Svchost.exe Denial of service

Meee · 20 Listopad 2006 19:04

Hmm cos ciekawego, od dzisiaj moj komp strasznie sie spowolnil a lacze takze posiadam 5 procesow svchost.exe jeden to svcchost.exe, jednak svchost posiadam tylko w system32 niewiem czy jest to plik zarazony. Znalazlem w nim:

Logoff User

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Logon User Name

This program cannot be run in DOS mode.

wRwiawjwxyw Pwzw

_t 3PMQPPuSh

V39s WuVVjh

Internet Explorer

0/Welcome Finished

Days between clean up

Last used time

Software\Microsoft\Windows NT\CurrentVersion

Desktop More Programs Pane

Desktop User Pane

Software\Microsoft\Windows NT\CurrentVersion\Windows

Software\Microsoft\Windows\Internet Settings

Enable Balloon Tip

PProxy Desktop

Icon Cleanup Time

Control Panel\Appearance

Control Panel\Desktop\WindowMetrics

Software\Microsoft\Active Setup\Installed Components\InitiallyClear

Default Taskbar

SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz

SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel

\Microsoft Office\Office10\OUTLOOK.EXE

Shell Startup

Control Panel\Desktop\ResourceLocale

nusrmgr.cpl ,initialTask

t9x uWuj

Lfy uEhc

RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

2N2SjP TaskbarVert

explorer.exe /e,

Microsoft\Internet Explorer\Quick Launch

Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu

FShell Object Offsets

\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk

\Start Menu\Programs\Accessories\Windows Movie Maker.lnk

\Start Menu\Programs\Accessories\Tour Windows XP.lnk

\Start Menu\Programs\Windows Messenger.lnk

\Start Menu\Programs\Windows Media Player.lnk

\Start Menu\Programs\MSN Explorer.lnk

\Start Menu\Programs\Get Online with MSN.lnk

\Start Menu\Programs\Get Going with Tablet PC.lnk

\Start Menu\Set Program Access and Defaults.lnk

\Start Menu\Programs\Windows Journal.lnk

\Start Menu\Programs\Accessories\Media Center\Media Center.lnk

\Start Menu\Programs\Internet Explorer.lnk

Set Program Access and Defaults.lnk

CoFreeUnusedLibraries RegisterDragDrop

Dodatek Service Pack. 1

sk Manager\TaskMan.exe

\Documents and Settings\All Users\Menu Start\Programy\Sunbelt Software\Personal Firewall\Start Firewall.lnk

qo xc

ykT4jO ad00

Zabezpieczenia systemu Windows…

czenia sieciowe

Drukarki i faksy

Pasek zadaD i

menu Start

Mysle ze to takze jest keylogger a tutaj reszta:

Synchronizuj

Urucho

c i obsBuga techniczna

Pomo

Wyszukaj

sterowania

Panel

Ustawienia

Puste

Dokumenty

Puste

bione

Puste

Programy

Iipw

wqmhhUAix

FFiqrwpFFd

yaag

yuqob

fimqrx

urpih6

Iiipqu

xwqoigTA3

iioq

urqmihggA

yurqoiihhUp

rporrx

\yOme

hilka

711EEOPUTkkgifhZ

valkmnrd

bgcehj

nB_oddmqaa

aumm\hhp

nllollkj

OPXYccjjfe

ojsy

eca_rnW.

