Svchost.exe - 100% CPU + winlogon.exe - Borlander + logs


(Orooomo) #1

Hello!

SVCHOST.EXE

It all started about 10 days ago, or maybe more...

I wanted to check whether my ports were closed, so I used the program Windows Worms Doors Cleaner, and to my surprise a message popped up saying (loosely translated):

The SVCHOST.EXE file is probably infected; it is using 71234k of memory (!!)

Sometimes after system startup the computer is terribly sluggish, SVCHOST's CPU usage reaches 95%, and memory is also at 70000 - 97000!!!

Sometimes after startup everything is fine: CPU is at about 5% and memory up to 30000.

And when I use update.microsoft.com it is at its worst: the system is "dead", CPU at 100%, and it passes after 2 minutes. After all that, SVCHOST uses, I don't remember exactly now, something like 15% CPU and from 37000 to 55000 of memory.

WINLOGON.EXE

I scanned the computer with Spyware Doctor and it detected Borlanders in the files

C:\Windows\~DFD###.dll there were 7 of them!!!

These files are created at every system startup, and using the program Who Lock Me? I found out that they are created by WINLOGON.EXE...

I'd simply like to know whether I've got some kind of junk and how to get rid of it...

Here are the logs...

HijackThis

Silent Runners

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"kav" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1045" ["DAEMON'S HOME"]

"Outpost Firewall" = "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice" ["Agnitum Ltd."]

"OutpostFeedBack" = "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup" ["Agnitum Ltd."]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)

  - {HKLM...CLSID} = "PCTools Site Guard"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  - {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)

  - {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  - {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  - {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

  - {HKLM...CLSID} = "History Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  - {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  - {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  - {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Ochrona WWW"

  - {HKLM...CLSID} = "Ochrona WWW"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"

  - {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

 "AppInit_DLLs" = "system32\aakah.dll" [file not found]


HKLM\System\CurrentControlSet\Control\Session Manager\

 "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

 klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

 WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]


HKLM\Software\Classes\PROTOCOLS\Filter\

 text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  - {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  - {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WhoLockMe\(Default) = "{81ED7E40-2DE4-47ae-91CA-C3E8E8E98E22}"

  - {HKLM...CLSID} = "Who Lock Me ?"

                   \InProcServer32\(Default) = "C:\Program Files\WhoLockMe\WhoLockMe.dll" ["Bitmind"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  - {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  - {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  - {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WhoLockMe\(Default) = "{81ED7E40-2DE4-47ae-91CA-C3E8E8E98E22}"

  - {HKLM...CLSID} = "Who Lock Me ?"

                   \InProcServer32\(Default) = "C:\Program Files\WhoLockMe\WhoLockMe.dll" ["Bitmind"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Prosiak\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Prosiak" "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"EPSON Status Monitor 3 Environment Check" - shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE" ["SEIKO EPSON CORPORATION"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2CF5485-4E02-4F68-819C-B92DE9277049}"

  - {HKLM...CLSID} = "Links"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{0D704FAD-66E9-4F0A-BFED-4F665770DDB3}"

  - {HKLM...CLSID} = "Tłumaczenie"

                   \InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{0D704FAD-66E9-4F0A-BFED-4F665770DDB3}" = (no title provided)

  - {HKLM...CLSID} = "Tłumaczenie"

                   \InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{175556B1-4D91-4E9A-9C4B-D6888D5DEE6C}\(Default) = "Ramka Tłumaczenia"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Ochrona WWW"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Szybkie dostosowywanie programu"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll" ["Agnitum Ltd."]


HKLM\Software\Classes\CLSID\{D553F157-2AB0-4B46-98D2-7BA7CA418491}\(Default) = "Słownik Podręczny"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

  - {HKCU...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

  - {HKLM...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

"ButtonText" = "Ochrona WWW"


{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

"ButtonText" = "Spyware Doctor"

"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

  - {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]


{44627E97-789B-40D4-B5C2-58BD171129A1}\

"ButtonText" = "Szybkie dostosowywanie programu Outpost Firewall Pro"


{85D1F590-48F4-11D9-9669-0800200C9A66}\

"MenuText" = "Uninstall BitDefender Online Scanner v8"

"Exec" = "%windir%\bdoscandel.exe" [null data]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{B46B0919-62BA-4D99-A5C4-916B57A6805C}\

"MenuText" = "@C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103"

"CLSIDExtension" = "{B46B0919-62BA-4D99-A5C4-916B57A6805C}"

  - {HKLM...CLSID} = "InternetTranslatorProperties Class"

                   \InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Kaspersky Anti-Virus 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]

Outpost Firewall Service, OutpostFirewall, "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]

PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]

PDAgent, PDAgent, ""C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"" ["Raxco Software, Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON STM3 2KMonitor10\Driver = "E_SL2010.DLL" ["SEIKO EPSON CORPORATION"]



----------

: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 33 seconds.

---------- (total run time: 102 seconds)

Thanks in advance for the help...


(Gutek) #2

There's no junk on the computer; also run a scan with AVG Anti-Spyware 7.5 after updating it :wink:


(Orooomo) #3

I've already checked with AVG and it didn't detect anything

I once had a similar problem and Outpost Firewall found something for me, I don't remember what, but it was in the registry, I think in services

I don't remember the exact path, but now it doesn't find anything


(Gutek) #4

It's OK, clean :slight_smile: clean up the registry - RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177 or jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509


(Orooomo) #5

OK, thanks for the help

the registry is clean now...


(Rockayers) #6

Cleaning the registry won't help you at all; the log shows R01 and R20 entries, and those are rootkits. First of all, try removing them with HijackThis by selecting them and pressing fix-checked, then restart the computer, post another log and check whether they are still there. If so, I suggest downloading gmer, RootkitRevealer or spycatcher-express and trying to remove them; I know from experience that unfortunately it is not that simple. Good luck


(Gutek) #7

which ones? :mrgreen:


(Rockayers) #8

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O20 - AppInit_DLLs: system32\aakah.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

To my modest taste these are suspicious entries. No more than 3 months ago I had a very similar problem, also with WINLOGON.EXE; I could use the browser only because kerio was blocking it. I dug around and found out that it might be a rootkit, and indeed it was; no antivirus will find it, because the process starts along with system startup, then connects to the net and clogs up the connection and the CPU. I'm writing how I would treat it myself and how I actually did treat it. R01 and 020 entries have no right to exist on a normally working computer, and on mine they don't exist :slight_smile: and somehow everything has been running like crazy ever since :mrgreen:

Post merged: 03.12.2006 (Sun) 0:24

but I probably don't know what I'm talking about :oops:


(Joan Sunshine) #9

The first 3 are Microsoft pages.

The fourth is from Anti-Keylogger.

The fifth is from Kaspersky.

The last 2 are normal system libraries.

In short - there's nothing here that shouldn't be :wink:
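
Added example, not part of the thread: a small Python triage of the seven HijackThis lines quoted in post #8, cross-checked against the `[file not found]` tags in the Silent Runners report from post #1. The function names and category labels are assumptions made for this sketch; the log lines are copied from the page.

```python
import re
from urllib.parse import urlsplit

# Sample input: the HijackThis lines quoted in post #8 of this thread.
HIJACKTHIS = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O20 - AppInit_DLLs: system32\aakah.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
# Sample input: three lines from the Silent Runners report in post #1.
SILENT_RUNNERS = r'''
 "AppInit_DLLs" = "system32\aakah.dll" [file not found]
 klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
 WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]
'''

R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>.+?) = (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")
SR_RE = re.compile(r'"(?P<path>[^"]+)" \[(?P<tag>[^\]]+)\]\s*$')


def missing_in_silent_runners(report):
    """Lower-cased DLL names that Silent Runners tagged [file not found]."""
    names = set()
    for line in report.splitlines():
        m = SR_RE.search(line)
        if m and m["tag"] == "file not found":
            names.add(m["path"].rsplit("\\", 1)[-1].lower())
    return names


def triage(hjt_log, sr_report=""):
    """Return one (category, detail) tuple per recognised HijackThis line."""
    orphaned = missing_in_silent_runners(sr_report)
    out = []
    for line in hjt_log.splitlines():
        line = line.strip()
        if (m := R_RE.match(line)):
            # R0/R1 lines are IE page settings: a URL, not a loaded module.
            host = (urlsplit(m["url"]).hostname or "").lower()
            # Match the host exactly or as a subdomain, so look-alikes such
            # as "microsoft.com.evil.example" are not accepted.
            ms = host == "microsoft.com" or host.endswith(".microsoft.com")
            cat = "ie-url-microsoft" if ms else "ie-url-other"
            out.append((cat, f'{m["value"]} -> {host}'))
        elif (m := O20_RE.match(line)):
            # O20 lines name DLLs loaded via AppInit_DLLs or Winlogon Notify.
            rest = re.sub(r"\s*\(file missing\)$", "", m["rest"])
            missing = rest != m["rest"]
            dll = rest.split(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
            # A registry entry whose file is gone cannot load anything;
            # either tool may be the one that reports the file as absent.
            missing = missing or dll in orphaned
            cat = "autostart-dll-missing" if missing else "autostart-dll"
            out.append((cat, f'{m["kind"]}: {dll}'))
    return out


if __name__ == "__main__":
    for category, detail in triage(HIJACKTHIS, SILENT_RUNNERS):
        print(f"{category:22} {detail}")
```

Entries in the `autostart-dll` category still need their file and vendor checked individually; the script only separates URL settings from loadable modules and marks entries whose file is absent.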


(Rockayers) #10

just explain to me why web pages would be loading at system startup

Post merged: 03.12.2006 (Sun) 0:33

Microsoft's??


(Joan Sunshine) #11

At what startup? Those are simply the configured IE start pages :?


(Rockayers) #12

I'm probably wrong, I take it back; I meant well, because I know how inf... uriating this can be


(Bbieniol) #13

These entries can be removed cosmetically, since the files no longer exist:


(Orooomo) #14

I already thought the topic was closed... but I see that it wasn't...

In any case, thanks for taking an interest in my problem...

Regards...