Note: when you paste a log, wrap it in a CODE or QUOTE tag.
Regards, Gutek2222
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Download KillBox, tick Delete on reboot, and paste this path into the "full path of file" box:
C:\WINDOWS\System32\rpcc.dll
Click the red X and restart the computer.
Delete the folders manually in Safe Mode, and the entries with HijackThis.
Megaupload Toolbar is a toolbar of dubious reputation, so I suggest removing it. It collects data about the user and sends it somewhere, nobody knows where.
The standard version of BearShare has junk bundled in it, so I suggest removing it. If you really want to keep using it, install the Lite version, which is free of the junk.
Once that is done, please post a new HijackThis log plus one from Silent Runners.
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Adobe Photo Downloader" = ""C:\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"megauploadtoolbar" = "C:\DOCUME~1\Mach\USTAWI~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
     \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32(Default) = "C:\Program Files\Real\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32(Default) = "C:\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32(Default) = "C:\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\WinRAR\rarext.dll" [null data]
WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\WinRAR\rarext.dll" [null data]
WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\WinRAR\rarext.dll" [null data]
WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32(Default) = "C:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
  {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
   Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
  {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
   Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Windows XP.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Mach\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Mach" & "All Users" startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
     \InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
     \InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
LightScribeService Direct Disc Labeling Service, LightScribeService, "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" ["Hewlett-Packard Company"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Virtual CD v7 Management Service, VC7SecS, "C:\Program Files\HHVcdV7Sys\VC7SecS.exe" ["H+H Software GmbH"]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]

<>: Suspicious data at a malware launch point.

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 1317 seconds, including 6 seconds for message boxes)
Merged post: 01.03.2007 (Thu) 19:14
Sorry admin, but I typed CODE in the log header because I didn't know what it was about, and when I clicked the link that leads to the forum explanation of what it is, the page wouldn't open for me. Cheers
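Added example, not from this thread and not part of the Silent Runners script: a small Python triage helper that applies the same reading of the report that Gutek2222 gives above (the `<>` marker and `[file not found]` on the Winlogon\Notify entry for rpcc.dll, and a RunOnce entry that launches an unattributed binary from a Temp directory) to a constructed excerpt in the report's line format. The sample lines are modelled on the report in this thread; the severity labels and the AUTOSTART_MARKERS list are my own choices for this example, not a classification Silent Runners itself makes.

```python
"""Triage a Silent Runners style report: list the launch-point lines that
deserve a human look. Added example; the rules below are the author's own
reading of the report conventions, not Silent Runners' logic."""
import re
from dataclasses import dataclass

# Registry locations whose entries execute code at boot/logon. A dangling or
# unattributed entry here matters far more than one in a shell-extension list.
AUTOSTART_MARKERS = (
    "\\currentversion\\run",   # Run and RunOnce, HKLM and HKCU
    "winlogon\\notify",        # Winlogon notification DLLs (rpcc.dll in the thread)
    "\\services\\",
)

TAG_RE = re.compile(r"\[([^\[\]]*)\]\s*$")    # trailing [MS], [file not found], ["Vendor"], ...
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\]]+')    # first drive-letter path on the line

# Constructed sample in the report's format (a few lines modelled on the thread).
SAMPLE_REPORT = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"megauploadtoolbar" = "C:\DOCUME~1\Mach\USTAWI~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar"" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
     \InProcServer32(Default) = "C:\WinRAR\rarext.dll" [null data]
'''


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    key: str        # registry key the entry lives under ("" outside registry sections)
    line: str       # the report line as written
    reason: str


def _is_key_line(line: str) -> bool:
    # Key headers start with a hive name and carry no "name = value" assignment.
    return line.startswith(("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")) and " = " not in line


def _is_autostart(key: str) -> bool:
    k = key.lower()
    return any(marker in k for marker in AUTOSTART_MARKERS)


def triage(report: str) -> list:
    """Return one Finding per report line that matches a triage rule."""
    findings = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _is_key_line(line):
            current_key = line.replace(" {++}", "").rstrip("\\")
            continue
        tag_m = TAG_RE.search(line)
        tag = tag_m.group(1).strip().lower() if tag_m else ""
        path_m = PATH_RE.search(line)
        path = path_m.group(0).lower() if path_m else ""

        reasons = []
        # Silent Runners prefixes data it considers suspicious with "<>".
        if line.startswith("<>"):
            reasons.append(("high", "flagged by Silent Runners (<> prefix)"))
        # A launch point whose target is gone is a leftover of something
        # removed incompletely, and a loader will still try to use it.
        if tag == "file not found":
            reasons.append(("high", "launch point refers to a file that no longer exists"))
        if _is_autostart(current_key):
            if tag in ("null data", "empty string"):
                reasons.append(("medium", "autostart entry with no version/company information"))
            if "\\temp\\" in path:
                reasons.append(("medium", "autostart entry launches from a Temp directory"))
        if reasons:
            severity = "high" if any(s == "high" for s, _ in reasons) else "medium"
            findings.append(Finding(severity, current_key, line, "; ".join(r for _, r in reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity.upper()}] {f.key}\n    {f.line}\n    -> {f.reason}")
```

The avgnt and WinRAR lines produce no finding: a signed vendor string under Run, or missing version data under a context-menu handler, is ordinary. The rpcc.dll line scores high on both rules, which is exactly why the advice above targets that entry first.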
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the file you created and confirm >>> restart the computer
Note: when you paste a log, wrap it in a CODE or QUOTE tag - fix it!