101605.exe = WHAT IS IT?


(Soku11) #1

HELLO!!

Recently I've had a problem with my computer. While browsing the net it started to slow down terribly. When I opened My Computer I had to wait about a minute for the window to appear!! On top of that, without a connection to the net, after opening My Computer a window popped up about establishing a connection. I used AVAST to scan my HDD for viruses and it found a few :stuck_out_tongue: It removed them successfully and now the computer runs reasonably fast, but sometimes a process named 101605.exe starts. I don't know what it is, hence my question, because I haven't installed anything by that name. I'm attaching LOGS from HijackThis and Silent Runners. Please HELP!!!

HiJackThis:

Logfile of HijackThis v1.99.1

Scan saved at 20:25:22, on 2006-08-12

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avast4\ashServ.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alcohol 120\StarWind\StarWindService.exe

C:\Program Files\Avast4\ashWebSv.exe

C:\Program Files\Avast4\ashMaiSv.exe

C:\Program Files\Peer2Mail\P2M.exe

C:\DOCUME~1\SOQ\USTAWI~1\Temp\101605.exe

C:\WINDOWS\SYSTEM32\winmine.exe

C:\Program Files\Screamer Radio\screamer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\SOQ\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Shockwave Flash Object - {14A21378-5BB1-4BC4-95D5-5D3F51527F6F} - C:\WINDOWS\SYSTEM32\smflash.ocx

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD929D46-B628-468E-92BB-590A92AEF96C}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

and SilentRunners:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [file not found]

"SystemTray" = "SysTray.Exe" [MS]

"avast!" = "C:\PROGRA~1\Avast4\ashDisp.exe" [null data]

"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{14A21378-5BB1-4BC4-95D5-5D3F51527F6F}\(Default) = (no title provided)

  - {HKLM...CLSID} = "Shockwave Flash Object"

                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\smflash.ocx" ["Macromedia, Inc."]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)

  - {HKLM...CLSID} = "IeCatch5 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["FlashGet"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  - {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  - {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "Łącza"

  - {HKLM...CLSID} = "Łącza"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Miniatura"

  - {HKLM...CLSID} = "Miniatura"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{568804CA-CBD7-11d0-9816-00C04FD91972}" = "Folder powłoki menu"

  - {HKLM...CLSID} = "Folder powłoki menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\SHDOCVW.DLL" [MS]

"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Shell Menu DeskBar"

  - {HKLM...CLSID} = "Shell Menu DeskBar"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Shell Menu BandSite"

  - {HKLM...CLSID} = "Shell Menu BandSite"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"

  - {HKLM...CLSID} = "IShellFolderBand"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  - {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  - {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  - {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  - {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"



Enabled Scheduled Tasks:

------------------------


"Uruchomienie aplikacji dostrajania" - launches: "walign" [file not found]

"Przypomnienie o wygaśnięciu dezinstalacji" - launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /u /n:1" [MS]

"DM_Install_Program" - launches: "C:\DOCUME~1\SOQ\USTAWI~1\Temp\101605.exe" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

%SystemRoot%\system32\mswsock.dll [MS], 1 - 3

%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  - {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "FlashGet"

"Exec" = "C:\PROGRA~1\FLASHGET\flashget.exe" ["FlashGet.com"]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\


Missing lines (compared with English-language version):

"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  - {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

HIJACK WARNING! "NavigationFailure" = "res://shdocvw.dll/navcancl.htm" [MS]

HIJACK WARNING! "DesktopItemNavigationFailure" = "res://shdocvw.dll/navcancl.htm" [MS]

HIJACK WARNING! "NavigationCanceled" = "res://shdocvw.dll/navcancl.htm" [MS]

HIJACK WARNING! "OfflineInformation" = "res://shdocvw.dll/offcancl.htm" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AutoUpgrade, AutoUpgrade, "C:\WINDOWS\System32\svchost.exe -k AutoUpgrade" {"C:\WINDOWS\System32\tasklist.dll" [null data]}

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

Background Intelligent Transfer Services, BITS32, "C:\WINDOWS\System32\svchost.exe -k BITS32" {"c:\windows\system32\group.dll" [MS]}

DNS SystemServices, RpcSs32, "C:\WINDOWS\System32\svchost.exe -k RpcSs32" {"c:\windows\system32\sql32.dll" [MS]}

StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 55 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 47 seconds.

---------- (total run time: 274 seconds)
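Added example (not from the thread): a small Python triage pass over lines in the shape of the HijackThis / Silent Runners output above, flagging executables running or scheduled from the user's Temp directory, svchost service groups that are not stock XP groups, and R0/R1 start or search pages pointing at an untrusted host. The svchost allowlist and trusted-host list are assumptions for this example, and the sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Stock Windows XP svchost groups (an allowlist assumed for this example; tune per build).
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                        "localservice", "imgsvc", "httpfilter", "termsvcs"}
# Hosts a stock IE start/search page would legitimately point at (assumption).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "google.com")

TEMP_EXE = re.compile(r'[A-Z]:\\[^"\s]*\\Temp\\[^"\s]+\.exe', re.I)
SVCHOST_GROUP = re.compile(r'svchost\.exe -k ([^"\s]+)"', re.I)
IE_PAGE = re.compile(r'^R[01] - .*\\Main,(Start|Search) Page = (\S+)')

# Constructed sample: a handful of lines in the shape of the thread's HijackThis
# and Silent Runners output (running processes, R0/R1, a scheduled task, services).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\DOCUME~1\SOQ\USTAWI~1\Temp\101605.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
"DM_Install_Program" - launches: "C:\DOCUME~1\SOQ\USTAWI~1\Temp\101605.exe" [null data]
AutoUpgrade, AutoUpgrade, "C:\WINDOWS\System32\svchost.exe -k AutoUpgrade" {"C:\WINDOWS\System32\tasklist.dll" [null data]}
Background Intelligent Transfer Services, BITS32, "C:\WINDOWS\System32\svchost.exe -k BITS32" {"c:\windows\system32\group.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]
""".strip()

def host_trusted(url):
    """True when the URL's host is one of the trusted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage(log_text):
    """Return (line_no, reason) pairs for log lines that deserve a closer look."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if TEMP_EXE.search(line):
            kind = "scheduled task launching" if "launches:" in line else "running/autostart"
            findings.append((no, f"{kind} executable in user Temp"))
        m = SVCHOST_GROUP.search(line)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append((no, f"svchost group '{m.group(1)}' is not a stock XP group"))
        m = IE_PAGE.match(line)
        if m and not host_trusted(m.group(2)):
            findings.append((no, f"IE {m.group(1)} Page points at untrusted host"))
    return findings
```

Feed a whole saved log to triage() and review the returned line numbers; a finding is a pointer for a human, not a verdict.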

(Lost World) #2

The HijackThis log is clean...


(Myszonus) #3

Are you sure? :wink:

Start --> Run --> cmd and type in:

Best do this in Safe Mode.

Delete these entries. Manually remove the file marked in red from the disk in Safe Mode.


(Soku11) #4

That's what I did... The file was already gone - the antivirus probably removed it :stuck_out_tongue: For now the 101605.exe process doesn't appear, but something still tries to establish a connection when I open My Computer. Any other suggestions?? What about the Silent Runners log?? CHEERS

Post merged: 20.08.2006 (Sun) 10:02

HELLO AGAIN!

The problem with that connection hasn't gone away :confused: When I connect to the internet and open My Computer, some Chinese page opens, ent.sogua.com/love or ent.sogua.net/joke. What could it be?? REGARDS