SEGURIDAD INFORMATICA, Firewall, parches, vacunas, antivirus, anti troyanos, spyware etc > Seguridad Informatica - Firewall - Virus - Troyanos - Spyware - Ad Aware - Malware
EXPLORER.EXE pide conexion saliente (SOLUCIONADO)
Mr_X:
¿Desinstalaste el Panda y/o el McAfee?
Saca un log del Autoruns (clic)...
BATWB:
Ahí va el log de autoruns:
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ nod32kui NOD32 Control Center GUI (Not verified) Eset c:\archivos de programa\eset\nod32kui.exe
+ nwiz File not found: nwiz.exe
+ Outpost Firewall Outpost Firewall main module (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\outpost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
C:\Documents and Settings\TONVER\Menú Inicio\Programas\Inicio
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ cetihpz HPCETIUI Protocol Handler Module (Not verified) Hewlett-Packard Company c:\archivos de programa\hp\hpcoretech\comp\hpuiprot.dll
+ ms-itss Microsoft® InfoTech Storage System Library (Not verified) Microsoft Corporation c:\archivos de programa\archivos comunes\microsoft shared\information retrieval\msitss.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ n/a c:\archivos de programa\windowsloader\windowsload.exe
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ AlcoholShellEx AXShlEx.dll (Verified) Alcohol Soft Code Signing Services c:\archivos de programa\alcohol soft\alcohol 120\axshlex.dll
+ Desktop Explorer NVIDIA Desktop Explorer, Version 66.93 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 66.93 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Extensión de paneo de pantalla del Panel de control File not found: deskpan.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ NOD32 Context Menu Shell Extension c:\archivos de programa\eset\nodshex.dll
+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 66.93 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Not verified) RealNetworks, Inc. c:\archivos de programa\real\realplayer\rpshell.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ WinRAR shell extension c:\archivos de programa\winrar\rarext.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\archivos de programa\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Reader Link Helper Adobe Acrobat IE Helper Version 7.0 for ActiveX (Verified) Adobe Systems, Incorporated c:\archivos de programa\adobe\acrobat 7.0\activex\acroiehelper.dll
+ VGOIEHelper Class 21CN VGO ????? IE?? (Verified) 21CN Corporation Limited c:\archivos de programa\21cn\vgo\vgoiebho.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Uninstall BitDefender Online Scanner v8 c:\windows\bdoscandel.exe
Task Scheduler
HKLM\System\CurrentControlSet\Services
+ NOD32krn NOD32 Kernel Service (Not verified) Eset c:\archivos de programa\eset\nod32krn.exe
+ NVSvc Provides system and desktop level support to the NVIDIA display driver File not found: C:\WINDOWS\System32\nvsvc32.exe
+ OutpostFirewall Outpost Firewall main module (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\outpost.exe
+ PDSched PDSched Module (Not verified) Raxco Software, Inc. c:\archivos de programa\raxco\perfectdisk\pdsched.exe
+ StarWindService Enables network access to local devices via iSCSI protocol. (Not verified) Rocket Division Software c:\archivos de programa\alcohol soft\alcohol 120\starwind\starwindservice.exe
HKLM\System\CurrentControlSet\Services
+ ADBLOCK.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\adblock.dll
+ ADILOADER File not found: System32\Drivers\adildr.sys
+ adiusbaw File not found: system32\DRIVERS\adiusbaw.sys
+ AMON Amon monitor (Not verified) Eset c:\windows\system32\drivers\amon.sys
+ ARP.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\arp.dll
+ ComFiltr File not found: C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
+ CONTENT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\content.dll
+ DNSCACHE.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\dnscache.dll
+ ElbyCDFL ElbyCDIO Filter Driver (Not verified) SlySoft, Inc. c:\windows\system32\drivers\elbycdfl.sys
+ ElbyCDIO ElbyCD Windows NT/2000/XP I/O driver (Not verified) Elaborate Bytes AG c:\windows\system32\drivers\elbycdio.sys
+ FTPFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\ftpfilt.dll
+ HTMLFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\htmlfilt.dll
+ HTTPFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\httpfilt.dll
+ HWIONT Hwiont (Not verified) The freeware company c:\archivos de programa\canal plus plus\moretv\hwiont.sys
+ IMAPFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\imapfilt.dll
+ MAILFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\mailfilt.dll
+ NNTPFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\nntpfilt.dll
+ pctvNT PCTV WDM Driver for Win2K (Not verified) Pinnacle Systems c:\windows\system32\drivers\pctvw2k.sys
+ pfc Padus(R) ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ POP3FILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\pop3filt.dll
+ PROTECT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\protect.dll
