Komputer wolno pracuje, podejrzewam plik rpcc.dll

cześć

Od pewnego czasu komputer bardzo wolno się uruchamia i zamyka, a proces svchost.exe zużywa nadzwyczaj dużo pamięci (56 688 K)

spybot znajduje rpcc.dll, czy to może być robak/wirus ?

prosze o pomoc i załączam log z hijackthis :

Logfile of HijackThis v1.99.1

Scan saved at 13:18:25, on 2006-11-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

E:\instalowane programy\panda\pavsrv51.exe

E:\instalowane programy\panda\AVENGINE.EXE

D:\WINDOWS\system32\svchost.exe

E:\instalowane programy\panda\TPSrv.exe

D:\WINDOWS\system32\svchost.exe

E:\instalowane programy\panda\Firewall\PNMSRV.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\GEARSec.exe

D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

D:\WINDOWS\system32\oodag.exe

E:\instalowane programy\panda\PavFnSvr.exe

D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

E:\instalowane programy\panda\PsImSvc.exe

D:\WINDOWS\Explorer.EXE

E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

D:\WINDOWS\system32\svchost.exe

E:\instalowane programy\panda\apvxdwin.exe

e:\instalowane programy\panda\WebProxy.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\WINDOWS\system32\ctfmon.exe

D:\tomek.R\DVD Decrypter\DVDDecrypter.exe

D:\Program Files\Opera\Opera.exe

D:\WINDOWS\system32\wuauclt.exe

E:\! programy\Trojans & Antyspy\! innego typu\HijackThis\HijackThis.exe

D:\WINDOWS\system32\wuauclt.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc-cillin9.antivirus.com/en/90/PccReg/wcoRegister.asp?SN=PCEO%2D9995%2D2453%2D7412%2D7255&GUID=6C6E6E6B6F6F6E686F6C6C6C6E665E

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [APVXDWIN] "E:\instalowane programy\panda\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7118DE39-DD07-4DDE-B07B-7206B7EFA544}: NameServer = 194.63.133.4,194.63.132.4

O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll

O20 - Winlogon Notify: rpcc - D:\WINDOWS\system32\rpcc.dll

O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe

O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe

O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\instalowane programy\panda\PavFnSvr.exe

Ściągasz GMERA

W zakładke CMD -> CMD wklej:

Klikasz Uruchom

W HJT zaznaczasz wpis i klikasz na dole “Fix checked” :

Po zabiegach nowe logi z HiJacka oraz Silent Runners (zaznaczasz No i czekasz aż skończy pracować w tle). :slight_smile:

dzięki, poradziłam sobie z rpcc.dll :smiley:

a to nowe logi z hijackthis i silent runners :

Logfile of HijackThis v1.99.1

Scan saved at 17:34:55, on 2006-11-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

E:\instalowane programy\panda\pavsrv51.exe

E:\instalowane programy\panda\AVENGINE.EXE

D:\WINDOWS\system32\svchost.exe

E:\instalowane programy\panda\TPSrv.exe

E:\instalowane programy\panda\Firewall\PNMSRV.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\GEARSec.exe

D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

D:\WINDOWS\system32\oodag.exe

E:\instalowane programy\panda\PavFnSvr.exe

D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

E:\instalowane programy\panda\PsImSvc.exe

D:\WINDOWS\Explorer.EXE

E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\SOUNDMAN.EXE

E:\instalowane programy\panda\APVXDWIN.EXE

D:\WINDOWS\system32\ctfmon.exe

e:\instalowane programy\panda\WebProxy.exe

D:\WINDOWS\system32\wuauclt.exe

E:\! programy\Trojans & Antyspy\! innego typu\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc-cillin9.antivirus.com/en/90/PccReg/wcoRegister.asp?SN=PCEO%2D9995%2D2453%2D7412%2D7255&GUID=6C6E6E6B6F6F6E686F6C6C6C6E665E

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [APVXDWIN] "E:\instalowane programy\panda\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7118DE39-DD07-4DDE-B07B-7206B7EFA544}: NameServer = 194.63.133.4,194.63.132.4

O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll

O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe

O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe

O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\instalowane programy\panda\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\instalowane programy\panda\pavsrv51.exe

O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - E:\instalowane programy\panda\Firewall\PNMSRV.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - E:\instalowane programy\panda\PsImSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Software - E:\instalowane programy\panda\TPSrv.exe

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]

"STYLEXP" = "D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"APVXDWIN" = ""E:\instalowane programy\panda\APVXDWIN.EXE" /s" ["Panda Software International"]

"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k"


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{C333CF63-767F-4831-94AC-E683D962C63C}\(Default) = "TGTSoft Explorer Toolbar Changer"

  -> {HKLM...CLSID} = "CoTGT_BHO Class"

                   \InProcServer32\(Default) = "D:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "E:\instalowane programy\panda\ShellTit.DLL" ["Panda Software International"]


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> avldr\DLLName = "avldr.dll" ["Panda Software"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "E:\instalowane programy\panda\ShellTit.DLL" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "E:\instalowane programy\panda\ShellTit.DLL" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\rodzinny\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

e:\instalowane programy\panda\pavlsp.dll ["Panda Software International"], 01 - 03, 15

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


GEARSecurity, GEARSecurity, "D:\WINDOWS\System32\GEARSec.exe" ["GEAR Software"]

Norton Ghost, Norton Ghost, "D:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe" ["Symantec Corporation"]

O&O Defrag, O&O Defrag, "D:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]

Panda anti-virus service, PAVSRV, ""E:\instalowane programy\panda\pavsrv51.exe"" ["Panda Software International"]

Panda Function Service, PAVFNSVR, ""E:\instalowane programy\panda\PavFnSvr.exe"" ["Panda Software International"]

Panda IManager Service, PSIMSVC, ""E:\instalowane programy\panda\PsImSvc.exe"" ["Panda Software"]

Panda Network Manager, PNMSRV, ""E:\instalowane programy\panda\Firewall\PNMSRV.EXE"" ["Panda Software International"]

Panda Process Protection Service, PavPrSrv, ""D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]

Panda TPSrv, TPSrv, ""E:\instalowane programy\panda\TPSrv.exe"" ["Panda Software"]

StarWind iSCSI Service, StarWindService, "E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 57 seconds.

---------- (total run time: 106 seconds)

proszę o komentarz :smiley:

Logi są ok.

Ciachnij kosmetycznie:

Możesz zajrzeć: Optymalizacja i odchudzanie Windowsa XP.