persef
(Persef Ona)
#1
hi
For some time now my computer has been starting up and shutting down very slowly, and the svchost.exe process is using an unusually large amount of memory (56 688 K).
Spybot finds rpcc.dll, could this be a worm/virus?
Please help, I'm attaching a HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 13:18:25, on 2006-11-26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
E:\instalowane programy\panda\pavsrv51.exe
E:\instalowane programy\panda\AVENGINE.EXE
D:\WINDOWS\system32\svchost.exe
E:\instalowane programy\panda\TPSrv.exe
D:\WINDOWS\system32\svchost.exe
E:\instalowane programy\panda\Firewall\PNMSRV.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\GEARSec.exe
D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
D:\WINDOWS\system32\oodag.exe
E:\instalowane programy\panda\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
E:\instalowane programy\panda\PsImSvc.exe
D:\WINDOWS\Explorer.EXE
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\svchost.exe
E:\instalowane programy\panda\apvxdwin.exe
e:\instalowane programy\panda\WebProxy.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\tomek.R\DVD Decrypter\DVDDecrypter.exe
D:\Program Files\Opera\Opera.exe
D:\WINDOWS\system32\wuauclt.exe
E:\! programy\Trojans & Antyspy\! innego typu\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc-cillin9.antivirus.com/en/90/PccReg/wcoRegister.asp?SN=PCEO%2D9995%2D2453%2D7412%2D7255&GUID=6C6E6E6B6F6F6E686F6C6C6C6E665E
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "E:\instalowane programy\panda\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7118DE39-DD07-4DDE-B07B-7206B7EFA544}: NameServer = 194.63.133.4,194.63.132.4
O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: rpcc - D:\WINDOWS\system32\rpcc.dll
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\instalowane programy\panda\PavFnSvr.exe
Joan
(Joan Sunshine)
#2
Download GMER.
In the CMD tab -> CMD paste:
Click Run.
In HJT check the entry and click "Fix checked" at the bottom:
After that, post new logs from HijackThis and Silent Runners (select No and wait until it finishes working in the background).
persef
(Persef Ona)
#3
thanks, I dealt with rpcc.dll
and here are the new logs from HijackThis and Silent Runners:
Logfile of HijackThis v1.99.1
Scan saved at 17:34:55, on 2006-11-26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
E:\instalowane programy\panda\pavsrv51.exe
E:\instalowane programy\panda\AVENGINE.EXE
D:\WINDOWS\system32\svchost.exe
E:\instalowane programy\panda\TPSrv.exe
E:\instalowane programy\panda\Firewall\PNMSRV.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\GEARSec.exe
D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
D:\WINDOWS\system32\oodag.exe
E:\instalowane programy\panda\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
E:\instalowane programy\panda\PsImSvc.exe
D:\WINDOWS\Explorer.EXE
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SOUNDMAN.EXE
E:\instalowane programy\panda\APVXDWIN.EXE
D:\WINDOWS\system32\ctfmon.exe
e:\instalowane programy\panda\WebProxy.exe
D:\WINDOWS\system32\wuauclt.exe
E:\! programy\Trojans & Antyspy\! innego typu\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc-cillin9.antivirus.com/en/90/PccReg/wcoRegister.asp?SN=PCEO%2D9995%2D2453%2D7412%2D7255&GUID=6C6E6E6B6F6F6E686F6C6C6C6E665E
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "E:\instalowane programy\panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7118DE39-DD07-4DDE-B07B-7206B7EFA544}: NameServer = 194.63.133.4,194.63.132.4
O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\instalowane programy\panda\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\instalowane programy\panda\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - E:\instalowane programy\panda\Firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - E:\instalowane programy\panda\PsImSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - E:\instalowane programy\panda\TPSrv.exe
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"STYLEXP" = "D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"APVXDWIN" = ""E:\instalowane programy\panda\APVXDWIN.EXE" /s" ["Panda Software International"]
"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{C333CF63-767F-4831-94AC-E683D962C63C}\(Default) = "TGTSoft Explorer Toolbar Changer"
-> {HKLM...CLSID} = "CoTGT_BHO Class"
\InProcServer32\(Default) = "D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "E:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "E:\instalowane programy\panda\ShellTit.DLL" ["Panda Software International"]
HKLM\System\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> avldr\DLLName = "avldr.dll" ["Panda Software"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "E:\instalowane programy\panda\ShellTit.DLL" ["Panda Software International"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "E:\instalowane programy\panda\ShellTit.DLL" ["Panda Software International"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\rodzinny\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
e:\instalowane programy\panda\pavlsp.dll ["Panda Software International"], 01 - 03, 15
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
GEARSecurity, GEARSecurity, "D:\WINDOWS\System32\GEARSec.exe" ["GEAR Software"]
Norton Ghost, Norton Ghost, "D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe" ["Symantec Corporation"]
O&O Defrag, O&O Defrag, "D:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
Panda anti-virus service, PAVSRV, ""E:\instalowane programy\panda\pavsrv51.exe"" ["Panda Software International"]
Panda Function Service, PAVFNSVR, ""E:\instalowane programy\panda\PavFnSvr.exe"" ["Panda Software International"]
Panda IManager Service, PSIMSVC, ""E:\instalowane programy\panda\PsImSvc.exe"" ["Panda Software"]
Panda Network Manager, PNMSRV, ""E:\instalowane programy\panda\Firewall\PNMSRV.EXE"" ["Panda Software International"]
Panda Process Protection Service, PavPrSrv, ""D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Panda TPSrv, TPSrv, ""E:\instalowane programy\panda\TPSrv.exe"" ["Panda Software"]
StarWind iSCSI Service, StarWindService, "E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
----------
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 57 seconds.
---------- (total run time: 106 seconds)
please comment
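The two HijackThis logs in this thread differ exactly where the thread says they do: the O20 Winlogon Notify entry for rpcc.dll is gone from the second log, and a KernelFaultCheck Run entry has appeared. The script below is an added example written for this page; it is not code from any post here, nor from HijackThis, GMER or Silent Runners. It parses HijackThis 1.99-style log text, diffs two logs by entry and by running process, and pulls out the launch points a reviewer checks first. Winlogon Notify DLLs (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) are loaded into winlogon.exe at boot, which is why an unattributed DLL there deserves a look whatever its name; O23 services with "Unknown owner" are flagged for the same reason. The embedded LOG_BEFORE and LOG_AFTER strings are short excerpts of the two logs posted above, trimmed to a few lines each; all function names are mine.

```python
"""Diff two HijackThis 1.99.x logs and list the launch points to review first.

Added example for this thread; not code from any post, nor from HijackThis,
GMER or Silent Runners. LOG_BEFORE / LOG_AFTER are short excerpts of the two
logs posted above, trimmed to a few lines each.
"""
import re
from dataclasses import dataclass

# HijackThis entry line: a section code (R0..R3, F0..F3, N1..N4, O1..O24),
# then " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# O20 body: "Winlogon Notify: <name> - <dll path>"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str   # e.g. "O20"
    body: str   # everything after "O20 - "

    def __str__(self) -> str:
        return f"{self.code} - {self.body}"


def parse_log(text: str) -> dict:
    """Split a log into {'processes': set[str], 'entries': set[Entry]}.

    Process paths are lower-cased: Windows paths are case-insensitive and
    HijackThis prints them with whatever case the process table had.
    """
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first R/F/N/O line ends the process list
            entries.add(Entry(m.group("code"), m.group("body")))
        elif in_procs:
            processes.add(line.lower())
    return {"processes": processes, "entries": entries}


def diff_logs(before: str, after: str) -> dict:
    """What disappeared and what appeared between two scans (sorted strings)."""
    b, a = parse_log(before), parse_log(after)
    return {
        "removed_entries": sorted(str(e) for e in b["entries"] - a["entries"]),
        "added_entries": sorted(str(e) for e in a["entries"] - b["entries"]),
        "removed_processes": sorted(b["processes"] - a["processes"]),
        "added_processes": sorted(a["processes"] - b["processes"]),
    }


def winlogon_notify_dlls(entries) -> dict:
    """name -> DLL path for every O20 entry (DLLs loaded into winlogon.exe)."""
    out = {}
    for e in entries:
        if e.code == "O20":
            m = NOTIFY_RE.match(e.body)
            if m:
                out[m.group("name")] = m.group("path")
    return out


def flag_risky(entries) -> list:
    """Entries to look at first: every O20 Winlogon Notify DLL, and every
    O23 service whose binary HijackThis could not attribute to a company."""
    return [e for e in sorted(entries, key=str)
            if e.code == "O20"
            or (e.code == "O23" and " - Unknown owner - " in e.body)]


# Excerpts of the two logs posted in this thread (constructed sample input).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\system32\winlogon.exe
D:\tomek.R\DVD Decrypter\DVDDecrypter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: rpcc - D:\WINDOWS\system32\rpcc.dll
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

if __name__ == "__main__":
    for label, text in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"[{label}] review first:")
        for e in flag_risky(parse_log(text)["entries"]):
            print("   ", e)
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {items}")
```

Run it on the two full logs from the thread and the diff reduces to the rpcc.dll O20 entry leaving, the KernelFaultCheck Run entry arriving, and DVDDecrypter.exe no longer running. The "review first" list is deliberately conservative: it does not try to decide whether avldr.dll or StyleXPService is clean, it only makes sure those two classes of launch point are never skipped when eyeballing a long log.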
adam9870
(adam9870)
#4
The logs are OK.
Trim cosmetically:
You can have a look at: Optymalizacja i odchudzanie Windowsa XP (Optimizing and slimming down Windows XP).