+ SandBox SandBox File System Access Control by Process Manager (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\sandbox.sys
+ SECRET.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\secret.dll
+ SOCKFILT.DLL Outpost Firewall kernel mode plugin (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\sockfilt.dll
+ sptd c:\windows\system32\drivers\sptd.sys
+ TESTCAP PCTV NT Audio Driver (Not verified) Pinnacle Systems c:\windows\system32\drivers\pctvaud.sys
+ TSP File not found: C:\WINDOWS\system32\drivers\klif.sys
+ USBSHGX SHARP GX series USB Driver (Not verified) SHARP c:\windows\system32\drivers\usbgx_2.sys
+ vaxscsi c:\windows\system32\drivers\vaxscsi.sys
+ VFILT Virtual Firewall driver (Not verified) Agnitum Ltd. c:\archivos de programa\agnitum\outpost firewall\kernel\filtnt.sys
+ vulfnths VIA USB Host Controller Lower Filter Driver (Not verified) VIA Technologies, Inc. c:\windows\system32\drivers\vulfnth.sys
+ vulfntrs VIA USB Roothub Lower Filter Driver (Not verified) VIA Technologies, Inc. c:\windows\system32\drivers\vulfntr.sys
+ ZD1201U(ZyXEL) File not found: system32\DRIVERS\zd1201u.sys
+ ZDNDIS5 File not found: C:\WINDOWS\system32\ZDNDIS5.SYS
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ PDBoot.exe PerfectDisk Boot Time Defragmentation (Not verified) Raxco Software, Inc. c:\windows\system32\pdboot.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Command Processor\Autorun
HKCU\Software\Microsoft\Command Processor\Autorun
HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImageName
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ NOD32 NOD32 IMON - Internet scanning support (Not verified) Eset c:\windows\system32\imon.dll
+ NOD32 protected [MSAFD Tcpip [RAW/IP]] NOD32 IMON - Internet scanning support (Not verified) Eset c:\windows\system32\imon.dll
+ NOD32 protected [MSAFD Tcpip [TCP/IP]] NOD32 IMON - Internet scanning support (Not verified) Eset c:\windows\system32\imon.dll
+ NOD32 protected [MSAFD Tcpip [UDP/IP]] NOD32 IMON - Internet scanning support (Not verified) Eset c:\windows\system32\imon.dll
+ NOD32 protected [RSVP TCP Service Provider] NOD32 IMON - Internet scanning support (Not verified) Eset c:\windows\system32\imon.dll
+ NOD32 protected [RSVP UDP Service Provider] NOD32 IMON - Internet scanning support (Not verified) Eset c:\windows\system32\imon.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
Una pregunta como puedo saber que archivo es el que da la orden de conectar el proceso explorer.exe por el puerto 2000? :panic:
Mr_X:
Haz una copia de seguridad del registro usando el ERUNT; deshabilita el 'Restaurar el sistema'; reinicia en MODO SEGURO, ejecuta el Autoruns, selecciona las siguientes entradas con el botón derecho y dale a 'Delete':
--- Código: ---+ n/a c:\archivos de programa\windowsloader\windowsload.exe
+ VGOIEHelper Class 21CN VGO ????? IE?? (Verified) 21CN Corporation Limited c:\archivos de programa\21cn\vgo\vgoiebho.dll
+ ADILOADER File not found: System32\Drivers\adildr.sys
+ adiusbaw File not found: system32\DRIVERS\adiusbaw.sys
+ ComFiltr File not found: C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
+ TSP File not found: C:\WINDOWS\system32\drivers\klif.sys
+ ZD1201U(ZyXEL) File not found: system32\DRIVERS\zd1201u.sys
+ ZDNDIS5 File not found: C:\WINDOWS\system32\ZDNDIS5.SYS
--- Fin del código ---
Reinicia normal, actualiza el NOD32 y pásalo reiniciando en MODO SEGURO... Saca nuevos logs del HijackThis y el Autoruns...
--- Cita de: BATWB en 15 de Diciembre de 2006, 07:41:28 pm ---Una pregunta como puedo saber que archivo es el que da la orden de conectar el proceso explorer.exe por el puerto 2000? :panic:
--- Fin de la cita ---
Baja el ProcessExplorer y el TCPView para que 'monitorices' los procesos y conexiones que tienes en la máquina...
BATWB:
POR FIN, he conseguido eliminar el maldito bicho de mi pc! ya lo dicen con paciencia y saliba... :-6
Ha desaparecido la conexión por el puerto remoto 2000 y el ordenador vuelve a funcionar como antaño. :-D
Hize lo que me dijiste Mr x, elimié las entradas con el autoruns y pase el NOD a pueba de fallos, de esta manera y después de reiniciar desapareció el problema que me llegaba a ralentizar mi ordenador.
Comento que tb eliminé el wininit.ini con este contenido:
[RENAME]
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp\uninstall.exe
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp\uninstall.ini
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp\uninstall.exe
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp\uninstall.ini
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp1\uninstall.exe
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp1\uninstall.ini
NUL=C:\DOCUME~1\TONVER\CONFIG~1\Temp\nstmp1
Ya me direis si restauro el archivo o lo elimino de la papelera definitivamente.
Muchas gracias por vuestra inestimable ayuda sin la cual no hubiera sido posible la muerte del jodido bicho,
Salu2
destroyer:
Gracias por comentarlo amigo, damos pues el tema por solucionado.
Un saludo
Navegación
[*] Página Anterior
Ir a la versión completa