognise the following IPs? As far as I can see they belong to RDS ...

'82.76.253.115 82.76.253.125'

----------------------------------------------------------------------------------

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe infected, don't delete it yet

Submit the file at this address and check the result; you could also post it here.

http://www.virustotal.com/flash/index_en.html

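The reply above picks the bad entries out of the log by eye. The script below is an added example, not code from the thread or from HijackThis, that applies the same reasoning to every line: an image name that is a near-miss of a real Windows binary (wuaucldt.exe vs wuauclt.exe, winlogo.exe vs winlogon.exe), a Windows binary name running from the wrong folder, an autostart or process living in a temp folder, the Group Policy logon-script folder or a user-profile root, a running "process" whose image is not an .exe at all, an autostart that launches an administrative tool such as regedit.exe, and the O17 DNS servers, which are only reported for manual checking. The allow-list of Windows names, the similarity threshold and the directory heuristics are assumptions; the sample lines are copied from the log posted in this thread.

```python
r"""Automated triage of a HijackThis log (added example, not from the thread).

Assumptions: the set of Windows binaries worth imitating, the tools that never
belong in a Run key, the "suspicious folder" patterns and the difflib threshold
are all illustrative choices, not HijackThis rules.
"""
import re
from difflib import SequenceMatcher

# Assumed: Windows binaries whose names malware imitates; the real ones live
# directly under C:\WINDOWS or C:\WINDOWS\system32.
KNOWN_WINDOWS_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe", "wuauclt.exe",
}
# Assumed: tools that have no business being started from a Run key.
NEVER_AUTOSTART = {"regedit.exe", "cmd.exe"}
# Assumed heuristics for places an autostart or process rarely belongs.
SUSPICIOUS_DIRS = (
    (r"\\temp\\", "temp folder"),
    (r"\\scripts\\logon\\", "Group Policy logon-script folder"),
    (r"\\documents and settings\\[^\\]+\\[^\\]+$", "user-profile root"),
)
LOOKALIKE_RATIO = 0.85   # difflib similarity at which a name counts as a near-miss

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'(?:[a-z]:\\[^"]*?|[^\s"\\]+)\.exe', re.I)

# Lines copied from the log posted above (first HijackThis log in the thread).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe
C:\WINDOWS\TEMP\VRT27.tmp
C:\Program Files\Softwin\BitDefender10\bdagent.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{632D1533-107B-4DB2-B624-7791A21AC967}: NameServer = 82.76.253.115 82.76.253.125
"""


def image_from_command(cmd):
    """Lowercase image launched by a Run-key command (the whole command when
    no .exe is visible, e.g. a bare rundll32 line)."""
    m = EXE_RE.search(cmd)
    return (m.group(0) if m else cmd).lower()


def check_image(path, running=False):
    """Reasons an image path looks wrong; an empty list means nothing seen."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if name in KNOWN_WINDOWS_BINARIES:
        # A real Windows name is only fine in its real folder.
        if "\\" in path and not re.search(r"\\windows\\(system32\\)?[^\\]+$", path):
            reasons.append(f"Windows binary name {name} outside its normal folder")
    else:
        for real in sorted(KNOWN_WINDOWS_BINARIES):
            if SequenceMatcher(None, name, real).ratio() >= LOOKALIKE_RATIO:
                reasons.append(f"name imitates Windows binary {real}")
                break
    for pattern, label in SUSPICIOUS_DIRS:
        if re.search(pattern, path):
            reasons.append(f"located in a {label}")
            break
    if running and not name.endswith(".exe"):
        reasons.append("running image is not an .exe")
    return reasons


def triage(log_text):
    """(line, reason) pairs for every HijackThis line that deserves a look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            image = image_from_command(m.group("cmd"))
            reasons = check_image(image)
            if image.rsplit("\\", 1)[-1] in NEVER_AUTOSTART:
                reasons.append("autostart of an administrative tool")
            findings.extend((line, r) for r in reasons)
            continue
        m = O17_RE.match(line)
        if m:
            findings.append((line, f"verify DNS servers: {m.group('servers')}"))
            continue
        if re.match(r"^[a-z]:\\", line, re.I):          # a "Running processes" entry
            findings.extend((line, r) for r in check_image(line.lower(), running=True))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55s} <- {line}")
```

Run it against a full log pasted into SAMPLE_LOG; the real winlogon.exe, Explorer.EXE and the BitDefender entries produce nothing, while winlogo.exe, VRT27.tmp, both wuaucldt.exe Run keys, the Regedit32 key and the O17 name servers come out as findings, matching the reply above.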

# 9   Posted · Report post

> Delete these:
>
> C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe
>
> that one is Trojan.Agent/Gen-Virut[WinLogo]
>
> C:\WINDOWS\TEMP\VRT27.tmp - unknown
>
> O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe - unknown
>
> O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'SYSTEM') - unknown
>
> O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\********\wuaucldt.exe (User 'Default user') - unknown
>
> Do you recognise the following IPs? As far as I can see they belong to RDS ...
>
> '82.76.253.115 82.76.253.125'
>
> ----------------------------------------------------------------------------------
>
> O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe infected, don't delete it yet
>
> Submit the file at this address and check the result; you could also post it here.
>
> http://www.virustotal.com/flash/index_en.html

I can't get onto that site, and I deleted the files except winlogo.exe, which I can't find. (I was also getting an error about winlogo when I started the computer, but it no longer appears.)


# 10   Posted · Report post

Well, to delete them you select the entries in HijackThis and hit Clean/Remove from there.

Keep us posted on how the PC behaves.

Reset Internet Explorer: Start > Run > inetcpl.cpl > Advanced > RESET

See whether you can submit the file here:

https://anubis.iseclab.org/?action=register


# 11   Posted · Report post

For beginners the best antivirus is Avira. It was my first antivirus and still is, and I haven't caught any viruses.. (I know how to stay out of trouble; in the end the best antivirus is you yourself.)


# 12   Posted · Report post

Avira deletes the files too. Better get Avast 4.6 so your PC runs well, plus if you put viruses in quarantine it doesn't delete the file.


# 13   Posted · Report post

> Well, to delete them you select the entries in HijackThis and hit Clean/Remove from there.
>
> Keep us posted on how the PC behaves.
>
> Reset Internet Explorer: Start > Run > inetcpl.cpl > Advanced > RESET
>
> See whether you can submit the file here:
>
> https://anubis.iseclab.org/?action=register

Hi, today I installed HiJackThis but it seems complicated to me. If you can help me with some advice, I really don't know what to do with it anymore :( thanks a lot

```text
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
D:\muzika\dnb , dubstep ,\HiJackThis.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alexandra\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

O4 - HKCU\..\Run: [HijackThis startup scan] D:\muzika\dnb , dubstep ,\HijackThis.exe /startupscan
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 3042 bytes
```



# 16   Posted · Report post

> Avira deletes the files too. Better get Avast 4.6 so your PC runs well, plus if you put viruses in quarantine it doesn't delete the file.

Well, I have never used Avira in particular, but the vast majority of scanners on the market have several options for how to treat a file moved to quarantine (you choose yourself whether it is deleted or only quarantined), and you can control the heuristic protection in detail (which files get scanned, which signatures are included or excluded, etc.).

@ Adrian1988.

Do you know which virus invaded your PC? How does it show itself?...

The HijackThis log shows all processes running within normal parameters.

To start with, I would recommend a full scan with Malwarebytes and a full scan with Kaspersky Online Scan.

Stay with this topic until we give you the green light.


# 17   Posted · Report post

Hi, can you help me too? I saw that nipu_ro had some suspicious .exe files, so I also looked in Task Manager to see whether I could find anything, and I found these:

winlogon.exe

wuauclt.exe

But for nipu_ro they appear as winlogo.exe and wuaucldt.exe.

Is it the same thing or what? I want to mention that wuauclt was showing when I turned the PC on a few minutes ago but now it no longer appears; anyway, I ran a HijackThis scan while it was running.

```text
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:05:09 PM, on 8/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Kituri\HiJackThis204.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{935FA4C2-662C-4433-9990-A18EFF3D92B0}: NameServer = 89.40.196.2,89.40.196.3
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - E:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6030 bytes
```

And here is a screenshot of the .exe files from Task Manager.

http://img72.imageshack.us/img72/9815/45015256.jpg


# 18   Posted · Report post

winlogon.exe and wuauclt.exe are Windows processes.

winlogon is a process Windows uses for user authentication. The exe is in system32.

wuauclt is short for Windows Update AutoUpdate Client, from which you can work out what it is used for. The exe is also in system32.

Does your PC show any sign of infection?


# 19   Posted · Report post

> winlogon.exe and wuauclt.exe are Windows processes.
>
> winlogon is a process Windows uses for user authentication. The exe is in system32.
>
> wuauclt is short for Windows Update AutoUpdate Client, from which you can work out what it is used for. The exe is also in system32.
>
> Does your PC show any sign of infection?

No, it shows no sign, nothing, it runs very well. It's just that I saw nipu_ro had winlogo.exe and wuaucldt.exe and, having winlogon.exe and wuauclt.exe myself, I thought it was the same thing, which is why I asked.


# 20   Posted · Report post

> winlogon.exe and wuauclt.exe are Windows processes.
>
> winlogon is a process Windows uses for user authentication. The exe is in system32.
>
> wuauclt is short for Windows Update AutoUpdate Client, from which you can work out what it is used for. The exe is also in system32.
>
> Does your PC show any sign of infection?

2 winlogon = keylogger. If you have 2 winlogon.exe in Task Manager you're fucked up, and if you try to close the wrong winlogon.. you're fucked up again.. so:

Go to Run, cmd, type netstat -ano; go to Task Manager, View, Select Columns, enable PID; now go back to cmd. The LISTENING ones are ok; of the ESTABLISHED ones, some are not good, so you look at the PID in cmd and look it up in Task Manager. If it is a known program you leave it, like Messenger or Firefox. The ESTABLISHED ones are all the ones connected to the internet, so they may be connected to another computer.. If you find the PID of a winlogon in there as ESTABLISHED, run quickly to Task Manager, check it, and close it. Anyway, it's just like defusing a bomb: if you get the wrong wire, in this case the process, you're fucked up ;) . Ok, I hope I helped even though some time has passed.

Useful programs: http://www.microsoft.com/security_essentials/ , http://www.anti-keyloggers.com/


# 21   Posted · Report post

> Quoting the post of 28 August 2010, 15:15:
>
> 2 winlogon = keylogger. If you have 2 winlogon.exe in Task Manager you're fucked up, and if you try to close the wrong winlogon.. you're fucked up again.. so:
>
> Go to Run, cmd, type netstat -ano; go to Task Manager, View, Select Columns, enable PID; now go back to cmd. The LISTENING ones are ok; of the ESTABLISHED ones, some are not good, so you look at the PID in cmd and look it up in Task Manager. If it is a known program you leave it, like Messenger or Firefox. The ESTABLISHED ones are all the ones connected to the internet, so they may be connected to another computer.. If you find the PID of a winlogon in there as ESTABLISHED, run quickly to Task Manager, check it, and close it. Anyway, it's just like defusing a bomb: if you get the wrong wire, in this case the process, you're fucked up ;) . Ok, I hope I helped even though some time has passed.
>
> Useful programs: http://www.microsoft.com/security_essentials/ , http://www.anti-keyloggers.com/

Don't stress the guy :) nowhere does he say it is running twice.

winlogon.exe is running within normal parameters; the process name describes its function, the process responsible for log-in / log-out in Windows:

C:\WINDOWS\system32\winlogon.exe

If you find it under another folder, yes, it could be a disguised process = trojan.

Same story with wuauclt.exe, running within normal parameters, a process responsible for Windows Update:

C:\WINDOWS\system32\wuauclt.exe

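The two replies above describe the same check done by hand: add the PID column in Task Manager, find the process behind each ESTABLISHED line of `netstat -ano`, decide whether that program should be talking to the network at all, and whether a process carrying a Windows name is really running from C:\WINDOWS\system32. The script below is an added example, not code from the thread, that does that join offline on captured output, so the result can be read calmly instead of racing Task Manager. Assumptions: the process list comes from `wmic process get ProcessId,ExecutablePath /format:csv`, the allow-list of applications that normally hold connections and the list of core processes that never should are illustrative, and both captures are constructed (the PIDs, the addresses in the 203.0.113.0/24 documentation range and the trojan path are made up).

```python
r"""Join `netstat -ano` with process image paths (added example, not from the
thread). Assumed inputs: netstat -ano text and wmic /format:csv text; both
samples below are constructed, not real captures.
"""
import csv
import re

# Assumed: core Windows names that must live under C:\WINDOWS\system32.
SYSTEM_BINARIES = {"winlogon.exe", "wuauclt.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe"}
# Assumed: core processes that should never hold an outbound TCP session.
NEVER_ONLINE = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}
# Assumed: applications for which an outbound connection is expected.
KNOWN_NETWORK_APPS = {"firefox.exe", "chrome.exe", "yahoomessenger.exe"}

NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Constructed sample of `netstat -ano` (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    192.168.1.5:1043       203.0.113.20:80        ESTABLISHED     1720
  TCP    192.168.1.5:1051       203.0.113.77:6667      ESTABLISHED     1984
  TCP    192.168.1.5:1052       203.0.113.10:443       ESTABLISHED     2300
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `wmic process get ProcessId,ExecutablePath /format:csv`.
WMIC_SAMPLE = r"""
Node,ExecutablePath,ProcessId
PC,,4
PC,C:\WINDOWS\system32\winlogon.exe,604
PC,C:\WINDOWS\system32\svchost.exe,956
PC,C:\Program Files\Mozilla Firefox\firefox.exe,1720
PC,C:\Documents and Settings\user\Local Settings\Temp\winlogon.exe,1984
PC,C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe,2300
"""


def parse_netstat(text):
    """Rows of `netstat -ano` as dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def parse_wmic_csv(text):
    """PID -> lowercase executable path; processes without a path (System) are dropped."""
    lines = [l for l in text.splitlines() if l.strip()]   # wmic prints a leading blank line
    paths = {}
    for row in csv.DictReader(lines):
        if row.get("ExecutablePath"):
            paths[int(row["ProcessId"])] = row["ExecutablePath"].lower()
    return paths


def classify(path):
    """Verdict for the image behind an established connection (None = PID not found)."""
    if path is None:
        return "unknown PID (process exited or hidden): investigate"
    name = path.rsplit("\\", 1)[-1]
    in_system32 = re.search(r"^[a-z]:\\windows\\system32\\[^\\]+$", path) is not None
    if name in SYSTEM_BINARIES and not in_system32:
        return "HIGH: Windows process name running outside system32"
    if name in NEVER_ONLINE:
        return "HIGH: core Windows process holding an outbound connection"
    if name in KNOWN_NETWORK_APPS:
        return "ok: known application"
    return "review: unlisted program with an outbound connection"


def correlate(netstat_text, wmic_text):
    """Every ESTABLISHED connection joined to its image path and a verdict."""
    paths = parse_wmic_csv(wmic_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] != "ESTABLISHED":
            continue
        path = paths.get(row["pid"])
        findings.append({"pid": row["pid"], "remote": row["remote"],
                         "path": path, "verdict": classify(path)})
    return findings


if __name__ == "__main__":
    for f in correlate(NETSTAT_SAMPLE, WMIC_SAMPLE):
        print(f"PID {f['pid']:>5}  -> {f['remote']:22s} {f['path']}\n    {f['verdict']}")
```

On the constructed sample, Firefox and Yahoo Messenger come out as known applications, while PID 1984, a winlogon.exe running from a Temp folder with a session to port 6667, is flagged exactly on the rule the last reply gives: the real one is C:\WINDOWS\system32\winlogon.exe and anything else with that name is a disguise. A genuine winlogon.exe would still be flagged if it ever held an outbound connection, which is the point the earlier reply was making.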
