I have a problem with the svchost file!


(Michalrub) #1

I have a problem with the svchost file!! Please check my log:

Logfile of HijackThis v1.99.1

Scan saved at 21:51:07, on 2005-12-31

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\PWN\Definicje\Bin\Starter.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Eset\nod32kui.exe

C:\windows\adtech2006.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\PROGRA~1\COMMON~1\rwqz\rwqzm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\FlashGet\flashget.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\MICHA~1\USTAWI~1\Temp\Rar$EX00.219\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll (file missing)

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe

O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - HKCU\..\Run: [rwqz] C:\PROGRA~1\COMMON~1\rwqz\rwqzm.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Microsoft AntiSpyware helper - {1464CDF1-A117-4C89-B862-5FD0D4C5A9D8} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1464CDF1-A117-4C89-B862-5FD0D4C5A9D8} - (no file) (HKCU)

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.160.98/affiliates/acc0000/client/acc0000.chm::/acc0000.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{27B86B31-12E3-4796-871A-50ADD487FBED}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS2\Services\Tcpip\..\{27B86B31-12E3-4796-871A-50ADD487FBED}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

:cry:


(Gutek) #2
  1. Turn off System Restore in XP HERE

  2. Boot into Safe Mode without internet (described in the link above).

  3. Check the indicated entries in HijackThis and click Fix checked. The entries will be removed.

  4. Delete from disk the files and folders I underlined in red

  5. Finish with online scanners - scanners of your choice

  6. Post a new log :stuck_out_tongue:


(Michalrub) #3

I have a problem deleting the msctl32.dll file. I scanned with Kaspersky.

How does it look now??

Logfile of HijackThis v1.99.1

Scan saved at 01:18:08, on 2006-01-02

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\PWN\Definicje\Bin\Starter.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Eset\nod32kui.exe

C:\windows\adtech2006.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\totalcmd\TOTALCMD.EXE

E:\Programy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Microsoft AntiSpyware helper - {1464CDF1-A117-4C89-B862-5FD0D4C5A9D8} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1464CDF1-A117-4C89-B862-5FD0D4C5A9D8} - (no file) (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ … nicode.cab

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.160.98/affiliates/acc0000/client/acc0000.chm::/acc0000.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{27B86B31-12E3-4796-871A-50ADD487FBED}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS2\Services\Tcpip\..\{27B86B31-12E3-4796-871A-50ADD487FBED}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Merged post: 02.01.2006 (Mon) 1:18

Still the same problem, svchost loads the CPU at 100%.

What did I do wrong?

Merged post: 02.01.2006 (Mon) 12:37

I read in other posts that the problem may be the rpcss process. I have a file rpcxss.dll. I deleted it in Safe Mode and it was great, but it came back after a restart. ??


(Gutek) #4

Removal instructions as above.

After all that, give me a Silent Runners log - Silent Runners description: http://www.searchengines.pl/phpbb203/in … opic=15989


(Michalrub) #5

Done. How does it look now??

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]

"DemonStarter" = "C:\Program Files\PWN\Definicje\Bin\Starter.exe" [null data]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

"Flag" = 2

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{A5366673-E8CA-11D3-9CD9-0090271D075B}(Default) = "IeCatch2 Class" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

{E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = "FlashFXP Helper for Internet Explorer" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\msvcrta.dll" [file not found]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}" = "*U" (unwritable string)

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\frennk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\msvcrta.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Michał\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"


(Gutek) #6

Use http://www.searchengines.pl/phpbb203/pl … bcheck.vbs - right-click the link and save it to the desktop. After you use the fix, restart the computer and post a new Silent Runners log, but wait longer and let Silent Runners run, because a log from 60 seconds is incomplete.


(Michalrub) #7

I downloaded it and the message "Registry entry normal" appeared - OK.

??


(Gutek) #8

Post a new Silent Runners log - I asked for it.


(Michalrub) #9

Sorry. New log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]

"DemonStarter" = "C:\Program Files\PWN\Definicje\Bin\Starter.exe" [null data]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

"Flag" = 2

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{A5366673-E8CA-11D3-9CD9-0090271D075B}(Default) = "IeCatch2 Class" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

{E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = "FlashFXP Helper for Internet Explorer" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}" = "*]" (unwritable string)

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\frennk.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Michał\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"

Startup items in "Michał" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

imon.dll ["Eset "], 01 - 05, 23

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:


Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\ = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\ = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\ = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

{1464CDF1-A117-4C89-B862-5FD0D4C5A9D8}\

"ButtonText" = "Microsoft AntiSpyware helper"

"MenuText" = "Microsoft AntiSpyware helper"

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]

Miscellaneous IE Hijack Points


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):

"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = "Search Class" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


NOD32 Kernel Service, NOD32krn, "C:\Program Files\Eset\nod32krn.exe" ["Eset "]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Remote Procedure Call (RPC) Extensions, RpcxSs, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"RpcxSs.Dll" [MS]}

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 52 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars
    took 212 seconds.

---------- (total run time: 460 seconds)


(Gutek) #10

Just this one thing left:

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG

Boot into Windows Safe Mode and run the FIX.REG file.


(Michalrub) #11

I ran that file. It was written to the registry, but the processor is still bogged down - in the device manager svchost takes 99%.

I don't know what to do next. (And rpcxss.dll??)


(Gutek) #12

Alt+Ctrl+Delete, then in the menu >>> View >>> Select Columns and check PID (process identifier).

You will then see which process, with which PID (number), has the high usage.

START -> Run >>> type cmd, and in the window that appears type tasklist /svc - give me only the svchost entries.


(Michalrub) #13

Here are the svchost entries: PID number and service

688 Rpcss

720 AudioSrv, Browser, CryptSvc, Dhcp, dmserwe, EwentSystem, etc. (this one isn't hogging)

784 Dnscache

852 LmHosts, RemoteRegistry, SSDPSRV, WebClient

1308 Rpcxss

1352 stisvc

The manager shows that PID 1308 is the one hogging. :!:
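Posts #12 and #13 map a busy svchost.exe PID to the services it hosts with `tasklist /svc`. The Python below is an added example, not code from the thread: it parses constructed `tasklist /svc` output modelled on the PIDs posted above and flags hosted service names missing from an allowlist, noting when one is a single edit away from a genuine name (RpcxSs beside RpcSs). The allowlist contents and the sample rows are assumptions.

```python
"""Added example, not code from the forum thread: parse `tasklist /svc` output as
Windows XP prints it (asked for in post #12), group services per svchost.exe PID
(the list in post #13) and flag hosted names missing from an allowlist, noting
when one is a single edit from a genuine name (RpcxSs hiding beside RpcSs)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (PIDs modelled on the thread, other rows invented), not a capture.
SAMPLE_TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  688 RpcSs
svchost.exe                  720 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 EventSystem, lanmanserver, lanmanworkstation,
                                 Schedule, seclogon, SENS, winmgmt, wuauserv
svchost.exe                  784 Dnscache
svchost.exe                  852 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 1308 RpcxSs
svchost.exe                 1352 stisvc
nod32krn.exe                 932 NOD32krn
"""

# Partial allowlist of services XP hosts in svchost.exe; absence means "unknown".
KNOWN_SVCHOST_SERVICES = {
    "RpcSs", "Dnscache", "LmHosts", "RemoteRegistry", "SSDPSRV", "WebClient",
    "stisvc", "AudioSrv", "Browser", "CryptSvc", "Dhcp", "dmserver", "EventSystem",
    "lanmanserver", "lanmanworkstation", "Schedule", "seclogon", "SENS", "winmgmt",
    "wuauserv", "W32Time", "Netman", "Themes", "BITS", "ERSvc", "DcomLaunch",
}

# "<image>   <pid> <services>"; the header and "====" rows have no PID field.
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(field: str) -> List[str]:
    """Comma-separated service field -> names, dropping blanks and 'N/A'."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Return {pid: (image, [services])}; indented continuation rows (no image, no PID) join the previous row."""
    rows: Dict[int, Tuple[str, List[str]]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            rows[current][1].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if not m:
            current = None  # header or separator row
            continue
        current = int(m.group("pid"))
        rows[current] = (m.group("image"), _split_services(m.group("svcs")))
    return rows


def svchost_services(rows: Dict[int, Tuple[str, List[str]]]) -> Dict[int, List[str]]:
    """Keep only svchost.exe instances: {pid: [services]}."""
    return {pid: svcs for pid, (image, svcs) in rows.items() if image.lower() == "svchost.exe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_unknown(by_pid: Dict[int, List[str]],
                   known=KNOWN_SVCHOST_SERVICES) -> List[Tuple[int, str, Optional[str]]]:
    """Allowlist misses as (pid, name, lookalike); lookalike is the known name one edit away, else None."""
    known_lower = {k.lower(): k for k in known}
    out = []
    for pid in sorted(by_pid):
        for name in by_pid[pid]:
            if name.lower() in known_lower:
                continue
            closest = min(known_lower, key=lambda k: levenshtein(name.lower(), k))
            like = known_lower[closest] if levenshtein(name.lower(), closest) == 1 else None
            out.append((pid, name, like))
    return out


if __name__ == "__main__":
    for pid, name, like in triage_unknown(svchost_services(parse_tasklist_svc(SAMPLE_TASKLIST))):
        print(f"CHECK: svchost PID {pid} hosts {name!r}" + (f", one edit from {like!r}" if like else ""))
```

On the sample this reports only PID 1308 hosting RpcxSs as one edit from RpcSs, which is the same conclusion the thread reaches by hand.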


(Gutek) #14

Removal:

Boot into the Recovery Console and enter the following set of commands:

DISABLE RpcxSs

DEL C:\WINDOWS\system32\rpcxss.dll

EXIT

Of course, if someone has the Windows folder under a different drive letter or a different name, adjust the commands accordingly. After restarting the computer, boot into Windows normally and run Registry Search Tool to search for the word RpcxSs. Delete the results it shows manually via Start >>> Run >>> regedit >>> right-click delete of the keys from the log.


(Michalrub) #15

I have a question: before I started the Recovery Console, I deleted rpcxss.dll in Safe Mode, and this time it has not reappeared since the last deletion. Everything is OK. To be sure, I ran Registry Search Tool - it showed 14 entries. The ones shown below cannot be deleted (by right-click) from the registry.

Can anything be done about this? I'd like to finish the matter for good, or can they stay?

REGEDIT4

; RegSrch.vbs © Bill James

; Registry search results for string "rpcxss" 2006-01-06 13:40:15

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCXSS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCXSS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCXSS\0000]

"Service"="RpcxSs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCXSS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCXSS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCXSS\0000]

"Service"="RpcxSs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCXSS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCXSS\0000\Control]

"ActiveService"="RpcxSs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCXSS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCXSS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCXSS\0000]

"Service"="RpcxSs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCXSS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCXSS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCXSS\0000]

"Service"="RpcxSs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCXSS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCXSS\0000\Control]

"ActiveService"="RpcxSs"

Thank you for the help. I learned a lot. :smiley:


(Gutek) #16

When you're at the key, you have to right-click it in Safe Mode and change the permissions :wink:


(Michalrub) #17

I managed to delete them. Thanks again for the help :lol: