
Norton characterized the virus for me as:
The file c:\WINDOWS\system32\wintin.exe is infected with the W32.Sality.U virus.
- Registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wintin" refers to this threat.
Log:
Logfile of HijackThis v1.99.1
Scan saved at 13:03:20, on 2007-03-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\taskmgr.exe
D:\Przegladarki internetowe\Opera\Opera.exe
E:\DOCUME~1\Andrew\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis_199.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 87.239.31.218 gsauth.muonline.co.kr
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wintin] C:\WINDOWS\system32\wintin.exe
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\system32\msconfig.exe /auto
O4 - HKCU\..\Run: [AtiTrayTools] "E:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Uptime-Project] D:\Programy\Uptime-project\client.exe
O4 - Startup: client.lnk = D:\Programy\Uptime-project\client.exe
O4 - Startup: L33TSig.lnk = D:\Programy\L33TSig\L33TSig.exe
O4 - Global Startup: Service Manager.lnk = E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache - Unknown owner - E:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - E:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe