Kinga86
(Kot Klara)
28 Grudzień 2006 14:04
#1
Od paru dni wyskakuje mi dziwny błąd, po pierwszym automatycznie pojawia się drugi i tak w kółko.
1:
Microsoft Visual C++ - Runtime library
Program: …am Files\Sunbelt Software\Personal Firewall\assist.exe
This application has requested the Runtime to terminate it in an unusal way. Please contact the application’s support team for more application.
Klikam OK i pojawia się:
2:
Sunbelt Kerio Personal Firewall has detected and blocked an intrusion attempt of type Code injection. The technical details about the attack are provided in the window below:
INTRUSION ATTEPMT BLOCKED
Intruder: c:\winnt3237796.exe
Technical details about each intrusion incident are very useful to Kerio. Please allow that information to be transmited to Sunbelt for further analyis. Only the contents of this window will be sent to Sunbelt.
Zazanaczam: Allow the technical details to be transmited to Sunbelt a następnie Zamknij.
Po chwili znowu pojawiają się te 2 błędy
Najlepsze jest to, że nie mam nigdzie tego pliku winnt3237796, na dysku C codziennie pojawiają mi się ikony winnt… i nie mam pojęcia skąd one się biorą.
Prosiłabym także o sprawdzenie moich logów. Nie wiem co znowu z tym kompem się dzieje.
Dzięki i pozdrawiam!
Z Hijacka
Logfile of HijackThis v1.99.1 Scan saved at 15:03:08, on 2006-12-28 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\explorer.exe C:\WINDOWS\alg.exe C:\WINDOWS\System32\FTRTSVC.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\rundll32.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\BearFlix\BearFlix.exe C:\WINDOWS\System32\ctfmon.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Uninstall.exe C:\Program Files\WLAN\WConfig\WConfig.exe C:\PROGRA~1\NEOSTR~1\neostradatp.exe C:\PROGRA~1\NEOSTR~1\ComComp.exe C:\PROGRA~1\NEOSTR~1\Toaster.exe C:\PROGRA~1\NEOSTR~1\Inactivity.exe C:\PROGRA~1\NEOSTR~1\PollingModule.exe C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE C:\PROGRA~1\NEOSTR~1\Watch.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\services.exe C:\WINDOWS\System32\services.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Winamp\winamp.exe C:\WINDOWS\System32\services.exe C:\WINDOWS\System32\services.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\AntiVir PersonalEdition Classic\update.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Kinga\USTAWI~1\Temp\Rar$EX00.532\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [bearFlix] “C:\Program Files\BearFlix\BearFlix.exe” /pause O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [WinMedia] C:\winnt3237796.exe O4 - HKCU…\Run: [WinUpdate] winnt32178781.exe O4 - HKCU…\Run: [WinInit] winnt32147843.exe O4 - HKCU…\Run: [eMuleAutoStart] D:\Pliki Kingi\Pobrane\eMule\emule.exe -AutoStart O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Uninstall.exe O4 - Global Startup: WConfig.lnk = C:\Program Files\WLAN\WConfig\WConfig.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup … 6135330608 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6135266373 O17 - HKLM\System\CCS\Services\Tcpip…{958FCF18-3392-4038-B5E6-E309992FA5C7}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Application Layer Gateway Services - Unknown owner - C:\WINDOWS\alg.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
adam9870
(adam9870)
28 Grudzień 2006 14:09
#2
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Start => uruchom => cmd => wpisz
W trybie awaryjnym z wyłączonym przywracaniem systemu usuń:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll O4 - HKCU…\Run: [WinMedia] C:\winnt3237796.exe O4 - HKCU…\Run: [WinUpdate] winnt32178781.exe O4 - HKCU…\Run: [WinInit] winnt32147843.exe O4 - Global Startup: Uninstall.exe O23 - Service: Application Layer Gateway Services - Unknown owner - C:\WINDOWS\alg.exe
Pliki i foldery zaznaczone kasujesz ręcznie z dysku natomiast wpisy w HijackThis.
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .