Saftis, posted 29 January 2008 (edited)

Got an annoying 60-second shutdown message from the "RPC service" today. I abort it with shutdown -a, but it seems like something might be wrong. I remember this stuff from the Blaster days. I think it all started after I installed CopSSH without setting up anything beyond the default install (ssh server); probably some port scanner or other that has hacked me. Lots of other odd things too: I can't access the XP firewall settings (I get "unknown error"), and I can't install new programs that need registry changes. The virus scan found 2 old trojans that have been sitting on the disk for a couple of years, in program files that have never been run. It should also be said that one of the disks was struggling right before it happened (the system froze for 10 seconds while I heard the disk "boot" again). Any tips? All security patches are installed.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:03:56, on 30.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
G:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\WINDOWS\system32\PnkBstrA.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\MSN Messenger\usnsvc.exe
G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
G:\Program Files\Grisoft\AVG7\avgcc.exe
G:\Program Files\Grisoft\AVG7\avgwb.dat
G:\Program Files\Ventrilo\Ventrilo.exe
G:\Program Files\Opera\Opera.exe
G:\WINDOWS\system32\notepad.exe
G:\utils\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1715567821-1482476501-839522115-1003\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172344127203
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - G:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - G:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Openssh SSHD (copSSHD) - Unknown owner - G:\Program Files\copSSH\bin\cygrunsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - G:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SageTV - SageTV, LLC - G:\Program Files\SageTV\SageTV\SageTVService.exe

--
End of file - 7409 bytes

Combofix log:

ComboFix 08-01-30.1 - Andreas 2008-01-30 2:01:42.1 - NTFSx86
Running from: G:\utils\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 18:57 . 2008-01-29 18:57 <DIR> d-------- G:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-25 20:15 . 2008-01-25 20:15 <DIR> d-------- G:\Program Files\Zebedee
2008-01-18 01:13 . 2008-01-18 01:13 <DIR> d-------- G:\Program Files\uTorrent
2008-01-03 06:55 . 2008-01-03 06:55 <DIR> d-------- G:\Program Files\Sony Ericsson
2008-01-03 06:55 . 2005-06-13 10:05 96,224 --a------ G:\WINDOWS\system32\drivers\w800mdm.sys
2008-01-03 06:55 . 2005-06-13 10:06 87,792 --a------ G:\WINDOWS\system32\drivers\w800mgmt.sys
2008-01-03 06:55 . 2005-06-13 10:08 85,664 --a------ G:\WINDOWS\system32\drivers\w800obex.sys
2008-01-03 06:55 . 2005-06-13 10:03 60,768 --a------ G:\WINDOWS\system32\drivers\w800bus.sys
2008-01-03 06:55 . 2005-06-13 10:05 9,264 --a------ G:\WINDOWS\system32\drivers\w800mdfl.sys
2008-01-03 06:55 . 2005-06-13 10:08 6,144 --a------ G:\WINDOWS\system32\drivers\w800cmnt.sys
2008-01-03 06:55 . 2005-06-13 10:08 6,144 --a------ G:\WINDOWS\system32\drivers\w800cm.sys
2008-01-03 06:55 . 2005-06-13 10:03 5,744 --a------ G:\WINDOWS\system32\drivers\w800whnt.sys
2008-01-03 06:55 . 2005-06-13 10:03 5,744 --a------ G:\WINDOWS\system32\drivers\w800wh.sys
2008-01-02 02:51 . 2008-01-02 02:51 <DIR> d-------- G:\Program Files\Sony
2008-01-02 02:10 . 2008-01-02 02:10 <DIR> d-------- G:\Program Files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 00:11 --------- d-----w G:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 17:59 --------- d-----w G:\Documents and Settings\All Users\Application Data\avg7
2008-01-29 17:57 --------- d-----w G:\Documents and Settings\Andreas\Application Data\AVG7
2008-01-28 22:51 --------- d-----w G:\Documents and Settings\Andreas\Application Data\uTorrent
2008-01-28 20:48 --------- d-----w G:\Program Files\Steam
2008-01-23 14:22 --------- d-----w G:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-17 10:52 --------- d-----w G:\Documents and Settings\Andreas\Application Data\Image Zone Express
2008-01-16 18:08 --------- d-----w G:\Documents and Settings\Andreas\Application Data\iPodder
2008-01-15 04:33 --------- d-----w G:\Program Files\Save
2008-01-05 09:52 --------- d-----w G:\Program Files\mIRC
2007-12-29 17:58 --------- d-----w G:\Program Files\Opera
2007-12-18 20:21 --------- d-----w G:\Program Files\DC++
2007-12-18 19:41 --------- d-----w G:\Documents and Settings\Andreas\Application Data\Ventrilo
2007-12-08 01:46 --------- d-----w G:\Documents and Settings\All Users\Application Data\HP

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="G:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="G:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 11:22 86016 G:\WINDOWS\system32\nvmctray.dll]
"GrooveMonitor"="G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"AVG7_CC"="G:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 18:57 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="G:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 18:57 219136]

G:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - G:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-05-05 11:04:20 6144]

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]
path=G:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk
backup=G:\WINDOWS\pss\CoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=G:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=G:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-01-29 18:57 579072 G:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 23:29 165784 G:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 G:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2005-06-20 04:32 127118 G:\Program Files\CyberLink\PowerCinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 G:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-02 00:22 577536 G:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-30 09:11 1266936 G:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 G:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
--a------ 2006-08-25 13:45 803184 G:\Program Files\Save\Save.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-06-17 17:49:30 G:\WINDOWS\Tasks\shutdown.job"
- G:\Documents and Settings\Andreas\Desktop\shutdown.bat
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 02:03:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 2:05:07

Edited 30 January 2008 by Saftis
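As an added example (not code from the thread or from HijackThis), here is a small Python triage script for the HijackThis log format posted above: it parses the Rn/On entries, skips the header and process list, and flags the lines a reviewer checks first: orphaned entries marked (no file) or (file missing), O23 services listed with "Unknown owner", and autostarts that point into user-writable directories. The sample lines are copied from the posted log, except the last O4 line, which is a constructed test fixture and not from the poster's machine.

```python
import re

# Constructed sample input for this example. All lines except the last are copied
# from the HijackThis log in the post above; the last O4 line is made up solely to
# exercise the "user-writable location" rule and is NOT from the poster's log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
G:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Openssh SSHD (copSSHD) - Unknown owner - G:\Program Files\copSSH\bin\cygrunsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [updater] G:\Documents and Settings\user\Local Settings\Temp\update.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O23 - Service: ...".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Directories a normal service or autostart has no business living in.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


def parse_hjt(text):
    """Return (code, body) for each Rn/Fn/On line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Flag the entries a reviewer checks first. Returns [(code, reason, body), ...]."""
    flagged = []
    for code, body in parse_hjt(text):
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            # Orphaned registration: the target is gone, so it is clutter, not a threat.
            flagged.append((code, "orphaned entry: target file no longer exists", body))
        elif code == "O23" and "- unknown owner -" in low:
            # Service binary carries no vendor info: confirm what it is before trusting it.
            flagged.append((code, "service without vendor info: verify the binary", body))
        elif any(d in low for d in USER_WRITABLE):
            # Autostart pointing into a profile/temp directory: worth a close look.
            flagged.append((code, "autostart from a user-writable location", body))
    return flagged


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {body}")
```

Entries such as PnkBstrA or the CyberLink services in the full log would also be flagged under the "Unknown owner" rule; that is a prompt to verify the binary, not a verdict.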
Zeph, posted 30 January 2008

This thread was posted in the wrong place and has been moved to the correct category.
norbat, posted 30 January 2008

This one is in your 'Tasks' list: G:\WINDOWS\Tasks\shutdown.job. Could it have something to do with that? (file: G:\Documents and Settings\navn\Desktop\shutdown.bat)
Saftis (thread author), posted 30 January 2008

No, that's just something left over from something I tried a long time ago; it's only a job that was set up to run on 16.06, "next run time: never" - "last run time: never".
norbat, posted 30 January 2008

The logs don't show anything special. Was it just a one-off, and is everything running OK now?
Saftis (thread author), posted 31 January 2008

Well... I uninstalled everything from suspicious sources, like the ssh server, other servers, torrent programs etc., and reset the firewall settings. Spybot found nothing either. I'm starting to lean toward a disk error, even though it seems fairly far-fetched that something like that would trigger an RPC call. Maybe it was a combination: a hole in the firewall because of the ssh server opened the way for the RPC shutdown thing, while the disk error made other parts of the system unstable. The machine suddenly slowed to a crawl today; I closed all applications and heard the disk "reboot" with some clicking sounds, and then everything was suddenly back to normal. Strange stuff; I can't be bothered to do anything more about it now, after spending 3 hours on a virus scan and 1 hour on a spyware scan yesterday, as long as it works fine.
Saftis (thread author), posted 5 February 2008 (edited)

Discovered by chance (I was going to download Windows Movie Maker 2) that Windows Update was broken. It turns out that the files for BITS (Background Intelligent Transfer Service, which is used by Windows Update, which I have set to download and install everything by itself) were damaged, and that the service had been disabled since 24 May 2007. In other words, I haven't received security updates since then. So it's a pretty safe bet that something or other has managed to get in in the meantime.

Edit: Downloaded a fresh BITS and ran Windows Update; now it's failing on the .NET Framework patches.

Edit2: After a lot of wrestling I finally managed to uninstall the .NET Frameworks, then reinstall and patch them. The system actually seems more stable now; it doesn't take forever to shut down like before.

Edited 5 February 2008 by Saftis