
Extremely slow computer because of svchost


jen almbage


svchost.exe (username=system) can suddenly, after the computer has been on for an hour or so, use all of the computer's resources, 99% CPU and so on. The whole computer becomes extremely slow. I am attaching a HijackThis log.

 

Does anyone know why this happens?? //Jens

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 13:18:52, on 2006-12-15

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\system\wcdvtray.exe

C:\Program\ALWILS~1\Avast4\ashDisp.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\Java\jre1.5.0_09\bin\jusched.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program\Alwil Software\Avast4\aswUpdSv.exe

C:\Program\Alwil Software\Avast4\ashServ.exe

C:\WINNT\system32\nvsvc32.exe

C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Alwil Software\Avast4\ashMaiSv.exe

C:\Program\Alwil Software\Avast4\ashWebSv.exe

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://10.0.0.6

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://10.0.0.6

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINNT\system32\ejmsqapx.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5214E8CB-3FE8-404D-B8AF-0157D592639d} - C:\WINNT\system32\jilkvtkf.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {FCE6C8CA-FA11-4FCA-B88F-16BC9CE5A888} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [OWCWebCamDV] C:\WINNT\system\wcdvtray.exe

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164645278140

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.132.125.23/activex/AxisCamControl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) - http://www.sonypictures.com/movies/casinoroyale/vividas/player/vivid_ocx.jpeg

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

 

[/log]

 

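Added example, not part of this thread and not a HijackThis feature: a small Python triage script over entries of the kind found in the log above. It flags what a reviewer usually checks first in such a log: O2 BHOs that have no name and point at a DLL no longer on disk, O16 ActiveX downloads from a bare IP address or under a non-code file extension, and O23 services reported as "(file missing)", the last downgraded when the path is a quoted binary followed by arguments, which HijackThis 1.99.x frequently reports as missing even though the file exists. The sample lines are copied from the posted log; the severity levels and rules are the example's own.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis v1.99.1 log posted in this thread
# (a subset, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINNT\system32\ejmsqapx.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5214E8CB-3FE8-404D-B8AF-0157D592639d} - C:\WINNT\system32\jilkvtkf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FCE6C8CA-FA11-4FCA-B88F-16BC9CE5A888} - (no file)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.132.125.23/activex/AxisCamControl.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} (VPlayer Control) - http://www.sonypictures.com/movies/casinoroyale/vividas/player/vivid_ocx.jpeg
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")


def _check_bho(body):
    # "BHO: <name> - {CLSID} - <path> (file missing)" or "... - (no file)"
    parts = body[len("BHO: "):].split(" - ", 2)
    if len(parts) < 3:
        return None
    name, _clsid, path = parts
    missing = path.endswith("(file missing)") or path == "(no file)"
    if name == "(no name)" and missing:
        return "HIGH", "nameless BHO whose DLL is absent: residue of a removed or hidden component"
    if name == "(no name)":
        return "MEDIUM", "BHO with no registered name; identify the DLL before trusting it"
    return None


def _check_dpf(body):
    m = URL_RE.search(body)
    if not m:
        return None
    url = urlparse(m.group(0))
    try:
        ipaddress.ip_address(url.hostname or "")
        return "MEDIUM", "ActiveX control downloaded from a bare IP address"
    except ValueError:
        pass
    if not url.path.lower().endswith((".cab", ".ocx", ".dll")):
        return "MEDIUM", "ActiveX control served under a non-code file extension"
    return None


def _check_service(body):
    if "(file missing)" not in body:
        return None
    if re.search(r'\.exe"\s+\S', body):
        # HijackThis 1.99.x frequently reports a quoted path with arguments as
        # missing while the binary is present; still verify it on disk.
        return "LOW", "quoted service path with arguments; likely a HijackThis parsing quirk, verify the binary exists"
    return "HIGH", "service whose binary is missing"


CHECKS = {"O2": _check_bho, "O16": _check_dpf, "O23": _check_service}


def triage(log_text):
    """Return findings (level, section, reason, line) for a HijackThis log, HIGH first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        check = CHECKS.get(section)
        if check is None:
            continue
        result = check(body)
        if result:
            level, reason = result
            findings.append({"level": level, "section": section, "reason": reason, "line": raw.strip()})
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: order[f["level"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['level']}] {f['section']}: {f['reason']}\n    {f['line']}")
```

The rules are deliberately narrow: they only raise entries a human should look at next (the nameless BHOs with randomly named DLLs, ActiveX controls fetched from odd locations), and they do not decide anything is malicious.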

I don't see anything nasty in the log, at any rate. Does any other program, such as an online scan or an anti-spyware program, find anything?

 


I scanned the computer with avast, Ad-Aware and Kaspersky's online scan. Kaspersky found a virus.

 

 

Kaspersky's log

[log]-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Friday, December 15, 2006 2:30:28 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 15/12/2006

Kaspersky Anti-Virus database records: 236861

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - Critical Areas:

C:\WINNT

C:\DOCUME~1\JENS~1\LOKALA~1\Temp

Scan Statistics:

Total number of scanned objects: 18905

Number of viruses found: 1

Number of infected objects: 1 / 0

Number of suspicious objects: 0

Duration of the scan process: 00:14:28

 

Infected Object Name / Virus Name / Last Action

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Internet Logs\JENS.ldb Object is locked skipped

C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\system.LOG Object is locked skipped

C:\WINNT\system32\drivers\dtscsi.sys Object is locked skipped

C:\WINNT\system32\drivers\sptd.sys Object is locked skipped

C:\WINNT\system32\drivers\sptd5693.sys Object is locked skipped

C:\WINNT\system32\h323log.txt Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINNT\Temp\Perflib_Perfdata_2f4.dat Object is locked skipped

C:\WINNT\Temp\ZLT01643.TMP Object is locked skipped

C:\WINNT\Temp\ZLT04502.TMP Object is locked skipped

C:\WINNT\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINNT\wiadebug.log Object is locked skipped

C:\WINNT\wiaservc.log Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\JENS~1\LOKALA~1\Temp\hsperfdata_Jens Almbage\2920 Object is locked skipped

C:\DOCUME~1\JENS~1\LOKALA~1\Temp\Perflib_Perfdata_750.dat Object is locked skipped

C:\DOCUME~1\JENS~1\LOKALA~1\Temp\winsyst32.exe Infected: Trojan-Clicker.Win32.Costrat.y skipped

 

Scan process completed.[/log]

 


C:\DOCUME~1\JENS~1\LOKALA~1\Temp\winsyst32.exe Infected: Trojan-Clicker.Win32.Costrat.y skipped

See whether it is enough to empty this folder in Safe Mode:

C:\DOCUME~1\JENS~1\LOKALA~1\Temp

where ~1 stands for a number of arbitrary characters.

Then, after a while in normal mode, check whether it has come back.

 

We'll check with this program too:

Download SDFix to the Desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and a new folder is created, C:\SDFix.

 

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Open the new folder C:\SDFix and double-click RunThis.bat to start the program.

Press Y to continue.

It works for a while, and when it is done a question comes up asking whether you want to restart the computer.

Press any key to start the reboot.

The computer will take a long time to start up because the program will run and fix a lot of things.

When it is done, Finished is displayed.

Press any key to close the program.

 

Open the SDFix folder and open the file Report.txt in Notepad.

Paste the contents of the file into your reply here.

 

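Added example, not from the post above: before the Temp folder is emptied, an inventory of the executables in it keeps the evidence (hash, size, timestamp) that a later scan result, such as the winsyst32.exe line Kaspersky reported, can be matched against. The script identifies PE images by their MZ header rather than by extension, so an executable parked behind a .tmp name is listed as well, and it skips files that are locked, as several were in the scan above. The directory and file contents are constructed stubs; only the file name winsyst32.exe is taken from the thread.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def is_pe(path):
    """True if the file starts with the MZ signature of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(temp_dir):
    """Record every PE image under temp_dir (detected by header, not extension)."""
    records = []
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if not is_pe(path):
                    continue
                st = os.stat(path)
                records.append({
                    "name": name,
                    "path": path,
                    "size": st.st_size,
                    "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
                    "sha256": sha256_of(path),
                    # an executable behind a non-code extension deserves a closer look
                    "disguised": not name.lower().endswith(CODE_EXTENSIONS),
                })
            except OSError:
                # locked by another process or already gone; skip, as the scanner did
                continue
    return sorted(records, key=lambda r: r["path"])


def make_sample_temp():
    """Constructed sample directory: two MZ-headed stub files (one named like the
    file Kaspersky reported, one behind a .tmp name) and a plain text file.
    The contents are stubs, not the real trojan."""
    d = tempfile.mkdtemp(prefix="temp-triage-")
    with open(os.path.join(d, "winsyst32.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62 + b"PE\0\0")
    with open(os.path.join(d, "~DF3A1B.tmp"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 126)
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, not an executable\n")
    return d


if __name__ == "__main__":
    sample = make_sample_temp()
    for rec in inventory(sample):
        flag = " (disguised)" if rec["disguised"] else ""
        print(f"{rec['sha256'][:16]}...  {rec['size']:>6}  {rec['mtime_utc']}  {rec['path']}{flag}")
```

Run it against the real folder (inventory(r"C:\DOCUME~1\JENS~1\LOKALA~1\Temp") on the machine in question) and keep the output before deleting anything; the hashes are what you would hand to an online scanner or compare against a later re-infection.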

I removed the winsyst32.exe file, but unfortunately that did not fix the problem.

SDFix Report[log]

SDFix: Version 1.48

****************

 

2006-12-16 - 16:59:04,59

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Stage One - Safe Mode

 

Checking For Trojan Services...

 

Service Name:

 

 

File Path:

 

 

 

Starting Registry Repairs...

 

Restoring Default Hosts File...

 

Stage One Complete

 

Rebooting...

 

Stage Two - Normal Mode

 

Checking For Malware:

--------------------

 

 

Backing Up and Removing any Files Found...

 

Alternate Stream Check:

 

C:\WINNT\system32

No streams found.

Final Check:

 

Services:

---------

 

Rootkit pe386 Present!

 

Authorized Applications Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"C:\\Program\\iTunes\\iTunes.exe"="C:\\Program\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program\\IM\\IM.exe"="C:\\Program\\IM\\IM.exe:*:Enabled:IM"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe:*:Enabled:Beyond TV Registration Service"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe:*:Enabled:Beyond TV Web Service Proxy"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe:*:Enabled:Beyond TV Library Service"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe:*:Enabled:Beyond TV Network Service"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe:*:Enabled:Beyond TV Recording Engine"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe:*:Enabled:Beyond TV Guide Data Loader"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe:*:Enabled:Beyond TV Settings Service"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe:*:Enabled:Beyond TV Task Manager Service"

"C:\\Program\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"="C:\\Program\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe:*:Enabled:Beyond TV ViewScape"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

 

Files:

------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Checking for files with Hidden Attributes:

 

C:\WINNT\system32\cdplayer.exe.manifest

C:\WINNT\system32\logonui.exe.manifest

C:\IO.SYS

C:\MSDOS.SYS

C:\pagefile.sys

 

FINISHED![/log]

 

// Jens

 

[post edited 2006-12-16 17:34:21 by jen almbage]


Download Gmer to the Desktop from this page: http://www.gmer.net/

Unzip the file to the Desktop.

Start - Programs - Command Prompt

Type the following:

cd Skrivbord
gmer -del service pe386

Write down whatever comes up, if anything, in your reply here.

Then type:

exit

then a new log from SDFix

 

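Added example, not from the post and not gmer's or SDFix's method: the idea behind a finding like "Rootkit pe386 Present!" is a cross-view comparison, here between what the Services registry key lists and what the Service Control Manager reports. hidden_services() is the pure comparison; the two collect_*() functions gather live views on Windows (winreg and sc query) and are not exercised in the offline run. The sample views are constructed: the Type values, and pe386's Type and missing ImagePath, are assumptions, not values from the thread. A driver that also filters registry enumeration, or a key written after boot without a CreateService call, makes this user-mode comparison inconclusive either way, which is why tools like gmer compare against lower-level views.

```python
import subprocess
import sys

# Windows service Type values (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Type):
# 0x1 kernel driver, 0x2 file-system driver, 0x10 own process, 0x20 shared
# process; 0x100 is OR'ed in for interactive services.
SERVICE_TYPES = {0x1, 0x2, 0x10, 0x20, 0x110, 0x120}


def hidden_services(registry_view, scm_view):
    """Names the Services registry key lists as a service or driver but the
    Service Control Manager does not report.

    registry_view: {name: {"Type": int or None, "ImagePath": str or None}}
    scm_view: iterable of service names as reported by the SCM
    """
    visible = {name.lower() for name in scm_view}
    return sorted(
        name for name, values in registry_view.items()
        if values.get("Type") in SERVICE_TYPES and name.lower() not in visible
    )


def collect_registry_view():
    """Live registry view (Windows only): enumerate the Services key."""
    import winreg  # only importable on Windows
    view = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as services:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(services, i)
            except OSError:
                break  # no more subkeys
            i += 1
            entry = {"Type": None, "ImagePath": None}
            with winreg.OpenKey(services, name) as key:
                for value in ("Type", "ImagePath"):
                    try:
                        entry[value] = winreg.QueryValueEx(key, value)[0]
                    except OSError:
                        pass  # value absent on this key
            view[name] = entry
    return view


def collect_scm_view():
    """Live SCM view (Windows only): every service and driver `sc query` reports."""
    out = subprocess.run(
        ["sc", "query", "type=", "all", "state=", "all"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout
    return {line.split(":", 1)[1].strip() for line in out.splitlines() if line.startswith("SERVICE_NAME:")}


# Constructed sample views for an offline run. Service names come from the
# HijackThis log (vsmon, NVSvc, aswUpdSv) and the SDFix report (pe386) in this
# thread; the Type values are assumed, and pe386's ImagePath is unknown.
SAMPLE_REGISTRY = {
    "vsmon": {"Type": 0x10, "ImagePath": r"C:\WINNT\system32\ZoneLabs\vsmon.exe"},
    "NVSvc": {"Type": 0x10, "ImagePath": r"C:\WINNT\system32\nvsvc32.exe"},
    "aswUpdSv": {"Type": 0x10, "ImagePath": r"C:\Program\Alwil Software\Avast4\aswUpdSv.exe"},
    "pe386": {"Type": 0x1, "ImagePath": None},
    "Eventlog": {"Type": 0x20, "ImagePath": None},
    "{SomeLegacyKey}": {"Type": None, "ImagePath": None},  # not a service: no Type value
}
SAMPLE_SCM = {"vsmon", "NVSvc", "aswUpdSv", "Eventlog"}


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        hidden = hidden_services(collect_registry_view(), collect_scm_view())
    else:
        hidden = hidden_services(SAMPLE_REGISTRY, SAMPLE_SCM)
    for name in hidden:
        print("registry lists a service the SCM does not report:", name)
```

Anything this reports is a candidate for a closer look, not a verdict: confirm with a tool that reads below the API layer (gmer, or an offline scan of the hive) before deleting a service, since a legitimate installer that registers a driver for the next boot produces the same discrepancy.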