2khlbmuwxRP6

NDsrqol

KCigea

9srqoZE

wytsrqnlifc

7a_2jrqnlifc

/kjigb\B

zywtrqnmjhfa

zywtrqnmjhfa\ZXVM

zxwtrqnmjhfa\ZXVQTOLF

zxutrqnmjhfa\ZXVQTOLFEC

jhfa\B,

\ZXHoutrqnmjhfa\ZXVQTOLFEC

VQQUNqnmjhfa\ZXVQTOLFEC

UOL.jhfa\ZXVQTOLFEC

SvaZ

I5bgiz

Wf,og

kDqFsJuKvJuFsDqGn

pRWeYJaTfCnWmFtT

JKQtilo

OJKQfillpo

pRWeYJaTfCnWmFtT

olit

MQoo

MMzoo

JKMMilloo

JKMMQtilloo

JJKMMfiilloo

HJJKMMiijzl

66HJJKMMtifxixtfw

pRWeYJaTfCnWmFtT

YYYtpie

wwwuphc

/hoB

UetiXQSYVNU

uiim

Uooqkezs

6UUqqinvYoww

6UiinVXZdwaf

88VVWXZEFajj

8WWXYD4GJef

ssvrniqqU6

ossWViiU6

ddoZYXWVV88

iahMVr9m

Auqqptoxslh

ZpromP

Rnoj

xywe

xuywd

xuyphC

vsuqwptd

2OQQtponquxvzvxqpttd7

PPPtrxvmsuoeC

ojmms

oilml1

ffill6

ZattB

PLKGFeDcbb\

RQO3KJGFEeb

QO3KJGFEeDDstb

O3KJGFEeDDdb

cceccYY

oqkIJyVYf

snidvTW.9

Oraalow

daab

uxttc

kivhgkk

eeeii

FFkRReJJO661

rtgil7

osZlo7

cejacG

biih

pppo

u1nhffVT

ooogV1

uqhff2WV

juquq

hffa

fffa

CHUZZXY2_c/Q_0a

777Ga.P1WZZXYi

uqgq

uqqVnvviaV2N\

uuqqmk2h0V1M\

hmqqmmkk2ar

I7POYhXQdSuJ

YmZ_s_AssiyxPaSzMeV.hA

SL8UZ,bo2\e

sskZagsa

vvaM71…5BWaks

kUZva___g_g_g_g_g_g_ggmgmgg__gmmnssyzszssyyzz

gUZaaBVV_____m_m__g__g__g__gg__

spgkW7IMUat

vvkaZURQMWa

ktta

bbcemgk

ygvaZaZSt

bcemggk

Flood…

RegEnumKeyExW

RegSetValueExW

RegCreateKeyExW

RegQueryValueExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumValueW

RegDeleteValueW

RegCreateKeyW

RegCloseKey

RegQueryValueW

RegOpenKeyExA

RegQueryValueExA

RegNotifyChangeKeyValue

RegEnumKeyW

RegSetValueW

_except_handler3

_ftol

_itow

free

memmove

realloc

I pelno innych… Prosze o porady, posiadam nod32 ale on nic niewykryl oraz Windows XP+ KPF ~150polaczen wychodzacych z niego do microsoft-ds

Bieniol · 20 Listopad 2006 19:25

Wrzuć zestaw logów - HijackThis + Silent Runners

Meee · 20 Listopad 2006 20:53

Logfile of HijackThis v1.99.1 Scan saved at 20:42:22, on 2006-11-20 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\svcchost.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe C:\PROGRA~1\NEOSTR~1\ComComp.exe C:\PROGRA~1\NEOSTR~1\Watch.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Documents and Settings\Edziu\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.twikibar.com/searchie.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe” O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [msvcc25] svcchost.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip…{5DB89B74-CFC6-4151-B3D1-B8123C19E2AA}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Te drugie niedlugo dam

Złączono Posta : 20.11.2006 (Pon) 22:04

FATAL ERROR!

“Silent Runners” cannot use WMI to identify the operating system.

This is caused by corruption of the WMI installation.

WMI is complex and it is recommended that you use a Microsoft

tool, “WMIDiag.vbs,” to diagnose WMI on your system.

It can be downloaded here:

http://go.microsoft.com/fwlink/?LinkId=62562

error chyba niebede sciagac tego pliku gdy strona microsoftu wlacza mi sie z 2min, transfer mam 3kb/s przez tego DoS’a

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Pozdrawiam Gutek2222

Gutek · 20 Listopad 2006 21:04

użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

usuń wpisy HJT, a plik ręcznie w trybie awaryjnym

Meee · 20 Listopad 2006 21:24

W tym problem ze ten plik tworzy mi sie kilka sek po polaczeniu do netu sproboje zamknac port 445 z tego co przeczytalem w tym procesie, to ze atak idzie na 445 nieiwem czy dobrze napisalem ^^ dobra wiadomosc to, to, ze mozna ten proces zabic recznie i juz sie niepojawia

Gutek · 20 Listopad 2006 21:28

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżkę

C:\WINDOWS\System32\svcchost.exe

i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

Meee · 20 Listopad 2006 21:38

Dziekuje, teraz rozumiem

Gutek · 20 Listopad 2006 21:46

Daj nowe logi

Meee · 21 Listopad 2006 14:42

Logfile of HijackThis v1.99.1 Scan saved at 15:44:23, on 2006-11-21 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Eset\nod32krn.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe C:\PROGRA~1\NEOSTR~1\ComComp.exe C:\PROGRA~1\NEOSTR~1\Watch.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Documents and Settings\Edziu\Pulpit\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.twikibar.com/searchie.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe” O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip…{5DB89B74-CFC6-4151-B3D1-B8123C19E2AA}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Bieniol · 21 Listopad 2006 15:20

Usuń Hijackiem te wpisy:

Poza tym już czysto

Meee · 21 Listopad 2006 18:50

Ok, dzieki ;D