
HijackThis v1.99.1 log analysis on Windows XP SP2 - suspected infection?

0madziar 05 Dec 2005 21:53 942 4
  • #1 2057190
    0madziar
    Level 11
    Posts: 13
    Logfile of HijackThis v1.99.1
    Scan saved at 21:17:36, on 2005-12-05
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\sywsvcs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\T.D.M\Pulpit\Nowy folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RefSettingsBibThird] C:\Documents and Settings\All Users\Dane aplikacji\DRV BODY REF SETTINGS\exit slow.exe
    O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Outpost Center] C:\WINDOWS\system32\outpstd.exe
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRA~1\GADU-G~1\gg.exe" /tray
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
    O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKCU\..\Run: [Name Mapi] C:\DOCUME~1\TD2240~1.M\DANEAP~1\ANTIRE~1\LONG TRANS.exe
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://arcaonline.arcabit.com
    O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
    O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: hpdj - HP - C:\DOCUME~1\TD2240~1.M\USTAWI~1\Temp\hpdj.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • Helpful post
    #2 2057218
    Kolobos
    Computer specialist
    Posts: 85169
    Helped: 17166
    Rating: 10445
    End the process:
    C:\WINDOWS\system32\sywsvcs.exe

    In HijackThis remove:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html <- delete the file
    F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe <- delete the whole inet20003 directory
    O4 - HKLM\..\Run: [RefSettingsBibThird] C:\Documents and Settings\All Users\Dane aplikacji\DRV BODY REF SETTINGS\exit slow.exe <- delete the file
    O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKLM\..\Run: [Outpost Center] C:\WINDOWS\system32\outpstd.exe <- delete the file
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" <- delete the file
    O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe <- delete the file
    O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe <- delete the file
    O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe <- delete the file
    O4 - HKCU\..\Run: [Name Mapi] C:\DOCUME~1\TD2240~1.M\DANEAP~1\ANTIRE~1\LONG TRANS.exe <- delete the file
    O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll <- delete the file

    Finally, a scan:
    http://download.ewido.net/ewido-setup.exe <- update it before scanning; uninstall it after the scan.
  • #3 2057672
    0madziar
    Level 11
    Posts: 13
    Thanks in advance for the help. I did as you said: I removed the entries in HijackThis and scanned with that scanner, and the only thing it couldn't deal with was this: C:\Windows\_delete_on_rebot_bxproxy.exe. Maybe you have an idea how to get rid of it; to be safe I'm pasting the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 23:29:06, on 2005-12-05
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\DOCUME~1\ALLUSE~1\DANEAP~1\DRVBOD~1\EXITSL~1.EXE
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\ewido\security suite\SecuritySuite.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Documents and Settings\T.D.M\Pulpit\Nowy folder\HijackThis.exe

    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRA~1\GADU-G~1\gg.exe" /tray
    O4 - HKCU\..\Run: [Name Mapi] C:\DOCUME~1\TD2240~1.M\DANEAP~1\ANTIRE~1\LONG TRANS.exe
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://arcaonline.arcabit.com
    O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: hpdj - HP - C:\DOCUME~1\TD2240~1.M\USTAWI~1\Temp\hpdj.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • Helpful post
    #4 2057701
    Kolobos
    Computer specialist
    Posts: 85169
    Helped: 17166
    Rating: 10445
    End the process:
    C:\DOCUME~1\ALLUSE~1\DANEAP~1\DRVBOD~1\EXITSL~1.EXE
    And delete the file as I wrote before.

    In HijackThis remove:
    O4 - HKCU\..\Run: [Name Mapi] C:\DOCUME~1\TD2240~1.M\DANEAP~1\ANTIRE~1\LONG TRANS.exe
    And delete the file.

    Once you've done that, restart Windows and try to delete C:\Windows\_delete_on_rebot_bxproxy.exe. If there is a problem, download KillBox (you'll find it on Google), tick "delete on reboot" in it, select the file, and after the restart it will be gone.
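The two replies above boil down to a repeatable triage routine: read the HijackThis log, pick out the R0/R1 start pages that point at a local file, the win.ini run= line, the O4 autostarts that live outside Program Files and system32, the O20 Winlogon Notify hook, and the running processes that belong to those autostarts; then, after cleanup, re-read the second log and check what is still there (here, the [Name Mapi] entry and the EXITSL~1.EXE process). The script below is an added example, not code from the thread, from Kolobos, or from HijackThis. Its path heuristics, the generic-name list, the %WINDIR% allowlist and the Finding/triage/survivors names are all my own assumptions, and the two embedded logs are shortened copies of the ones posted in the thread.

```python
import re
from dataclasses import dataclass

# Shortened copies of the thread's two logs (before and after the cleanup).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sywsvcs.exe
C:\Documents and Settings\T.D.M\Pulpit\Nowy folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RefSettingsBibThird] C:\Documents and Settings\All Users\Dane aplikacji\DRV BODY REF SETTINGS\exit slow.exe
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRA~1\GADU-G~1\gg.exe" /tray
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Name Mapi] C:\DOCUME~1\TD2240~1.M\DANEAP~1\ANTIRE~1\LONG TRANS.exe
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ALLUSE~1\DANEAP~1\DRVBOD~1\EXITSL~1.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRA~1\GADU-G~1\gg.exe" /tray
O4 - HKCU\..\Run: [Name Mapi] C:\DOCUME~1\TD2240~1.M\DANEAP~1\ANTIRE~1\LONG TRANS.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

ENTRY_RE = re.compile(r'^(?P<code>[A-Z]\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll)', re.I)       # first drive-letter path in a command
LOCAL_URL_RE = re.compile(r'^(?:file:///)?[a-z]:[\\/]', re.I)     # start page that is a local file
USER_DIRS = re.compile(r'\\(temp|dane aplikacji|application data|daneap~1)\\', re.I)
GENERIC_NAMES = {'system', 'shell'}            # assumed: autostart names imitating Windows components
WINDIR_OK = {'explorer.exe', 'regedit.exe', 'notepad.exe', 'hh.exe'}  # assumed: legitimately in %WINDIR%
SYSTEM_NAMES = {'svchost.exe', 'services.exe', 'lsass.exe', 'winlogon.exe', 'smss.exe'}

@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, or 'PROC' for a running process
    line: str    # the log line exactly as written
    reason: str

def path_reasons(path: str) -> list[str]:
    """Heuristics on where an executable lives; a hit means 'look closer', not 'malware'."""
    p = path.lower().replace('/', '\\')
    parent, _, name = p.rpartition('\\')
    reasons = []
    if parent in ('c:\\windows', 'c:\\winnt') and name not in WINDIR_OK:
        reasons.append('executable sits directly in the Windows directory')
    if USER_DIRS.search(p):
        reasons.append('runs from a temp or application-data directory')
    if name in SYSTEM_NAMES and not parent.endswith('\\system32'):
        reasons.append('system process name outside system32')
    return reasons

def check_entry(code: str, body: str, line: str) -> list[Finding]:
    reasons = []
    if code in ('R0', 'R1') and LOCAL_URL_RE.match(body.split(' = ', 1)[-1]):
        reasons.append('browser start/default page points at a local file')
    elif code == 'F3' and 'win.ini: run=' in body and body.split('run=', 1)[1].strip():
        reasons.append('legacy win.ini run= autostart')
    elif code == 'O4' and (m := O4_RE.match(body)):
        if m['name'].lower() in GENERIC_NAMES:
            reasons.append(f'generic autostart name [{m["name"]}]')
        if (path := PATH_RE.search(m['cmd'])):
            reasons.extend(path_reasons(path.group(0)))
    elif code == 'O20':
        reasons.append('Winlogon Notify DLL hook; verify the DLL belongs to a known vendor')
    return [Finding(code, line, why) for why in reasons]

def triage(log_text: str) -> list[Finding]:
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := ENTRY_RE.match(line)):
            in_processes = False
            findings.extend(check_entry(m['code'], m['body'], line))
        elif in_processes:   # same path heuristics applied to the process list
            findings.extend(Finding('PROC', line, why) for why in path_reasons(line))
        elif line == 'Running processes:':
            in_processes = True
    return findings

def survivors(before_log: str, after_log: str) -> list[Finding]:
    """Flagged lines that are still present in the log taken after cleanup."""
    before = {f.line for f in triage(before_log)}
    return [f for f in triage(after_log) if f.line in before]

if __name__ == '__main__':
    for title, log in (('BEFORE', LOG_BEFORE), ('AFTER', LOG_AFTER)):
        print(f'== {title} ==')
        for f in triage(log):
            print(f'{f.code:5} {f.reason}\n      {f.line}')
    print('== still present after cleanup ==')
    for f in survivors(LOG_BEFORE, LOG_AFTER):
        print(f'{f.code:5} {f.line}')
```

Run it as-is and it reports the same entries Kolobos marked "delete the file" for the first log (the [System] line alone collects three reasons), and for the second log exactly the [Name Mapi] autostart and the EXITSL~1.EXE process that post #4 tells the user to kill. Two of Kolobos's hits, [aupd] sywsvcs.exe and [Outpost Center] outpstd.exe, sit in system32 under unremarkable names and are not caught by path heuristics at all; that gap is the reason a log like this still needs a person who knows the vendor files, and why the thread's advice to end the running process before deleting its file matters, since a live process can re-create its autostart entry.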
  • #5 2057734
    0madziar
    Level 11
    Posts: 13
    Well, but I can't find anything like C:\Windows\_delete_on_rebot_bxproxy.exe, and KillBox can't either, so it's probably gone already; I don't feel like reinstalling ewido again just to check whether it still detects it. So thanks a lot for the help, and well-deserved points for you. Things are already 100 times better; I'll scan again in the morning and write if anything turns up. Regards