Proszę o sprawdzenie loga

Dla specjalistów Bezpieczeństwo
#1

Witam

Od kilku dni raz na dobę wyżuca mi bład"Trwa zamykanie systemu itd Zamykanie zostało zainicjowane przea ZARZąDZANIE SYSTEMEM NT\SYSTEM

CZAS ZAMKNIęCIA 60s

System Windows musi być zamkniety ponieważ usługa Zdalne wywoływanie procedur (RPC) została nieoczekiwanie przerwana

Oto log

Logfile of HijackThis v1.99.1

Scan saved at 09:03:07, on 2006-08-11

Platform: Windows 2003 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

C:\BHROOT\BIN\NT611SVC.EXE

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Eset\nod32krn.exe

C:\BHROOT\BIN\PORTMAP.EXE

C:\WINDOWS\system32\srvany.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\resetservice.exe

C:\BHROOT\BIN\DBMANG.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\Dfssvc.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\FRITZ!\FriFax32.exe

C:\Program Files\Option\GlobeTrotter Mobility Manager\GlobeTrotter Mobility Manager.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\Option\GlobeTrotter Mobility Manager\VirtualWirelessDevice.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DAKZAM3\DAKzam3.exe

C:\Program Files\Screamer Radio\screamer.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Inter Cars\IC_Katalog\i_cars.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\rdpclip.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\FRITZ!\FriFax32.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Pogoda\pogoda.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\Rar$EX02.313\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcworld.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcworld.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2059D29F-F562-4C93-BE6E-86E5FC61EF11} - C:\WINDOWS\system32\docproq2.dll (file missing)

O2 - BHO: IE 4.x-5.x BHO in ObjectPascal - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\marbit\tools\IEHelper.dll (file missing)

O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - C:\WINDOWS\system32\cgmopenbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {B6DA7E87-BC33-439A-A725-FF7E25BA44AA} - C:\WINDOWS\system32\LTDIS14n.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O4 - HKLM…\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM…\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [MarBitTools] C:\Program Files\marbit\tools\tools.exe 1

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: FRITZ!fax.lnk = C:\Program Files\FRITZ!\FriFax32.exe

O4 - Global Startup: GlobeTrotter Mobility Manager.lnk = C:\Program Files\Option\GlobeTrotter Mobility Manager\GlobeTrotter Mobility Manager.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Download with Internet TOOLS - C:\Program Files\marbit\tools\MBdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl

O17 - HKLM\System\CCS\Services\Tcpip…{7DEB8690-8031-49DA-8D98-D8CECB0CF918}: NameServer = 194.204.152.34,194.204.159.1

O17 - HKLM\System\CCS\Services\Tcpip…{BB925461-4A71-479B-AB2A-939F54F889E6}: NameServer = 212.2.96.51 212.2.96.52

O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

O23 - Service: bh611 - Bell& Howell - C:\BHROOT\BIN\NT611SVC.EXE

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Bell & Howell Database Manager (dbmang) - Bell & Howell - C:\BHROOT\BIN\DBMANG.EXE

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: ONC/RPC Portmapper (portmapper) - Bell & Howell - C:\BHROOT\BIN\PORTMAP.EXE

O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe

O23 - Service: Struktura sterowników trybu użytkownika w systemie Windows (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

czy coś z tym da sie zrobić? Używam WIn 2003 eterprice
#2

Zobacz to: Usuwanie robaka Blaster