The explorer.exe process is eating huge amounts of memory!


(Gryczewski) #1

Hello.

As the subject says, I have a terrible problem with my laptop. I have an HP 6449; two days ago I did a full format and installed a fresh Win XP. I don't know why, but I have a terrible problem: since yesterday the explorer.exe process has been eating on average 130K of memory. I have a desktop PC with a configuration very close to the laptop's, and there the same process takes on average 20K?? In general the computer has simply slowed down! Fetching mail takes it ages, and so does launching any program at all; before the format and right after it everything was fine!! The disk has been defragmented. I don't know what this could be, some worm or something else. Scanned with MKS Online and NOD32 and nothing, no junk found.

I'm asking for advice and some help because I'm running out of options!

And here is what the log looks like:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:05:38, on 2008-04-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ig?hl=pl&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [a805fe73] rundll32.exe "C:\WINDOWS\system32\biynytag.dll",b

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe

O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--

End of file - 5917 bytes
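Heuristic triage of the O4 and O20 lines in a log like the one above, as an added example (not code from HijackThis, ComboFix or anyone in the thread). The scoring rules are assumptions modelled on what a helper spots by eye in this log: an autostart under Policies\Explorer\Run, a random hex value name, rundll32 loading an 8-letter DLL through a one-letter export, and a Winlogon Notify DLL that no longer exists; the sample lines are copied from the thread's logs.

```python
"""Heuristic triage of HijackThis O4 / O20 autostart lines.

Added example for this thread, not code from HijackThis, ComboFix or any
poster. The scores are an assumed heuristic, not a general rule.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the two HijackThis logs in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [a805fe73] rundll32.exe "C:\WINDOWS\system32\biynytag.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O20 - Winlogon Notify: efcYQHAS - efcYQHAS.dll (file missing)
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")
# rundll32 <dll>,<export>, with or without quotes around the DLL path
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
# Two meaningless 8-letter name shapes seen in this log ("biynytag", "efcYQHAS").
RANDOM_NAME_RE = re.compile(r"^(?:[a-z]{8}|[a-z]{3,4}[A-Z]{4,5})$")


@dataclass
class Finding:
    kind: str            # "O4" or "O20"
    name: str            # Run value name, or Winlogon Notify subkey
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)

    def verdict(self):
        if self.score >= 3:
            return "suspicious"
        return "review" if self.score else "ok"


def _stem(path):
    # file name without directory and extension
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def score_o4(m):
    f = Finding("O4", m.group("name"), m.group(0))
    if m.group("key").lower().startswith("policies"):
        f.add(3, "autostart under Policies\\Explorer\\Run, rarely used legitimately")
    if HEX_NAME_RE.match(m.group("name")):
        f.add(2, "value name looks like random hex")
    rd = RUNDLL_RE.search(m.group("cmd"))
    if rd:
        if RANDOM_NAME_RE.match(_stem(rd.group("dll"))):
            f.add(2, "rundll32 loads a DLL with a random-looking name")
        if len(rd.group("export")) == 1:
            f.add(2, "rundll32 export is a single letter")
    return f


def score_o20(m):
    f = Finding("O20", m.group("name"), m.group(0))
    if "(file missing)" in m.group("rest"):
        f.add(2, "Winlogon Notify DLL no longer exists on disk")
    if RANDOM_NAME_RE.match(_stem(m.group("dll"))):
        f.add(2, "Winlogon Notify DLL has a random-looking name")
    return f


def triage(log_text):
    """Parse every O4/O20 line and return one Finding per entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            findings.append(score_o4(m))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append(score_o20(m))
    return findings


def suspicious_names(log_text):
    return [f.name for f in triage(log_text) if f.verdict() == "suspicious"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict():10} {f.kind:3} [{f.name}] " + "; ".join(f.reasons))
```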


(slawex1983) #2

130K? That's terribly little.


(Gryczewski) #3

So how much does it take on yours??


(Dmirecki) #4

FIX in HijackThis:

Download ComboFix, but don't run it.

Paste into Notepad:

File::

C:\WINDOWS\system32\biynytag.dll

File -> Save As -> CFScript.txt

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->

88953CFScript-createdbyMiekiemoes.gif

The removal should start and a log will be produced; post that log on the forum + a new HijackThis log.

If everything goes well, after the restart delete the C:\Qoobox folder manually.


(Gryczewski) #5

Hello,

Well, it seems to have worked, touch wood. Indeed, the explorer process is behaving normally; as for the logs, they look like this:

ComboFix 08-04-22.5 - lukanek 2008-04-24 21:41:35.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1379 [GMT 2:00]

Running from: C:\Documents and Settings\lukanek\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\lukanek\Pulpit\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\aecvtfxc.dll

C:\WINDOWS\system32\biynytag.dll

C:\WINDOWS\system32\efcYQHAS.dll

C:\WINDOWS\system32\gatynyib.ini

C:\WINDOWS\system32\hrtfgmuo.dll

C:\WINDOWS\system32\iifGXqqn.dll

C:\WINDOWS\system32\keiosvxh.dll

C:\WINDOWS\system32\nqqXGfii.ini

C:\WINDOWS\system32\nqqXGfii.ini2

C:\WINDOWS\system32\ouejcajx.ini

C:\WINDOWS\system32\rovwyyyr.dll

C:\WINDOWS\system32\tuvWqolK.dll

C:\WINDOWS\system32\vjpyxjdf.dll

C:\WINDOWS\system32\xjacjeuo.dll

.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))

.

2008-04-24 19:15 . 2008-04-24 19:15

2008-04-24 19:14 . 2008-04-24 20:26

2008-04-24 19:13 . 2008-04-24 19:13 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2008-04-24 18:31 . 2008-04-24 18:32 1,504,020 ---hs---- C:\WINDOWS\system32\nrftssdl.ini

2008-04-24 17:50 . 2008-04-24 17:50

2008-04-24 17:50 . 2008-04-24 17:50

2008-04-24 17:36 . 2008-04-24 17:36 45 --a------ C:\TEST.XML

2008-04-23 19:24 . 2008-04-23 19:24

2008-04-23 18:28 . 2008-04-24 18:29 1,504,260 ---hs---- C:\WINDOWS\system32\xfahhqjv.ini

2008-04-22 15:11 . 2008-04-22 15:11

2008-04-22 14:15 . 2008-04-22 14:15

2008-04-22 14:15 . 2004-07-14 12:54 676,864 --a------ C:\WINDOWS\system32\drivers\hardlock.sys

2008-04-22 14:15 . 2007-03-02 14:02 76,288 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS

2008-04-22 14:15 . 2007-03-02 14:03 50,176 --a------ C:\WINDOWS\system32\SNTI386.DLL

2008-04-22 14:15 . 2007-03-02 14:02 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL

2008-04-22 14:15 . 2007-03-02 14:02 9,949 --------- C:\WINDOWS\system32\SENTINEL.HLP

2008-04-22 14:15 . 2008-04-22 14:15 1,025 --a------ C:\WINDOWS\system32\ayju8sn.tgz

2008-04-22 14:14 . 2008-04-22 14:14 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys

2008-04-22 14:14 . 2008-04-22 14:14 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll

2008-04-22 14:14 . 2008-04-18 22:47 2,596 --a------ C:\WINDOWS\system32\config.hsp

2008-04-22 14:14 . 2008-04-22 14:14 383 --a------ C:\WINDOWS\system32\haspdos.sys

2008-04-22 14:11 . 2008-04-22 14:14

2008-04-22 14:01 . 2008-04-22 14:01

2008-04-22 13:38 . 2008-04-23 18:27 1,540,677 ---hs---- C:\WINDOWS\system32\ghrsgkdw.ini

2008-04-22 13:35 . 2008-04-24 21:00 109,765 --a------ C:\WINDOWS\BMab36cdef.xml

2008-04-22 13:02 . 2008-04-22 13:02

2008-04-22 13:01 . 2008-04-22 13:01

2008-04-22 10:10 . 2008-04-22 10:10

2008-04-22 09:49 . 2008-04-22 09:49

2008-04-22 09:39 . 2006-06-28 04:37 1,009,336 --------- C:\WINDOWS\system32\mschrt20.ocx

2008-04-22 09:39 . 2005-03-03 21:09 389,120 --------- C:\WINDOWS\system32\Codejock.DockingPane.Unicode.9601.ocx

2008-04-22 09:39 . 2006-06-28 04:37 212,240 --------- C:\WINDOWS\system32\RICHTX32.OCX

2008-04-22 09:39 . 2001-07-30 16:40 24,576 --------- C:\WINDOWS\system32\msxml3a.dll

2008-04-22 09:32 . 2008-04-22 09:32

2008-04-22 08:29 . 2008-04-22 09:35

2008-04-20 22:26 . 2008-04-20 22:30

2008-04-20 22:20 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg

2008-04-20 21:39 . 2008-04-24 21:49

2008-04-20 21:39 . 2008-04-20 21:43 37,888 --a------ C:\WINDOWS\system32\rar.exe

2008-04-20 21:35 . 2008-04-20 21:35

2008-04-20 21:35 . 2008-04-23 21:07

2008-04-20 21:35 . 2008-04-20 21:35

2008-04-20 21:28 . 2008-04-20 21:28

2008-04-20 21:17 . 2008-04-20 21:17

2008-04-20 21:15 . 2008-04-20 21:15 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI

2008-04-20 21:13 . 2008-04-20 21:13 23 --ah----- C:\WINDOWS\yacht.xws

2008-04-20 21:05 . 2008-04-22 14:12

2008-04-20 21:04 . 2008-04-20 21:04

2008-04-20 21:04 . 2008-04-20 21:22

2008-04-20 21:04 . 2008-04-20 21:17

2008-04-20 21:04 . 2008-04-20 21:04

2008-04-20 21:04 . 2008-04-22 13:55

2008-04-20 21:03 . 2008-04-20 21:03

2008-04-20 21:00 . 2008-04-20 21:00

2008-04-20 21:00 . 2008-04-20 21:00

2008-04-20 20:55 . 2008-04-20 20:55

2008-04-20 20:54 . 2008-04-20 20:54

2008-04-20 20:53 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2008-04-20 20:47 . 2008-04-20 21:04

2008-04-20 20:46 . 2008-04-20 20:46

2008-04-20 20:45 . 2008-04-20 20:47

2008-04-20 20:45 . 2008-04-24 17:35

2008-04-20 20:36 . 2008-04-20 20:36

2008-04-20 20:22 . 2008-03-01 15:02 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-04-20 20:22 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-04-20 20:22 . 2007-03-08 07:11 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-04-20 20:22 . 2008-03-01 15:02 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-04-20 20:22 . 2008-03-01 15:02 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-04-20 20:22 . 2008-03-01 15:02 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-04-20 20:22 . 2008-03-01 15:02 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-04-20 20:22 . 2008-03-01 15:02 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-04-20 20:22 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-04-20 17:41 . 2008-04-20 17:41

2008-04-20 17:39 . 2008-04-20 17:39

2008-04-20 17:39 . 2008-04-20 17:41

2008-04-20 17:37 . 2008-04-20 17:37

2008-04-20 17:35 . 2008-04-20 17:35

2008-04-20 17:33 . 2008-04-20 17:33

2008-04-20 17:29 . 2008-04-20 17:29

2008-04-20 17:29 . 2005-06-15 03:00 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll

2008-04-20 17:28 . 2008-04-20 17:28

2008-04-20 17:28 . 2008-04-20 17:28

2008-04-20 17:28 . 2005-12-30 20:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll

2008-04-20 17:28 . 2005-12-30 20:18 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2008-04-20 17:28 . 2005-12-30 20:16 77,824 --a------ C:\WINDOWS\system32\xvid.ax

2008-04-20 17:28 . 2008-04-20 17:28 56 -r-hs---- C:\WINDOWS\system32\4BF8C45FE9.sys

2008-04-20 17:27 . 2008-04-24 19:13

2008-04-20 17:26 . 2008-04-24 19:18 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-04-20 17:19 . 2008-04-20 17:19

2008-04-20 17:14 . 2008-04-20 17:15

2008-04-20 17:14 . 2008-04-22 13:01

2008-04-20 17:10 . 2008-04-20 17:10

2008-04-20 17:09 . 2008-04-20 17:09

2008-04-20 17:09 . 2008-04-20 17:09 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG

2008-04-20 17:07 . 2008-04-20 17:07

2008-04-20 17:07 . 2008-04-20 17:08

2008-04-20 17:07 . 2008-04-20 17:07

2008-04-20 16:44 . 2008-04-20 16:44 0 --a------ C:\WINDOWS\system32\mapisvc.inf

2008-04-20 16:35 . 2008-04-20 16:35

2008-04-19 01:13 . 2008-04-21 20:53

2008-04-19 01:13 . 2008-04-19 01:13 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-04-19 01:12 . 2008-04-19 01:12

2008-04-19 01:12 . 2008-04-19 01:12

2008-04-19 01:12 . 2008-04-21 23:17

2008-04-19 01:12 . 2008-04-19 01:12

2008-04-19 01:11 . 2008-04-19 01:11

2008-04-19 01:11 . 2008-04-20 16:34

2008-04-19 01:09 . 2008-04-19 01:10

2008-04-18 23:56 . 2008-04-18 23:56

2008-04-18 23:40 . 2008-04-18 23:40

2008-04-18 23:39 . 2008-04-18 23:39

2008-04-18 23:37 . 2008-04-18 23:37

2008-04-18 23:36 . 2008-04-18 23:36

2008-04-18 23:36 . 2008-04-18 23:36

2008-04-18 23:36 . 2006-08-10 20:00 921,656 --a------ C:\WINDOWS\system32\VGA.RAW

2008-04-18 23:36 . 2006-10-13 18:43 253,952 --a------ C:\WINDOWS\system32\vmprp326.ax

2008-04-18 23:36 . 2006-10-13 15:52 219,520 --a------ C:\WINDOWS\system32\drivers\usbvm326.sys

2008-04-18 23:36 . 2006-06-05 13:44 192,512 --a------ C:\WINDOWS\VimicroCam.exe

2008-04-18 23:36 . 2006-06-08 11:25 73,728 --a------ C:\WINDOWS\VMInstNT.exe

2008-04-18 23:36 . 2006-08-21 21:13 40,960 --a------ C:\WINDOWS\VM303UninstNT.exe

2008-04-18 23:36 . 2006-08-10 20:00 32,768 --a------ C:\WINDOWS\system32\VMCtrl326.ax

2008-04-18 23:36 . 2002-02-26 18:47 15,086 --a------ C:\WINDOWS\uninstall.ico

2008-04-18 23:36 . 2005-09-29 16:26 8,990 --a------ C:\WINDOWS\Product.ico

2008-04-18 23:34 . 2008-04-18 23:34

2008-04-18 23:24 . 2008-04-18 23:24 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-20 18:58 --------- d-----w C:\Program Files\MSBuild

2008-04-20 18:46 --------- d-----w C:\Program Files\Common Files\Menedżer instalacji SolidWorks

2008-04-18 23:00 --------- d-----w C:\Program Files\TC UP

2008-04-18 22:57 --------- d-----w C:\Documents and Settings\lukanek\Dane aplikacji\HEXelon

2008-04-18 22:55 --------- d-----w C:\Program Files\Crystal Player

2008-04-18 22:42 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2008-04-18 22:41 --------- d-----w C:\Program Files\Microsoft Works

2008-04-18 22:20 --------- d-----w C:\Program Files\D-Tools

2008-04-18 22:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe

2008-04-18 20:56 --------- d-----w C:\Documents and Settings\lukanek\Dane aplikacji\InstallShield

2008-04-18 20:48 --------- d-----w C:\Program Files\microsoft frontpage

2008-04-18 20:46 --------- d-----w C:\Program Files\Usługi online

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 15:27 455968]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-24 19:45 171448]

"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 12:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-23 22:15 8478720]

"nwiz"="nwiz.exe" [2007-08-23 22:15 1626112 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-23 22:15 81920]

"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]

"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55 102400]

"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 14:13 202032]

"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 16:07 241664]

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

"SolidWorks_CheckForUpdates"="C:\Program Files\Common Files\Menedżer instalacji SolidWorks\Scheduler\sldIMScheduler.exe" []

"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]

"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"Windows Printing Driver"= WinSpooler.exe

"WinUpdating"= WinUpdating.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcYQHAS]

efcYQHAS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

"C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe"=

"C:\Program Files\BearShare\BearShare.exe"=

"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\orbixd.exe"=

"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CNEXT.exe"=

"C:\Program Files\DC++\DCPlusPlus.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

"C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe"=

"C:\Program Files\ANSYS Inc\v110\RSM\bin\JMAdmin.exe"=

"C:\Program Files\ANSYS Inc\v110\RSM\bin\JMPassword.exe"=

"C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe"=

"C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\Intel\code\bin\ReaderHostCAT5U.exe"= C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe

"C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe"=

"C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe"=

"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe"=

"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe"=

"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe"=

"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 15:22]

R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 15:00]

R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-11-14 10:04]

S2 JobManagerService110;Ansys JobManager Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe" [2007-01-16 15:20]

S2 ScriptHostService110;Ansys ScriptHost Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe" [2007-01-16 15:20]

S3 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 23:34]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-24 21:49:16

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\searchindexer.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

.

**************************************************************************

.

Completion time: 2008-04-24 21:53:19 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-24 19:53:15

Pre-Run: 26,959,327,232 bajtów wolnych

Post-Run: 26,950,791,168 bajtów wolnych

272 --- E O F --- 2008-04-24 15:30:17

and from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:57:05, on 2008-04-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\A4Tech\Mouse\Amoumain.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ig?hl=pl&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [solidWorks_CheckForUpdates] "C:\Program Files\Common Files\Menedżer instalacji SolidWorks\Scheduler\sldIMScheduler.exe" /scheduler

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe

O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: efcYQHAS - efcYQHAS.dll (file missing)

O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe

O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Ansys JobManager Service V11 (JobManagerService110) - Ansys, Inc - C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Ansys ScriptHost Service V11 (ScriptHostService110) - Ansys, Inc. - C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

End of file - 7771 bytes

Still, take a look at these logs and tell me whether they're OK? Many thanks in advance.


(Leon$) #6

Open Notepad and paste

save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

The removal should start

Then post the ComboFix removal log

:slight_smile:


(Gutek) #7

Change to the rules for posting logs on the forum - viewtopic.php?f=16&t=213350