Gutek
(Gutek)
15 November 2007 20:01
#2
Post a ComboFix log
remove the HJT entries
Follow this Topic and change the thread title to a specific one, otherwise it goes to the TRASH
Regards, Gutek2222
wonsky2
(Wonsky2)
15 November 2007 20:23
#3
Combofix
ComboFix 07-11-08.1 - wonsky 2007-11-15 21:13:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.693 [GMT 1:00]
Running from: C:\Documents and Settings\wonsky\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\NPF
.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-15 21:12 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 21:17
2007-11-12 21:17 16,896 --a------ C:\WINDOWS\system32\drivers\dsnpfd.sys
2007-11-12 21:09
2007-11-11 16:03
2007-11-11 14:08
2007-11-11 14:05
2007-11-11 14:04
2007-11-11 14:04
2007-11-11 12:16
2007-11-11 11:27
2007-11-11 11:14
2007-11-11 11:00
2007-11-11 10:58
2007-11-11 10:47 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-11-11 10:47 54,784 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-11-11 10:47 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-11-11 10:47 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-11-11 10:46
2007-11-11 10:46
2007-11-11 10:02
2007-11-11 10:02
2007-11-11 10:02
2007-11-11 10:02 29,704 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-11-11 10:01
2007-11-10 21:51
2007-11-10 20:14
2007-11-10 18:51
2007-11-10 18:36
2007-11-10 18:36
2007-11-10 18:36
2007-11-10 18:35
2007-11-10 18:29
2007-11-10 18:28
2007-11-10 18:25
2007-11-10 18:18
2007-11-10 18:15
2007-11-10 18:15
2007-11-10 18:15
2007-11-10 17:49
2007-11-10 17:48
2007-11-10 17:45
2007-11-10 17:44
2007-11-10 17:44 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-10 16:30
2007-11-10 16:27
2007-11-10 16:27
2007-11-10 16:20
2007-11-10 16:20
2007-11-10 16:16
2007-11-10 16:09
2007-11-10 13:59
2007-11-10 13:07 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-10 11:23 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe
2007-11-10 09:32
2007-11-10 08:40
2007-11-09 22:33 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-09 22:18 1,694 --a------ C:\WINDOWS\mozver.dat
2007-11-09 22:14
2007-11-09 22:13
2007-11-09 22:13
2007-11-09 22:13
2007-11-09 22:06
2007-10-25 09:27 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-10-25 09:27 50,696 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-10-25 09:27 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys
2007-10-25 09:25 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-10-25 09:25 27,144 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 20:07 --------- d-----w C:\Documents and Settings\wonsky\Dane aplikacji\SiteAdvisor
2007-11-15 20:05 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-11-14 20:54 --------- d-----w C:\Documents and Settings\wonsky\Dane aplikacji\Orbit
2007-11-12 20:17 --------- d-----w C:\Program Files\cFosSpeed
2007-11-11 19:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 16:59 --------- d-----w C:\Program Files\NAPI-PROJEKT
2007-11-10 10:23 --------- d-----w C:\Program Files\Radeon Omega Drivers
2007-11-10 10:05 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-11-09 20:59 --------- d-----w C:\Program Files\SubEdit-Player
2007-11-09 20:56 --------- d-----w C:\Program Files\Trend Micro
2007-11-09 20:54 --------- d-----w C:\Program Files\Foxit Software
2007-11-09 20:50 --------- d-----w C:\Program Files\Java
2007-11-09 20:49 --------- d-----w C:\Program Files\Common Files\Java
2007-11-09 20:41 --------- d-----w C:\Program Files\KeePass Password Safe
2007-11-09 20:33 --------- d-----w C:\Documents and Settings\wonsky\Dane aplikacji\Tlen.pl
2007-11-09 20:30 --------- d-----w C:\Program Files\foobar2000
2007-11-09 20:28 --------- d-----w C:\Program Files\Orbitdownloader
2007-11-09 20:24 --------- d-----w C:\Program Files\Opera
2007-11-09 20:19 --------- d-----w C:\Documents and Settings\wonsky\Dane aplikacji\Talkback
2007-11-09 20:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SiteAdvisor
2007-11-09 20:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\McAfee
2007-11-09 20:16 --------- d-----w C:\Documents and Settings\wonsky\Dane aplikacji\Thunderbird
2007-11-09 20:10 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-09 20:09 --------- d-----w C:\Program Files\Tlen.pl
2007-11-09 19:55 --------- d-----w C:\Documents and Settings\wonsky\Dane aplikacji\ESET
2007-11-09 19:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2007-11-09 19:51 --------- d-----w C:\Program Files\Realtek
2007-11-09 19:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-09 19:43 --------- d-----w C:\Program Files\Intel
2007-11-09 19:37 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-09 19:36 --------- d-----w C:\Program Files\Usługi online
2007-09-29 06:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 04:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 03:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-10-25 09:26]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-08-20 15:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WIAWizardMenu"=RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Updates]
svehost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET Smart Security\ekrn.exe"
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 dsnpfd;DeskSoft Service;C:\WINDOWS\system32\DRIVERS\dsnpfd.sys
R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe"
S3 MEMSWEEP2;MEMSWEEP2;??\C:\WINDOWS\system32\3C3.tmp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{89e77f46-9047-11dc-9a31-0050fc89f06e}]
\Shell\AutoRun\command - O:\USBNB.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 09:16:40 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 21:16:30
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 21:17:14 - machine was rebooted
.
--- E O F ---
and HJT after fixing the indicated entries
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:04, on 2007-11-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\BWMeter\BWMeter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE CANYON CN-WCAM23 PC-Camera
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D40172D2-3A7A-484C-BCB3-1CB62BA0E8D7}: NameServer = 213.241.79.37,83.238.255.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 3226 bytes
Gutek
(Gutek)
15 November 2007 20:26
#4
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.